Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee


image.png For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print, Print to PDF or copy and paste to any other document format you like.


Jonothan Eaves 




NOTE: This function was in early trials with Cisco DNA Center version 2.1.1
General availability was with Cisco DNA Center version 2.1.2




About Group-Based Policy Analytics

Group-Based Policy Analytics is an application on Cisco DNA Center which helps administrators visualize group to group interactions, and helps to build policies by using discovered ports and protocols used between groups.

The 'Define' section below covers the challenges customers face today and the solution provided by Group-Based Policy Analytics. Also covered are the delivery phases and components of the solution.


About This Guide

This guide is intended to provide technical guidance for deploying Group-Based Policy Analytics. The guide covers design topics, deployment best practices and how to get the most out of the technology operation.



Figure 1: Guide workflow



As highlighted in figure 1 above, there are four major sections in this document. The initial, define section presents a high-level overview of the challenges customers face today and the solution that Group-Based Policy Analytics provides. Next, in the design section, we will see how to design the environment ready for deploying Group-Based Policy Analytics. Third, in the deploy part, the various configuration and best practice guidance will be provided for key components such as Cisco Identity Services Engine (ISE), Cisco DNA Center, Switches and Wireless LAN Controllers. Lastly, in the operate section, we will learn how best to operate the application within Cisco DNA Center.



Organizations have challenges today. High profile attacks, we all either experience or read on the news, are driving customers towards an internal segmentation strategy, it's no longer effective purely securing the perimeter. However, the internal network is often largely unknown and it's difficult to understand the network behavior of people and things. Customers are asking for help in creating a network segmentation policy that is effective in today's world.

As a solution to this challenge, Cisco is providing an Application on Cisco DNA Center which currently provides:

1) Discovery of group interaction and visibility based on flows
2) Discovery of ports and protocols being used between groups
3) Mechanism to easily and quickly build policies based on the discovered information
Screenshot 2020-06-03 at 13.01.04.png
Figure 2: Logical Diagram
The basis of this Cisco DNA Center tool is to visualize network behavior based on groups and to help build policies based on the discovered information.
As can be seen from the figure above, group entities are learned from a number of sources today. 
One is ISE. Once there is connectivity to ISE the App can learn of scalable groups (SGTs), deployed on the network; plus Profile groups which indicate different types of endpoints connected.
Another way we can learn of groups is from Endpoint Analytics. With its Machine learning capabilities and multi factor classifications, unknowns can be reduced in the network and more accurate profile groups provided.
Also, Stealthwatch is optionally integrated in order to learn of the Host Groups provided by that platform.
Along with this group information, Group-Based Policy Analytics also receives NetFlow from the network devices and stitches all this context together to produce graphs and tables to help the administrators visualize network behavior based on groups.
The idea is to provide an application to aid in network discovery and visualization and ultimately deliver mechanisms to help analyze security policy requirements and create effective security policy designs.


Group-Based Policy Analytics is an Application on Cisco DNA Center but has been designed to discover group to group interactions whether the groups are assigned inside or outside an SD-Access fabric.


Hardware and Software Requirements

The following information covers the hardware and software requirements for Group-Based Policy Analytics:

Screenshot 2021-10-13 at 11.45.43.png

Figure 3: Cisco DNA Center Requirements and Scale

Starting with DNA Center version 2.1.2, ISE versions recommended: 2.4 P13 / 2.6 P7 / 2.7 P2 (or later)
Cisco DNA Advantage License
Stealthwatch version 7.x (or later)

For Group-Based Policy Analytics to display data, the following prerequisites are required:
1) Identity Services Engine needs to be connected to Cisco DNA Center
2) NetFlow for endpoints in question needs to be sent to Cisco DNA Center
3) The Network Access Devices hosting the endpoints need to be discovered in Cisco DNA Center
4) If data from Stealthwatch Host Groups are required then Stealthwatch Management Console needs to be connected to Cisco DNA Center
5) Cisco DNA Advantage license is required

ISE sends the security groups and ISE Profiles, along with the associated network access device, to Cisco DNA Center over pxGrid. Cisco DNA Center will only accept this information if those network access devices have been discovered and are visible within the Inventory (point number 3 above). This session filtering mechanism has been incorporated to cater for multiple Cisco DNA Center platforms connecting to a single ISE.


