The fabric policy plane is based on Cisco TrustSec. Cisco TrustSec Scalable Group Tags (SGTs) are assigned to authenticated groups of users and end devices.
Network policy, such as ACLs and QoS, is applied throughout the Software-Defined Access fabric based on the Scalable Group Tag rather than on an IP address or MAC address.
This means that within the fabric, policies are applied to the assigned SGT rather than to the address of the endpoint.
There are several advantages to this implementation for Software-Defined Access:
- Support for network-based segmentation using virtual networks and group-based segmentation using policies.
- Network-address-independent group-based policies, based on the SGT rather than on MAC, IPv4 or IPv6 addresses, reducing complexity.
- Dynamic enforcement of group-based policies regardless of location.
- Policy constructs carried over a legacy or third-party network using VXLAN.
- Extended policy enforcement to external networks such as cloud or data centre by transporting the tags to Cisco TrustSec-aware devices using the SGT Exchange Protocol (SXP).
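To make the address-independence point concrete, the following is an added example (not Cisco code and not an exact model of IOS SGACL processing) of group-based enforcement: the source SGT comes from a tag carried inline in the fabric header when present, otherwise from a longest-prefix match over SXP-style IP-to-SGT bindings, and the permit/deny decision is keyed only on the (source SGT, destination SGT) pair. All SGT values, prefixes and rules are constructed for illustration.

```python
import ipaddress

# Constructed SXP-style bindings: IP prefix -> SGT. In a real fabric these are
# learned from the policy server over SXP; the values here are made up.
BINDINGS = {
    "10.1.0.0/16": 10,    # Employees
    "10.1.50.0/24": 20,   # Contractors (more specific prefix wins)
    "10.2.0.0/16": 30,    # Servers
}

# Constructed group-based policy: (src_sgt, dst_sgt) -> [(proto, port, action)].
# Any pair or flow not listed falls through to the default action.
SGACL = {
    (10, 30): [("tcp", 443, "permit"), ("tcp", 22, "permit")],
    (20, 30): [("tcp", 443, "permit")],
}
DEFAULT_ACTION = "deny"  # fail closed for unknown groups or unmatched flows


def resolve_sgt(ip, inline_sgt=None):
    """Return the SGT for an address.

    A tag carried inline (e.g. in the VXLAN header inside the fabric) takes
    precedence; otherwise use the longest-prefix match over the bindings.
    Returns None when the address is not covered by any binding.
    """
    if inline_sgt is not None:
        return inline_sgt
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


def evaluate(src_ip, dst_ip, proto, port, src_inline_sgt=None):
    """Decide permit/deny for a flow using only the (src SGT, dst SGT) pair."""
    src_sgt = resolve_sgt(src_ip, src_inline_sgt)
    dst_sgt = resolve_sgt(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return DEFAULT_ACTION
    for rule_proto, rule_port, action in SGACL.get((src_sgt, dst_sgt), []):
        if rule_proto == proto and rule_port == port:
            return action
    return DEFAULT_ACTION
```

Note that a source outside every binding is still permitted when it carries the Employee tag inline, while the same source without a tag is denied: the decision follows the group, not the address.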