As a network administrator, you know the value of policies. When your network was small, it was easy for you to manually handle its day-to-day operations. But as it has grown over the years, you have found that such ad-hoc control is not possible. You now need controls to be more intelligent, secure, and automated – in other words, you need a policy-driven network.

While there are many policies that may govern the functioning of your network – for QoS, traffic routing, or service insertion, it is access policies that form the basis for segmentation, and thus for business security. It is important to define the right access policies to block unauthorized access but not interfere in normal functioning of your organization. In this post we shall describe how Cisco DNA Center helps you write the right access policies.

Security through segmentation

Network segmentation is a well understood and recognized way to secure an organization’s assets. With proper segmentation, you can control the privileges of every user, endpoint, and IoT device for running applications and connecting to resources in the network. Segmentation builds zones of trust that minimize malware propagation. The more granular your segmentation, the more precisely the network can enforce these privileges and prevent misuse.

When we set about defining such policies, we run into challenges. First, we may not have enough knowledge about who or what is on our network, without which we can’t even think of security. Second, we may not know how they are using the network, i.e., what the traffic flows are. Without that insight we don’t know what traffic to permit and what to deny. Third, we may not have a simple way to enforce the policies to achieve desired segmentation.

New enhancements in Cisco DNA Center address all three challenges, making it simple to define, author, and enforce effective policies.

Identify, visualize, and secure

So how do you define and enforce the right access policies? With Cisco DNA Center you can do it in three easy steps.

Step 1 – Identify and group with AI endpoint analytics

You can’t be secure until you know who and what is on your network. AI endpoint analytics, an application in Cisco DNA Center, extracts information by performing deep packet inspection (DPI) on traffic to and from the endpoint. It aggregates this information with data it gathers from other sources, such as ISE probes, asset information from ServiceNow, and third-party systems, to build a complete profile of each endpoint. Profile labels are assigned to endpoints based on endpoint type, OS type, hardware model, and manufacturer. This characterizes the endpoints so that security policies can be applied based on endpoint attributes. Profiled endpoints can also be given a trust assessment score that indicates how trustworthy they are. The trustworthiness of an endpoint is determined by factors including, but not limited to, detected anomalies, vulnerabilities, and compliance state.

Once these endpoints are profiled, machine learning plays a crucial role in reducing the net unknown endpoints in the network. AI/ML algorithms group unknown endpoints that share a common set of attributes, for admins to label them. Labels learned from one customer become part of a common knowledgebase that helps other customers profile similar unknown endpoints more accurately, further improving the quality of groupings.

Step 2 – Discover and visualize with group-based policy analytics

Once we have identified and grouped endpoints, we need to know how these endpoints interact with each other and with data and applications throughout the network. That way we can record their normal behavior and investigate suspicious activities. For example, you would expect a surveillance camera to send its video to a recorder, but would it really need to interact with your customer database? Deep insight into endpoint behavior is essential to spot and stop such potential breaches of security.

Group-based policy analytics, another feature in Cisco DNA Center, works independently of endpoint identification: it analyzes traffic flows between endpoint groups and presents them graphically. From the analysis you can get granular details such as source and destination, service, protocol, and port numbers.

These traffic insights form the basis of access policies. Armed with the information we need, we can begin to define policies to either permit, deny, or more granularly decide what interaction should be permitted and what should be denied.

Step 3 – Define and enforce with group-based access control

Once we have figured out the right policies, we need to get them into the network so the network can begin to enforce them. Deploying many firewalls to permit or deny traffic flows is not feasible, and neither is manual configuration of each network device for each endpoint.

This is where we use group-based access control, another feature built into Cisco DNA Center. This feature presents an easy-to-use matrix with endpoint groups as sources and destinations on its X and Y axes, and with each cell of the matrix representing the policy, down to the service, transport, and port levels, that governs communication between them. Such a matrix makes defining granular interaction policies between groups simple, and the whole process scalable.

Once written, group-based access control sends these policies to Cisco Identity Services Engine (ISE) which functions as the security policy engine for the solution. ISE dynamically programs the network infrastructure – switches, routers, wireless access points and LAN controllers, so they can enforce these policies. All packets from and to endpoints are now appropriately tagged, placing the endpoints into the right network segment.
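The following Python script is an added illustration of the workflow in Steps 2 and 3, not code from Cisco DNA Center and not a Cisco API. It assumes a constructed set of flow records already summarized per endpoint group (as group-based policy analytics would produce), aggregates them into per-cell service sets, proposes an allow-list from repeated flows (a threshold heuristic assumed here for illustration), builds a default-deny source/destination policy matrix, and reports which observed flows the matrix would block so an administrator can review them before enforcement. The group names, ports, and the `min_hits` threshold are all constructed sample values.

```python
"""Added illustration of group-based policy analytics and a group-based
access control matrix. Not Cisco DNA Center code; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    src_group: str
    dst_group: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port


# Constructed sample flows between already-profiled endpoint groups.
OBSERVED_FLOWS = [
    Flow("cameras", "video_recorders", "tcp", 554),    # RTSP control to recorder
    Flow("cameras", "video_recorders", "tcp", 554),
    Flow("cameras", "video_recorders", "udp", 5004),   # RTP media to recorder
    Flow("workstations", "customer_db", "tcp", 5432),  # expected application access
    Flow("workstations", "customer_db", "tcp", 5432),
    Flow("cameras", "customer_db", "tcp", 5432),       # unexpected: camera reaching the DB
]

GROUPS = ["cameras", "video_recorders", "workstations", "customer_db"]


def aggregate_flows(flows):
    """Collapse flows into {(src, dst): {(proto, port): hit_count}}, the
    granular source/destination/service/port view analytics provides."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in flows:
        summary[(f.src_group, f.dst_group)][(f.proto, f.port)] += 1
    return {cell: dict(services) for cell, services in summary.items()}


def propose_permitted(summary, min_hits=2):
    """Heuristic (assumed for this example): propose only services seen at
    least `min_hits` times. Rare flows are left out for human review rather
    than being allow-listed automatically."""
    proposed = {}
    for cell, services in summary.items():
        keep = {svc for svc, hits in services.items() if hits >= min_hits}
        if keep:
            proposed[cell] = keep
    return proposed


def build_policy_matrix(groups, permitted):
    """Source x destination matrix. Every cell is deny by default; a cell
    holds the frozenset of (proto, port) services that are permitted."""
    return {(src, dst): frozenset(permitted.get((src, dst), ()))
            for src in groups for dst in groups}


def decide(matrix, flow):
    """Return 'permit' or 'deny' for one flow against the matrix."""
    allowed = matrix.get((flow.src_group, flow.dst_group), frozenset())
    return "permit" if (flow.proto, flow.port) in allowed else "deny"


def unexpected_flows(matrix, flows):
    """Observed flows the matrix would block: review these before pushing
    the policy for enforcement, since they are either policy gaps or misuse."""
    return sorted({f for f in flows if decide(matrix, f) == "deny"})


if __name__ == "__main__":
    summary = aggregate_flows(OBSERVED_FLOWS)
    permitted = propose_permitted(summary)
    # The admin reviews the proposal and adds the RTP media stream by hand.
    permitted.setdefault(("cameras", "video_recorders"), set()).add(("udp", 5004))
    matrix = build_policy_matrix(GROUPS, permitted)
    for src in GROUPS:
        row = ["permit" if matrix[(src, dst)] else "deny" for dst in GROUPS]
        print(f"{src:16} " + " ".join(f"{c:7}" for c in row))
    for f in unexpected_flows(matrix, OBSERVED_FLOWS):
        print("review:", f)
```

Running the script prints the matrix with every cell denied except cameras to video recorders and workstations to the customer database, and flags the single camera-to-database flow for review. The threshold is deliberately conservative: traffic that was observed is not automatically trusted, which is what keeps a compromised endpoint's probing out of the allow-list.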

Watch this video on how these three innovations come together to make segmenting your network easier than ever:

With proper segmentation, network traffic can be better controlled. Not only does it reduce the risk of unauthorized access to sensitive data, it also restricts lateral movement of threats among endpoints and helps with regulatory compliance.

Segmentation is a key pillar of Cisco’s zero trust security solution. Cisco Software-Defined Access (SD-Access), a Cisco DNA solution, provides policy-based segmentation for zero trust security in the workplace.

Useful resources

It’s easy to get started. Group-based policy features in Cisco DNA are available under the Cisco DNA Advantage and ISE licenses or with a single Cisco DNA Premier bundle.

We have much more information in the following links:
