Skip to content

SGT Policy Matrix

AI-Assisted Documentation


Source SGT Source Name Destination SGT Destination Name Policy Action Protocol Ports Logging Priority Use Case Enforcement Point Notes
5 Network-Admin ANY ANY PERMIT ANY ANY YES Critical Admin full access Edge + Border Admins can access everything
10 Employee-Full 70 Servers PERMIT TCP 80,443,445,3389,22 YES Normal Business apps access Border Corporate users to internal servers
10 Employee-Full 60 Printers PERMIT TCP 9100,631 NO Normal Print services Edge Direct printing
10 Employee-Full 20 Voice DENY ANY ANY YES Normal Prevent voice tampering Edge Users cannot access voice infra
10 Employee-Full 100 Internet PERMIT TCP 80,443 NO Normal Web browsing Border + FW Via firewall inspection
10 Employee-Full 10 Employee-Full PERMIT ANY ANY NO Normal Peer-to-peer Edge File sharing between employees
10 Employee-Full 40 Guest DENY ANY ANY YES Normal Isolation Border Employees cannot access guest network
20 Voice 20 Voice PERMIT UDP 5060-5061,16384-32767 NO Critical VoIP signaling + RTP Edge Phone to phone / call manager
20 Voice 70 Servers PERMIT TCP 5060,8443 YES Normal Phone registration Border Phones to call manager
20 Voice 100 Internet DENY ANY ANY YES Critical Security Border Phones should not reach Internet
20 Voice 10 Employee-Full PERMIT UDP 16384-32767 NO Normal Voice to PC (softphone) Edge Allow IP phones to talk to PCs
30 IoT-Camera 30 IoT-Camera PERMIT ANY ANY NO Normal Camera-to-NVR Edge Surveillance system internal
30 IoT-Camera 70 Servers DENY ANY ANY YES High Prevent lateral movement Border Cameras isolated from servers
30 IoT-Camera 100 Internet PERMIT TCP 443 YES Normal Cloud upload (restricted) Border + FW Only HTTPS to specific cloud NVR
30 IoT-Camera 10 Employee-Full DENY ANY ANY YES Normal Isolation Border Cameras cannot initiate to users
40 Guest 100 Internet PERMIT TCP 80,443 YES Normal Guest web access Border + FW Captive portal + URL filtering
40 Guest 10 Employee-Full DENY ANY ANY YES High Isolation Border Guests isolated from corporate
40 Guest 70 Servers DENY ANY ANY YES Critical Security Border No server access for guests
40 Guest 60 Printers PERMIT TCP 9100,631 YES Normal Guest printing Border Limited print access
40 Guest 40 Guest PERMIT ANY ANY NO Normal Guest-to-guest Edge Allow collaboration
50 IoT-Sensor 70 Servers DENY ANY ANY YES Critical Security isolation Border Compromised IoT cannot reach servers
50 IoT-Sensor 50 IoT-Sensor PERMIT ANY ANY NO Normal Sensor-to-gateway Edge IoT mesh network
50 IoT-Sensor 100 Internet PERMIT TCP 443 YES Normal Cloud telemetry Border + FW HTTPS only to approved clouds
50 IoT-Sensor 10 Employee-Full DENY ANY ANY YES High Isolation Border IoT cannot initiate to users
60 Printers 10 Employee-Full PERMIT TCP 9100 NO Normal Print response Edge Allow printer to respond to users
60 Printers 70 Servers PERMIT TCP 443 YES Normal Print server connection Border Managed printing
60 Printers 100 Internet DENY ANY ANY YES High Security Border Printers should not reach Internet
60 Printers 60 Printers PERMIT TCP 9100 NO Normal Printer-to-printer Edge Print queue redistribution
70 Servers 10 Employee-Full PERMIT TCP 80,443,445 NO Normal Server response to users Border Stateful return traffic
70 Servers 70 Servers PERMIT ANY ANY YES Normal Server-to-server Edge DB replication / app tier
70 Servers 100 Internet PERMIT TCP 80,443 YES Normal OS updates / cloud sync Border + FW Via proxy for security
70 Servers 30 IoT-Camera DENY ANY ANY YES High Prevent compromise Border Servers should not initiate to IoT
80 Contractor 10 Employee-Full DENY ANY ANY YES Normal Isolation Border Contractors separated from employees
80 Contractor 70 Servers PERMIT TCP 80,443 YES Normal Limited app access Border Only specific web apps
80 Contractor 100 Internet PERMIT TCP 80,443 YES Normal Contractor web access Border + FW Via firewall
80 Contractor 60 Printers PERMIT TCP 9100 NO Normal Print services Edge Basic printing
90 Quarantine ANY ANY DENY ANY ANY YES Critical Security Border Isolated for remediation
99 Network-Device 99 Network-Device PERMIT ANY ANY NO Critical Infrastructure N/A Switch-to-switch / DNAC
100 Internet 10 Employee-Full PERMIT TCP 80,443 NO Normal Return traffic FW + Border Stateful firewall allows return
100 Internet 70 Servers PERMIT TCP 80,443 YES Normal Inbound to web servers FW + Border Published services (DMZ)
100 Internet 40 Guest PERMIT TCP 80,443 NO Normal Guest return traffic FW + Border Stateful return
POLICY SUMMARY
Total SGTs Defined 15 Network segmentation
Default Policy Implicit DENY Zero-trust model
Logging Enabled High + Critical SIEM integration
Enforcement Points Edge (inline tagging) Border (inter-VN) Firewall (external)
SGT Propagation Inline (CMD header) Preserves SGT through VXLAN
Policy Database ISE Policy Server Centralized in ISE
Dynamic Updates Via pxGrid Real-time policy changes

This data table was converted from CSV format for better readability.