Cisco ACI & TrustSec – A Holistic Approach for Secure Enterprise Networks

One of the key principles of any successful design is the ‘holistic approach’. With this approach, as a network designer or architect, you typically need to look at the big picture first.

For example, if you are designing a data center or a campus LAN, you need to look at the enterprise architecture holistically and see how the design will fit with the other places in the network. Also, in today’s modern networks security is a critical requirement; therefore, you must consider the end-to-end architecture (not only one place in the network at a time) to be able to identify and propose a solution architecture capable of providing simple, reliable, efficient and secure communication. For example, define an enterprise-wide policy model that provides consistent ‘end to end’ segmentation among the different user groups and places in the network, and that controls which applications and services they are allowed to access within the data center.

Cisco TrustSec simplifies the provisioning and management of secure access to network services and applications. Cisco TrustSec is an intelligent access control solution that mitigates security risks by providing comprehensive visibility into who and what is connecting across the entire network infrastructure, and control over what and where they can go.

The Cisco Security Group Tag (SGT) is a key element of the Cisco TrustSec architecture that overcomes the shortcomings of the traditional approaches to policy administration. If Cisco ISE is used, it transmits the tag information to all the supported Cisco devices in the network (centralized configuration and provisioning).

Cisco TrustSec classifies traffic based on the contextual identity of the endpoint rather than its IP address. This means that the Cisco TrustSec security group tag (SGT) is assigned to an endpoint typically based on that endpoint’s user, device, and location attributes (predefined profiling). The SGT denotes the endpoint’s access entitlements, and all traffic from the endpoint carries the SGT information. Switches, routers, and firewalls use the SGT to make forwarding decisions that are based on a security policy.

With this approach, you can use Cisco TrustSec controls to define your access policies in terms of business needs. For example, the business or enterprise security policy may state that any personal device such as a tablet or smartphone used by employees should be restricted to accessing only the external mail server in the DMZ and the Internet, even when the users log in to the network from these devices with their corporate credentials. With Cisco TrustSec (using SGTs and profiling) this goal can be achieved and maintained in a centralized and efficient manner without introducing any operational complexity.

On the other hand, Cisco ACI uses a policy-based approach to abstract traditional network constructs (e.g. VLANs, VRFs, IP subnets, etc.). Cisco Nexus 9000 switches (running in ACI mode) plus the APIC controller comprise the ACI elements that apply this policy-based approach by focusing on the application. The Nexus 9000 platform forms the physical switching infrastructure, while the APIC is a clustered policy management system (SDN and policy controller) responsible for all aspects of fabric configuration.

The previous blog “ACI – Policy Based Data Center Model – Foundations” covered the foundations of the ACI policy-based model, which is constructed from the following key elements:

  • Endpoint groups (EPGs): a policy consists of a number of EPGs, each typically one or more servers in the same segment.
  • Contracts: policy contracts define the communication requirements between EPGs by allowing specific ports and protocols between them. The collection of internal endpoint groups (IEPGs) and external endpoint groups (EEPGs), together with the policies that define how they communicate, forms an application network profile (ANP).
  • Application network profile (ANP): contains the entire application policy. In fact, ANPs are designed to be modeled in a logical manner that matches the way applications are designed and deployed.


At this stage we have two robust approaches to secure network communications and control traffic segmentation:

  • TrustSec domain: across the different enterprise places in the network with the SGT concept.
  • ACI-ANP domain: to secure, segment and control traffic in an application-focused manner (e.g. the application tiers model).

As mentioned earlier, one of the key design principles is to follow a holistic approach. This means that focusing only on securing your data center perimeter and/or building micro-segmentation security policies among the virtual machines is important, but not enough in today’s modern and dynamic networks.

For example, let’s consider a realistic scenario of an educational institute environment (university). This university wants to achieve the following:

  • Segregate staff traffic from student traffic across the entire network.
  • All the university staff must be able to access HR web portal-1.
  • Permanent staff must be able to access HR web portal-1 & HR web portal-3.
  • Contracting staff must not access HR web portal-2 & HR web portal-3.
  • Engineering school students must be able to access the engineering web portal, only when they are using any university PC or connected to any classroom WiFi.
  • Business school students must be able to access the business web portal, only when they are using any university PC or connected to any classroom WiFi.
  • Both staff and students must be able to access the university internal social network website.
  • Any staff member can use his/her own device; however, the network access will be restricted to the Internet, the mail server and the internal social network website.

Controlling such a dynamic environment (where the number of people, devices and types of access change very frequently) can be a nightmare, especially if you consider using the classical control/filtering approach based on source and destination IP addresses at the DC or the network access edge!

With Cisco TrustSec integrated with Cisco ACI, you can provision and manage a cohesive solution that achieves the aforementioned requirements without introducing any operational complexity.

As shown in the figure below, Cisco ISE (the central policy server of TrustSec) integrates with the Cisco ACI APIC (the ACI/SDN controller). With this integration the APIC can pull the SGTs and translate them into external EPGs. Then, from the APIC, you can simply control who can access what, using a contract between an external EPG and the existing internal EPGs where the intended servers/applications are grouped.


Similarly, from the ISE point of view, the internal EPGs can be pulled and translated into SGTs, so that ISE can enforce the desired policy based on these SG tags.
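As an added illustration (not code from this post, from Cisco ISE or from the APIC), the following Python model ties the university requirements above to the SGT/EPG exchange just described: an endpoint is classified into an SGT from its user, device and location attributes, the SGT is represented on the ACI side as an external EPG, and access to a data center EPG is granted only where a contract exists. The SGT names, EPG names, contract filters, the `ext_` naming convention and the sample endpoints are all constructed assumptions; the scenario's Internet and mail rules are modelled as a TrustSec-side permit matrix that lists only the rule the scenario states.

```python
"""Simplified model of group-based policy spanning the TrustSec and ACI domains.

Constructed illustration, not ISE or APIC code. The SGT names, EPG names,
contract filters and sample endpoints are assumptions chosen to mirror the
university scenario in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    user_role: str   # permanent_staff | contract_staff | eng_student | bus_student
    device: str      # university_pc | byod
    location: str    # classroom_wifi | office_lan | dorm_wifi
    ip: str          # carried only to show it plays no part in the decision


# ---- TrustSec domain: ISE-style classification of an endpoint into an SGT ----
def classify_sgt(ep: Endpoint) -> str:
    """Derive the SGT from user, device and location attributes, never from the IP."""
    if ep.user_role in ("permanent_staff", "contract_staff") and ep.device == "byod":
        return "Staff_BYOD"          # personal device: restricted even with corporate credentials
    if ep.user_role == "permanent_staff":
        return "Staff_Permanent"
    if ep.user_role == "contract_staff":
        return "Staff_Contract"
    # Students get their school's tag only on a university PC or on classroom WiFi.
    in_class = ep.device == "university_pc" or ep.location == "classroom_wifi"
    if ep.user_role == "eng_student":
        return "Student_Eng" if in_class else "Student_Generic"
    if ep.user_role == "bus_student":
        return "Student_Bus" if in_class else "Student_Generic"
    return "Unknown"


# Group-to-group permits enforced by TrustSec devices for destinations outside the
# ACI fabric (SGACL-style matrix). Only the rule the scenario states is listed.
TRUSTSEC_PERMIT = {
    ("Staff_BYOD", "Internet"),
    ("Staff_BYOD", "Mail_DMZ"),
}


# ---- ACI domain: the APIC pulls the SGTs from ISE and represents each as an external EPG ----
def external_epg_for(sgt: str) -> str:
    return "ext_" + sgt   # assumed naming convention for the pulled groups


# Contracts consumed by an external EPG from an internal EPG: (consumer, provider) -> filters.
# No entry means no contract, and an ACI fabric forwards nothing between EPGs by default,
# so the "contracting staff must not access HR-2/HR-3" rule needs no explicit deny.
CONTRACTS = {
    ("ext_Staff_Permanent", "epg_HR_Portal_1"): {("tcp", 443)},
    ("ext_Staff_Permanent", "epg_HR_Portal_3"): {("tcp", 443)},
    ("ext_Staff_Contract", "epg_HR_Portal_1"): {("tcp", 443)},
    ("ext_Student_Eng", "epg_Eng_Portal"): {("tcp", 443)},
    ("ext_Student_Bus", "epg_Bus_Portal"): {("tcp", 443)},
}
# Staff and students alike may reach the internal social network site.
for _tag in ("Staff_Permanent", "Staff_Contract", "Staff_BYOD",
             "Student_Eng", "Student_Bus", "Student_Generic"):
    CONTRACTS[(external_epg_for(_tag), "epg_Social")] = {("tcp", 443)}


def aci_permit(sgt: str, internal_epg: str, proto: str, port: int) -> bool:
    """Contract lookup between the external EPG derived from the SGT and the internal EPG."""
    filters = CONTRACTS.get((external_epg_for(sgt), internal_epg), set())
    return (proto, port) in filters


def decide(ep: Endpoint, destination: str, proto: str = "tcp", port: int = 443) -> bool:
    """Classify once, then enforce in whichever domain owns the destination."""
    sgt = classify_sgt(ep)
    if destination.startswith("epg_"):
        return aci_permit(sgt, destination, proto, port)
    return (sgt, destination) in TRUSTSEC_PERMIT


# Constructed sample endpoints. Alice appears twice with the same credentials on the
# same office subnet but different devices; Carol appears twice on different networks.
# In every case the group, not the address, decides.
SAMPLE = {
    "alice_pc": Endpoint("permanent_staff", "university_pc", "office_lan", "10.1.1.10"),
    "alice_phone": Endpoint("permanent_staff", "byod", "office_lan", "10.1.1.11"),
    "bob_pc": Endpoint("contract_staff", "university_pc", "office_lan", "10.1.1.12"),
    "carol_class": Endpoint("eng_student", "byod", "classroom_wifi", "10.2.2.20"),
    "carol_dorm": Endpoint("eng_student", "byod", "dorm_wifi", "10.3.3.30"),
}

if __name__ == "__main__":
    for name, ep in SAMPLE.items():
        hits = [d for d in ("epg_HR_Portal_1", "epg_HR_Portal_3", "epg_Eng_Portal",
                            "epg_Social", "Internet") if decide(ep, d)]
        print(f"{name:12} {classify_sgt(ep):16} -> {', '.join(hits) or 'nothing'}")
```

Running the block prints one line per sample endpoint with its SGT and the destinations it may reach. The staff/student segregation requirement falls out of the model without any rule of its own: no contract joins a staff group to a student resource or vice versa, and both domains deny by default, so a change of device or location only ever changes the group and therefore the policy, while the IP address never enters the decision.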

In summary, securing your data center from external networks and among the applications/VMs within the data center is a must, but not enough in today’s networks. By sharing contextual and policy group information between the TrustSec and ACI domains, enterprises are able today to address network access breaches and compliance challenges and to meet the complex, dynamic security segmentation requirements of today’s networks. In fact, with the group-based policy approach used by TrustSec and ACI, enterprises can define unified and consistent security policies to gain ‘end to end’ visibility and control with vastly simplified security design, management and compliance across the different places in the network (remote sites, campus, VPN users and data center).


Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the top Cisco certification design books, the “CCDE Study Guide” and the upcoming “CCDP Arch 4th Edition”). He is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.

