Chapter 17: Network Security Architecture and Segmentation
Learning Objectives
Design network segmentation architectures using VLANs, VRFs, firewalls, and Security Group Tags (SGTs)
Implement defense-in-depth strategies across enterprise network tiers
Design network access control solutions for wired, wireless, and remote users
Evaluate trade-offs between macro-segmentation and micro-segmentation approaches
Architect DMZ, firewall zone, and ZTNA designs appropriate for different organizational requirements
Pre-Study Assessment
Answer these questions to gauge your current understanding. You will see the same questions again after studying.
Pre-Quiz
1. An enterprise needs to isolate PCI cardholder data traffic from general corporate traffic on shared physical infrastructure, with completely separate routing tables. Which segmentation technology is most appropriate?
VLAN-based segmentation with inter-VLAN ACLs
Security Group Tags (SGTs) with SGACLs
VRF-based segmentation
Host-based firewalls on each endpoint
2. What is the primary advantage of SGT-based segmentation over VLAN-based segmentation?
SGTs provide stateful inspection of traffic
SGTs decouple security policy from network topology
SGTs eliminate the need for authentication
SGTs can create separate routing tables
3. In a Cisco SD-Access deployment, what is the role of the fusion firewall?
It authenticates endpoints via 802.1X before granting network access
It provides stateful inspection for inter-VN (inter-VRF) traffic
It assigns SGTs to traffic based on device profiling
It provides VXLAN encapsulation for overlay traffic
4. During a phased ISE deployment, what happens in Low-Impact Mode (Phase 2)?
All traffic is permitted regardless of authentication result
No traffic is permitted until successful authentication
A pre-authentication ACL permits essential services while requiring authentication for other access
Only 802.1X-authenticated devices are allowed; MAB devices are blocked
5. What is the key architectural difference between traditional VPN and Zero Trust Network Access (ZTNA)?
VPN uses encryption while ZTNA does not
ZTNA grants per-application access while VPN grants broad network access
VPN requires a cloud broker while ZTNA uses on-premises concentrators
ZTNA only works with wireless connections
6. Why is a dual-firewall DMZ design preferred over a single-firewall (three-legged) design?
It costs less to deploy and manage
It eliminates the need for IPS inspection in the DMZ
Compromise of the outer firewall does not expose the internal network
It allows DMZ servers to initiate connections to internal databases
7. When should SXP (SGT Exchange Protocol) be used instead of inline SGT tagging?
When all devices in the path support TrustSec hardware
When hardware in the path does not support inline tagging
When stateful inspection of SGT traffic is required
When the network uses only wireless connections
8. In the 802.1X authentication framework, what role does the switch or WLC play?
Supplicant
Authentication server
Authenticator
Identity store
9. A network architect must choose a segmentation approach to prevent lateral movement between employees and contractors within the same VRF. Which approach is most appropriate?
Create separate VRFs for employees and contractors
Apply SGTs and SGACLs to enforce identity-based policies within the VRF
Deploy a separate physical network for contractors
Add inter-VLAN ACLs at the core layer only
10. Which EAP method provides mutual authentication using certificates on both client and server?
PEAP (MSCHAPv2)
EAP-FAST
EAP-TLS
EAP-TTLS
11. What is the primary function of ISE Policy Service Nodes (PSNs) in a large-scale deployment?
Central configuration and policy management
Log aggregation and reporting
Processing RADIUS and TACACS+ authentication requests
Certificate authority operations
12. In a defense-in-depth architecture, why is IPS placement between internal zones important even when a perimeter firewall exists?
Internal IPS replaces the need for endpoint protection
It detects lateral movement and internal threats that bypassed the perimeter
It provides NAT services between internal zones
Internal IPS is only needed for compliance documentation
13. In the Central Web Authentication (CWA) guest access flow, what triggers the Change of Authorization (CoA) to the switch?
The guest device initiates an 802.1X exchange
The guest successfully authenticates through the ISE guest portal
The switch detects the guest VLAN tag in the Ethernet frame
The VPN concentrator validates the guest's certificate
14. What is a key limitation of SGACL enforcement on switches compared to firewall enforcement?
SGACLs cannot filter based on source and destination groups
SGACLs operate as simple permit/deny filters without stateful connection tracking
SGACLs require manual IP address configuration for each endpoint
SGACLs can only be applied to wireless traffic
15. An architect is designing segmentation for an organization with regulatory compliance zones, guest isolation, and granular role-based access. What is the recommended layered approach?
Deploy SGTs first, then add VRFs only if SGTs prove insufficient
Use only VLANs with detailed ACLs for all segmentation needs
Deploy macro-segmentation (VRFs) first for broad boundaries, then layer micro-segmentation (SGTs) on top
Implement host-based firewalls on every endpoint and skip network-level segmentation
Section 1: Network Segmentation Design
Network segmentation divides a network into smaller, isolated sections to limit the blast radius of security incidents, enforce policy boundaries, and improve manageability. Think of segmentation like the watertight compartments on a ship: if one compartment is breached, the bulkheads prevent the entire vessel from flooding.
1.1 VLAN-Based Segmentation
VLANs are the most fundamental form of segmentation. They create Layer 2 broadcast domain boundaries, and inter-VLAN communication requires a Layer 3 device where ACLs can filter traffic.
Provides macro-segmentation by grouping devices into subnets based on function, department, or security level
Policy is topology-dependent: a device's VLAN assignment is tied to the physical or logical port
Limitations: VLAN sprawl becomes a management burden in large enterprises; inter-VLAN ACLs grow complex; policy cannot be enforced between hosts within a single VLAN
1.2 VRF-Based Segmentation
Virtual Routing and Forwarding (VRF) creates entirely separate routing tables within the same physical infrastructure. Each VRF maintains its own independent Forwarding Information Base (FIB).
Analogy: If VLANs are rooms in a building, VRFs are entirely separate buildings. Rooms in the same building share hallways. Separate buildings have no corridors connecting them unless you deliberately construct a bridge.
| Use Case | VRF Design Pattern |
| --- | --- |
| PCI-DSS compliance | Cardholder data in a dedicated VRF, isolated from general traffic |
| Guest wireless | Guest traffic in its own VRF with only internet-bound exit points |
| Multi-tenancy | Each tenant receives a VRF with separate routing domains |
| IoT isolation | OT/IoT devices in a dedicated VRF with restricted exit paths |
1.3 Fusion Firewall Architecture
In modern campus architectures, the fusion firewall handles communication between separate Virtual Networks (VNs) or VRFs, providing stateful inspection at segmentation boundaries with application-layer visibility.
Animation: Traffic flow through a fusion firewall showing three VNs (Corporate, IoT, Guest) being inspected before reaching shared services
1.4 TrustSec and SGT-Based Segmentation
Cisco TrustSec assigns a Security Group Tag (SGT) -- a 16-bit identifier -- to traffic based on the identity of the user or device. This decouples security policy from network topology entirely.
How SGTs Work:
1. A user or device connects to the network
2. Cisco ISE authenticates the endpoint (via 802.1X, MAB, or WebAuth)
3. ISE assigns an SGT based on identity attributes: role, department, device type, posture
4. The SGT is embedded in the Ethernet frame (inline tagging) or shared via IP-to-SGT mappings (SXP)
5. Enforcement points apply SGACLs based on source SGT and destination SGT
| Propagation Method | Mechanism | When to Use |
| --- | --- | --- |
| Inline Tagging | SGT embedded in Ethernet frame header | All devices support TrustSec hardware -- preferred for scalability |
| SXP | TCP-based peer-to-peer IP-to-SGT mapping | Hardware does not support inline tagging; bridges TrustSec and legacy domains |
sequenceDiagram
participant EP as Endpoint
participant SW as Switch (Authenticator)
participant ISE as Cisco ISE
participant SRV as Destination Server
EP->>SW: Connect to network port
SW->>EP: EAP-Request/Identity
EP->>SW: EAP-Response (credentials)
SW->>ISE: RADIUS Access-Request
ISE->>ISE: Authenticate & assign SGT
ISE->>SW: RADIUS Access-Accept (SGT=10)
SW->>SW: Tag traffic with SGT 10
EP->>SW: Traffic to server
SW->>SRV: Forward with SGT 10
SRV->>SRV: SGACL check (Src SGT 10 to Dst SGT 50)
SRV-->>EP: Permit or Deny per SGACL matrix
Figure 17.1: SGT Assignment and SGACL Enforcement Flow
1.5 Macro-Segmentation vs. Micro-Segmentation
| Characteristic | Macro-Segmentation | Micro-Segmentation |
| --- | --- | --- |
| Granularity | Broad groups (all employees, all IoT) | Fine-grained (by role, device type, application) |
| Mechanism | VRFs, VNs, VLANs | SGTs, SGACLs, host-based firewalls |
| Policy basis | Network topology (subnet, VLAN) | Identity (user, device, posture) |
| Enforcement | Routing boundaries, fusion firewalls | Inline at access layer or endpoint |
| Use case | Regulatory compliance zones, tenant isolation | Limiting lateral movement within a zone |
flowchart TB
subgraph MACRO["Macro-Segmentation (VRFs / VNs)"]
direction LR
VRF1["VRF: Corporate"]
VRF2["VRF: Guest"]
VRF3["VRF: IoT/OT"]
end
subgraph MICRO["Micro-Segmentation (SGTs within each VRF)"]
direction LR
SGT1["SGT 10: Employees"]
SGT2["SGT 20: Contractors"]
SGT3["SGT 30: Printers"]
SGT4["SGT 40: Cameras"]
end
subgraph ENFORCE["Enforcement Points"]
direction LR
FW["Fusion Firewall (inter-VRF)"]
SGACL["SGACLs (intra-VRF)"]
end
MACRO --> MICRO
MICRO --> ENFORCE
VRF1 -.->|"contains"| SGT1 & SGT2
VRF3 -.->|"contains"| SGT3 & SGT4
Figure 17.2: Layered Macro and Micro-Segmentation Architecture
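To make the layered model of Sections 1.4 and 1.5 concrete, here is an added example (written for this chapter, not Cisco code or an ISE/TrustSec API) that evaluates a flow the way the two layers do: the VRF boundary is checked first and only the fusion firewall can join two VRFs; inside one VRF, the source and destination SGTs are looked up from IP-to-SGT bindings (the kind of mapping SXP distributes) and the SGACL matrix decides. The VRF names, SGT numbers, prefixes and rules are all constructed.

```python
"""Added example, not part of the chapter: a small model of the layered
segmentation the text describes.

Macro layer: every prefix belongs to a VRF, and traffic between two VRFs
can only pass through the fusion firewall, which has its own rule set.
Micro layer: inside one VRF every endpoint carries an SGT and the SGACL
matrix (source SGT x destination SGT) decides permit or deny.

All VRF names, SGT numbers, prefixes and rules are constructed for
illustration and are not a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP-to-SGT bindings of the kind SXP distributes to devices that cannot
# read inline tags (constructed).
IP_SGT_BINDINGS = {
    ip_network("10.10.0.0/16"): 10,  # Employees
    ip_network("10.20.0.0/16"): 20,  # Contractors
    ip_network("10.30.0.0/24"): 30,  # Printers
    ip_network("10.40.0.0/24"): 40,  # Cameras
    ip_network("10.50.0.0/24"): 50,  # Shared services
}

# Which VRF each prefix lives in (constructed).
VRF_OF_PREFIX = {
    ip_network("10.10.0.0/16"): "Corporate",
    ip_network("10.20.0.0/16"): "Corporate",
    ip_network("10.30.0.0/24"): "Corporate",
    ip_network("10.50.0.0/24"): "Corporate",
    ip_network("10.40.0.0/24"): "IoT",
}

# SGACL matrix: (source SGT, destination SGT) -> action. Anything not
# listed falls to the default, which is deny. SGACLs are stateless, so
# the 10->30 entry does not make 30->10 replies pass; that direction
# needs its own entry.
SGACL_MATRIX = {
    (10, 50): "permit",  # Employees -> shared services
    (20, 50): "permit",  # Contractors -> shared services
    (10, 30): "permit",  # Employees -> printers
    (30, 10): "permit",  # Printers -> employees (reverse direction, listed explicitly)
    (10, 20): "deny",    # Employees must not reach contractor hosts
    (20, 10): "deny",    # Contractors must not reach employee hosts
}
DEFAULT_SGACL = "deny"

# Fusion firewall rules for inter-VRF traffic: (src VRF, dst VRF, dst port).
# Anything not listed is denied (constructed).
FUSION_RULES = {("IoT", "Corporate", 443)}


def _longest_match(table, ip):
    """Longest-prefix match of an address against a prefix-keyed dict."""
    addr = ip_address(ip)
    hits = [(net, value) for net, value in table.items() if addr in net]
    if not hits:
        raise LookupError(f"no binding for {ip}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def sgt_of(ip):
    return _longest_match(IP_SGT_BINDINGS, ip)


def vrf_of(ip):
    return _longest_match(VRF_OF_PREFIX, ip)


@dataclass(frozen=True)
class Verdict:
    action: str       # "permit" or "deny"
    enforced_by: str  # "fusion-firewall" (macro) or "sgacl" (micro)
    detail: str


def evaluate_flow(src_ip, dst_ip, dst_port):
    """Decide one flow: VRF boundary first, then SGT matrix inside the VRF."""
    src_vrf, dst_vrf = vrf_of(src_ip), vrf_of(dst_ip)
    if src_vrf != dst_vrf:
        action = "permit" if (src_vrf, dst_vrf, dst_port) in FUSION_RULES else "deny"
        return Verdict(action, "fusion-firewall", f"{src_vrf}->{dst_vrf}:{dst_port}")
    src_sgt, dst_sgt = sgt_of(src_ip), sgt_of(dst_ip)
    action = SGACL_MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    return Verdict(action, "sgacl", f"SGT {src_sgt}->{dst_sgt} in {src_vrf}")


if __name__ == "__main__":
    # Constructed sample flows.
    for flow in [
        ("10.10.1.5", "10.50.0.10", 445),  # employee -> file server
        ("10.20.1.5", "10.10.1.5", 22),    # contractor -> employee laptop
        ("10.40.0.7", "10.50.0.10", 443),  # camera -> shared services (crosses VRF)
        ("10.40.0.7", "10.10.1.5", 22),    # camera -> employee laptop (crosses VRF)
        ("10.30.0.2", "10.20.1.5", 80),    # printer -> contractor (no matrix entry)
    ]:
        v = evaluate_flow(*flow)
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {v.action:6} via {v.enforced_by} ({v.detail})")
```

Two things worth noticing when you run it: the camera's HTTPS flow crosses a VRF and is decided by the fusion-firewall rule set, never by the SGT matrix, which is the macro/micro split the chapter recommends; and the printer-to-contractor flow is dropped purely because no matrix cell exists for SGT 30 to SGT 20, which is the default-deny, stateless behaviour that quiz question 14 is about.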
1.6 Segmentation in SD-Access and ACI
SD-Access uses a VXLAN data-plane overlay with LISP as the control plane. Virtual Networks (VNs) map to VRFs for macro-segmentation. SGTs within VNs provide micro-segmentation enforced by fabric edge nodes. A fusion firewall handles inter-VN traffic.
ACI uses Endpoint Groups (EPGs) and Contracts to define allowed communication. VRFs and Bridge Domains provide Layer 3/Layer 2 isolation. Both platforms integrate with ISE for identity-based policy.
Key Points -- Network Segmentation Design
VLANs provide basic Layer 2 macro-segmentation but are topology-dependent and cannot enforce policy within a single VLAN
VRFs create completely separate routing tables -- ideal for regulatory compliance zones and tenant isolation
SGTs decouple security policy from topology, enabling identity-based micro-segmentation using a source-destination matrix model
The fusion firewall provides stateful inspection at VRF/VN boundaries where SGACLs lack application-layer depth
Best practice: deploy macro-segmentation (VRFs) first for broad boundaries, then layer micro-segmentation (SGTs) for granular control
Animation: Side-by-side comparison showing a flat network with unrestricted lateral movement vs. a segmented network with VRFs, SGTs, and fusion firewall blocking unauthorized paths
Section 2: Network Access Control Design
Network Access Control (NAC) is the gatekeeper that determines who and what gains access and under what conditions. NAC directly feeds segmentation: the authentication result determines the VLAN, SGT, ACL, or policy applied to the endpoint.
2.1 802.1X and MAB Design
802.1X is the IEEE standard for port-based network access control using EAP for authentication before granting network access.
The Three Roles:
Supplicant: Software on the endpoint (built into Windows, macOS, Linux)
Authenticator: The switch port or wireless controller that controls access
Authentication Server: Cisco ISE, which evaluates credentials against identity stores
| EAP Method | Authentication | Mutual Auth? | Best For |
| --- | --- | --- | --- |
| EAP-TLS | Certificate-based (client + server) | Yes | High-security; managed endpoints |
| PEAP (MSCHAPv2) | Username/password + server cert | One-way | Environments without PKI |
| EAP-FAST | Flexible; PAC-based and certificate | Configurable | Mixed environments |
MAB (MAC Authentication Bypass): For devices without 802.1X supplicants (printers, IoT sensors, cameras). The switch submits the MAC address to ISE as credentials. Typical authentication order: 802.1X first, then fall back to MAB after timeout.
Animation: 802.1X authentication flow showing supplicant, authenticator, and authentication server exchange followed by MAB fallback sequence
2.2 ISE Deployment Architecture
| Node Role | Function | Scaling Approach |
| --- | --- | --- |
| PAN (Policy Administration Node) | Central configuration and policy management | Primary/Secondary for HA |
| PSN (Policy Service Node) | Processes RADIUS/TACACS+ authentication requests | Multiple PSNs behind load balancers |
| MnT (Monitoring and Troubleshooting) | Log aggregation, reporting, analytics | Active/Standby for redundancy |
2.3 Phased ISE Deployment
| Phase | Mode | Behavior | Risk |
| --- | --- | --- | --- |
| Phase 1 | Monitor Mode | All traffic permitted; ISE logs successes and failures | Minimal |
| Phase 2 | Low-Impact Mode | Pre-auth ACL permits essential services; other traffic requires auth | Moderate |
| Phase 3 | Closed Mode | No traffic until successful authentication; full enforcement | High |
Analogy: Phase 1 is like guards who observe and log everyone entering but do not stop anyone. Phase 2 allows anyone through the lobby but requires a badge for specific floors. Phase 3 requires a valid badge to enter the building at all.
sequenceDiagram
participant EP as Endpoint
participant SW as Switch Port
participant ISE as Cisco ISE
rect rgb(200, 230, 200)
Note over EP,ISE: Phase 1 - Monitor Mode
EP->>SW: Connect
SW->>ISE: Auth request
ISE->>SW: Auth result (pass/fail)
SW->>EP: All traffic permitted regardless
Note right of ISE: Log only - no enforcement
end
rect rgb(255, 230, 180)
Note over EP,ISE: Phase 2 - Low-Impact Mode
EP->>SW: Connect
SW->>EP: Pre-auth ACL (DHCP, DNS allowed)
SW->>ISE: Auth request
ISE->>SW: Auth result + dACL
SW->>EP: Apply per-user policy
Note right of ISE: Partial enforcement
end
rect rgb(255, 200, 200)
Note over EP,ISE: Phase 3 - Closed Mode
EP->>SW: Connect
SW--xEP: All traffic blocked
SW->>ISE: Auth request
ISE->>SW: Auth success + VLAN/SGT/dACL
SW->>EP: Full access granted
Note right of ISE: Full enforcement
end
Figure 17.3: Phased ISE Deployment -- Monitor, Low-Impact, and Closed Mode
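The following added example (written for this chapter; it is not ISE or Cisco code, and the authentication server is simulated) ties Section 2.1 to Section 2.3: the authenticator tries 802.1X first and falls back to MAB for an endpoint with no supplicant, and the resulting pass/fail plus authorization policy is then applied under each of the three deployment modes, so you can see what the same endpoint gets in Monitor, Low-Impact and Closed Mode. The usernames, MAC addresses, VLAN and SGT values and the pre-auth ACL contents are constructed.

```python
"""Added example, not part of the chapter: a toy model of one access-port
authorization decision across the three phased-deployment modes.

The authenticator tries 802.1X first and falls back to MAB when the
endpoint has no supplicant. A simulated authentication server answers
with a pass/fail plus an authorization policy. What the port then lets
through depends on the mode: Monitor (log only), Low-Impact (pre-auth
ACL, then per-user policy) or Closed (nothing until success).

Usernames, passwords, MAC addresses, SGTs, VLANs and the pre-auth ACL
are constructed; the authentication server is simulated, not ISE.
"""
from dataclasses import dataclass, field

# Pre-authentication ACL for Low-Impact Mode: (protocol, destination port).
PRE_AUTH_ACL = {("udp", 67), ("udp", 53)}  # DHCP and DNS only

# Simulated identity store and endpoint database (constructed).
DOT1X_USERS = {"alice": ("correct horse", {"sgt": 10, "vlan": 100})}
MAB_ENDPOINTS = {"00:11:22:33:44:55": {"sgt": 30, "vlan": 300}}  # a known printer


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool
    username: str = ""
    password: str = ""


@dataclass
class AuthResult:
    method: str   # "dot1x" or "mab"
    success: bool
    policy: dict = field(default_factory=dict)  # VLAN/SGT returned on success


def authenticate(ep):
    """802.1X when a supplicant answers EAP; otherwise MAB with the MAC as credential."""
    if ep.has_supplicant:
        entry = DOT1X_USERS.get(ep.username)
        ok = entry is not None and entry[0] == ep.password
        return AuthResult("dot1x", ok, dict(entry[1]) if ok else {})
    policy = MAB_ENDPOINTS.get(ep.mac.lower())
    return AuthResult("mab", policy is not None, dict(policy or {}))


def port_decision(mode, result, proto, dst_port):
    """Return (allowed, reason) for one packet the endpoint sends after auth."""
    if mode == "monitor":
        outcome = "pass" if result.success else "fail"
        return True, f"monitor: {result.method} {outcome} logged, traffic permitted"
    if mode == "low-impact":
        if result.success:
            return True, f"low-impact: per-user policy applied {result.policy}"
        if (proto, dst_port) in PRE_AUTH_ACL:
            return True, "low-impact: pre-auth ACL permits essential service"
        return False, "low-impact: unauthenticated and not in pre-auth ACL"
    if mode == "closed":
        if result.success:
            return True, f"closed: full access with policy {result.policy}"
        return False, "closed: no traffic until successful authentication"
    raise ValueError(f"unknown mode: {mode}")


def simulate(mode, ep, proto, dst_port):
    """Authenticate the endpoint, then apply the mode's port behaviour."""
    return port_decision(mode, authenticate(ep), proto, dst_port)


if __name__ == "__main__":
    printer = Endpoint("00:11:22:33:44:55", has_supplicant=False)
    unknown = Endpoint("aa:bb:cc:dd:ee:ff", has_supplicant=False)  # MAC not in the database
    alice = Endpoint("de:ad:be:ef:00:01", True, "alice", "correct horse")
    for mode in ("monitor", "low-impact", "closed"):
        for name, ep in (("printer", printer), ("unknown", unknown), ("alice", alice)):
            for proto, port in (("udp", 67), ("tcp", 445)):
                allowed, reason = simulate(mode, ep, proto, port)
                print(f"{mode:10} {name:8} {proto}/{port}: {'ALLOW' if allowed else 'DROP'}  {reason}")
```

The output table is the point of the example: the unknown MAB endpoint gets everything in Monitor Mode, only DHCP and DNS in Low-Impact Mode, and nothing in Closed Mode, while the known printer and the 802.1X user receive their VLAN/SGT policy in every mode. That is exactly the risk gradient the phase table describes, and it is why the Monitor Mode logs are reviewed for unexpected failures before moving a site to the next phase.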
2.4 BYOD and Guest Access
BYOD: Personal devices are redirected to a self-service portal, provisioned with certificates, and granted limited access based on posture and identity. BYOD devices receive a different SGT than corporate-managed devices.
Guest Access (CWA):
1. Guest connects (no supplicant), switch times out 802.1X, initiates MAB
2. ISE returns URL-redirect authorization to guest portal
3. Guest enters credentials (sponsor-approved, self-registration, or social login)
4. ISE issues CoA (Change of Authorization) applying guest VRF + guest SGT + restricted ACL
sequenceDiagram
participant Guest as Guest Device
participant SW as Switch/WLC
participant ISE as Cisco ISE
participant Portal as ISE Guest Portal
Guest->>SW: Connect (no supplicant)
SW->>SW: 802.1X timeout
SW->>ISE: MAB (MAC address as credential)
ISE->>SW: URL-Redirect authorization
Guest->>SW: HTTP request
SW->>Guest: Redirect to Guest Portal
Guest->>Portal: Enter credentials
Portal->>ISE: Validate guest credentials
ISE->>SW: CoA (Change of Authorization)
SW->>SW: Apply guest VRF + guest SGT + ACL
Guest->>SW: Internet-only access granted
Figure 17.4: Central Web Authentication (CWA) Guest Access Flow
2.5 Remote Access: VPN vs. ZTNA
| Attribute | Traditional VPN | ZTNA |
| --- | --- | --- |
| Access scope | Broad network access | Per-application access |
| Trust model | Trust then verify | Never trust, always verify |
| Lateral movement risk | High | Low -- access limited to authorized apps |
| Traffic path | All through VPN concentrator | Direct-to-resource (distributed) |
| Policy enforcement | Static ACLs | Dynamic, context-aware |
| Scalability | Limited by concentrator | Cloud-delivered, elastic |
flowchart LR
subgraph VPN["Traditional VPN"]
direction TB
U1["Remote User"] -->|"VPN Tunnel"| CONC["VPN Concentrator"]
CONC -->|"Broad network access"| NET["Internal Network"]
NET --> APP1["App A"]
NET --> APP2["App B"]
NET --> APP3["App C"]
end
subgraph ZTNA["Zero Trust Network Access"]
direction TB
U2["Remote User"] -->|"Identity + Posture"| BROKER["Cloud Broker"]
BROKER -->|"Per-app tunnel"| APPA["App A"]
BROKER -->|"Per-app tunnel"| APPB["App B"]
BROKER -.->|"Denied"| APPC["App C"]
end
Figure 17.5: Traditional VPN vs. ZTNA Traffic Flow
Key Points -- Network Access Control Design
802.1X provides the strongest port-based authentication; MAB is the fallback for devices without supplicant support
ISE uses three node roles: PAN (policy management), PSN (authentication processing), MnT (monitoring) -- each scaled independently
Guest access uses CWA with MAB, URL-redirect, portal authentication, and CoA to apply guest VRF + SGT
ZTNA provides per-application access with continuous verification, reducing lateral movement risk compared to VPN
Section 3: Defense-in-Depth Architecture
Analogy: Defense-in-depth is like a medieval castle. The moat stops the first wave. The outer wall stops those who cross the moat. The inner wall protects the keep. Guards patrol each layer independently. In networking: perimeter firewalls, internal segmentation, endpoint protection, and monitoring each operate independently.
3.1 Firewall Placement and Zone Design
A firewall zone is a logical grouping of interfaces sharing a common security policy. Traffic within a zone flows freely; traffic between zones is subject to inspection.
| Zone | Purpose | Typical Contents |
| --- | --- | --- |
| External | Untrusted internet-facing | ISP uplinks, public IPs |
| DMZ | Semi-trusted; public-accessible services | Web servers, mail gateways, reverse proxies |
| Internal | Trusted corporate network | User endpoints, app servers, databases |
Extended zones include: Management (out-of-band), Database (isolated tier), PCI (cardholder data), and Partner/Extranet (B2B).
NGFW integrates:
1. Stateful packet inspection, NAT, and VPN termination
2. IPS: signature- and anomaly-based detection
3. Application control: identifies traffic by application, not just by port/protocol
Single Firewall DMZ (Three-Legged): One firewall with three interfaces. Simple but single point of failure -- compromise exposes both DMZ and internal network.
Dual Firewall DMZ (Recommended): Outer firewall between internet and DMZ, inner firewall between DMZ and internal. Advantages:
Compromise of outer firewall does not expose internal network
Vendor diversity reduces risk of single vulnerability compromising both layers
Each firewall has a simpler, more focused rule set
Service Edge Principles: Public services belong in the DMZ. DMZ servers should never initiate connections to internal networks. Database servers reside behind the inner firewall, accessible only from the application tier.
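As an added example for the zone model and the service-edge principles above (written for this chapter, not a vendor's firewall code), here is a small zone-based firewall with a connection table. Addresses map to zones by longest prefix, traffic that stays inside a zone is not inspected, inter-zone traffic must match a zone-pair rule, and replies pass only for a connection the firewall already permitted. The rule set deliberately contains no rule with DMZ as the source and reaches the Database tier only from an application-server prefix; the zone prefixes, addresses, ports and rules are constructed.

```python
"""Added example, not part of the chapter: a zone-based firewall model
with a connection table, to show how the three-zone design plus a
Database tier behaves.

Addresses belong to zones; traffic that stays inside a zone is not
inspected; traffic crossing zones must match a zone-pair rule, and the
reply direction is allowed only for a connection the firewall already
permitted. Zone names, prefixes, ports and rules are constructed.
"""
from ipaddress import ip_address, ip_network

# Address-to-zone mapping by longest prefix (constructed). 0.0.0.0/0 is the
# catch-all for the untrusted External zone.
ZONE_PREFIXES = {
    "External": ip_network("0.0.0.0/0"),
    "DMZ": ip_network("192.0.2.0/24"),
    "Internal": ip_network("10.0.0.0/8"),
    "Database": ip_network("10.200.0.0/24"),  # isolated tier behind the inner firewall
}
APP_TIER = ip_network("10.50.0.0/24")  # application servers inside Internal

# Zone-pair rules: (src zone, optional src prefix, dst zone, dst port).
# There is deliberately no rule with DMZ as the source: DMZ servers never
# initiate connections inward.
RULES = [
    ("External", None, "DMZ", 443),            # public web service
    ("Internal", None, "DMZ", 443),            # staff using the same web service
    ("Internal", APP_TIER, "Database", 5432),  # only the app tier reaches the DB
]


def zone_of(ip):
    """Longest-prefix match; every IPv4 address falls into External at worst."""
    addr = ip_address(ip)
    zone, _ = max(((z, n) for z, n in ZONE_PREFIXES.items() if addr in n),
                  key=lambda zn: zn[1].prefixlen)
    return zone


class ZoneFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # permitted connections as (src, sport, dst, dport)

    def process(self, src, sport, dst, dport):
        """Return (action, reason) for one TCP packet and update state."""
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            return "permit", f"intra-zone {src_zone}, not inspected"
        if (dst, dport, src, sport) in self.conntrack:
            return "permit", "reply to an established connection"
        for rule_src, rule_net, rule_dst, rule_port in self.rules:
            if (rule_src, rule_dst, rule_port) != (src_zone, dst_zone, dport):
                continue
            if rule_net is not None and ip_address(src) not in rule_net:
                continue
            self.conntrack.add((src, sport, dst, dport))
            return "permit", f"rule {src_zone}->{dst_zone}:{dport}"
        return "deny", f"no zone-pair rule {src_zone}->{dst_zone}:{dport}"


# Constructed packet sequence; order matters because the result is stateful.
SCENARIO = [
    ("203.0.113.9", 51000, "192.0.2.10", 443),  # internet client -> DMZ web
    ("192.0.2.10", 443, "203.0.113.9", 51000),  # web reply
    ("192.0.2.10", 40000, "10.200.0.5", 5432),  # DMZ web -> database (must fail)
    ("10.50.0.20", 40001, "10.200.0.5", 5432),  # app server -> database
    ("10.200.0.5", 5432, "10.50.0.20", 40001),  # database reply
    ("10.1.1.7", 40002, "10.200.0.5", 5432),    # user desktop -> database (must fail)
    ("192.0.2.10", 40003, "192.0.2.11", 22),    # DMZ -> DMZ, same zone
]


def run_scenario(packets=SCENARIO):
    """Run the packets through a fresh firewall and return the actions in order."""
    fw = ZoneFirewall(RULES)
    return [fw.process(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    fw = ZoneFirewall(RULES)
    for pkt in SCENARIO:
        action, reason = fw.process(*pkt)
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  {action:6} ({reason})")
```

Compare this with the SGACL behaviour in Section 1: the database reply in packet 5 is permitted because the firewall remembers the app server's connection, whereas a stateless SGACL would need an explicit reverse entry. The DMZ web server's attempt to open a connection to the database in packet 3 is refused by the absence of any DMZ-sourced rule, which is the service-edge principle enforced as policy rather than as convention.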
Animation: Dual-firewall DMZ showing traffic flow from internet through outer firewall to DMZ, then through inner firewall to internal network, with attack path being stopped at each layer
Key Points -- Defense-in-Depth Architecture
Firewall zones create policy boundaries; the three-zone model (External, DMZ, Internal) is the foundation, extended with management, database, PCI, and partner zones
NGFWs integrate stateful inspection, IPS, and application control in a single platform; deployment modes include routed, transparent, and inline set
Dual-firewall DMZ is preferred: compromise of the outer firewall does not expose the internal network; vendor diversity reduces single-vulnerability risk
IPS placement between internal zones catches lateral movement that bypassed the perimeter -- essential for defense-in-depth
Design with the assumption that any single layer can fail; the remaining layers must still provide protection
Post-Study Assessment
Now that you have reviewed the material, answer the same questions again to measure your improvement.
Post-Quiz
1. An enterprise needs to isolate PCI cardholder data traffic from general corporate traffic on shared physical infrastructure, with completely separate routing tables. Which segmentation technology is most appropriate?
VLAN-based segmentation with inter-VLAN ACLs
Security Group Tags (SGTs) with SGACLs
VRF-based segmentation
Host-based firewalls on each endpoint
2. What is the primary advantage of SGT-based segmentation over VLAN-based segmentation?
SGTs provide stateful inspection of traffic
SGTs decouple security policy from network topology
SGTs eliminate the need for authentication
SGTs can create separate routing tables
3. In a Cisco SD-Access deployment, what is the role of the fusion firewall?
It authenticates endpoints via 802.1X before granting network access
It provides stateful inspection for inter-VN (inter-VRF) traffic
It assigns SGTs to traffic based on device profiling
It provides VXLAN encapsulation for overlay traffic
4. During a phased ISE deployment, what happens in Low-Impact Mode (Phase 2)?
All traffic is permitted regardless of authentication result
No traffic is permitted until successful authentication
A pre-authentication ACL permits essential services while requiring authentication for other access
Only 802.1X-authenticated devices are allowed; MAB devices are blocked
5. What is the key architectural difference between traditional VPN and Zero Trust Network Access (ZTNA)?
VPN uses encryption while ZTNA does not
ZTNA grants per-application access while VPN grants broad network access
VPN requires a cloud broker while ZTNA uses on-premises concentrators
ZTNA only works with wireless connections
6. Why is a dual-firewall DMZ design preferred over a single-firewall (three-legged) design?
It costs less to deploy and manage
It eliminates the need for IPS inspection in the DMZ
Compromise of the outer firewall does not expose the internal network
It allows DMZ servers to initiate connections to internal databases
7. When should SXP (SGT Exchange Protocol) be used instead of inline SGT tagging?
When all devices in the path support TrustSec hardware
When hardware in the path does not support inline tagging
When stateful inspection of SGT traffic is required
When the network uses only wireless connections
8. In the 802.1X authentication framework, what role does the switch or WLC play?
Supplicant
Authentication server
Authenticator
Identity store
9. A network architect must choose a segmentation approach to prevent lateral movement between employees and contractors within the same VRF. Which approach is most appropriate?
Create separate VRFs for employees and contractors
Apply SGTs and SGACLs to enforce identity-based policies within the VRF
Deploy a separate physical network for contractors
Add inter-VLAN ACLs at the core layer only
10. Which EAP method provides mutual authentication using certificates on both client and server?
PEAP (MSCHAPv2)
EAP-FAST
EAP-TLS
EAP-TTLS
11. What is the primary function of ISE Policy Service Nodes (PSNs) in a large-scale deployment?
Central configuration and policy management
Log aggregation and reporting
Processing RADIUS and TACACS+ authentication requests
Certificate authority operations
12. In a defense-in-depth architecture, why is IPS placement between internal zones important even when a perimeter firewall exists?
Internal IPS replaces the need for endpoint protection
It detects lateral movement and internal threats that bypassed the perimeter
It provides NAT services between internal zones
Internal IPS is only needed for compliance documentation
13. In the Central Web Authentication (CWA) guest access flow, what triggers the Change of Authorization (CoA) to the switch?
The guest device initiates an 802.1X exchange
The guest successfully authenticates through the ISE guest portal
The switch detects the guest VLAN tag in the Ethernet frame
The VPN concentrator validates the guest's certificate
14. What is a key limitation of SGACL enforcement on switches compared to firewall enforcement?
SGACLs cannot filter based on source and destination groups
SGACLs operate as simple permit/deny filters without stateful connection tracking
SGACLs require manual IP address configuration for each endpoint
SGACLs can only be applied to wireless traffic
15. An architect is designing segmentation for an organization with regulatory compliance zones, guest isolation, and granular role-based access. What is the recommended layered approach?
Deploy SGTs first, then add VRFs only if SGTs prove insufficient
Use only VLANs with detailed ACLs for all segmentation needs
Deploy macro-segmentation (VRFs) first for broad boundaries, then layer micro-segmentation (SGTs) on top
Implement host-based firewalls on every endpoint and skip network-level segmentation