Roadmap: Zero Trust Network Segmentation

1. Overview

This roadmap defines a Zero Trust microsegmentation architecture using Cisco ISE TrustSec for:

  • Identity-based network segmentation beyond VLANs

  • Software-defined segmentation groups (SGTs)

  • Dynamic access control based on user/device identity

  • Lateral movement prevention within network segments

  • Compliance with CISA Zero Trust framework

ISE 3.4 introduces PAC-less Communication for TrustSec and enhanced FQDN-to-SGT mapping for cloud/geo-distributed deployments. This roadmap incorporates these new capabilities.

2. Architecture Vision

direction: right

identity: "Identity Sources" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#89b4fa"

  ad: "Active Directory"
  certs: "Certificates"
  keycloak: "Keycloak SSO"
  device: "Device Certs"
  profile: "Profiling"
}

policy: "Policy Engine" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#a6e3a1"

  ise: "ISE 3.4 TrustSec" {
    style.fill: "#45475a"
    style.stroke: "#a6e3a1"
  }
}

enforcement: "Enforcement" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#f9e2af"

  catalyst: "Catalyst Switches"
  nexus: "Nexus"
  firepower: "Firepower"
}

identity -> policy -> enforcement

sgt: "SGT Assignment" {
  shape: rectangle
  style.fill: "#1e1e2e"
  style.stroke: "#cba6f7"

  ws: "Workstations: 10"
  srv: "Servers: 20"
  iot: "IoT: 30"
  guest: "Guests: 40"
  quar: "Quarantine: 999"
}

sgacl: "SGACL Matrix" {
  shape: rectangle
  style.fill: "#1e1e2e"
  style.stroke: "#f38ba8"

  r1: "10→20: permit"
  r2: "30→20: deny"
  r3: "40→*: restrict"
  r4: "999→*: deny all"
}

policy -> sgt: "assigns"
sgt -> sgacl: "enforces"

3. Current State

Component         | Status      | Notes
------------------+-------------+---------------------------------------------
802.1X EAP-TLS    | OPERATIONAL | Linux and Windows workstations authenticated
VLAN Segmentation | OPERATIONAL | Traditional macro-segmentation in place
ISE 3.4           | OPERATIONAL | Upgraded, TrustSec not fully deployed
SGT Assignment    | PARTIAL     | Static SGTs for some endpoints
SGACL Policies    | PLANNED     | Matrix design incomplete
TrustSec NADs     | PARTIAL     | Not all switches enrolled

4. Phase 1: TrustSec Foundation

4.1. Objectives

  • Enable TrustSec on all capable network devices

  • Implement ISE 3.4 PAC-less Communication

  • Design initial SGT taxonomy

  • Configure SGT propagation (inline tagging vs SXP)

4.2. SGT Taxonomy Design

SGT | Name             | Description                          | Tag (hex)
----+------------------+--------------------------------------+----------
2   | TrustSec_Devices | Network infrastructure               | 0x0002
10  | Workstations     | Domain-joined computers with EAP-TLS | 0x000A
15  | BYOD             | Personal devices with limited access | 0x000F
20  | Servers          | Production servers                   | 0x0014
25  | Management       | Out-of-band management               | 0x0019
30  | IoT_Devices      | Profiled IoT endpoints               | 0x001E
40  | Guests           | Guest WiFi users                     | 0x0028
50  | Contractors      | Third-party contractors              | 0x0032
999 | Quarantine       | Failed posture or security events    | 0x03E7

4.3. Tasks

#   | Task                                         | Priority
----+----------------------------------------------+---------
1.1 | Enable CTS (Cisco TrustSec) on Catalyst 9300 | HIGH
1.2 | Configure ISE as TrustSec PAC server         | HIGH
1.3 | Enable PAC-less Communication (ISE 3.4)      | HIGH
1.4 | Create SGT objects in ISE Work Centers       | HIGH
1.5 | Configure inline tagging on access switches  | MEDIUM
1.6 | Document NAD enrollment in domus-ise-ops     | HIGH

4.4. PAC-less Communication (ISE 3.4)

! Enable TrustSec on a Catalyst switch (PAC-less deployment with ISE 3.4)
! The id/password pair must match the TrustSec device ID and password
! configured for this NAD in ISE, or the switch will never download
! environment data or policy.
cts credentials id <switch-name> password <secret>
cts role-based enforcement
cts role-based enforcement vlan-list all

! Verify TrustSec status: interface state, IP-to-SGT bindings, and the
! environment data (server list, SGT table) downloaded from ISE
show cts interface
show cts role-based sgt-map all
show cts environment-data

4.5. Success Criteria

  • All access switches TrustSec-enabled

  • SGT taxonomy documented and approved

  • PAC-less authentication verified

  • ISE TrustSec dashboard showing NAD status

5. Phase 2: Dynamic SGT Assignment

5.1. Objectives

  • Assign SGTs based on authentication results

  • Implement authorization policies with SGT outcomes

  • Configure profiling-based SGT for IoT

5.2. Authorization Policy Design

direction: down

title: "ISE Authorization Policy (SGT Outcomes)" {
  shape: text
  style.font-size: 16
  style.bold: true
}

r1: "Domain_Workstations" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#a6e3a1"

  cond: "IF: AD Group + Cert + Posture Compliant"
  result: "→ VLAN 50, SGT = 10"
}

r2: "BYOD_Devices" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#89b4fa"

  cond: "IF: User Cert, Not Domain-Joined"
  result: "→ VLAN 60, SGT = 15"
}

r3: "IoT_Profiled" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#f9e2af"

  cond: "IF: Profile = Printer/Camera + MAB"
  result: "→ VLAN 70, SGT = 30"
}

r4: "Guest_Wifi" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#cba6f7"

  cond: "IF: Guest Portal Auth"
  result: "→ VLAN 80, SGT = 40"
}

r5: "Posture_Failed" {
  shape: rectangle
  style.fill: "#313244"
  style.stroke: "#f38ba8"

  cond: "IF: Posture = Non-Compliant"
  result: "→ VLAN 999, SGT = 999 (Quarantine)"
}

r1 -> r2 -> r3 -> r4 -> r5: "policy order" { style.stroke-dash: 3 }
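The diagram above lists the rules in the order ISE evaluates them, and ISE stops at the first match. The following added example (not part of the roadmap and not Cisco code) models that first-match walk over the five rules with simplified, constructed session attributes and rule conditions, and probes what a non-compliant session receives depending on where the quarantine rule sits in the order. The `Session` fields, the "Domain Computers" group name and the probe sessions are assumptions made for the illustration.

```python
# Added example (not from the roadmap or Cisco ISE): a first-match model of
# the five authorization rules drawn in section 5.2. Session attributes and
# rule conditions are simplified, constructed stand-ins for ISE's conditions.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

QUARANTINE_SGT = 999


@dataclass
class Session:
    """Constructed subset of what ISE knows about an authenticating session."""
    auth_method: str                 # "EAP-TLS", "MAB" or "GUEST_PORTAL"
    domain_joined: bool = False
    ad_group: Optional[str] = None   # e.g. "Domain Computers" (assumed name)
    user_cert: bool = False          # user (not machine) certificate presented
    posture: str = "Unknown"         # "Compliant", "NonCompliant" or "Unknown"
    profile: Optional[str] = None    # profiler result, e.g. "Printer"


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    vlan: int
    sgt: int


# r1..r5 in the diagram's "policy order"; only r1 checks posture itself.
RULES: List[Rule] = [
    Rule("Domain_Workstations",
         lambda s: s.auth_method == "EAP-TLS" and s.domain_joined
         and s.ad_group is not None and s.posture == "Compliant", 50, 10),
    Rule("BYOD_Devices",
         lambda s: s.user_cert and not s.domain_joined, 60, 15),
    Rule("IoT_Profiled",
         lambda s: s.auth_method == "MAB" and s.profile in ("Printer", "Camera"), 70, 30),
    Rule("Guest_Wifi",
         lambda s: s.auth_method == "GUEST_PORTAL", 80, 40),
    Rule("Posture_Failed",
         lambda s: s.posture == "NonCompliant", 999, QUARANTINE_SGT),
]


def authorize(session: Session, rules: List[Rule] = RULES) -> Tuple[str, int, int]:
    """Top-down first match, as ISE evaluates an authorization policy.
    Returns (rule name, VLAN, SGT); no match is an explicit deny (0, 0)."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.vlan, rule.sgt
    return "DenyAccess", 0, 0


def quarantine_first(rules: List[Rule] = RULES) -> List[Rule]:
    """Same rules with the quarantine rule moved to the top of the order."""
    return ([r for r in rules if r.sgt == QUARANTINE_SGT]
            + [r for r in rules if r.sgt != QUARANTINE_SGT])


def posture_leaks(rules: List[Rule] = RULES) -> List[str]:
    """Rules that hand a non-quarantine SGT to a non-compliant session before
    the quarantine rule is reached. Probed with two constructed sessions for
    which posture assessment is realistic (workstation and BYOD laptop)."""
    probes = [
        Session("EAP-TLS", domain_joined=True, ad_group="Domain Computers",
                posture="NonCompliant"),
        Session("EAP-TLS", user_cert=True, posture="NonCompliant"),
    ]
    leaks: List[str] = []
    for probe in probes:
        name, _, sgt = authorize(probe, rules)
        if sgt != QUARANTINE_SGT and name not in leaks:
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    print(authorize(Session("EAP-TLS", user_cert=True, posture="NonCompliant")))
    print("leaks in diagram order:", posture_leaks())
    print("leaks with quarantine first:", posture_leaks(quarantine_first()))
```

With the diagram's order, a non-compliant domain workstation falls through to Posture_Failed only because r1 itself requires a compliant posture; a non-compliant BYOD laptop matches r2 first and keeps SGT 15. Either evaluating Posture_Failed first or adding the posture condition to every rule above it makes the quarantine outcome independent of rule order.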

5.3. Tasks

#   | Task                                                   | Priority
----+--------------------------------------------------------+---------
2.1 | Update EAP-TLS authorization to include SGT assignment | HIGH
2.2 | Create profiling-based SGT policies (IoT, printers)    | HIGH
2.3 | Configure guest portal SGT assignment                  | MEDIUM
2.4 | Implement posture-based SGT downgrade (quarantine)     | HIGH
2.5 | Test SGT visibility on switches                        | HIGH
2.6 | Document authorization rules in domus-ise-linux        | MEDIUM

5.4. Success Criteria

  • All EAP-TLS sessions receive SGT

  • SGTs visible in show cts role-based sgt-map

  • Profiled devices auto-assigned correct SGT

  • Posture failure triggers quarantine SGT

6. Phase 3: SGACL Policy Matrix

6.1. Objectives

  • Define traffic rules between security groups

  • Implement permit/deny matrix

  • Enable enforcement on switches and firewalls

6.2. SGACL Matrix

Source↓ / Dest→ | Workstations   | Servers | IoT    | Guests | Mgmt   | Quarantine
----------------+----------------+---------+--------+--------+--------+-----------
Workstations    | Permit         | Permit  | Deny   | Deny   | Permit | Deny
Servers         | Permit (reply) | Permit  | Deny   | Deny   | Permit | Deny
IoT             | Deny           | Limited | Permit | Deny   | Deny   | Deny
Guests          | Deny           | Deny    | Deny   | Permit | Deny   | Deny
Mgmt            | Permit         | Permit  | Permit | Permit | Permit | Permit
Quarantine      | Deny           | Deny    | Deny   | Deny   | Deny   | Deny

6.3. Tasks

#   | Task                                           | Priority
----+------------------------------------------------+---------
3.1 | Design SGACL permit/deny matrix                | HIGH
3.2 | Create SGACLs in ISE (contract-based)          | HIGH
3.3 | Configure egress policy matrix in ISE          | HIGH
3.4 | Enable SGACL enforcement on switches           | HIGH
3.5 | Test lateral movement prevention               | HIGH
3.6 | Document SGACL in domus-ise-ops policy module  | MEDIUM

6.4. SGACL Configuration Example

! ISE SGACLs (configured in the ISE GUI, pushed to devices). Role-based ACL
! entries carry no source/destination addresses: the SGT pair selects the
! ACL, so an entry is just <action> <protocol> [dst eq <port>].
ip access-list role-based Workstations_to_IoT
  deny ip

ip access-list role-based Guests_to_Servers
  deny ip

ip access-list role-based IoT_to_Servers
  permit tcp dst eq 443
  deny ip

! Verify on switch: the downloaded SGT-to-SGT permissions and the RBACL contents
show cts role-based permissions
show cts rbacl
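To keep the matrix in 6.2 and the SGACLs in 6.4 from drifting apart, the matrix can be treated as the source of truth and the per-cell ACLs derived from it. The added example below (not part of the roadmap and not Cisco code) holds the 6.2 matrix as data, evaluates a flow against the cell's contract the way a switch walks ACEs, renders the role-based ACL text in the form 6.4 shows, and audits the matrix against the 6.5 success criteria. The readings of "Limited" (HTTPS only, as the IoT_to_Servers contract shows) and "Permit (reply)" (rendered as a plain permit, since an RBACL holds no connection state) are assumptions stated in the comments; SGT numbers are from the 4.2 taxonomy.

```python
# Added example (not from the roadmap or Cisco ISE): the section 6.2 matrix
# as data, evaluated per flow and rendered in the role-based ACL form shown
# in section 6.4. Cell semantics for "Limited" and "Permit (reply)" are the
# interpretations stated in the comments, not ISE behaviour.
from typing import Dict, List

# Security groups from the section 4.2 taxonomy (name -> decimal SGT).
SGT: Dict[str, int] = {
    "Workstations": 10, "Servers": 20, "IoT": 30,
    "Guests": 40, "Mgmt": 25, "Quarantine": 999,
}
GROUPS = ["Workstations", "Servers", "IoT", "Guests", "Mgmt", "Quarantine"]

# Rows are source groups, columns follow GROUPS, cells copied from section 6.2.
MATRIX: Dict[str, List[str]] = {
    "Workstations": ["Permit", "Permit", "Deny", "Deny", "Permit", "Deny"],
    "Servers":      ["Permit (reply)", "Permit", "Deny", "Deny", "Permit", "Deny"],
    "IoT":          ["Deny", "Limited", "Permit", "Deny", "Deny", "Deny"],
    "Guests":       ["Deny", "Deny", "Deny", "Permit", "Deny", "Deny"],
    "Mgmt":         ["Permit"] * 6,
    "Quarantine":   ["Deny"] * 6,
}


def cell(src: str, dst: str) -> str:
    return MATRIX[src][GROUPS.index(dst)]


def contract(src: str, dst: str) -> List[str]:
    """ACEs for one matrix cell, in the order the switch evaluates them."""
    c = cell(src, dst)
    if c == "Limited":
        # Assumption: only the HTTPS contract the roadmap shows for IoT_to_Servers.
        return ["permit tcp dst eq 443", "deny ip"]
    if c.startswith("Permit"):
        # "Permit (reply)" is rendered as a plain permit: an RBACL carries no
        # state, so reply-only semantics have to come from a stateful tier.
        return ["permit ip"]
    return ["deny ip"]


def allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """First-match walk over the cell's ACEs, implicit deny at the end."""
    for ace in contract(src, dst):
        action, rest = ace.split(" ", 1)
        parts = rest.split()
        if parts[0] == "ip":
            return action == "permit"
        if parts[0] == proto and parts[1:3] == ["dst", "eq"] and int(parts[3]) == dport:
            return action == "permit"
    return False


def render_rbacl(src: str, dst: str) -> str:
    """Role-based ACL text in the form section 6.4 shows (name Src_to_Dst)."""
    lines = [f"ip access-list role-based {src}_to_{dst}"]
    lines += [f"  {ace}" for ace in contract(src, dst)]
    return "\n".join(lines)


def audit() -> List[str]:
    """Checks the matrix against the section 6.5 success criteria; empty = pass."""
    findings: List[str] = []
    for dst in GROUPS:
        if cell("Quarantine", dst) != "Deny":
            findings.append(f"Quarantine may reach {dst}")
        if dst != "Guests" and cell("Guests", dst) != "Deny":
            findings.append(f"Guests may reach {dst}")
    if cell("Workstations", "IoT") != "Deny":
        findings.append("Workstations may reach IoT directly")
    return findings


if __name__ == "__main__":
    print(render_rbacl("IoT", "Servers"))
    print("IoT -> Servers tcp/443:", allowed("IoT", "Servers", "tcp", 443))
    print("IoT -> Servers tcp/22: ", allowed("IoT", "Servers", "tcp", 22))
    print("audit findings:", audit())
```

Running the audit as part of the 3.1/3.5 tasks gives a repeatable check that a matrix edit has not reopened the Quarantine or Guests rows before the contracts are pushed from ISE.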

6.5. Success Criteria

  • SGACL matrix fully implemented

  • Lateral movement blocked between segments

  • Workstations cannot reach IoT directly

  • Guests isolated from internal resources

7. Phase 4: ISE 3.4 Advanced Features

7.1. FQDN-to-SGT Mapping

ISE 3.4 allows an FQDN-to-SGT mapping to be resolved by multiple nodes, so one name can yield several IP-to-SGT bindings instead of the single answer one resolver sees. This is critical for:

  • Cloud services with geo-distributed DNS

  • CDN endpoints with varying IP addresses

  • SaaS applications (O365, Google Workspace)
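Why multi-node resolution matters for the binding set, shown with an added example that is not part of the roadmap and not Cisco code. The resolver answers, the `Cloud_SaaS` group with SGT 60 (the roadmap's taxonomy stops at 50 plus Quarantine 999), and the example.com/example names are constructed assumptions using documentation prefixes. It computes the IP-to-SGT bindings a single resolving node would produce versus the union across nodes, and also flags the CDN case where two names with different SGTs share an edge address, which one IP binding cannot express.

```python
# Added example (not from the roadmap or Cisco ISE): how multi-node FQDN
# resolution changes the IP-to-SGT binding set. Resolver answers and the
# SGT 60 "Cloud_SaaS" group are constructed assumptions.
import ipaddress
from typing import Dict, List, Set

# Constructed stand-in for DNS: each resolving node (region) sees different
# A records for the same geo-distributed or CDN-fronted name.
RESOLVER: Dict[str, Dict[str, List[str]]] = {
    "mail.saas.example":   {"us-east": ["203.0.113.10", "203.0.113.11"],
                            "eu-west": ["198.51.100.10"]},
    "files.saas.example":  {"us-east": ["203.0.113.20"],
                            "eu-west": ["198.51.100.20", "198.51.100.21"]},
    # A partner name served from the same CDN edge address in one region.
    "cdn.partner.example": {"us-east": ["203.0.113.20"],
                            "eu-west": ["198.51.100.30"]},
}

# FQDN-to-SGT mapping as it would be entered in ISE (SGT values assumed).
FQDN_SGT: Dict[str, int] = {
    "mail.saas.example": 60,     # Cloud_SaaS (assumed group)
    "files.saas.example": 60,
    "cdn.partner.example": 50,   # Contractors, from the 4.2 taxonomy
}


def resolve(fqdn: str, nodes: List[str]) -> Set[str]:
    """Union of A records seen by the given resolving nodes."""
    answers = RESOLVER.get(fqdn, {})
    ips: Set[str] = set()
    for node in nodes:
        for ip in answers.get(node, []):
            ipaddress.ip_address(ip)   # raises on a malformed record
            ips.add(ip)
    return ips


def bindings(nodes: List[str]) -> Dict[str, Set[int]]:
    """IP -> set of SGTs derived from every mapped FQDN, resolved by `nodes`."""
    out: Dict[str, Set[int]] = {}
    for fqdn, sgt in FQDN_SGT.items():
        for ip in resolve(fqdn, nodes):
            out.setdefault(ip, set()).add(sgt)
    return out


def missed_by_single_node(single: str, all_nodes: List[str]) -> Set[str]:
    """Addresses that appear only when more than one node resolves the names;
    traffic to them would carry no SGT if only `single` did the resolution."""
    return set(bindings(all_nodes)) - set(bindings([single]))


def conflicts(nodes: List[str]) -> Dict[str, Set[int]]:
    """IPs that FQDNs with different SGTs both resolve to. An IP can hold one
    SGT binding, so these need one agreed group or a separate name/address."""
    return {ip: sgts for ip, sgts in bindings(nodes).items() if len(sgts) > 1}


if __name__ == "__main__":
    nodes = ["us-east", "eu-west"]
    print("missed with us-east only:", sorted(missed_by_single_node("us-east", nodes)))
    print("conflicting bindings:", conflicts(nodes))
```

The `conflicts` check is worth running whenever a new FQDN mapping is added: a shared CDN address is the usual way an FQDN-based policy silently widens or narrows access for a group it was never meant to touch.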

7.2. Tasks

#   | Task                                                           | Priority
----+----------------------------------------------------------------+---------
4.1 | Configure FQDN-to-SGT for cloud services                       | MEDIUM
4.2 | Enable multi-node DNS resolution for FQDNs                     | MEDIUM
4.3 | Integrate with BIND DNS for resolution (VyOS replaced pfSense) | LOW
4.4 | Document cloud segmentation patterns                           | LOW

8. Phase 5: Monitoring and Compliance

8.1. Objectives

  • Real-time SGT assignment visibility

  • Policy violation alerting

  • Compliance reporting

8.2. Tasks

#   | Task                                       | Priority
----+--------------------------------------------+---------
5.1 | Create ISE live logs dashboards for SGT    | MEDIUM
5.2 | Configure pxGrid for SGT change events     | LOW
5.3 | Build compliance reports (CIS, NIST)       | LOW
5.4 | Integrate with netapi for SGT queries      | MEDIUM

9. Work Applicability

This roadmap directly supports work enterprise requirements:

  • CISA Zero Trust: Aligns with federal Zero Trust mandates

  • Healthcare: HIPAA segmentation for medical devices

  • Microsegmentation: Prevents ransomware lateral movement

  • Compliance: PCI DSS, SOC2 network segmentation evidence

  • Scalability: Policy-based, not ACL-based segmentation

TrustSec patterns validated in the home enterprise deployment carry over directly to the work enterprise.

11. External Resources

12. Revision History

Date       | Author         | Changes
-----------+----------------+------------------------------------------
2026-02-11 | EvanusModestus | Initial roadmap based on ISE 3.4 features