NOTE: This function has been in early trials with Cisco DNA Center version 2.1.1
General availability is with Cisco DNA Center version 2.1.2
Group-Based Policy Analytics is an application on Cisco DNA Center which helps administrators visualize group to group interactions, and discover ports and protocols being used between groups. These ports and protocols can subsequently be used within the Group-Based Access Control functions of Cisco DNA Center to enforce traffic as appropriate.
The 'Define' section below covers the challenges customers face today and the solution provided by Group-Based Policy Analytics. Also covered are the delivery phases and components of the solution.
This guide is intended to provide technical guidance for deploying Group-Based Policy Analytics. The guide covers design topics, deployment best practices and how to get the most out of the technology operation.
As highlighted in figure 1 above, there are four major sections in this document. The initial 'Define' section presents a high-level overview of the challenges customers face today and the solution that Group-Based Policy Analytics provides. Next, the 'Design' section shows how to design the environment ready for deploying Group-Based Policy Analytics. Third, the 'Deploy' section provides configuration and best-practice guidance for key components such as Cisco Identity Services Engine (ISE), Cisco DNA Center, switches and Wireless LAN Controllers. Lastly, the 'Operate' section explains how best to operate the application within Cisco DNA Center.
As a solution to this challenge, Cisco is providing an application on Cisco DNA Center which provides three things:
Group-Based Policy Analytics is an Application on Cisco DNA Center but has been designed to discover group to group interactions whether the groups are assigned inside or outside an SD-Access fabric.
The following information covers the hardware and software requirements for Group-Based Policy Analytics:
Group-Based Policy Analytics version 1.0
For Cisco DNA Center GA version 2.1.2, ISE versions recommended: 2.4 P13 / 2.6 P7 / 2.7 P2 (or later)
For Cisco DNA Center EFT version 2.1.1, ISE versions recommended: 2.4 P7 / 2.6 P1 / 2.7 (or later)
Cisco DNA Advantage License
Stealthwatch version 7.x (or later)
ISE sends the scalable groups and ISE Profiles, along with the associated network access device, to Cisco DNA Center over pxGrid. Cisco DNA Center will only accept this information if those network access devices have been discovered and are visible within the Inventory (point number 3 above). This session filtering mechanism has been incorporated to cater for multiple Cisco DNA Center platforms connecting to a single ISE.
and then select Policy > Group-Based Access Control:
When in the Group-Based Access Control screen, navigate to Group-Based Policy Analytics by selecting the 'Analytics' menu:
If ISE is not yet connected when navigating to Group-Based Policy Analytics, a wizard is displayed that helps the administrator connect ISE and Stealthwatch (optional) and provides help for setting up NetFlow.
When Cisco DNA Center release 2.1.1 or later is installed then Group-Based Policy Analytics is available with Cisco DNA Advantage license.
As mentioned previously, if ISE has not previously been connected then the navigation to Policy > Group-Based Access Control > Analytics will instigate a Zero Day workflow.
Click 'Get Started'.
Click 'Let's Do It'. The Data Connectors can then be configured for ISE and optionally Stealthwatch:
Click the 'Configure' link for ISE; a new browser tab opens so that a new authentication and policy server can be added with your ISE details as follows:
Server IP Address: The IP Address of the ISE Primary PAN node.
Shared Secret: The ISE shared secret used between ISE and network devices
Username: ISE username
Password: ISE password (GUI and CLI password must be the same)
FQDN: ISE Primary PAN URL
The configuration status will take a few minutes to become active, and depending on the settings you may have to accept the pxGrid approval request in ISE. The connection process is complete when an ACTIVE status is seen for the entry:
Note: The Stealthwatch Analytics App (option 1 above) only needs to be installed so that the Host Groups can be retrieved. It does not need to be set up, because network devices do not need to send NetFlow data to Stealthwatch. While that may be a particular requirement for the deployment, it is not a requirement purely for Group-Based Policy Analytics. Click “check here” to see if the Stealthwatch Analytics App is installed.
Click “settings” for option 2 above (that is, to set up the Stealthwatch Management Console) and complete the connectivity information:
Once the connectors are set up, the workflow provides a Summary:
Click Edit for the Communication Connectors to be taken to a page describing the different ways that network devices can be configured to send NetFlow data to Cisco DNA Center.
As can be seen from the options, the Template Editor can be used to send Netflow configuration to the network devices. However, the use of the Telemetry function makes this configuration much easier (but note the device types supported in the GUI text displayed above and the prerequisite 'lan' keyword requirement).
[Note: release 2.1.2 supports a new methodology of enabling Netflow on device interfaces as well as continuing to support 'lan' in the description. See this link for the criteria comparison of the two methods].
Clicking on 'Telemetry in Network Settings' navigates to the Telemetry section in the Design menu. Scroll down and enable 'Use Cisco DNA Center as NetFlow Collector server' as shown below and save the change:
The wired NetFlow configuration that is pushed to network devices is shown below; this will help with Template creation if required. The 'description lan' on the interface is not pushed; adding it manually is one method by which Cisco DNA Center detects which interfaces to enable the function on:
flow record dnacrecord
flow exporter dnacexporter
flow monitor dnacmonitor
The wireless NetFlow configuration that is pushed to network devices is shown below; this will help with Template creation if required. The term 'lan' in the Profile Name is not pushed; adding it manually is one method by which Cisco DNA Center detects which profiles to enable the function on:
Creating Exporter and Monitor
config flow create exporter dnacexporter <exporterIp> port <exporterPort>
config flow create monitor dnacmonitor
config flow add monitor dnacmonitor exporter dnacexporter
config flow add monitor dnacmonitor record ipv4_client_src_dst_flow_record
Applying monitor to WLAN
config wlan disable <wlan_id>
config wlan flow <wlan_id> monitor dnacmonitor enable
config wlan enable <wlan_id>
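As an added example (not Cisco's code and not part of this guide), the following Python script checks a constructed IOS-XE running-config for interfaces that carry the 'lan' description keyword described above and reports whether the dnacmonitor flow monitor is already applied to each of them. The case-insensitive whole-word match on 'lan' and the 'ip flow monitor <name> input' form of the applied monitor are assumptions; verify them against your Cisco DNA Center release before relying on the check.

```python
import re

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description lan
 switchport access vlan 10
 ip flow monitor dnacmonitor input
!
interface GigabitEthernet1/0/2
 description LAN uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description servers
!
interface GigabitEthernet1/0/4
 description lan
 switchport access vlan 20
!
"""

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or another top-level line ends the stanza
    return ifaces

def netflow_readiness(config, monitor="dnacmonitor"):
    """Map each interface whose description contains the word 'lan'
    (assumed: case-insensitive whole-word match) to True if the flow
    monitor is already applied inbound, or False if it still needs it."""
    readiness = {}
    for name, lines in parse_interfaces(config).items():
        desc = next((l.split(" ", 1)[1] for l in lines
                     if l.startswith("description ")), "")
        if not re.search(r"\blan\b", desc, re.IGNORECASE):
            continue  # not an interface Cisco DNA Center would select
        readiness[name] = any(
            l.startswith(f"ip flow monitor {monitor} ") for l in lines)
    return readiness
```

Calling netflow_readiness(SAMPLE_CONFIG) returns the selected interfaces with True for the one that already has the monitor and False for the two that still need it; GigabitEthernet1/0/3 is skipped because its description has no 'lan' keyword.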
Once ISE and NetFlow (and optionally Stealthwatch) are set up and data is being received, navigating to the Policy Analytics main page will show counts in the group boxes:
If the setup screens need to be accessed again once deployed, navigate to the Settings > Configuration menu as shown below:
The main page (navigation is Policy > Group-Based Access Control > Analytics) consists of a search bar and counts within tiles. If connectivity to Stealthwatch has been made then three tiles will be shown, otherwise just two will be present:
1) Search for Scalable Groups.
2) Click the blue filter icon to change the destination group type (Communicating With)
3) Breadcrumbs (Click each item to change the display.)
4) Click individual flow to show details of that flow.
5) Show more destination groups if more exist.
6) Toggle between chart view and table view.
7) Set date and time range for data display.
9) Number of unique traffic flows detected
10) Number of destination groups
11) Create a report (Found at Report > Generated Reports).
12) Download a previously created report.
13) Click destination group to navigate to the detail page.
14) Pagination control
The blue icon under “Last Run” shows that the data is still being collated; below is an example:
When the data collection has completed, the icon turns green, and a download icon is displayed:
When selected, a chart showing a one-to-one group interaction is displayed along with applications, ports and protocols discovered between those groups. It is this information which will allow access control policies to be built with confidence:
1) Breadcrumbs (Click each item to navigate back to previous screens).
2) Toggle between chart view and table view.
3) Set the date and time range for the data display.
4) Change the data displayed depending on the direction of flow.
5) Filter the results based on Service name, Protocol, and/or Port.
6) Create a report of the displayed data
7) View the contract for the source and destination groups displayed (see below)
9) Shows the Application/Service name
11) Shows the port number
If 'View Contract' is selected (number 7 above), then not only will the discovered ports and protocols be displayed between those two groups, but the configured contract between the groups will also be shown for an easy comparison of discovered traffic vs configured policy:
When in the Group-Based Access Control screen and assigning a contract within a policy, a 'View Contract Activity' option is shown:
When selected, the discovered activity is shown beside the configured contract:
IP addresses, group names, and/or MAC addresses can be searched in the main page search bar:
Group-Based Policy Analytics provides an understanding of group to group communication patterns and visualization into the ports and protocols needed in access control, or Group-Based policies.
This guide is an aid to deploying the Group-Based Policy Analytics application as well as the components necessary to provide the solution. The guide also covers design aspects and operation of the system.
This is just phase one of the journey for Policy Analytics covering discovery. This guide will be updated over time when further features are implemented like policy creation/authoring and policy simulation/modelling.
AAA: Authentication, Authorization and Accounting
DNA: (Cisco) Digital Network Architecture
FQDN: Fully Qualified Domain Name
ISE: Identity Services Engine
LAN: Local Area Network
MFC: Multi Factor Classification
SDA: Software Defined Access
SGT: Scalable Group Tag
SSA: Stealthwatch Security Analytics
UDP: User Datagram Protocol
WLAN: Wireless Local Area Network
WLC: Wireless LAN Controller