Network Device Compatibility Information

The following is the network device compatibility information:
Screenshot 2020-07-02 at 09.40.31.png
Figure 4: Compatibility

Accessing the Graphical User Interface

Navigate to Group-Based Policy Analytics via the top left icon
Screenshot 2021-12-22 at 12.08.46.png
Figure 5: Cisco DNA Center Menu Access


and then select Policy > Group-Based Access Control

Screenshot 2021-12-22 at 12.06.02.png

Figure 6: Cisco DNA Center Menu for Group-Based Access Control


Group-Based Policy Analytics used to reside in an Analytics menu under the Group-Based Access Control screen, now the functions are accessible within the Overview tab:

Screenshot 2021-12-22 at 12.20.50.png
Figure 7: Policy Analytics Menu


The top half of the screen shows group entities learned from ISE (scalable groups and ISE profiles) and from Stealthwatch (host groups). Stealthwatch connectivity is optional.

In the middle you see Policy Issues which are issues that Cisco DNA Center has detected within the selected date and time period. These are the same as shown within Assurance but filtered specifically to show only the issue counts related to policy.

The bottom of the screen shows hit counts for deployed policies. Role-based policy counters are retrieved from network devices using TDL streaming and displayed for most active and least active policies.


If ISE is not yet connected when navigating to Group-Based Access Control, then a wizard will be displayed helping the administrator to connect ISE, Steathwatch (optional) and provide help for setting up NetFlow.

Once ISE is connected to Cisco DNA Center, Group-Based Policy Analytics needs to execute the first data aggregation process before flow data is displayed. Data Aggregation operation then occurs every hour after which the flow data is updated (results shown at roughly 10 past the hour).




Zero Day Workflow

When Cisco DNA Center release 2.1.1 or later is installed then Group-Based Policy Analytics is available with Cisco DNA Advantage license.

As mentioned previously, if ISE has not previously been connected then the navigation to Policy > Group-Based Access Control will instigate a Zero Day workflow.

Screenshot 2022-01-05 at 11.45.12.png
Figure 8: Zero Day Workflow, Get Started


Click 'Get Started'.
Screenshot 2022-01-05 at 11.45.40.png
Figure 9: Zero Day Workflow, Let's Do It


Click 'Let's Do It'. The Data Connectors can then be configured for ISE and optionally Stealthwatch:

Screenshot 2022-01-05 at 11.53.35.png
Figure 10: Configure Group Data Connectors

Click on the 'Configure' link for ISE, a new browser tab will open to allow a new authentication and policy server to be added with your ISE details as follows:

Server IP Address: The IP Address of the ISE Primary PAN node.
Shared Secret: The ISE shared secret used between ISE and network devices
Username: ISE username
Password: ISE password (GUI and CLI password must be the same)

Screenshot 2022-01-05 at 12.14.33.png
Figure 11: Add ISE Details

The configuration status will take a few minutes to activate and you may have to accept the pxGrid approval request in ISE depending on the settings. When complete, the ISE connection status shown is ACTIVE:

Screenshot 2020-06-30 at 12.10.49.png
Figure 12: ISE Status
Once Active, close that browser tab and return to the tab displaying the Group Data Connectors. Optionally, click on the 'Configure' link for Stealthwatch, a new browser tab will open to help with connectivity to Stealthwatch:Screenshot 2020-06-30 at 13.19.52.png
Figure 13: Stealthwatch Configuration Options

Note: The Stealthwatch Analytics App (option 1 above) is just required to be installed to be able to retrieve the Host Groups. It does not need to be set up because network devices do not need to send NetFlow data to Stealthwatch. While that may be a particular requirement for the deployment, it is not a requirement purely for Group-Based Policy Analytics. Click “check here” to see if the Stealthwatch Analytics App is installed.

Click “settings” for option 2 above (that is, to set up connectivity to the Stealthwatch Management Console) and complete the connectivity information. This is used to retrieve Host Groups from Stealthwatch should they want to be used in the Policy Analytics application:

Screenshot 2020-06-30 at 13.23.33.png
Figure 14: Connecting to Stealthwatch

Once the Group Data Connectors are set up, the workflow continues with the Communication Connectors (for setting up NetFlow):

Screenshot 2022-01-05 at 12.23.49.png
Figure 15: Options for setting up NetFlow

As can be seen from the options, the Template Editor can be used to send NetFlow configuration to the network devices. However, the use of the Telemetry function makes this configuration much easier (but note the device types supported in the GUI text displayed above and the prerequisite 'lan' keyword requirement).


[Note: release 2.1.2 supports a new methodology of enabling NetFlow on device interfaces as well as continuing to support 'lan' in the description. See this link for the criteria comparison of the two methods].


