Methods and devices are provided for implementing security groups in an
enterprise network. The security groups include first network nodes that
are subject to rules governing communications between the first network
nodes and second network nodes. An indicator, referred to as a security
group tag (SGT), identifies members of a security group. In some
embodiments, the SGT is provided in a field of a data packet reserved for
layer 3 information or a field reserved for higher layers. However, in
other embodiments, the SGT is provided in a field reserved for layer 1 or
layer 2. In some embodiments, the SGT is not provided in a field used by
interswitch links or other network fabric devices for the purpose of
making forwarding decisions.