New Feature: Security Service Insertion in Cisco SD-Access
Cisco is introducing a powerful new capability in Catalyst Center 3.x that brings identity-based traffic steering directly into SDA fabrics. And as part of an Early Field Trial, I’ve been able to test it in our lab, including the policies shown in the screenshot below.
What does it do?
Security Service Insertion lets you steer traffic based on identity. For example, when Identity X communicates with Identity Y (within the same VRF), Catalyst Center and Cisco ISE can configure the switches to send that traffic through a Next-Generation Firewall for SSL decryption, IPS/IDS, or any other advanced inspection. It’s like Policy-Based Routing, but identity-driven, automated through SDA, and deeply integrated with ISE and IOS-XE.
Hands-on experience
I’ve deployed the feature in our lab, and it’s looking extremely promising. Cisco has added new IOS-XE capabilities to support it, and so far I can see that:
- Catalyst Center pushes the intent to ISE.
- ISE distributes traffic-steering policies to the switches.
- The fabric enforces identity-based flows cleanly and consistently.
This is a major step toward true zero-trust, identity-centric networking. I’m planning a full deep-dive article soon, including architecture, packet flow, and lessons learned. Keep an eye out on our knowledge base!