Cisco Fabric in Campus & DC : SGTs and EPGs

Cisco Fabric in Campus & DC : SGTs and EPGs

We are going to discuss both SGTs and EPGs in our article as both are used to segment the users/devices in campus and DC respectively. 

Cisco SD-Access (SDA) & SGTs
SD-Access from Cisco allows you to segment traffic by user, device, and application without redesigning the network.

With Cisco SD-Access, organizations can automate user access policy, ensuring that the correct policies are established for all users and devices, irrespective of the application.

LAN and WLAN networks can be integrated into a single network fabric to provide a consistent user experience wherever they are without compromising security.

Let's talk about SGT in Cisco SDA environment.

Fig 1.1- EPGs and SGTs

SGT (Secure group tag)
SGT (Secure group tag) is a security group tag assigned to user’s or device’s traffic in campus networks based on their roles. SGT is a 16 bit value that the Cisco ISE assigns to the user or endpoint’s session upon login and SGT is globally unique

Cisco ACI & EPGs
ACI is Cisco's software-defined networking solution for data centers. Cisco ACI simplifies, optimizes, and accelerates application deployment lives cycles by defining network infrastructure based on network policies.

Let's talk about EPGs in Cisco ACI environment.

EPG (End point Group)
EPG (End point Group) is end point group in ACI fabric used to group servers that require similar treatment of policy. EPG is hierarchical in nature.

EPG is categorized as Physical or Virtual servers as most of the end points in the data center environment are servers. So each contract is defined by Access lists. Contract is like if one server wants to talk to another server there is a contract between them which is defined by applying permit statement in the Cisco ACI GUI interface. 

So simply, EPG provides a contract when it has a listening socket for incoming requests. As an example an EPG that hosts web servers should be configured as a provider of a contract that includes port 80 and 443. The client side EPG instead is a consumer of a web contract. 

Well if we talk about the segmentation in our network then SGTs are the way to segment users/devices in LAN environment and EPGs are the way to segment it in the Datacenter.

When ISE has Application Centric Infrastructure (ACI) Policy Element Exchange enabled then Endpoint Groups (EPG’s) and group membership information learned from Application Policy Infrastructure Controller (APIC) can be shared with network devices in the Campus for dynamic classification (and therefore enforcement) across domains. 

Note that ISE also sends information to APIC for policies to be built in the ACI domain based on Scalable Group Tags (SGT’s) and group membership from the Campus.

No comments