Clicking on 'Telemetry in Network Settings' navigates to the Telemetry section in the Design menu. Scroll down and enable 'Use Cisco DNA Center as NetFlow Collector server' as shown below and save the change:

Screenshot 2022-01-05 at 12.42.04.png
Figure 16: Setting Cisco DNA Center as a NetFlow Collector Server
Then, to push NetFlow configuration to the network devices, navigate to Provision > Inventory, select the network device, and under Actions, select Telemetry > Enable Application Telemetry:
Screenshot 2020-09-01 at 13.38.41.png
Figure 17: Enable Application Telemetry (push NetFlow config to network devices)
1) If Stealthwatch Security Analytics (SSA) has already been used to deploy NetFlow config to network devices then there may be a configuration conflict experienced. If NetFlow is required to be sent to both Stealthwatch and Cisco DNA Center then the devices could be configured to send NetFlow to a platform like Cisco UDP Director which could then send the NetFlow to multiple destinations.
2) NetFlow will be enabled on network device interfaces via Telemetry that have the letters 'lan' in the interface description (for wired) or in the WLAN profile name (for wireless). The configuring of 'lan' in the description is not automated by Cisco DNA Center. If configuring the description manually on the network devices then ensure a resync (Provision > Inventory, select device, Actions> Inventory > Resync Device) is carried out before enabling the Application Telemetry to push the NetFlow configuration. In release 2.1.2, there is a new method of enabling NetFlow on device interfaces without needing 'lan' in the interface description, see this link for a comparison of the criteria.


Wired NetFlow Configuration

The wired NetFlow configuration that is pushed to network devices is shown below. This will help in Template creation if required. The 'description lan' on the interface is not pushed and adding this manually is one method that Cisco DNA Center detects on which interfaces to enable the function:


flow record dnacrecord
match ipv4 version
match ipv4 protocol
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
collect timestamp absolute first
collect timestamp absolute last
collect flow direction
collect connection initiator
collect connection client counter packets long
collect connection client counter bytes network long
collect connection server counter packets long
collect connection server counter bytes network long
collect connection new-connections

flow exporter dnacexporter
destination <Cisco DNA Center IP Address>
source Vlan <vlan>
transport udp 6007
export-protocol ipfix
option interface-table timeout 10
option vrf-table timeout 10
option sampler-table
option application-table timeout 10
option application-attributes timeout 10

flow monitor dnacmonitor
exporter dnacexporter
cache timeout inactive 10
cache timeout active 60
record dnacrecord

interface GigabitEthernet1/0/1
description lan
 switchport mode access
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output


Wireless NetFlow Configuration

The wireless NetFlow configuration that is pushed to network devices is shown below. This will help in Template creation if required. The term 'lan' in the Profile Name is not pushed and adding this manually is one method that Cisco DNA Center detects on which profiles to enable the function:


Creating Exporter and Monitor
config flow create exporter dnacexporter <exporterIp> port <exporterPort>
config flow create monitor dnacmonitor
config flow add monitor dnacmonitor exporter dnacexporter
config flow add monitor dnacmonitor record ipv4_client_src_dst_flow_record

Applying monitor to WLAN
config wlan disable <wlan_id>
config wlan flow <wlan_id> monitor dnacmonitor enable
config wlan enable <wlan_id>


Screenshot 2020-07-02 at 09.55.58.png
Figure 18: WLC Profile Name


Once ISE and NetFlow is setup (and optionally Stealthwatch) and data is being received, navigating to Policy > Group-Based Access Control will show counts in the group boxes within the Overview tab:

Screenshot 2022-01-05 at 14.18.21.png
Figure 19: Group-Based Access Control Overview Page

If the ISE/Stealthwatch/NetFlow setup screens need to be accessed again once deployed, use the Configuration link near the top right of the page shown above. Once clicked, select the Analytics Settings menu:

Screenshot 2022-01-05 at 14.22.47.png
Figure 20: Configuration > Analytics Settings


The top of the main page (navigation is Policy > Group-Based Access Control [defaults to the Overview tab]) consists of a search bar and counts within tiles. If connectivity to Stealthwatch has been made then three tiles will be shown, otherwise just two will be present:

Screenshot 2022-01-05 at 14.18.21.png
Figure 21: Overview tab
From left to right, the tiles show the number of scalable groups, ISE Profiles and optionally Stealthwatch Host Groups that contain members that are communicating with members of other groups. The tiles will show a count of 0 if there are no members of containing groups communicating with other groups.

