Introduction
Enforcing least privilege access policies at the edge, closest to the asset, is crucial in enterprise network security. Elisity's identity-based policy implementation provides a robust solution for microsegmentation that leverages existing switching infrastructure as Policy Enforcement fabric. This approach vastly simplifies network segmentation. However, in large scale environments, switching hardware can become a limiting factor when it comes to storing policy data for large numbers of devices. Elisity’s Distribution Zones (DZ) effectively address this challenge. By logically segmenting the network into distinct zones, DZ allows for scalable, efficient, and secure identity-based microsegmentation. This innovation ensures optimized performance and security, even in the most demanding enterprise environments.
Key Concepts
- Independence from Policy Sets and Site Labels : Distribution Zones function independently from Policy Sets and Site Labels.
- Assignment to Virtual Edges AND Virtual Edge Nodes: Distribution Zones can be assigned at the Virtual Edge level, with the attached Virtual Edge Nodes inheriting the DZ assignment of the Virtual Edge, or assigned directly to each Virtual Edge Node.
- Device Count Limits: Each DZ has a device count limit imposed by the hardware limitations of the switches (VENs) onboarded into that DZ. For example, a DZ with Cisco C has the capacity to support up to 9,000 devices. However, if the zone incorporates a Cisco IE3400 or C9200, the maximum device support decreases to 1,000. For information on how many Device-PG mappings Cisco hardware supports, see this document. You can easily track when Distribution Zones are approaching their limits by viewing Device Counts in the Distribution Zone tab in Virtual Edge Settings.
- Distribution Logic: Dynamic Policy Group IP-to-Tag mappings are distributed within the boundaries of the Distribution Zone. In contrast, Static/Network Policy Groups are distributed across all Distribution Zones.
- Policy Enforcement: Intra-Zone policies are enforced at the Access Layer, while policies between devices in different zones are enforced at the aggregation layer or higher leveraging Global DZs.
- Versatility Across Sites: A single Distribution Zone can span multiple sites, and a single site can contain multiple Distribution Zones.
- Policy Set Flexibility: Different Policy Sets can be applied to Virtual Edges within the same Distribution Zone.
- Default Zone: There exists a default Distribution Zone to which all Virtual Edges are assigned unless manually changed.
- Global Zone: Administrators can assign certain Virtual Edges or VE Nodes to the Global Distribution Zone, which distributes ALL known IP-Group mappings to the VEs and Nodes that are assigned.
Importance of Distribution Zones
Distribution Zones address the scale challenge in large-scale policy enforcement without the need for hardware upgrades or vendor lock-in. This feature:
- Enhances Scalability: By segmenting the network into manageable zones, it allows for efficient distribution of identity tags and policies. Easily view and manage device counts within each Distribution Zone in the DZ tab within Virtual Edge Settings.
- Supports Diverse Environments: It seamlessly integrates into existing multi-vendor environments, ensuring compatibility and flexibility.
- Simplifies Management: The modular approach simplifies the complexity traditionally associated with large-scale policy enforcement.
Global Distribution Zone
Interaction with Policy Sets
Understanding the Symbiotic Relationship
While Distribution Zones and Policy Sets operate independently, their interplay is crucial for the holistic functioning of microsegmentation in large networks. This relationship can be understood through the following aspects:
- Policy Distribution Efficiency: Distribution Zones primarily focus on the efficient distribution of identity tags, whereas Policy Sets manage the distribution of policies. The combination of both ensures that the right policies are applied to the right devices, based on their identity and location within the network.
- Configuration Implications: When configuring Virtual Edges and their associated Nodes, it's imperative to consider the Distribution Zone and the Policy Set simultaneously. A Virtual Edge or VEN within a Distribution Zone should have a corresponding Policy Set that aligns with the identities and policies relevant to that zone.
To learn more about Policy Sets, read the Policy Sets article.
Potential Scenarios for Distribution Zone and Policy Set Configurations
- Tag-Policy Alignment: If a tag present in an access switch (due to the Distribution Zone configuration) doesn't have a corresponding policy (because the Policy Set doesn't include it), the system might not enforce the expected policy for devices with that tag. This scenario underscores the need for careful planning when aligning tags and policies across Distribution Zones and Policy Sets.
- Policy Misclassification: Conversely, if a Policy Set assigned to a switch lacks certain Policy Group definitions, devices might be misclassified, leading to the application of incorrect policies. This could result in either overly restrictive access or unintended exposure, depending on the nature of the misclassification.
- Strategic Assignment: In some cases, different Policy Sets might be needed within the same Distribution Zone to cater to specific requirements of Virtual Edges. This flexibility allows for tailored policy enforcement that accounts for unique needs or constraints within various segments of the network.
Best Practices for Configuration
- Comprehensive Mapping: Ensure a thorough mapping of tags to policies within each Distribution Zone and corresponding Policy Sets. This mapping should account for all possible device identities and their required access privileges.
- Consistent Review and Update: Regularly review and update Distribution Zones and Policy Sets to reflect changes in network configuration, device roles, or policy requirements.
- Testing and Validation: Before deploying changes on a large scale, test the configuration in a controlled environment to validate the correct implementation of policies as per the designated Distribution Zones and Policy Sets.
Distribution Zone Examples
Example 1 - Single Distribution Zone
In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes at a single site. All IP to TAG mappings for endpoints are distributed within the Distribution Zone, and policy enforcement between assets happens at the access layer. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.
Example 2 - Single Distribution Zone Across Multiple Sites
In this scenario, a single Distribution Zone is applied to all Virtual Edges and associated Virtual Edge Nodes across multiple sites. All IP to TAG mappings for endpoints are distributed within the Distribution Zone, and policy enforcement between assets happens at the access layer, even between sites. The Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally.
Example 3 - Multiple Distribution Zones Across Single Site
In this scenario, a single site is broken up into multiple Distribution Zones, possibly because the site is so large that it exceeds the 9,000 device limit for a single Zone. It could also be broken up based on site architecture, business unit separation, or a multitude of other technical and business reasons. IP to TAG mappings for endpoints within a Distribution Zone are only distributed within that Zone. Policy enforcement within a Distribution Zone happens at the access layer, and policy enforcement between Distribution Zones is handled via Network Policy Groups, integration with upstream firewalls, or other security elements. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. Since no Policy Set is applied to any of the Virtual Edges, policies are distributed globally, even if a policy is not relevant to assets within a particular Distribution Zone. Example 5 provides details on how to leverage Distribution Zones and Policy Sets together to get the most efficient outcome.
Example 4 - Multiple Distribution Zones Across Single Site with IE3400
This example is similar to the one prior but shows that you can easily migrate Virtual Edges or Virtual Edge Nodes between Distribution Zones if a device limit has been reached. For example, DZ: 1 is assigned to a Virtual Edge that has onboarded a mix of C9300 and IE3400 Virtual Edge Nodes. Each Distribution Zone can support a maximum of 9,000 devices unless it includes a Cisco IE3400, in which case the limit for that particular zone drops to 1,000 devices. If DZ: 1 is approaching the scale limit, some of the C9300s can be migrated to another Distribution Zone, DZ: 2. You can track when Distribution Zones might be reaching scale limitations in the Distribution Zone tab within Virtual Edge Settings.
Example 5 - Distribution Zones with Policy Sets
This example shows some of the flexibility offered by the decoupling of Distribution Zones from Policy Sets and Site Labels. A single Policy Set could be assigned to a single site leveraging a single Distribution Zone; this is the recommended approach to ensure all of the required policies and tags are present. However, if necessary, a single Policy Set could also be assigned to a single site leveraging multiple distinct Distribution Zones. A single site could also have multiple different Policy Sets applied to different Virtual Edges assigned to different Distribution Zones. While these latter designs are not common, it is important to ensure that the appropriate Policy Set and Distribution Zone pairing is applied; otherwise the system may not have the required policies or tags for a specific set of devices.
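The following is an added Python model of the rules stated in Key Concepts and in Examples 3 and 4 above; it is not Elisity's code, and the node and mapping names, the 80% review threshold and the sample inventory are constructed for illustration. It computes a zone's device limit (9,000, or 1,000 once an IE3400 or C9200 is a member), flags zones approaching that limit as migration candidates, and derives which IP-to-tag mappings a given Virtual Edge Node receives (dynamic mappings only from its own zone, static/network mappings from everywhere, and everything for Global zone members).

```python
from dataclasses import dataclass

# Hypothetical model of this page's rules; names and the sample inventory are constructed.
GLOBAL_DZ = "Global"                       # Global zone: receives every known mapping
DEFAULT_LIMIT = 9000                       # per-zone device limit (e.g. an all-C9300 zone)
REDUCED_LIMIT = 1000                       # limit once an IE3400 or C9200 joins the zone
REDUCED_LIMIT_MODELS = {"IE3400", "C9200"}

@dataclass
class Node:            # a Virtual Edge Node (onboarded switch)
    name: str
    model: str
    dz: str            # inherited from its Virtual Edge or assigned directly
    device_count: int  # endpoints learned behind this switch

@dataclass
class Mapping:         # one Policy Group IP-to-tag mapping
    ip: str
    tag: str
    dz: str            # zone in which the endpoint was learned
    dynamic: bool      # True = dynamic PG (zone-scoped), False = static/network PG (global)

def zone_limit(nodes, dz):
    """Zone capacity: 1,000 if any member is a reduced-limit model, else 9,000."""
    models = {n.model for n in nodes if n.dz == dz}
    return REDUCED_LIMIT if models & REDUCED_LIMIT_MODELS else DEFAULT_LIMIT

def zone_usage(nodes, dz):
    """Devices currently counted against the zone's limit."""
    return sum(n.device_count for n in nodes if n.dz == dz)

def zones_near_limit(nodes, threshold=0.8):
    """Zones at or above the threshold of their limit: candidates for migrating nodes out (Example 4)."""
    zones = {n.dz for n in nodes if n.dz != GLOBAL_DZ}
    return sorted(dz for dz in zones if zone_usage(nodes, dz) >= threshold * zone_limit(nodes, dz))

def mappings_for(node, mappings):
    """Mappings pushed to a node's switch under the distribution logic above."""
    if node.dz == GLOBAL_DZ:
        return list(mappings)
    return [m for m in mappings if not m.dynamic or m.dz == node.dz]

# Constructed sample inventory: DZ1 mixes C9300 and IE3400 nodes, as in Example 4.
NODES = [Node("ve1-sw1", "C9300", "DZ1", 600), Node("ve1-sw2", "IE3400", "DZ1", 250),
         Node("ve2-sw1", "C9300", "DZ2", 1200), Node("agg-1", "C9300", GLOBAL_DZ, 0)]
MAPPINGS = [Mapping("10.1.1.10", "Cameras", "DZ1", dynamic=True),
            Mapping("10.2.1.10", "Workstations", "DZ2", dynamic=True),
            Mapping("10.9.0.0/16", "Corp-Network", "DZ1", dynamic=False)]
```

With this inventory DZ1 holds 850 devices against a 1,000 limit because of the IE3400, so it is flagged, while DZ2 is far from its 9,000 limit; moving the C9300 out of DZ1 would restore the higher limit for the remaining nodes only if no reduced-limit model stayed behind.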
Deployment Steps
Step 1: To configure a Distribution Zone, in Cloud Control Center navigate to Settings > Distribution Zones. Click + Create Distribution Zone.
Step 2: In the slide out window, define one or multiple Distribution Zones and click Create.
Step 3: Apply the Distribution Zone to Virtual Edges by navigating to Virtual Edges and selecting Edit/Download Virtual Edge Configuration.
Step 4: Open the Distribution Zone drop-down list and choose the Distribution Zone. Click Submit.