Segmentation on your LAN and Datacentre
One of the most important security aspects of a new LAN or datacentre design is traffic segmentation. When asked about segmentation techniques, most people mention VLANs, access lists or sometimes VRFs. All of those techniques can provide a high level of isolation, but none of them is both flexible and scalable.
Using a combination of VLANs and access lists, for example, does not decouple user or endpoint identity from its IP address: an ACL can only match on addresses, so the policy has to change whenever the addressing does. Layer 3 techniques such as VRFs often require complex route leaking or a firewall inserted between VRFs. None of the traditional techniques take endpoint mobility into account, nor do they provide the same level of security regardless of the access method: wired, wireless or VPN.
Any modern network should deliver consistent, access-independent segmentation of traffic that is easy to manage, scales, and can be modified without changing the underlying IP network. This applies to both LAN and datacentre environments. To achieve this we introduce additional fields in the packet header that “tag” traffic with the user or endpoint identity. The tag is assigned once, at the point where the endpoint is authenticated or classified, and is carried in every packet, so identity is decoupled from the IP address while still being encoded in the packet itself.
Our software defined access blog provides quite a lot of information about splitting the logical network into an underlay and an overlay. Understanding those concepts is essential to implementing modern network segmentation. Both SDA and datacentre fabrics like ACI use this approach. There are differences in how the control plane is implemented (SDA uses LISP, ACI uses COOP for its endpoint database), but at the end of the day the common denominator is VXLAN encapsulation of all data-plane traffic.
The VXLAN header includes two fields that allow both macro and micro segmentation; both types are described in more detail in our policy enforcement article. For micro segmentation we are talking about Scalable Group Tags (SGTs) in SDA or Endpoint Groups (EPGs) in ACI. For macro segmentation there is the Virtual Network (VN) in SDA and the VRF in ACI. Despite the different acronyms, these map onto the same two header fields: the 24-bit VXLAN Network Identifier (VNI) carries the VN or VRF, and the 16-bit Group Policy ID (the VXLAN-GPO extension used by SDA; ACI’s iVXLAN carries the EPG class ID in the equivalent position) carries the SGT or EPG. Two caveats worth keeping in mind: the tag is a plain field in the outer header, so it is only trustworthy because it is set by the fabric edge on ingress, after authentication, and removed together with the VXLAN header on egress; and in SDA, traffic between two VNs still has to leave the fabric through a fusion router or firewall, so macro segmentation is only as strict as that device’s policy.
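The following is an added example, not code from the original article or from Cisco. It encodes and decodes the 8-byte VXLAN-GPO header described above (layout from draft-smith-vxlan-group-policy: flag bits, a 16-bit Group Policy ID carrying the SGT or class ID, a 24-bit VNI carrying the VN or VRF) and then makes an egress forwarding decision from the tag and VNI alone, the way a fabric edge would. The SGACL matrix, the egress binding table, the tag values and the MAC addresses are all constructed for illustration; the default-deny behaviour for unlisted tag pairs is this example’s choice, not a platform default.

```python
import struct
from dataclasses import dataclass

# Flag bits of the first VXLAN-GPO header byte (draft-smith-vxlan-group-policy)
FLAG_G = 0x80  # Group Policy ID field is valid
FLAG_I = 0x08  # VNI field is valid (mandatory in plain VXLAN as well)
# Flag bits of the second header byte
FLAG_D = 0x40  # Don't Learn: egress must not learn the inner source from this frame
FLAG_A = 0x08  # Applied: policy already enforced upstream, must not be enforced again


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int          # 24-bit VNI: the VN (SDA) / VRF (ACI), i.e. the macro segment
    group_id: int     # 16-bit Group Policy ID: the SGT (SDA) / EPG class ID (ACI)
    dont_learn: bool
    applied: bool


def build_vxlan_gpo(vni, group_id, applied=False, dont_learn=False):
    """Encode the header a fabric edge prepends on ingress (outer Ethernet/IP/UDP omitted)."""
    if not (0 <= vni < (1 << 24)) or not (0 <= group_id < (1 << 16)):
        raise ValueError("vni must fit in 24 bits and group_id in 16 bits")
    flags2 = (FLAG_A if applied else 0) | (FLAG_D if dont_learn else 0)
    return (struct.pack("!BBH", FLAG_I | FLAG_G, flags2, group_id)
            + vni.to_bytes(3, "big") + b"\x00")          # 3-byte VNI + reserved byte


def parse_vxlan_gpo(payload):
    """Decode the VXLAN-GPO header at the start of a UDP/4789 payload."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, flags2, group_id = struct.unpack("!BBH", payload[:4])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: not a valid VXLAN frame")
    if not flags & FLAG_G:
        group_id = 0                      # no tag carried: treat as the 'unknown' group
    return VxlanGpoHeader(vni=int.from_bytes(payload[4:7], "big"),
                          group_id=group_id,
                          dont_learn=bool(flags2 & FLAG_D),
                          applied=bool(flags2 & FLAG_A))


# Constructed SGACL matrix. Tags: 10 = Employees, 20 = Servers, 30 = IoT.
# Keys are (source_tag, destination_tag); anything not listed is denied.
SGACL_MATRIX = {
    (10, 10): "permit", (10, 20): "permit",
    (20, 20): "permit",
    (30, 30): "permit",
}

# Constructed egress binding table: a destination's VN and tag were learned when it was
# onboarded (802.1X/profiling) and are keyed by endpoint identity (MAC), not by IP address.
EGRESS_BINDINGS = {
    "00:11:22:33:44:55": {"vni": 4098, "tag": 20},   # a server in the Corp VN
    "66:77:88:99:aa:bb": {"vni": 4099, "tag": 30},   # a camera in the IoT VN
}


def egress_decision(vxlan_payload, dst_mac):
    """Decide at the egress edge using only the carried tag/VNI and the local binding.
    The inner IP addresses are never consulted, which is the whole point of tagging."""
    hdr = parse_vxlan_gpo(vxlan_payload)
    dst = EGRESS_BINDINGS.get(dst_mac)
    if dst is None:
        return "drop: unknown destination"
    # Macro segmentation: a real fabric looks the destination up in the VNI's own table,
    # so an endpoint in another VN is simply unreachable; modelled here as an explicit drop.
    if hdr.vni != dst["vni"]:
        return "drop: inter-VN"
    if hdr.applied:
        return "permit: policy already applied upstream"
    # Micro segmentation: (source SGT, destination SGT) lookup
    if SGACL_MATRIX.get((hdr.group_id, dst["tag"])) == "permit":
        return "permit"
    return f"drop: sgacl {hdr.group_id}->{dst['tag']}"


if __name__ == "__main__":
    laptop = build_vxlan_gpo(vni=4098, group_id=10)   # same tag whether wired, wireless or VPN
    print(egress_decision(laptop, "00:11:22:33:44:55"))   # permit
    camera = build_vxlan_gpo(vni=4099, group_id=30)
    print(egress_decision(camera, "00:11:22:33:44:55"))   # drop: inter-VN
```

Note that `egress_decision` never takes an IP address: an employee laptop that moves from a wired port to wireless or VPN keeps SGT 10 and gets the same verdict, and readdressing the server changes nothing in the policy. The A (Applied) bit is honoured so policy is enforced once per path; a fabric that accepted externally sourced frames with A set would be bypassable, which is why the tag field only means something when edges are the sole encapsulators.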
Cisco ACI also provides another construct, the Endpoint Security Group (ESG), which gives a lot more flexibility in datacentre segmentation design. Operationally, an ESG is similar to, and more straightforward than, the original EPG approach. Just as with EPGs, communication is implicitly allowed among endpoints within the same security group, but ESG membership is defined by selectors (EPG, IP subnet or policy tag) scoped to a VRF, so it is independent of the subnet or bridge domain (BD) the endpoint is attached to. Communication between different ESGs still requires a contract, exactly as between EPGs.
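The following is an added example, not ACI’s own code or API. It models ESG membership with the three selector kinds named above (EPG selector, IP subnet selector, tag selector) and checks the two rules that matter for segmentation: endpoints in the same ESG may talk to each other regardless of their BD, and endpoints in different ESGs need a contract. The endpoint records, ESG names, selectors and contract are constructed; contract direction and filters are left out, and overlapping selectors are treated as a configuration error, which is this example’s simplification rather than ACI’s precedence rules.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    ip: str
    vrf: str
    bd: str                                    # bridge domain the endpoint sits in
    epg: str                                   # classic EPG it was learned in
    tags: dict = field(default_factory=dict)   # policy tags, e.g. {"app": "web"}


@dataclass
class Esg:
    name: str
    vrf: str                                   # an ESG is scoped to exactly one VRF
    epg_selectors: frozenset = frozenset()
    subnet_selectors: tuple = ()               # ipaddress network objects
    tag_selectors: dict = field(default_factory=dict)


def matches(esg, ep):
    """True if any selector of the ESG matches the endpoint; the BD is never consulted."""
    if ep.vrf != esg.vrf:
        return False
    if ep.epg in esg.epg_selectors:
        return True
    addr = ipaddress.ip_address(ep.ip)
    if any(addr in net for net in esg.subnet_selectors):
        return True
    return any(ep.tags.get(k) == v for k, v in esg.tag_selectors.items())


def classify(ep, esgs):
    """Return the ESG name an endpoint belongs to, or None if no selector matches."""
    hits = [e.name for e in esgs if matches(e, ep)]
    if len(hits) > 1:
        # Overlapping selectors are rejected here rather than resolved by precedence
        raise ValueError(f"{ep.name} matches several ESGs: {hits}")
    return hits[0] if hits else None


def allowed(ep_a, ep_b, esgs, contracts):
    """Same ESG: implicitly permitted. Different ESGs: only with a contract between them."""
    a, b = classify(ep_a, esgs), classify(ep_b, esgs)
    if a is None or b is None:
        return False        # unclassified endpoints get no ESG policy in this model
    return a == b or frozenset((a, b)) in contracts


# Constructed ESG definitions and a single web<->db contract
ESGS = [
    Esg("web", "prod", tag_selectors={"app": "web"}),
    Esg("db", "prod", subnet_selectors=(ipaddress.ip_network("10.1.1.64/26"),)),
    Esg("legacy", "prod", epg_selectors=frozenset({"EPG-legacy"})),
]
CONTRACTS = {frozenset(("web", "db"))}

# Constructed endpoints: web1 and db1 share BD-A, web1 and web2 are in different BDs
ENDPOINTS = {
    "web1": Endpoint("web1", "10.1.1.10", "prod", "BD-A", "EPG-A", {"app": "web"}),
    "web2": Endpoint("web2", "10.2.2.10", "prod", "BD-B", "EPG-B", {"app": "web"}),
    "db1":  Endpoint("db1",  "10.1.1.70", "prod", "BD-A", "EPG-A"),
    "old1": Endpoint("old1", "10.3.3.5",  "prod", "BD-C", "EPG-legacy"),
}


if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(f"{name} in {ep.bd} -> ESG {classify(ep, ESGS)}")
    print("web1 -> web2:", allowed(ENDPOINTS["web1"], ENDPOINTS["web2"], ESGS, CONTRACTS))
    print("web1 -> db1: ", allowed(ENDPOINTS["web1"], ENDPOINTS["db1"], ESGS, CONTRACTS))
    print("web2 -> old1:", allowed(ENDPOINTS["web2"], ENDPOINTS["old1"], ESGS, CONTRACTS))
```

The point to take from the output is that web1 and web2 land in the same ESG although they sit in different BDs and subnets, while web1 and db1 share a BD yet end up in different ESGs and only talk because a contract exists. That is the decoupling of policy from addressing that the EPG-per-BD model could not express.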
In summary, modern software defined network solutions allow far greater flexibility in network segmentation. Carrying the identity in additional header fields decouples endpoint identity from its IP address, which is what makes the policy scalable and lets it follow an endpoint as it moves.