Scalable Groups

Click on the number in the left tile (number 13 in the example above) to display communications between Scalable Groups:
Screenshot 2022-01-05 at 14.28.01.png
Figure 22: Scalable Group to Scalable Group
Note the group entities shown on the left are source scalable groups and on the right are destination scalable groups. If members within those groups are communicating then a flow interaction will be displayed between the groups.
At the top right of the screen, there is a toggle button to toggle between graph/chart view and lisst view. When toggled to list view this is the result:
Screenshot 2022-01-05 at 14.29.18.png
Figure 23: List View of Scalable Group to Scalable Group
There is also a date/time selection near the top right. This allows the displayed data to be shown for any 1, 12 or 24 hour period within the last 14 days:
Screenshot 2022-01-05 at 14.30.59.png
Figure 24: Date/Time Period Selection
Near the top left of the screen is displayed a filter which by default shows 'Communicating With: Scalable Groups'. This can be changed by clicking on the blue filter icon to show 'Communicating With: ISE Profiles' or 'Communicating With: Stealthwatch Host Groups':
Screenshot 2022-01-05 at 14.32.18.png
Figure 25: Changing 'Communicating With'
As an example, if 'Communicating With: ISE Profiles' is selected within the chart view, the data shows group to group communications from Scalable Groups to ISE Profiles:
Screenshot 2022-01-05 at 14.33.51.png
Figure 26: Communicating With ISE Profiles
Hover over the flow interactions to show the number of flows detected between those groups:Screenshot 2020-07-01 at 11.42.06.png
Figure 27: Display Flow Count
Hover over a source scalable group to show which destination groups members are communicating with:Screenshot 2020-07-01 at 11.47.35.png
Figure 28: Source Scalable Group interactions
Click on a source group to navigate to a screen showing the destination groups that members of the source group are interacting with:
Screenshot 2022-01-05 at 14.47.30.png
Figure 29: Source Scalable Group to Multiple Destination Scalable Groups
Screen explanations follow:
Screenshot 2022-01-05 at 14.54.25.png
Figure 30: GUI Layout Explanation

1) Breadcrumbs (Click each item to change the display.)

2) Search for Scalable Groups.

3) Click the blue filter icon to change the destination group type (Communicating With)

4) Click individual flow to show details of that flow.

5) Toggle between chart view and table view.

6) Set date and time range for data display.

7) Choose between inbound or outbound flows for the displayed source group.

Number of unique traffic flows detected

9) Number of destination groups

10) Create a report (Found at Report > Generated Reports).

11) Download a previously created report.

12) Click destination group to navigate to the detail 1-1 page.

If 'Create Report' is selected (number 10 above), a report is automatically created with the details as displayed on the current chart page. Clicking navigates to Report > Generated Reports.

The blue icon under “Last Run” shows the data is being collated, below is an example:

Screenshot 2020-07-01 at 15.34.52.png
Figure 31: Report being created

When the data collection has completed, the icon turns green, and a download icon is displayed:

Screenshot 2020-07-01 at 15.36.48.png
Figure 32: Report completed and ready for download
If the report is downloaded the format is as per this example:Screenshot 2020-07-01 at 15.44.44.png
Figure 33: Example Downloaded Report
From the main chart or the chart showing a single source group, the flows or groups highlighted below can be selected:
Screenshot 2020-07-01 at 15.58.26.png
Figure 34: Click to Display Applications, Ports and Protocols

When selected, a chart showing a 1-1 group interaction is displayed along with applications, ports and protocols discovered between those groups. It is this information which will allow access control policies to be built with confidence:

Screenshot 2022-01-05 at 15.14.43.png
Figure 35: Discovered Applications, Ports and Protocols Between 2 Groups
Screen explanations follow:
Screenshot 2022-01-05 at 15.34.54.png
Figure 36: GUI Layout Explanation

1) Breadcrumbs (Click each item to navigate back to previous screens).

2) Toggle between chart view and table view.

3) Set the date and time range for the data display.

4) Change the data displayed depending on the direction of flow.

5) Search bar.

6) Create a report of the displayed data.

7) Download a report.

View the contract for the source and destination groups displayed (see below)

9) View graph of policy enforcement stats (requires Frey release 2.3.2 and Netconf to retrieve policy counters from network devices).

