Introduction
Enforcing least privilege access policies at the edge, as close to the asset as possible, is a core requirement of enterprise network security. Elisity's identity-based policy implementation delivers microsegmentation by using the existing switching infrastructure as the policy enforcement fabric, which greatly simplifies network segmentation. In large environments, however, the switching hardware becomes the limiting factor: each switch can only hold a bounded number of device-to-tag mappings. Elisity's Distribution Zones (DZ) address this constraint. By logically dividing the network into distinct zones, each of which only needs to store the mappings for its own endpoints, DZs keep identity-based microsegmentation scalable and efficient even in the most demanding enterprise environments.
Key Concepts
- Independence from Policy Sets and Site Labels : Distribution Zones function independently from Policy Sets and Site Labels.
- Assignment to Virtual Edges AND Virtual Edge Nodes: Distribution Zones can be assigned at the Virtual Edge level, with the attached Virtual Edge Nodes inheriting the DZ assignment of the Virtual Edge, or assigned directly to each Virtual Edge Node.
- Device Count Limits: Each DZ has a device count limit determined by the hardware limitations of the onboarded switches (VENs) in that DZ, since the lowest-capacity switch in the zone sets the ceiling. For example, a DZ with Cisco C has the capacity to support up to 9,000 devices. However, if the zone includes a Cisco IE3400 or C9200, the maximum supported device count drops to 1,000. For the number of Device-PG mappings each Cisco platform can store, see this document. You can track when Distribution Zones are approaching their limits by viewing Device Counts in the Distribution Zone tab in Virtual Edge Settings.
- Distribution Logic: Dynamic Policy Group IP-to-Tag mappings are distributed within the boundaries of the Distribution Zone. In contrast, Static/Network Policy Groups are distributed across all Distribution Zones.
- Policy Enforcement: Intra-Zone policies are enforced at the Access Layer, while policies between devices in different zones are enforced at the aggregation layer or higher by switches assigned to the Global DZ.
- Versatility Across Sites: A single Distribution Zone can span multiple sites, and a single site can contain multiple Distribution Zones.
- Policy Set Flexibility: Different Policy Sets can be applied to Virtual Edges within the same Distribution Zone.
- Default Zone: There exists a default Distribution Zone to which all Virtual Edges are assigned unless manually changed.
- Global Zone: Administrators can assign certain Virtual Edges or VE Nodes to the Global Distribution Zone, which distributes ALL known IP-Group mappings to the VEs and Nodes that are assigned.
Importance of Distribution Zones
Distribution Zones address the scale challenge in large-scale policy enforcement without the need for hardware upgrades or vendor lock-in. This feature:
- Enhances Scalability: By segmenting the network into manageable zones, it allows for efficient distribution of identity tags and policies. Easily view and manage device counts within each Distribution Zone in the DZ tab within Virtual Edge Settings.
- Supports Diverse Environments: It seamlessly integrates into existing multi-vendor environments, ensuring compatibility and flexibility.
- Simplifies Management: The modular approach simplifies the complexity traditionally associated with large-scale policy enforcement.
Distribution Zone Assignments for Virtual Edges and VE Nodes
Distribution Zones can be assigned to Virtual Edges, or directly to individual Virtual Edge Nodes for more flexibility and granularity. By default, Virtual Edge Nodes inherit the Distribution Zone of the parent Virtual Edge. A Distribution Zone can also be assigned during onboarding, or changed later in the Virtual Edge Node dashboard at any point. When onboarding or editing a VE Node configuration, you can assign an existing DZ and/or Site Label or create a new one, reassigning your policy enforcement points to new Distribution Zones and Policy Sets.
Example: Distribution Zones for Virtual Edges and Virtual Edge Nodes
In this example, we assign Distribution Zones directly to Virtual Edge Nodes rather than relying on inheritance from the Virtual Edge. Because the DZ of a Virtual Edge Node is decoupled from that of its Virtual Edge, the set of Device-PG mappings each node stores can be controlled per node. Using site label and distribution zone assignments for each Virtual Edge Node, you can manage your policy deployment architecture without additional design work for policy distribution, and it removes many of the scale considerations when designing your Elisity architecture.
Top-Down Distribution Zone Implementation for Asset Control
Assigning Distribution Zones (DZs) to Virtual Edge Nodes (VENs) ensures that every asset connected to those VENs is automatically included in the designated DZ. Here’s how the process works:
Step-by-Step Process
Step 1 - Initial Setup of Distribution Zones:
- Distribution Zones are created and configured within the Cloud Control Center (CCC). Navigate to Settings > Distribution Zones and click on "Create Distribution Zone" to define your zones. You can also create and assign new Distribution Zones when creating Virtual Edges or Nodes.
Distribution Zone Page Overview
The Distribution Zone page has several columns with important information about your Distribution Zones, as seen in the image above.
- Distribution Zone: This is the name of your Distribution Zone, and this DZ name acts as a tag that is applied to enforcement nodes.
- Online Devices: This is a crucial piece of data that helps Administrators view the number of online devices within each Distribution Zone. This is important for ensuring that Distribution Zone device counts do not exceed the device-tag storage limitations of switching infrastructure.
- Last Modified: This gives a time and date of the last modification to the Distribution Zone. This shows when a DZ was created or renamed.
Step 2 - Assigning Virtual Edges to a Distribution Zone:
- Once the Distribution Zones are defined, they can be assigned to Virtual Edges (VEs) and Virtual Edge Nodes (VENs). DZs can be assigned or created during the initial configuration of the Virtual Edge or modified later through the Virtual Edge dashboard in the CCC.
- Navigate to Virtual Edges, select the desired VE, and in the configuration options, assign the appropriate Distribution Zone from the drop-down menu.
Step 3 - Inheriting Distribution Zone Assignments:
- By default, Virtual Edge Nodes inherit the Distribution Zone assignment of their parent Virtual Edge. This means that when a VE is assigned to a DZ, all connected VENs will automatically belong to the same DZ unless specified otherwise.
Step 4 - Direct Assignment to Virtual Edge Nodes:
- For more granular control, Distribution Zones can be directly assigned to individual Virtual Edge Nodes. This is useful for scenarios where specific nodes need to be part of different Distribution Zones than their parent VE.
- During the onboarding of a VEN, you can specify or create a new Distribution Zone directly in the configuration settings.
- If no specific DZ is chosen, the VEN will inherit the DZ from its parent VE. If a new or different DZ is needed, select it from the provided options or create a new one.
Step 5 - Automatic Asset Assignment:
- Once a VEN is assigned to a DZ, any asset that connects to that VEN is automatically placed within the assigned DZ. The Cloud Control Center policy engine ensures that assets inherit the DZ of the VEN they connect to, streamlining the management process and maintaining consistent policy enforcement.
Step 6 - Managing Distribution Zones:
- Changes to Distribution Zone assignments can be made at any time through the CCC. Simply edit the configuration of the relevant VE or VEN and update the Distribution Zone settings as needed.
- Ensure that all changes are saved and applied to keep the policy enforcement and asset management consistent across the network.
Benefits of Assigning Assets to Distribution Zones via Virtual Edge Nodes
Scalability:
- By leveraging Distribution Zones, network administrators can efficiently manage and scale the microsegmentation policies without overloading the switching infrastructure.
- Assigning DZs to VENs ensures that each device is correctly mapped and managed within the appropriate segment of the network, maintaining optimal performance.
Flexibility and Granularity:
- The ability to assign Distribution Zones at both the VE and VEN levels provides flexibility to meet the specific needs of various network segments and organizational requirements.
- This granularity ensures that even within the same physical location, different policies can be enforced based on the logical segmentation provided by Distribution Zones.
Improved Security:
- Enforcing least privilege access policies close to the asset, through VENs, enhances security by ensuring that policies are applied at the most granular level.
- This approach minimizes the attack surface and ensures that access controls are precise and effective.
By following these steps, network administrators can effectively assign assets to Distribution Zones through Virtual Edge Nodes. This ensures that every asset connected to those VENs is automatically included in the designated DZ, supporting dynamic and static policy group mappings and maintaining robust and adaptable network segmentation.
Global Distribution Zone
The Global Distribution Zone is a system-created, unmodifiable DZ that contains ALL IP-Group mappings for all devices known in Cloud Control Center. By assigning specific Virtual Edges (VEs) or Virtual Edge Nodes (VE Nodes) to the Global Distribution Zone, administrators ensure that all known IP-Group mappings are uniformly distributed to these designated VEs and Nodes. This centralized approach simplifies policy deployment management and enhances consistency and efficiency within the network.
The Global Distribution Zone can be leveraged on higher capacity switches onboarded for policy enforcement at the aggregation layer or higher, allowing them to store all IP-Group mappings in memory. By utilizing this feature, administrators enable these critical network components to effectively secure and manage traffic between network segments.
By design, devices discovered by switches/WLCs in the Global DZ are propagated to all enforcement points, regardless of which Distribution Zone those enforcement points belong to. Endpoint Discovery on a Global DZ member therefore bypasses the per-zone scoping that keeps access-layer switches within their device limits.
It is strongly recommended that infrastructure assigned to the Global Distribution Zone performs only enforcement, with Endpoint Discovery disabled.
Interaction with Policy Sets
Understanding the Symbiotic Relationship
While Distribution Zones and Policy Sets operate independently, their interplay is crucial for the holistic functioning of microsegmentation in large networks. This relationship can be understood through the following aspects:
- Policy Distribution Efficiency: Distribution Zones primarily focus on the efficient distribution of identity tags, whereas Policy Sets manage the distribution of policies. The combination of both ensures that the right policies are applied to the right devices, based on their identity and location within the network.
- Configuration Implications: When configuring Virtual Edges and their associated Nodes, it's imperative to consider the Distribution Zone and the Policy Set simultaneously. A Virtual Edge or VEN within a Distribution Zone should have a corresponding Policy Set that aligns with the identities and policies relevant to that zone.
To learn more about Policy Sets, read the Policy Sets article.
Potential Scenarios for Distribution Zone and Policy Set Configurations
- Tag-Policy Alignment: If a tag present in an access switch (due to the Distribution Zone configuration) doesn't have a corresponding policy (because the Policy Set doesn't include it), the system might not enforce the expected policy for devices with that tag. This scenario underscores the need for careful planning when aligning tags and policies across Distribution Zones and Policy Sets.
- Policy Misclassification: Conversely, if a Policy Set assigned to a switch lacks certain Policy Group definitions, devices might be misclassified, leading to the application of incorrect policies. This could result in either overly restrictive access or unintended exposure, depending on the nature of the misclassification.
- Strategic Assignment: In some cases, different Policy Sets might be needed within the same Distribution Zone to cater to specific requirements of Virtual Edges. This flexibility allows for tailored policy enforcement that accounts for unique needs or constraints within various segments of the network.
Best Practices for Configuration
- Comprehensive Mapping: Ensure a thorough mapping of tags to policies within each Distribution Zone and corresponding Policy Sets. This mapping should account for all possible device identities and their required access privileges.
- Consistent Review and Update: Regularly review and update Distribution Zones and Policy Sets to reflect changes in network configuration, device roles, or policy requirements.
- Testing and Validation: Before deploying changes on a large scale, test the configuration in a controlled environment to validate the correct implementation of policies as per the designated Distribution Zones and Policy Sets.
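The distribution rules from Key Concepts (dynamic mappings stay inside the learning node's DZ, static/network Policy Groups go everywhere, Global DZ members receive and propagate everything) and the Tag-Policy Alignment and Policy Misclassification scenarios above can be checked offline before a change is pushed. The following Python model is an added example, not Elisity code and not the Cloud Control Center's data model or API; the VEN, Mapping and PolicySet classes, the inventory and the Policy Set contents are constructed here to illustrate the rules described in the text.

```python
from dataclasses import dataclass
from typing import Optional

GLOBAL_DZ = "Global"   # system-created zone; members receive every mapping


@dataclass(frozen=True)
class VEN:
    name: str
    ve: str                       # parent Virtual Edge
    dz: Optional[str] = None      # direct DZ assignment; None = inherit from VE


@dataclass(frozen=True)
class Mapping:
    ip: str            # IP address or prefix
    pg: str            # Policy Group, i.e. the tag pushed to switches
    kind: str          # "dynamic" (learned endpoint) or "static" (network PG)
    learned_on: str = ""   # VEN that discovered the endpoint (dynamic only)


@dataclass(frozen=True)
class PolicySet:
    name: str
    pgs: frozenset        # Policy Group definitions carried by the set
    rules: frozenset      # (src_pg, dst_pg) pairs the set has policies for


def effective_dz(ven: VEN, ve_dz: dict) -> str:
    """A VEN inherits its VE's DZ unless one was assigned directly."""
    return ven.dz if ven.dz is not None else ve_dz[ven.ve]


def distribute(mappings, vens, ve_dz) -> dict:
    """Return {ven_name: set(Mapping)} each VEN stores: dynamic mappings stay
    inside the learning VEN's DZ, static mappings go to every DZ, Global DZ
    members get everything, and anything a Global DZ member learns goes
    to all enforcement points."""
    dz_of = {v.name: effective_dz(v, ve_dz) for v in vens}
    stored = {v.name: set() for v in vens}
    for m in mappings:
        src_dz = dz_of.get(m.learned_on)
        everywhere = m.kind == "static" or src_dz == GLOBAL_DZ
        for v in vens:
            if everywhere or dz_of[v.name] in (GLOBAL_DZ, src_dz):
                stored[v.name].add(m)
    return stored


def check_alignment(stored, policy_set) -> dict:
    """Cross-check one VEN's stored tags against the Policy Set its VE uses:
    tags no rule references (Tag-Policy Alignment) and rules that name a PG
    the set does not define (Policy Misclassification)."""
    tags = {m.pg for m in stored}
    referenced = {pg for rule in policy_set.rules for pg in rule}
    return {
        "tags_without_policy": tags - referenced,
        "rules_with_undefined_pg": {r for r in policy_set.rules
                                    if not set(r) <= policy_set.pgs},
    }


def run_example() -> dict:
    # Constructed inventory: two plant VEs in separate DZs, a core VE in Global.
    ve_dz = {"VE-Plant1": "DZ1", "VE-Plant2": "DZ2", "VE-Core": GLOBAL_DZ}
    vens = [
        VEN("sw1", "VE-Plant1"),             # inherits DZ1
        VEN("sw2", "VE-Plant1", dz="DZ2"),   # direct assignment overrides VE
        VEN("sw3", "VE-Plant2"),             # inherits DZ2
        VEN("core1", "VE-Core"),             # Global DZ, enforcement only
    ]
    mappings = [
        Mapping("10.1.1.10", "HMI", "dynamic", learned_on="sw1"),
        Mapping("10.2.1.20", "PLC", "dynamic", learned_on="sw3"),
        Mapping("10.2.1.30", "Camera", "dynamic", learned_on="sw2"),
        Mapping("10.9.0.0/24", "MgmtNet", "static"),
    ]
    # Policy Sets are assigned per VE, so sw2 keeps Plant1's set after its DZ move.
    ve_policy = {
        "VE-Plant1": PolicySet("ps-plant1", frozenset({"HMI", "PLC", "MgmtNet"}),
                               frozenset({("MgmtNet", "HMI"), ("HMI", "PLC")})),
        "VE-Plant2": PolicySet("ps-plant2", frozenset({"Camera", "PLC"}),
                               frozenset({("Camera", "PLC"), ("PLC", "Historian")})),
        "VE-Core": PolicySet("ps-core", frozenset({"HMI", "PLC", "Camera", "MgmtNet"}),
                             frozenset({("HMI", "PLC"), ("Camera", "PLC"),
                                        ("MgmtNet", "HMI"), ("MgmtNet", "Camera")})),
    }
    stored = distribute(mappings, vens, ve_dz)
    report = {v.name: check_alignment(stored[v.name], ve_policy[v.ve]) for v in vens}
    return {"tags": {n: {m.pg for m in s} for n, s in stored.items()},
            "report": report}


if __name__ == "__main__":
    for ven, findings in run_example()["report"].items():
        print(ven, findings)
```

In the constructed inventory, sw2 was moved into DZ2 by direct assignment but its Virtual Edge still carries the Plant1 Policy Set, so it stores the Camera tag with no policy that references it; sw3 stores the static MgmtNet tag its Policy Set never mentions, and that set contains a rule naming a Historian group it does not define. Those are exactly the mismatches the scenarios above warn about, surfaced before a change is deployed.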
Distribution Zone Examples
Example 1 - Single Distribution Zone
In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes at a single site. All IP to TAG mappings for endpoints are distributed within the Distribution Zone and policy enforcement between assets happens at the access layer. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400 (or C9200), which lowers the limit to 1,000 devices for that particular zone. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.
Example 2 - Single Distribution Zone Across Multiple Sites
In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes across multiple sites. All IP to TAG mappings for endpoints are distributed within the Distribution Zone and policy enforcement between assets happens at the access layer, even between sites. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400 (or C9200), which lowers the limit to 1,000 devices for that particular zone. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.
Example 3 - Multiple Distribution Zones Across Single Site
In this scenario, a single site is broken up into multiple Distribution Zones, possibly because the site is so large that it exceeds the 9,000 device limit for a single Zone. It could also be broken up based on site architecture, business unit separation or for a multitude of other technical and business reasons. IP to TAG mappings for endpoints within a Distribution Zone are only distributed within that Zone. Policy enforcement within a Distribution Zone happens at the access layer, and policy enforcement between Distribution Zones is handled via Network Policy Groups, aggregation-layer switches assigned to the Global DZ, integration with upstream firewalls, or other security elements. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400 (or C9200), which lowers the limit to 1,000 devices for that particular zone. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally, even if a policy is not relevant to assets within a particular Distribution Zone. Example 5 provides details on how to leverage Distribution Zones and Policy Sets together to get the most efficient outcome.
Example 4 - Multiple Distribution Zones Across Single Site with IE3400
This example is similar to the previous one but shows that you can migrate Virtual Edges or Virtual Edge Nodes between Distribution Zones when a device limit has been reached. For example, DZ: 1 is assigned to a Virtual Edge that has onboarded a mix of C9300 and IE3400 Virtual Edge Nodes. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400 (or C9200), which lowers the limit to 1,000 devices for that particular zone, so DZ: 1 is capped at 1,000 devices as long as an IE3400 remains in it. If DZ: 1 is approaching the scale limit, some of the C9300s can be migrated to another Distribution Zone, DZ: 2, which then carries the 9,000 device limit of the C9300s alone. You can track when Distribution Zones might be reaching scale limitations in the Distribution Zone tab within Virtual Edge Settings.
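The capacity check behind this example, and the migration it describes, can be scripted from an inventory export so that zones are flagged before they hit the ceiling. The script below is an added illustration, not Elisity code; the 9,000 and 1,000 limits are the planning figures quoted in this article (the per-platform mapping capacities live in the linked Cisco hardware document), and the VEN class, the 80% warning threshold and the inventory are constructed for the example.

```python
from dataclasses import dataclass

# Planning ceilings from the text: a zone without constrained hardware holds up
# to 9,000 devices; one that includes an IE3400 or C9200 drops to 1,000.
LOW_CAP_MODELS = {"IE3400", "C9200"}
HIGH_LIMIT, LOW_LIMIT = 9000, 1000


@dataclass
class VEN:
    name: str
    model: str
    dz: str               # effective Distribution Zone after inheritance
    online_devices: int   # Online Devices learned behind this node


def zone_limit(members) -> int:
    """The lowest-capacity switch in a zone sets the zone's ceiling."""
    return LOW_LIMIT if any(v.model in LOW_CAP_MODELS for v in members) else HIGH_LIMIT


def zone_report(vens, warn_at=0.8) -> dict:
    """Per-DZ device count, effective limit and warning flag: the same check
    an administrator does by eye in the Distribution Zone tab."""
    zones = {}
    for v in vens:
        zones.setdefault(v.dz, []).append(v)
    report = {}
    for dz, members in zones.items():
        limit = zone_limit(members)
        count = sum(m.online_devices for m in members)
        report[dz] = {"devices": count, "limit": limit,
                      "utilisation": count / limit,
                      "warn": count >= warn_at * limit}
    return report


def plan_migration(vens, crowded_dz, target_dz, warn_at=0.8) -> dict:
    """Propose moving unconstrained VENs (largest first) out of crowded_dz into
    target_dz until crowded_dz is under its warning threshold, refusing any move
    that would push target_dz over its own limit. Moving the IE3400/C9200 nodes
    would only export the 1,000 ceiling, so they are never candidates."""
    working = [VEN(v.name, v.model, v.dz, v.online_devices) for v in vens]  # copy
    candidates = sorted((v for v in working
                         if v.dz == crowded_dz and v.model not in LOW_CAP_MODELS),
                        key=lambda v: v.online_devices, reverse=True)
    moves = []
    for v in candidates:
        rep = zone_report(working, warn_at)
        if crowded_dz not in rep or not rep[crowded_dz]["warn"]:
            break
        v.dz = target_dz
        tgt = zone_report(working, warn_at)[target_dz]
        if tgt["devices"] > tgt["limit"]:
            v.dz = crowded_dz          # would overflow the target; undo
            continue
        moves.append(v.name)
    return {"moves": moves, "after": zone_report(working, warn_at)}


def sample_inventory() -> list:
    # Constructed: DZ1 mixes IE3400 and C9300 nodes, DZ2 is C9300 only.
    return [
        VEN("ie-1", "IE3400", "DZ1", 120),
        VEN("ie-2", "IE3400", "DZ1", 90),
        VEN("c-1", "C9300", "DZ1", 400),
        VEN("c-2", "C9300", "DZ1", 350),
        VEN("c-3", "C9300", "DZ2", 1500),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    print("before:", zone_report(inv))
    print("plan:", plan_migration(inv, "DZ1", "DZ2"))
```

With the constructed inventory, DZ1 holds 960 devices against a 1,000 limit because of its IE3400s, while DZ2 sits at 1,500 of 9,000. Moving the largest C9300 (c-1) to DZ2 brings DZ1 down to 560 and leaves DZ2 comfortably inside its own ceiling, which is the migration Example 4 describes.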
Example 5 - Distribution Zones with Policy Sets
This example shows some of the flexibility offered by the decoupling of Distribution Zones from Policy Sets and Site Labels. A single Policy Set could be assigned to a single site using a single Distribution Zone; this is the recommended approach, because it ensures all of the required policies and tags are present on every enforcement point. However, if necessary, a single Policy Set could also be assigned to a single site using multiple distinct Distribution Zones. A single site could also have multiple different Policy Sets applied to different Virtual Edges assigned to different Distribution Zones. While these latter designs are not common, it is important to ensure that the appropriate Policy Set and Distribution Zone combination is applied, otherwise the system may not have the required policies or tags for a specific set of devices.
Deployment Steps
Step 1: To configure a Distribution Zone, in Cloud Control Center navigate to Settings > Distribution Zones. Click + Create Distribution Zone.
Step 2: In the slide out window, define one or multiple Distribution Zones and click Create.
Step 3: Apply the Distribution Zone to Virtual Edges or Virtual Edge Nodes by navigating to Virtual Edges or Virtual Edge Nodes and selecting the Edit option.
Step 4: Select the Distribution Zone drop-down list and choose the Distribution Zone. If assigning a DZ directly to a Virtual Edge Node, you may need to click the assign manually button first. Click Submit.