SD-Access - Policy Plane (CTS)
1. The Policy Plane Framework
In a Cisco SD-Access fabric, operational duties are cleanly split across three specialized planes: the control plane runs on LISP, the data plane runs on VXLAN, and the policy plane runs on Cisco TrustSec.
-
Role of VXLAN Headers: The VXLAN encapsulation header explicitly carries both Virtual Routing and Forwarding (VRF) and Scalable Group Tag (SGT) metadata directly inside the data plane. These fields are leveraged by the infrastructure to execute macro-segmentation and micro-segmentation security policies.
-
Role of Cisco ISE: Acts as the centralized SDN policy controller. It abstracts software-defined segmentation groups and policy rules, allowing administrators to maintain and deploy consistent access rules across networks of any size via a simplified graphical policy matrix.
2. Two-Level Segmentation Hierarchy
Cisco SD-Access implements a strict two-level hierarchy to isolate network traffic, completely separating access entitlements from physical topology, IP subnets, or VLAN configurations.
+-----------------------------------------------------------------------+
| MACRO LEVEL (Level 1): Virtual Network (VN) / VRF Isolation |
| - Blocks distinct routing domains (e.g., IoT vs. Corp) |
+-----------------------------------------------------------------------+
|
v
+-----------------------------------------------------------------------+
| MICRO LEVEL (Level 2): Scalable Group Tag (SGT) Isolation |
| - Fine-grained permissions inside a VN (e.g., Employee vs. Guest) |
+-----------------------------------------------------------------------+
Macro-Level Segmentation (Virtual Networks)
-
Logical Isolation: Divides a single physical network topology into multiple, distinct virtual networks (VNs). By default, endpoints residing in different VNs/VRFs are completely blocked from communicating with each other.
-
The L3 Routing Domain: Each VN acts as an independent Layer 3 routing domain providing Layer 2 or Layer 3 services. On Cisco DNA Center, these instances are managed as Virtual Networks, which are instantiated as independent VRF instances on fabric switches and routers.
-
Control Plane Virtualization: LISP uses a unique Instance ID to maintain separate, isolated address spaces within the control plane database.
-
Data Plane Virtualization: Within the fabric data plane, VN isolation is carried inside the VXLAN Network Identifier (VNID) field. The architecture uses both a Layer 2 VNID and a Layer 3 VNID to maintain data plane segregation.
-
External Mapping: At the fabric boundary (Border Node), internal fabric VNs map directly to traditional external VRF instances, allowing multi-tenant virtualization to extend outside the fabric infrastructure.
Micro-Level Segmentation (Scalable Group Tags)
-
Role-Based Security: Provides granular, simplistic microsegmentation inside a virtual network. Users, applications, and devices are grouped logically based on contextual business decisions and organizational identities rather than their location or network addresses.
-
The SGT Label: An SGT is a 16-bit value assigned dynamically to an endpoint session by Cisco ISE upon user login or device authentication.
-
Operational Benefits: Decoupling access rights from IP addresses and VLAN structures drastically reduces operational maintenance costs, eliminates human configuration errors, increases deployment speed, and applies access rules consistently across wired, wireless, and VPN access mediums.
3. SGT Classification and Assignment
Cisco TrustSec functions by classifying and tagging traffic at network ingress (where traffic enters the infrastructure), carrying that tag across the network, and enforcing access control rules based on that tag further down the path. Classification can occur in two distinct ways:
Dynamic Classification
When an endpoint connects to a fabric edge switch and authenticates, Cisco ISE dynamically pushes the designated SGT value down to the local switchport as part of standard RADIUS attribute-value pairs. This applies to:
-
802.1X authentication.
-
MAB (MAC Authentication Bypass).
-
WebAuth (Web Authentication).
Static Classification (Manual Bindings)
Administrators can manually configure static architectural bindings across fabric nodes to map traffic to specific SGTs based on infrastructure criteria:
-
VLAN to SGT bindings.
-
Subnet to SGT bindings.
-
VM (Port Profile) to SGT bindings (e.g., on Hypervisor Switches).
-
Layer 2 Port to SGT bindings (e.g., at Data Center Access layers).
-
Layer 3 Interface (SVI) to SGT bindings.
4. Policy Enforcement Points
Network nodes (switches, routers, and firewalls) use SGT metadata to make programmatic forwarding and filtering decisions. Cisco TrustSec devices evaluate and filter packets at their egress interface.
Depending on where traffic is moving, policy enforcement occurs at different spots within the fabric:
-
Edge Nodes (East-West Traffic): Enforce microsegmentation policies for traffic moving internally within the fabric site (user-to-user or local intra-fabric flows).
-
Border Nodes (North-South Traffic): Enforce policies for traffic leaving the fabric boundaries toward external destinations (e.g., users accessing an external Data Center routing domain).
5. Non-Fabric and Legacy Integration (SXP)
When a packet leaves the fabric domain bound for an external network destination, the VXLAN header is stripped off at the Border Node, causing the inline SGT tag to be lost. To maintain security context across legacy or non-TrustSec hardware, the network relies on the SGT Exchange Protocol (SXP):
-
SXP Functionality: SXP is a control plane protocol that propagates IP-to-SGT binding information (learned via Manual configurations or RADIUS sessions) across network nodes that do not possess hardware support for inline data-plane packet tagging.
-
Upstream Signaling: Cisco ISE acts as the central mechanism to announce these IP-to-SGT mappings via SXP to upstream perimeters, such as firewalls, traditional routers, or Layer 3 core switches.
-
TrustSec Security Domains: Cisco TrustSec builds highly secure domains by requiring neighboring peer network devices to authenticate one another. Once a trusted link adjacency is established, communications between those infrastructure nodes are cryptographically secured using a combination of:
-
Data Encryption.
-
Message Integrity Checks (MIC).
-
Data-path Replay Protection mechanisms.
-
6. Architectural Comparison: Traditional TrustSec vs. SD-Access
Cisco SD-Access vastly simplifies and extends traditional TrustSec by integrating group policy natively into the automated network overlay.
| Capability / Feature | Traditional Cisco TrustSec | SD-Access Policy |
| SGT Propagation Method | Must be enabled hop-by-hop across all hardware links, or transported via peering lines using SXP. | Native Overlay Transport: Natively embedded and carried inline with data traffic inside the VXLAN-GPO header. |
| Virtual Network Integration | Not supported. | Fully Supported: Natively integrates virtual networks with SGT-aware firewalls and fabric elements. |
| Access Control Policy Enforcement | Supported. | Supported. |
| Quality of Service (QoS) Policy | Not supported. | Supported: Enables advanced Application-based QoS policy profiles. |
| Traffic Copy Policy | Not supported. | Supported: Enables highly flexible Source/Destination (SRC/DST) based copy policies. |



