02-03-2021 10:53 AM
Hi guys,
We are about to embark on a network access control and segmentation project.
What I'm looking for is some best practices around network segmentation: what does a good policy look like that is realistic? We don't want to go over the top with it and cause complexity.
What are the big wins? How are you segmenting your network to limit the impact of threats moving laterally on the LAN?
Many thanks,
Carl
02-03-2021 12:44 PM
I am working with DNAC and SGT (Scalable Group Tag) with ISE.
Some good documents from my collection to understand segmentation:
https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424
02-03-2021 09:30 PM
You're on the right track: keep it simple and build a solid foundation, don't try to do it all at once, but keep the end state in mind. Understand that you can change the design as you gain visibility prior to implementing enforcement policies, but it gets increasingly harder once something is in place. So start off with a focus on getting monitor mode deployed; it's the first big win. Just having the visibility of what's plugged in to the network and where is a huge step forward for most companies.
Break it down into some manageable tasks, and follow a framework methodology such as Cisco's PPDIOO. Some highlights and things that have helped me over the years.
As far as what a good policy is? The least complicated one that meets the goals. It's hard for someone on the outside to tell you what your policy should look like, no environment is the same, but the fact that you're asking these questions now means you are already ahead of the curve.