10) Shows the direction of flow

11) Shows the Application/Service name

12) Shows the protocol

13) Shows the port number

14) Shows the flow count within that row and clicking the entity navigates to the endpoint details (requires Frey release 2.3.2)


If 'View Contract' is selected (number 8 above), then not only will the discovered ports and protocols be displayed between those two groups, but the configured contract between the groups will also be shown for an easy comparison of discovered traffic vs configured policy/contract:

Screenshot 2022-01-05 at 15.51.17.png

Figure 37: From Policy Analytics: Contract and Discovered Activity Side-by-Side


If 'Flow Count' is selected (number 14 above), then the associated endpoint details are displayed:

Screenshot 2022-01-05 at 16.44.51.png

Figure 38: Drill down to associated endpoint details


Traffic flow details can also be accessed via the Group-Based Access Control screen and Policies menu. When navigating using Group-Based Access Control/Policies, click on a cell to view the assigned contract, a 'View Traffic Flows' option is shown:

Screenshot 2022-01-05 at 15.58.12.png

Figure 39: From Group-Based Access Control: View Traffic Flows


When selected, the discovered activity is shown beside the configured contract:

Screenshot 2022-01-05 at 15.51.17.png

Figure 40: From Group-Based Access Control/Policies: Contract and Discovered Activity Side-by-Side


From Figure 38, there is also an option to 'View Policy Enforcement Stats'. If there is a policy deployed and the network devices are counting the permit and deny hits, then Cisco DNA Center retrieves these counters. These are not only displayed within the Overview menu but also here in graph format:

Screenshot 2022-01-05 at 16.29.45.png

Figure 41: Policy Enforcement Stats


Note: the red line depicting denies is at 0 as this particular contract was permitting only. If the graph is clicked on anywhere along the timeline then the associated flows and contract are displayed:

Screenshot 2022-01-05 at 16.39.17.png

Figure 42: Policy Enforcement Stats


ISE Profile Groups

Back at the main Overview page, click on the number in the middle tile (number 17 in this example):
Screenshot 2022-01-05 at 16.01.21.png
Figure 43: Overview Page
This displays communications from ISE Profiles to Scalable Groups:
Screenshot 2022-01-05 at 16.03.09.png
Figure 44: Communications from ISE Profiles to Scalable Groups
Clicking the source group and flow interactions and navigating down to show applications, ports and protocols works the same as explained in the previous section. You can now display ISE Profile to ISE Profile interactions.


Stealthwatch Host Groups

Back at the Overview page, click on the number in the right tile (number 6 in this example):

Screenshot 2022-01-05 at 16.01.21.png

Figure 45: Overview Page
This displays communications from Stealthwatch Host Groups to Scalable Groups:
Screenshot 2022-01-05 at 16.05.42.png
Figure 46: Communications from Stealthwatch Host Groups to Scalable Groups
Clicking the source group and flow interactions and navigating down to show applications, ports and protocols works the same as explained in the previous sections. You can now display Stealthwatch Host Groups to Stealthwatch Host Groups interactions.

Search Function

IP addresses, group names, and/or MAC addresses can be searched in the Overview tab search bar:

Screenshot 2022-01-05 at 16.09.28.png
Figure 47: Overview tab Search Bar
Possible result categories are displayed as you type the characters. In the following example, entering 10.4 provides the possible categories of Source IP Address or Destination IP Address:
Screenshot 2022-01-05 at 16.12.19.png
Figure 48: Search Categories Automatically Displayed

 Click on one of the available categories and a search is executed for the entered characters:
Screenshot 2022-01-05 at 16.13.38.png
Figure 49: Search result
A more detailed search can be carried out by selecting the filter icon at the top right of the table. The figure below shows that filter, and further search criteria entered for scalable group and destination IP address. As can be seen, AND/OR functions can be used within the columns and it is an AND operation across columns:
Screenshot 2022-01-05 at 16.18.31.png
Figure 50: Detailed Search Criteria
Further columns can be added by clicking on the three dots on the right of the headings:
Picture 20.png
Figure 51: Selecting Search Columns
The search criteria can be saved by clicking the ribbon icon near the top right corner and selecting 'Save Current Search':
Screenshot 2022-01-05 at 16.21.25.png
Figure 52: Save Search Criteria

Deployment Guide Summary

The Group-Based Policy Analytics application can now be seen as an integral part of Group-Based Access Control. It provides an understanding of group to group communication patterns and visualization into the ports and protocols needed in access control, or Group-Based policies.

This guide is an aid to deploying the Group-Based Policy Analytics application as well as the components necessary to provide the solution. The guide also covers design aspects and operation of the system.



List of Acronyms

AAA                  Authentication, Authorization and Accounting

DNA                  (Cisco) Digital Network Architecture

FQDN                Fully Qualified Domain Name

ISE                    Identity Services Engine

LAN                  Local Area Network

MFC                  Multi Factor Classification

SDA                  Software Defined Access

SGT                  Scalable Group Tag

SSA                  Stealthwatch Security Analytics

UDP                  User Datagram Protocol

WLAN               Wireless Local Area Network

WLC                 Wireless LAN Controller




So Useful

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: