TrustSec Segmentation with Exceptions

nspasov
Cisco Employee

One of my customers has the following requirement: they want to prevent malware from spreading rapidly from an infected computer to the rest of the environment. As a result, they want to prevent users/machines that are located on the same VLAN/broadcast domain from communicating with each other.

My initial thought was to evaluate ISE with TrustSec. However, they also have a requirement where they want to be able to allow exceptions for particular users/machines so that those are allowed to communicate with each other. Is this possible with TrustSec? Can we combine SGTs with additional attributes such as IPs, MACs, AD groups, etc.? Based on my research this is not possible, but I figured I would still ask. Here is an example:

Permit

Src_sgt_10 and ad_user=User1 to Dst_sgt_10 and ad_user=User2

Deny

Src_sgt_10 to Dst_sgt_10


The other two alternatives that we considered are:

Private VLANs:

- No support for dynamic PVLANs

- No support for Voice VLANs


DACLs

- DACL entries could potentially become too long and exhaust TCAM resources


Thank you in advance!


Neno
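Added example, not from the post above and not Cisco or ISE code: a small Python model of the two stages TrustSec actually has, classification (an ISE authorization rule assigns each session an SGT) and enforcement (an SGACL matrix whose only lookup key is the source/destination SGT pair, optionally narrowed by L4 port). It shows that the "Src_sgt_10 and ad_user=User1" condition from the post has nowhere to live at the enforcement point, and that the usual way to get the exception is to classify the excepted users into their own SGT and permit that tag to itself. The user names, AD group names, SGT values 10/11, the rule order and the default policy are all constructed assumptions.

```python
# Added illustrative model of TrustSec classification + SGACL enforcement.
# Not Cisco/ISE code; all names, groups, SGT numbers and policy cells are
# constructed assumptions for the example.
from typing import Dict, List, Tuple

# Constructed directory: the AD groups ISE would learn for each user at
# authentication time.
AD_USERS: Dict[str, List[str]] = {
    "User1": ["Domain Users", "Peer-Exception"],
    "User2": ["Domain Users", "Peer-Exception"],
    "User3": ["Domain Users"],
}

# Constructed ISE-style authorization rules, evaluated top-down, first match
# wins. The exception population gets its own SGT (11, hypothetical) so the
# SGACL matrix can refer to it; the matrix itself cannot match on user/group.
AUTHZ_RULES: List[Tuple[str, int]] = [
    ("Peer-Exception", 11),   # users allowed to talk to each other
    ("Domain Users", 10),     # everybody else on the VLAN
]
UNKNOWN_SGT = 0               # no rule matched

# Constructed SGACL matrix: (src_sgt, dst_sgt) -> "permit" | "deny".
# Only the tag pair is a key; IP, MAC and AD user are not visible here.
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (10, 10): "deny",    # block east-west traffic inside the general population
    (11, 11): "permit",  # the exception: peers inside the exception SGT may talk
    (10, 11): "deny",
    (11, 10): "deny",
}
DEFAULT_POLICY = "permit"   # assumed default for cells not in the matrix


def classify(user: str) -> int:
    """Return the SGT the authorization rules would assign to this user."""
    groups = AD_USERS.get(user, [])
    for group, sgt in AUTHZ_RULES:
        if group in groups:
            return sgt
    return UNKNOWN_SGT


def enforce(src_sgt: int, dst_sgt: int) -> str:
    """SGACL lookup: the enforcement point only sees the two tags."""
    return SGACL_MATRIX.get((src_sgt, dst_sgt), DEFAULT_POLICY)


def evaluate(src_user: str, dst_user: str) -> Tuple[int, int, str]:
    """End to end: classify both endpoints, then enforce on the tag pair."""
    src_sgt, dst_sgt = classify(src_user), classify(dst_user)
    return src_sgt, dst_sgt, enforce(src_sgt, dst_sgt)


def reachable_from(user: str) -> List[str]:
    """Other known users this user is permitted to reach under the model."""
    return sorted(
        peer for peer in AD_USERS
        if peer != user and evaluate(user, peer)[2] == "permit"
    )


if __name__ == "__main__":
    for src, dst in (("User1", "User2"), ("User1", "User3"), ("User3", "User3")):
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    for user in AD_USERS:
        print(f"{user} can reach: {reachable_from(user)}")
```

The thing to check when translating this to a real deployment is the cells the model leaves to the default policy (here anything involving SGT 0): whatever the enforcement point does for an unconfigured pair is what an unclassified endpoint gets.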
