Security Group Tagging Basics

An overview of security group tagging.

Policy

Figure1 - Policy

Credit: Aaron Woland

In my last blog (which admittedly was a bit long, and verbose) I discussed the changing landscape of Identity Networking. With Identity Networking there are many different ways of controlling network access based on the context of a user and device. There is:

  • VLAN assignment, in which access is controlled at the Layer-3 edge, or by isolating that VLAN into a segmented virtual network (VRFs).
  • ACL assignment, which can be a local ACL, called into action by a RADIUS attribute, or a downloaded ACL (dACL). These ACLs are applied ingress at the switchport or virtual port in the case of the Wireless LAN Controller (WLC).
  • We just touched on the topic of a new scalable enforcement mechanism known as Security Group Tagging.

This new technology, Security Group Tagging, is going to be the focus of today’s blog.

Security Group Tagging allows for segmentation without needing VLANs, and even more importantly simplifies the operational management of firewall policy and access lists. For our example in this blog, there are two switches in the Access Layer, each with a user from the HR Department, and another user who needs access to Payment Card Industry (PCI) data. These two users have absolutely NO need to ever communicate.

The Policy is a simple one. HR is allowed to communicate to HR, PCI is allowed to communicate with PCI. However, they may not talk to one another, even though they could be on the same VLAN (same VLAN in the Access Layer or even the Data Center).

Our Policy:

Policy Aaron Woland

Figure1 - Policy

With this SIMPLE policy, we are able to enable the flows as shown in the next figure:

  • PCI User attempting to talk to HR user on same switch & same VLAN is denied.
  • HR User on Switch 1 is able to communicate with HR User on Switch 2.
  • HR User is denied access to the PCI Server.
  • PCI User is granted access to the PCI Server.
Tagging in Action Aaron Woland

Figure2 - Tagging in Action

If the benefits have not made themselves abundantly obvious already, let me point some out to you. Security Group Tagging advantages are extensive throughout most IT network operations and may affect how they operate and the way decisions are made as it opens a variety of new possibilities that were not practical using VLAN-based topologies.

Advances Protection

Classifies endpoints by context, dynamically segments into security groups, and protects data center applications.

Simplifies Administration

Manages policy with plain language, enables changes in minutes, and automates the management of firewall rules.

Scales Extensively

Removes design complexity, helps increase network performance, and ensures dependable resource access.

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.