Distribution Zones

Introduction

In the domain of enterprise network security, the enforcement of least privilege access policies at the edge, closest to the asset, is paramount. This approach, when integrated with Elisity's identity-based policy implementation in a cloud-delivered model, presents a powerful solution for microsegmentation challenges. However, the effectiveness of this implementation can be constrained by hardware limitations, particularly in large-scale environments. Elisity's innovative solution to this challenge hints at the promising developments ahead for streamlined, large-scale identity-based microsegmentation.

What are Distribution Zones?

Distribution Zones represent a key innovation in Elisity’s approach to microsegmentation, a technique essential for modern enterprise network security. These zones are conceptualized as distinct sections within a network, each functioning as a dedicated sphere for identity tag distribution. The creation of Distribution Zones is a component of Elisity's response to the complexities and limitations encountered in large-scale network environments, particularly those challenges associated with traditional hardware-centric models. This feature enhances the scalability of endpoint identity and policy management in large environments with multi-vendor access and diverse switching hardware.


Key Concepts

  1. Independence from Policy Sets and Site Labels: Distribution Zones function independently from Policy Sets and Site Labels.
  2. Attachment to Virtual Edges: They are linked to Virtual Edges, with all nodes of a Virtual Edge belonging to the same Distribution Zone. A Virtual Edge can be reassigned at any time, and unassigning it from a Distribution Zone returns it to the Default Zone.
  3. Device Limits: Every Distribution Zone has the capacity to support up to 9,000 devices. However, if the zone incorporates a Cisco IE3400 or C9200, the maximum device support decreases to 1,000.
  4. Distribution Logic: Dynamic Policy Group IP-to-Tag mappings are distributed within the boundaries of the Distribution Zone. In contrast, Static/Network Policy Groups are distributed across all Distribution Zones.
  5. Policy Enforcement: Intra-Zone policies are enforced at the Access Layer, while Inter-Zone policies are currently handled at the Access Layer via Network Policy Groups or at a higher layer through integration with firewalls upstream. Future releases will enhance dynamic functionality and integration with other enforcement points.
  6. Versatility across Sites: A single Distribution Zone can span multiple sites, and a single site can contain multiple Distribution Zones.
  7. Policy Set Flexibility: Different Policy Sets can be applied to Virtual Edges within the same Distribution Zone.
  8. Default Zone: There exists a default Distribution Zone to which all Virtual Edges are assigned unless manually changed.

Importance of Distribution Zones

Distribution Zones address the scale challenge in large-scale policy enforcement without the need for hardware upgrades or vendor lock-in. This feature:

  • Enhances Scalability: By segmenting the network into manageable zones, it allows for efficient distribution of identity tags and policies.
  • Supports Diverse Environments: It seamlessly integrates into existing multi-vendor environments, ensuring compatibility and flexibility.
  • Simplifies Management: The modular approach simplifies the complexity traditionally associated with large-scale policy enforcement.

Interaction with Policy Sets

Understanding the Symbiotic Relationship

While Distribution Zones and Policy Sets operate independently, their interplay is crucial for the holistic functioning of microsegmentation in large networks. This relationship can be understood through the following aspects:

  1. Policy Distribution Efficiency: Distribution Zones primarily focus on the efficient distribution of identity tags, whereas Policy Sets manage the distribution of policies. The combination of both ensures that the right policies are applied to the right devices, based on their identity and location within the network.

  2. Configuration Implications: When configuring Virtual Edges and their associated Nodes, it's imperative to consider the Distribution Zone and the Policy Set simultaneously. A Virtual Edge within a Distribution Zone should have a corresponding Policy Set that aligns with the identities and policies relevant to that zone.

To learn more about Policy Sets, read the Policy Sets article.

Potential Configuration Scenarios

  1. Tag-Policy Alignment: If a tag present in an access switch (due to the Distribution Zone configuration) doesn't have a corresponding policy (because the Policy Set doesn't include it), the system might not enforce the expected policy for devices with that tag. This scenario underscores the need for careful planning when aligning tags and policies across Distribution Zones and Policy Sets.

  2. Policy Misclassification: Conversely, if a Policy Set assigned to a switch lacks certain Policy Group definitions, devices might be misclassified, leading to the application of incorrect policies. This could result in either overly restrictive access or unintended exposure, depending on the nature of the misclassification.

  3. Strategic Assignment: In some cases, different Policy Sets might be needed within the same Distribution Zone to cater to specific requirements of Virtual Edges. This flexibility allows for tailored policy enforcement that accounts for unique needs or constraints within various segments of the network.

Best Practices for Configuration

  • Comprehensive Mapping: Ensure a thorough mapping of tags to policies within each Distribution Zone and corresponding Policy Sets. This mapping should account for all possible device identities and their required access privileges.
  • Consistent Review and Update: Regularly review and update Distribution Zones and Policy Sets to reflect changes in network configuration, device roles, or policy requirements.
  • Testing and Validation: Before deploying changes on a large scale, test the configuration in a controlled environment to validate the correct implementation of policies as per the designated Distribution Zones and Policy Sets.
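The capacity rule in Key Concept 3 and the node migration in Example 4 are easy to check before touching production. The following is an added example, not Elisity code or an Elisity API: it models Virtual Edges, their nodes and their Distribution Zone, computes each zone's effective device limit from the switch models it contains (9,000, or 1,000 when an IE3400 or C9200 is present, as the article states), and shows the effect of moving nodes into another zone's Virtual Edge. Node names, switch models and device counts are constructed sample data.

```python
"""Distribution Zone capacity check and node migration.

Added example, not Elisity code: models Key Concept 3 (9,000 devices per
zone, 1,000 if the zone contains a Cisco IE3400 or C9200) and the node
migration described in Example 4.  Node names, models and device counts
below are constructed sample data.
"""
from dataclasses import dataclass, field

FULL_LIMIT = 9_000
REDUCED_LIMIT = 1_000
# Switch models whose presence in a zone lowers its device limit (per the article).
REDUCED_LIMIT_MODELS = {"IE3400", "C9200"}


@dataclass(frozen=True)
class Node:
    name: str
    model: str        # switch platform, e.g. "C9300" or "IE3400"
    devices: int      # endpoints currently learned on this node


@dataclass
class VirtualEdge:
    name: str
    zone: str         # Distribution Zone; every node of the edge shares it
    nodes: list = field(default_factory=list)


def effective_limit(nodes):
    """Device limit a zone gets, given the switch models it contains."""
    if any(n.model in REDUCED_LIMIT_MODELS for n in nodes):
        return REDUCED_LIMIT
    return FULL_LIMIT


def zone_report(edges):
    """Per-zone device count, effective limit and remaining headroom."""
    nodes_by_zone = {}
    for ve in edges:
        nodes_by_zone.setdefault(ve.zone, []).extend(ve.nodes)
    report = {}
    for zone, nodes in nodes_by_zone.items():
        used = sum(n.devices for n in nodes)
        limit = effective_limit(nodes)
        report[zone] = {"devices": used, "limit": limit, "headroom": limit - used}
    return report


def over_limit(edges):
    """Names of zones whose learned devices exceed the effective limit."""
    return sorted(z for z, r in zone_report(edges).items() if r["headroom"] < 0)


def migrate_nodes(edges, node_names, target_edge):
    """Move the named nodes onto target_edge (and so into its zone), as in
    Example 4 where C9300s leave a zone whose limit an IE3400 reduced."""
    target = next(ve for ve in edges if ve.name == target_edge)
    for ve in edges:
        if ve is target:
            continue
        moving = [n for n in ve.nodes if n.name in node_names]
        ve.nodes = [n for n in ve.nodes if n.name not in node_names]
        target.nodes.extend(moving)
    return edges


def build_sample():
    """Constructed site: DZ 1 mixes C9300 and IE3400 nodes, DZ 2 has headroom."""
    return [
        VirtualEdge("ve-bldg-a", "DZ 1", [
            Node("c9300-1", "C9300", 600),
            Node("c9300-2", "C9300", 500),
            Node("ie3400-1", "IE3400", 150),
        ]),
        VirtualEdge("ve-bldg-b", "DZ 2", [Node("c9300-3", "C9300", 300)]),
    ]


if __name__ == "__main__":
    edges = build_sample()
    print("before:", zone_report(edges), "over limit:", over_limit(edges))
    migrate_nodes(edges, {"c9300-1", "c9300-2"}, "ve-bldg-b")
    print("after: ", zone_report(edges), "over limit:", over_limit(edges))
```

In the sample, DZ 1 holds 1,250 devices against a limit the IE3400 has reduced to 1,000; moving the two C9300 nodes to the Virtual Edge in DZ 2 leaves DZ 1 at 150 devices and DZ 2 at 1,400 against its full 9,000 limit. Running this over the device counts read from Cloud Control Center before a change is the kind of validation the Testing and Validation practice above calls for.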

Distribution Zone Examples

Example 1 - Single Distribution Zone

In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes at a single site. All IP-to-Tag mappings for endpoints are distributed within the Distribution Zone, and policy enforcement between assets happens at the access layer. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.


Example 2 - Single Distribution Zone Across Multiple Sites

In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes across multiple sites. All IP-to-Tag mappings for endpoints are distributed within the Distribution Zone, and policy enforcement between assets happens at the access layer, even between sites. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.


Example 3 - Multiple Distribution Zones Across Single Site

In this scenario, a single site is broken up into multiple Distribution Zones, possibly because the site is so large that it exceeds the 9,000 device limit for a single Zone. It could also be broken up based on site architecture, business unit separation, or a multitude of other technical and business reasons. IP-to-Tag mappings for endpoints within a Distribution Zone are only distributed within that Zone. Policy enforcement within a Distribution Zone happens at the access layer, and policy enforcement between Distribution Zones is handled via Network Policy Groups, integration with upstream firewalls, or other security elements. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally, even if a policy is not relevant to assets within a particular Distribution Zone. Example 5 provides details on how to leverage Distribution Zones and Policy Sets together to get the most efficient outcome.


Example 4 - Multiple Distribution Zones Across Single Site with IE3400

This example is similar to the prior one but shows that you can easily migrate Virtual Edges or Virtual Edge Nodes between Distribution Zones if a device limit has been reached. For example, DZ: 1 is assigned to a Virtual Edge that has onboarded a mix of C9300 and IE3400 Virtual Edge Nodes. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. If DZ: 1 is approaching the scale limit, some of the C9300s can be migrated to another Distribution Zone, DZ: 2.


Example 5 - Distribution Zones with Policy Sets

This example shows some of the flexibility offered by the decoupling of Distribution Zones from Policy Sets and Site Labels. A single Policy Set could be assigned to a single site leveraging a single Distribution Zone; this is the recommended approach to ensure all of the required policies and tags are present. However, if necessary, a single Policy Set could also be assigned to a single site leveraging multiple distinct Distribution Zones. A single site could also have multiple different Policy Sets applied to different Virtual Edges assigned to different Distribution Zones. While these latter designs are not common, it is important to ensure that the appropriate Policy Set and Distribution Zone match is applied; otherwise the system may not have the required policies or tags for a specific set of devices.
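The distribution rules behind Examples 3 and 5 (and Key Concept 4 and Configuration Scenario 1 above) can be stated as a small model and checked mechanically. The following is an added example, not Elisity code or an Elisity API: dynamic IP-to-Tag mappings are delivered only to Virtual Edges in the same Distribution Zone, Static/Network Policy Groups go to every zone, and policies go to every Virtual Edge unless a Policy Set narrows them. The Policy Set semantics (a set lists the Policy Groups it carries, and a policy is distributed only when both of its groups are listed) are an assumption made for the example, as are the site layout, addresses, tags and policies, which are constructed sample data.

```python
"""Distribution scope and tag/policy alignment check.

Added example, not Elisity code.  Models Key Concept 4 (dynamic
IP-to-Tag mappings stay inside their Distribution Zone, Static/Network
Policy Groups go everywhere), Examples 3 and 5 (policies reach every
Virtual Edge unless a Policy Set narrows them) and Configuration
Scenario 1 (a tag on a switch with no matching policy).  The Policy Set
semantics, names, addresses, tags and policies below are constructed
assumptions for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VirtualEdge:
    name: str
    zone: str
    policy_set: Optional[str]   # None: no Policy Set, policies distributed globally


@dataclass(frozen=True)
class Endpoint:
    ip: str
    tag: str      # Dynamic Policy Group the endpoint was classified into
    zone: str     # Distribution Zone of the Virtual Edge that learned it


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    action: str


# --- constructed sample site: two Distribution Zones, one Policy Set ---
EDGES = [
    VirtualEdge("ve-floor-1", "DZ 1", "PS-OT"),
    VirtualEdge("ve-floor-2", "DZ 2", None),
]
ENDPOINTS = [
    Endpoint("10.1.1.10", "PLC", "DZ 1"),
    Endpoint("10.1.1.11", "HMI", "DZ 1"),
    Endpoint("10.1.1.12", "Badge-Reader", "DZ 1"),
    Endpoint("10.2.1.10", "Camera", "DZ 2"),
    Endpoint("10.2.1.11", "NVR", "DZ 2"),
]
# Static/Network Policy Groups: name -> prefixes, distributed to every zone.
NETWORK_GROUPS = {"Corp-DNS": ["10.0.0.53/32"]}
POLICIES = [
    Policy("HMI", "PLC", "allow"),
    Policy("PLC", "Corp-DNS", "allow"),
    Policy("Camera", "NVR", "allow"),
    Policy("Badge-Reader", "Corp-DNS", "allow"),
]
# Assumed Policy Set semantics: a Policy Set lists the Policy Groups it
# carries; a policy is distributed only if both of its groups are listed.
POLICY_SETS = {"PS-OT": {"PLC", "HMI", "Corp-DNS"}}


def edge(name):
    return next(ve for ve in EDGES if ve.name == name)


def tags_on_edge(name):
    """Tags whose IP-to-Tag mappings this Virtual Edge receives."""
    ve = edge(name)
    dynamic = {e.tag for e in ENDPOINTS if e.zone == ve.zone}   # zone-scoped
    return dynamic | set(NETWORK_GROUPS)                         # static: global


def policies_on_edge(name):
    """Policies this Virtual Edge receives (all of them without a Policy Set)."""
    ve = edge(name)
    if ve.policy_set is None:
        return list(POLICIES)
    groups = POLICY_SETS[ve.policy_set]
    return [p for p in POLICIES if p.src in groups and p.dst in groups]


def alignment_gaps(name):
    """Scenario 1: tags present on the switch that no delivered policy
    references, so endpoints carrying them get no expected policy."""
    referenced = set()
    for p in policies_on_edge(name):
        referenced.update((p.src, p.dst))
    return tags_on_edge(name) - referenced


def irrelevant_policies(name):
    """Policies delivered to the switch that reference no tag present in its
    zone (Example 3: global distribution when no Policy Set is applied)."""
    present = tags_on_edge(name)
    return [p for p in policies_on_edge(name)
            if p.src not in present and p.dst not in present]


if __name__ == "__main__":
    for ve in EDGES:
        print(ve.name, "tags:", sorted(tags_on_edge(ve.name)))
        print("  alignment gaps:", sorted(alignment_gaps(ve.name)))
        print("  irrelevant policies delivered:", len(irrelevant_policies(ve.name)))
```

In the sample, ve-floor-1 receives the Badge-Reader tag from its zone but its Policy Set PS-OT carries no Badge-Reader policy, which is exactly the Scenario 1 gap; ve-floor-2 has no Policy Set, so it receives every policy, including the HMI-to-PLC rule that matches nothing in DZ 2. Feeding the real zone, tag and Policy Set inventory into checks like these is one way to perform the Comprehensive Mapping review described above.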


Deployment Steps

Step 1: To configure a Distribution Zone, in Cloud Control Center navigate to Settings > Distribution Zones. Click + Create Distribution Zone.


Step 2: In the slide out window, define one or multiple Distribution Zones and click Create.


Step 3: Apply the Distribution Zone to Virtual Edges by navigating to Virtual Edges and selecting Edit/Download Virtual Edge Configuration.


Step 4: Open the Distribution Zone drop-down list and choose the Distribution Zone. Click Submit.
