Once traffic has left the source and entered the network, the SGT assigned to the source is inserted inline in the frame, ahead of the IP header, much like an 802.1Q tag. The traffic is intended to traverse the network carrying that SGT until it reaches the edge nearest the destination. There the traffic is inspected again and the destination SGT is determined. The source SGT and destination SGT are then compared against the defined security policies (see Figure 7-30) to decide whether the traffic is forwarded to the destination client or dropped. This makes the policy framework highly scalable, because a network device only needs to evaluate the tags of the clients directly attached to it, not IP prefixes.
Figure 7-30 Adaptive Policy Deployment Logic
SGT Assignment Methods
In an Adaptive Policy network, after creating the Adaptive Policy tags, enabling Adaptive Policy, and classifying clients with the relevant tags, the next step is policy enforcement. The key property of a tag-based network is that policy is enforced at the destination network device. This makes the policy framework highly scalable, because a network device needs to consider only the tags of the clients directly connected to it, not IP prefixes. It does, however, impose strict requirements for micro-segmentation, including end-to-end support of the CMD encapsulation. Consider the different methods available for assigning SGTs:
• Static port assignment: Assign a fixed SGT to a specific switch port. This method suits devices that have no means of authenticating to the network.
• Static SSID assignment: Assign a specific SGT to a single-use SSID, such as a guest network.
• Dynamic via RADIUS: Use RADIUS authentication and authorization for wired and wireless devices, supporting MAC Authentication Bypass (MAB), 802.1X, and Identity Pre-Shared Key (IPSK) with or without RADIUS integration.
• IP prefix to SGT map: Match traffic to an SGT based on its IP subnet when no system is available to propagate SGTs.
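The enforcement flow described above (source tag carried inline, destination classified at its own edge, lookup in the source-by-destination policy matrix) and the four assignment methods just listed, as an added Python model. This is illustration code written for this section, not Meraki or Cisco code; the tag numbers, the precedence among classification sources, the use of 0 for an unknown tag, and the permit default are assumptions chosen for the example.

```python
"""Toy model of SGT-based enforcement at the destination edge.

Added illustration; not Meraki or Cisco code. Tag numbers, classification
precedence, 0 as the unknown tag and the default action are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

PERMIT, DENY = "permit", "deny"
UNKNOWN_SGT = 0  # assumed value for traffic whose group cannot be determined


@dataclass
class EdgeDevice:
    """An edge switch or AP with the SGT classification sources it can consult."""
    port_sgt: Dict[str, int] = field(default_factory=dict)    # static port assignment
    ssid_sgt: Dict[str, int] = field(default_factory=dict)    # static SSID assignment
    radius_sgt: Dict[str, int] = field(default_factory=dict)  # MAC -> SGT from RADIUS (simulated)
    prefix_sgt: Dict[str, int] = field(default_factory=dict)  # IP prefix to SGT map

    def lookup_prefix(self, ip: str) -> int:
        """Longest-prefix match over the IP prefix to SGT map; UNKNOWN_SGT if none matches."""
        addr = ip_address(ip)
        best: Optional[Tuple[int, int]] = None  # (prefix length, sgt)
        for cidr, sgt in self.prefix_sgt.items():
            net = ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, sgt)
        return best[1] if best else UNKNOWN_SGT

    def classify(self, mac: str, port: Optional[str] = None,
                 ssid: Optional[str] = None, ip: Optional[str] = None) -> int:
        """SGT of a directly attached client.

        Assumed precedence: RADIUS result, then static port or SSID, then the
        prefix map for clients with no other classification source.
        """
        if mac in self.radius_sgt:
            return self.radius_sgt[mac]
        if port is not None and port in self.port_sgt:
            return self.port_sgt[port]
        if ssid is not None and ssid in self.ssid_sgt:
            return self.ssid_sgt[ssid]
        if ip is not None:
            return self.lookup_prefix(ip)
        return UNKNOWN_SGT


@dataclass
class Frame:
    """Only the fields of a frame that matter to enforcement."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    cmd_sgt: Optional[int] = None  # SGT carried inline ahead of the IP header; None if untagged


class PolicyMatrix:
    """(source SGT, destination SGT) -> action, falling back to a default action."""
    def __init__(self, rules: Dict[Tuple[int, int], str], default: str = PERMIT):
        self.rules = rules
        self.default = default

    def action(self, src_sgt: int, dst_sgt: int) -> str:
        return self.rules.get((src_sgt, dst_sgt), self.default)


def enforce(frame: Frame, egress: EdgeDevice, dst_port: str, matrix: PolicyMatrix) -> str:
    """Decision taken by the edge device nearest the destination.

    A tagged frame is classified by its inline tag alone. Only an untagged frame
    (one that crossed a segment without CMD support) falls back to the prefix map.
    """
    src_sgt = frame.cmd_sgt if frame.cmd_sgt is not None else egress.lookup_prefix(frame.src_ip)
    dst_sgt = egress.classify(frame.dst_mac, port=dst_port, ip=frame.dst_ip)
    return matrix.action(src_sgt, dst_sgt)


# Constructed sample data for the example.
EMPLOYEE, GUEST, PRINTER = 10, 20, 30
MATRIX = PolicyMatrix({(GUEST, EMPLOYEE): DENY, (GUEST, PRINTER): DENY})
EGRESS = EdgeDevice(
    port_sgt={"1": PRINTER},                     # printer on a statically tagged port
    radius_sgt={"aa:bb:cc:00:00:01": EMPLOYEE},  # laptop authorized via 802.1X
    prefix_sgt={"10.20.0.0/16": GUEST, "10.10.0.0/16": EMPLOYEE},
)


def demo() -> Dict[str, str]:
    """Run four constructed flows through the destination-edge decision."""
    tagged_employee = Frame("aa:bb:cc:00:00:09", "aa:bb:cc:00:00:02", "10.10.1.5", "10.30.0.7", cmd_sgt=EMPLOYEE)
    tagged_guest = Frame("aa:bb:cc:00:00:08", "aa:bb:cc:00:00:02", "10.20.3.4", "10.30.0.7", cmd_sgt=GUEST)
    untagged_guest = Frame("aa:bb:cc:00:00:08", "aa:bb:cc:00:00:01", "10.20.3.4", "10.10.0.9")
    untagged_unknown = Frame("aa:bb:cc:00:00:07", "aa:bb:cc:00:00:01", "192.168.5.5", "10.10.0.9")
    return {
        "employee->printer": enforce(tagged_employee, EGRESS, "1", MATRIX),
        "guest->printer": enforce(tagged_guest, EGRESS, "1", MATRIX),
        "untagged guest->employee": enforce(untagged_guest, EGRESS, "7", MATRIX),
        "unknown->employee": enforce(untagged_unknown, EGRESS, "7", MATRIX),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The third flow is the case the prefix map exists for: the guest frame arrived untagged, so the destination edge derives the source SGT from its subnet and still applies the guest-to-employee deny. The fourth flow shows why the default action in the matrix deserves attention: a source that matches no prefix and carries no tag falls into the unknown group and receives whatever the default grants.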