Network segmentation remains one of the most critical—yet surprisingly underutilized—pillars of enterprise security. As cyber threats grow more sophisticated and breach containment becomes a primary concern, organizations are discovering that a solid segmentation strategy can mean the difference between a localized incident and a company-wide catastrophe. But segmentation isn't one-size-fits-all; the debate between traditional VLAN-based approaches and modern micro-segmentation strategies has evolved considerably over the past decade, especially as cloud environments and dynamic workloads have fundamentally changed how we think about network boundaries.

What This Episode Covers

  • The evolution of network segmentation strategies over the past ten years
  • VLAN-based segmentation versus micro-segmentation approaches
  • How group-based policy (GBP) enables more granular control than traditional VLAN segmentation
  • Proactive versus reactive segmentation and their roles in Zero Trust architecture
  • Enforcement mechanisms including VLANs, zone-based firewalls, and access control lists
  • Cisco TrustSec and Security Group Tags (SGTs) as enforcement tools
  • Cloud considerations and dynamic segmentation
  • How Cisco solutions (ISE, Duo, Multi-Cloud Defense) integrate to support segmentation
  • Designing segmentation to limit blast radius and contain breaches

Deep Dive

The Evolution of Network Segmentation

Ten years ago, network segmentation was relatively straightforward: you created VLANs, separated traffic by business function or department, and called it a day. Today’s threat landscape and infrastructure complexity have rendered that approach insufficient for serious security programs.

The shift has been driven by several converging factors. Cloud adoption introduced workloads that don’t fit neatly into physical network boundaries. Container orchestration and microservices architectures created dynamic endpoints that spin up and down constantly. And Zero Trust principles demanded that we stop trusting anything inside the perimeter and instead verify every connection, every time.

Modern segmentation must account for this dynamism. Instead of static VLANs based on geography or department, organizations now need segmentation that follows workloads, applications, and user identities—regardless of where they physically reside. This shift has fundamentally changed how enterprises think about enforcement and policy management.

VLAN-Based Segmentation: The Traditional Approach

VLANs (Virtual Local Area Networks) have been the backbone of network segmentation for decades, and for good reason. They’re well understood, supported by virtually every network vendor, and relatively simple to implement. A VLAN creates a logical boundary within a physical network, isolating traffic at Layer 2.

In traditional deployments, VLANs work by separating traffic flows based on physical location, department, or function. A finance VLAN doesn’t directly communicate with a development VLAN unless explicitly permitted by a firewall or router. This creates clear boundaries and makes policy enforcement straightforward.

However, VLAN segmentation has real limitations in modern environments. First, it’s static—changing VLAN assignments requires manual configuration or DHCP manipulation. Second, VLAN-to-VLAN enforcement still typically happens at the firewall level, creating a bottleneck and limiting scalability. Third, VLANs don’t map well to cloud environments or containerized workloads, where infrastructure is ephemeral. And finally, the sheer number of VLANs required to segment a complex organization can become administratively unwieldy.

VLANs remain valuable as part of a comprehensive strategy, but they’re increasingly viewed as infrastructure support for segmentation rather than as the segmentation strategy itself.

Micro-Segmentation and Group-Based Policy

Micro-segmentation represents a fundamental shift in segmentation philosophy. Instead of creating broad network zones based on function or location, micro-segmentation aims to enforce security policies at the application or workload level—often down to individual servers or even processes.

Group-Based Policy (GBP) is a key technology enabling this granularity. Rather than defining access rules based on IP subnets or VLANs (which are increasingly abstract in cloud environments), GBP classifies endpoints and applies policies based on their logical group membership. A web server belongs to a specific security group, a database belongs to another, and policies are defined around those groups rather than around their network locations.

This approach offers several advantages. First, policies follow workloads. If a web server migrates from one physical location to another, or from on-premises to the cloud, its security group membership and policies remain intact. Second, it enables much finer-grained control—you can enforce policies between individual application tiers rather than between entire departments. Third, it scales more gracefully in dynamic environments where endpoints are constantly being created and destroyed.

In practice, GBP works through security tags or policy-based markers that travel with the workload or endpoint. These tags determine which policies apply regardless of the endpoint’s network location. This is fundamentally different from VLAN-based approaches, where the network location itself determines policy.
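To make the contrast concrete, here is a small policy engine, written for this write-up rather than taken from the episode or from any Cisco product, that evaluates the same access intent two ways: once from a group-based policy matrix keyed on the tag each workload carries, and once from a subnet-based ACL keyed on addresses. The group names, policy entries, subnets, and workloads are all constructed for illustration. The scenarios show what the paragraph describes: when a workload migrates to a new address range its group-based decision is unchanged while the address-based rule silently stops matching, and an unprofiled host that lands in a trusted subnet is trusted by the ACL but not by the group policy.

```python
"""Group-based policy (GBP) versus address-based rules: a toy policy engine.

Added example for this write-up; it is not TrustSec, not a Cisco API, and not
code from the episode. Group names, policy entries, and IP addresses are all
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed policy matrix keyed on (source group, destination group).
# Anything not listed falls through to the default deny.
POLICY_MATRIX: Dict[Tuple[str, str], str] = {
    ("web-server", "app-server"): "allow",
    ("app-server", "database-server"): "allow",
    ("finance-workstation", "app-server"): "allow",
}
DEFAULT_ACTION = "deny"


@dataclass
class Workload:
    name: str
    group: str    # the tag that travels with the workload (constructed)
    address: str  # where it lives right now; changes when it migrates


def gbp_decision(src: Workload, dst: Workload) -> str:
    """Decision keyed on group membership only; addressing is irrelevant."""
    return POLICY_MATRIX.get((src.group, dst.group), DEFAULT_ACTION)


# The same intent expressed the traditional way: subnet-to-subnet entries.
IP_ACL = [  # (source subnet, destination subnet, action); first match wins
    (ip_network("10.10.0.0/24"), ip_network("10.20.0.0/24"), "allow"),  # web -> app
    (ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24"), "allow"),  # app -> db
    (ip_network("10.50.0.0/24"), ip_network("10.20.0.0/24"), "allow"),  # fin -> app
]


def acl_decision(src: Workload, dst: Workload) -> str:
    """Decision keyed on addresses; correct only while the address plan holds."""
    s, d = ip_address(src.address), ip_address(dst.address)
    for src_net, dst_net, action in IP_ACL:
        if s in src_net and d in dst_net:
            return action
    return DEFAULT_ACTION


def migrate(w: Workload, new_address: str) -> Workload:
    """A move to another subnet, site, or cloud: the group tag stays with it."""
    return Workload(w.name, w.group, new_address)


def compare() -> Dict[str, Tuple[str, str]]:
    """Return (gbp, acl) decisions for a few constructed scenarios."""
    web = Workload("web01", "web-server", "10.10.0.5")
    app = Workload("app01", "app-server", "10.20.0.7")
    db = Workload("db01", "database-server", "10.30.0.9")
    fin = Workload("fin-pc-17", "finance-workstation", "10.50.0.21")
    # An endpoint that was never profiled lands in the web subnet. It has no
    # recognised group, so GBP gives it nothing; the ACL trusts its address.
    unprofiled = Workload("unknown-host", "unknown", "10.10.0.99")
    web_in_cloud = migrate(web, "172.16.8.5")

    return {
        "web->app": (gbp_decision(web, app), acl_decision(web, app)),
        "fin->db": (gbp_decision(fin, db), acl_decision(fin, db)),
        "web(moved)->app": (gbp_decision(web_in_cloud, app),
                            acl_decision(web_in_cloud, app)),
        "unprofiled->app": (gbp_decision(unprofiled, app),
                            acl_decision(unprofiled, app)),
    }


if __name__ == "__main__":
    for scenario, (gbp, acl) in compare().items():
        print(f"{scenario:17} gbp={gbp:5} acl={acl}")
```

The default deny on both paths is deliberate: the difference between the two models is not how strict they are but what the decision is keyed on, which is exactly what breaks when addresses change or are no longer meaningful.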

The challenge with micro-segmentation is operational complexity. Defining and maintaining policies for hundreds or thousands of security groups requires solid governance, good tooling, and clear visibility into your application architecture. It’s not something you can implement without significant planning.

Proactive Versus Reactive Segmentation

Segmentation has two distinct roles in security strategy: proactive and reactive.

Proactive segmentation is about building secure architecture from the ground up. It’s implementing Zero Trust principles by assuming no trust between network segments and requiring explicit authorization for every connection. This means designing your segmentation policy before incidents occur, mapping trust relationships between applications, and enforcing the principle of least privilege across your environment.

Reactive segmentation, by contrast, focuses on containment and response. When a breach occurs or a threat is detected, reactive segmentation allows you to quickly isolate affected systems to prevent lateral movement and limit the blast radius. An intrusion detection system might identify suspicious activity on a particular segment, and segmentation controls allow you to further isolate that segment while investigation proceeds.

Both approaches are necessary. Proactive segmentation prevents many incidents from occurring in the first place, while reactive segmentation limits damage when prevention fails. The most mature security programs integrate both: they design segmentation with Zero Trust principles, but they also build in the flexibility to add additional isolation when threats are detected.
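The two roles can be worked through on a policy matrix. The example below is added here and is not code from the episode or from any Cisco product; its groups, policy entries, endpoint bindings, and flow records are constructed. The proactive side is a reachability walk that reports every group a single compromised member could transitively reach under the current policy (the blast radius), and shows how removing one stale allow entry shrinks it. The reactive side checks observed flows against the matrix and, on a hit, rebinds the offending endpoint to a quarantine group, which is how a change of authorization cuts a host off without editing the policy itself.

```python
"""Blast radius and reactive isolation over a group-based policy matrix.

Added example, not code from the episode or from any Cisco product. The
groups, policy entries, endpoint memberships, and flow records below are
constructed for illustration.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Policy = Dict[Tuple[str, str], str]  # (source group, destination group) -> action

# Constructed allow-list; any pair not listed is denied.
BASE_POLICY: Policy = {
    ("finance-workstation", "finance-app"): "allow",
    ("finance-app", "database-server"): "allow",
    ("engineering-workstation", "build-server"): "allow",
    ("build-server", "artifact-repo"): "allow",
    ("build-server", "database-server"): "allow",  # legacy entry worth reviewing
}
QUARANTINE = "quarantine"  # has no allow entries, so default deny applies

# Constructed endpoint -> group bindings (what profiling would hand out).
MEMBERS: Dict[str, str] = {
    "fin-pc-17": "finance-workstation",
    "finapp01": "finance-app",
    "db01": "database-server",
    "eng-pc-03": "engineering-workstation",
    "build01": "build-server",
}

# Constructed flow records (source endpoint, destination endpoint).
FLOWS: List[Tuple[str, str]] = [
    ("fin-pc-17", "finapp01"),
    ("finapp01", "db01"),
    ("fin-pc-17", "build01"),  # not covered by any allow entry
    ("eng-pc-03", "build01"),
]


def blast_radius(policy: Policy, start: str) -> Set[str]:
    """Groups transitively reachable if one member of `start` is compromised.

    Proactive use: run this over the current matrix to see how far a single
    foothold could spread before anything is detected.
    """
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for (src, dst), action in policy.items():
            if src == cur and action == "allow" and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def without(policy: Policy, pair: Tuple[str, str]) -> Policy:
    """Proactive tightening: drop one allow entry and return the new matrix."""
    return {k: v for k, v in policy.items() if k != pair}


def violations(policy: Policy, members: Dict[str, str],
               flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Observed flows the policy does not allow.

    A flow the matrix denies but that was nevertheless seen means either an
    enforcement gap or a misclassified endpoint; both trigger the reactive side.
    """
    out = []
    for src, dst in flows:
        sg, dg = members.get(src, "unknown"), members.get(dst, "unknown")
        if policy.get((sg, dg), "deny") != "allow":
            out.append((src, sg, dst, dg))
    return out


def isolate(members: Dict[str, str], endpoint: str) -> Dict[str, str]:
    """Reactive step modelled on a change of authorization: rebind one
    endpoint to the quarantine group. The matrix is untouched; the
    membership change is what cuts the endpoint off."""
    updated = dict(members)
    updated[endpoint] = QUARANTINE
    return updated


if __name__ == "__main__":
    print("eng foothold reaches:",
          sorted(blast_radius(BASE_POLICY, "engineering-workstation")))
    tightened = without(BASE_POLICY, ("build-server", "database-server"))
    print("after removing legacy allow:",
          sorted(blast_radius(tightened, "engineering-workstation")))
    bad = violations(BASE_POLICY, MEMBERS, FLOWS)
    print("policy violations seen:", bad)
    contained = isolate(MEMBERS, bad[0][0])
    print("quarantine can reach:", blast_radius(BASE_POLICY, QUARANTINE))
    print("flows now denied for that host:", violations(BASE_POLICY, contained, FLOWS))
```

Note the trade-off the last line exposes: once the workstation is quarantined, its legitimate flow to the finance application is denied too. That is the intended cost of containment, and it is why the reactive path needs a visible, reversible record of who was isolated and why.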

Enforcement Mechanisms

Segmentation policy can be enforced at multiple points in the network architecture:

VLANs and network switches provide Layer 2 enforcement and work well for basic, static segmentation. However, they don’t scale well for micro-segmentation and provide limited visibility into application-level traffic.

Zone-based firewalls enforce policies at Layers 3 and 4, examining traffic between network zones. These are effective but can become bottlenecks when traffic volumes are high or when policies need to change frequently.

Access Control Lists (ACLs) on switch ports can enforce very granular policies directly on infrastructure devices, but they’re difficult to scale and maintain across large deployments.

Security Group Tags (SGTs) and TrustSec represent a more modern approach. Rather than defining policies based on IP addresses or network locations, SGTs tag packets with metadata about their source. Downstream devices use these tags to enforce policies, enabling segmentation that travels with the workload and works across physical boundaries.

Different organizations use different combinations of these mechanisms depending on their architecture, tooling, and operational maturity. The trend is toward tag-based enforcement (SGTs and similar technologies) because it scales better and adapts more readily to cloud and hybrid environments.

Cisco TrustSec and Security Group Tags

Cisco TrustSec is an architecture for enforcing network segmentation using Security Group Tags embedded in packets. Rather than relying on IP addresses or VLANs, TrustSec applies tags that indicate the security group of the source endpoint.

Here’s how it works in practice: An endpoint is profiled and assigned to a security group (perhaps “finance-workstation” or “web-server”). When that endpoint sends traffic, the TrustSec infrastructure tags the packet with the appropriate SGT. Downstream enforcement points—switches, firewalls, or other devices—examine these tags and apply policies accordingly. A packet tagged as “finance-workstation” trying to reach a “database-server” can be allowed or denied based on the policy matrix you’ve defined.

The power of this approach is that it decouples security policy from network topology. Workloads can move, VLANs can change, and cloud instances can spin up in different regions—but their security group membership and associated policies remain consistent.

TrustSec is particularly valuable in hybrid environments where you need consistent policies across on-premises infrastructure and multiple cloud platforms. It’s also useful in organizations that have embraced micro-segmentation because it provides the policy abstraction layer that makes fine-grained segmentation manageable.

Cloud Environments and Dynamic Segmentation

Cloud fundamentally changes segmentation because traditional network boundaries don’t exist. There are no VLANs spanning across availability zones, and endpoints are ephemeral—they may exist for only minutes or hours.

This is where dynamic segmentation becomes essential. Rather than statically assigning security policies based on network topology, dynamic segmentation assigns policies based on workload identity, application tier, and runtime attributes. When a containerized service spins up, it’s automatically assigned to the correct security group based on metadata like container labels or application tags. Policies are then automatically enforced based on that group membership.

This requires deeper integration between your security tools and your infrastructure orchestration—whether that’s Kubernetes, cloud provider APIs, or other automation platforms. You need visibility into which workloads are running, where they’re running, and what they’re supposed to be communicating with.
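The classification step described above, as an added example that is not the Kubernetes API, a cloud provider SDK, or Cisco code: a rule table maps workload labels to a security group at the moment the workload appears, orchestration events keep an inventory current, and the inventory is rendered into the group-to-address bindings an enforcement point consumes. The label keys (`app`, `tier`), group names, rule priorities, and the event stream are constructed for illustration. The one edge case worth handling is shown explicitly: a workload that matches no rule fails closed into a quarantine group rather than into a permissive default.

```python
"""Dynamic segmentation: derive a workload's security group from its metadata.

Added example; it is not the Kubernetes API, not a cloud provider SDK, and not
Cisco code. The label keys (`app`, `tier`), rule table, group names, and the
orchestration event stream are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Labels = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    match: Tuple[Tuple[str, str], ...]  # label key/value pairs that must all be present
    group: str
    priority: int                        # lower number wins among matching rules


# Constructed classification rules. Application-specific rules sit above the
# generic tier rules so the payments database gets its own group.
RULES: List[Rule] = [
    Rule((("app", "payments"), ("tier", "db")), "payments-db", 10),
    Rule((("app", "payments"), ("tier", "web")), "payments-web", 10),
    Rule((("tier", "db"),), "generic-db", 50),
    Rule((("tier", "web"),), "generic-web", 50),
]
UNCLASSIFIED = "quarantine"  # unlabeled or unmatched workloads get no allow entries


def classify(labels: Labels) -> str:
    """Pick the best matching rule: lowest priority, then most specific match.

    A workload that matches nothing is placed in quarantine rather than in a
    permissive default, so a missing or misspelled label fails closed.
    """
    candidates = [r for r in RULES if all(labels.get(k) == v for k, v in r.match)]
    if not candidates:
        return UNCLASSIFIED
    best = min(candidates, key=lambda r: (r.priority, -len(r.match)))
    return best.group


@dataclass(frozen=True)
class Binding:
    group: str
    address: str


# (event kind, workload id, labels, address); constructed record shape
Event = Tuple[str, str, Optional[Labels], Optional[str]]


def reconcile(inventory: Dict[str, Binding], events: List[Event]) -> Dict[str, Binding]:
    """Apply ADDED/DELETED events to the workload inventory, classifying each
    new workload as it appears so policy attaches at spin-up, not afterwards."""
    inv = dict(inventory)
    for kind, wid, labels, address in events:
        if kind == "ADDED":
            inv[wid] = Binding(classify(labels or {}), address or "")
        elif kind == "DELETED":
            inv.pop(wid, None)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return inv


def address_groups(inventory: Dict[str, Binding]) -> Dict[str, List[str]]:
    """Group -> sorted addresses: the binding table an enforcement point (a
    tag-aware switch, a firewall, or a cloud security group) consumes. It is
    recomputed after every event, which is what makes policy follow the
    workload instead of the address."""
    out: Dict[str, List[str]] = {}
    for b in inventory.values():
        out.setdefault(b.group, []).append(b.address)
    return {g: sorted(addrs) for g, addrs in out.items()}


# Constructed event stream: two labelled pods, one unlabeled pod, one teardown.
SAMPLE_EVENTS: List[Event] = [
    ("ADDED", "payments-db-0", {"app": "payments", "tier": "db"}, "10.0.1.5"),
    ("ADDED", "shop-web-7f9c", {"app": "shop", "tier": "web"}, "10.0.1.6"),
    ("ADDED", "debug-shell", {}, "10.0.1.7"),
    ("DELETED", "shop-web-7f9c", None, None),
]

if __name__ == "__main__":
    inv = reconcile({}, SAMPLE_EVENTS)
    for wid, b in inv.items():
        print(f"{wid:15} -> {b.group:12} @ {b.address}")
    print(address_groups(inv))
```

The rule table is the governance artifact here: it is small, reviewable, and the only place where a label becomes an entitlement, which is what keeps a large, fast-changing fleet manageable.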

Integration and Comprehensive Solutions

The most effective segmentation strategies don’t rely on a single product but instead integrate multiple Cisco security solutions:

Cisco ISE (Identity Services Engine) provides network access control and identity management, authenticating endpoints and assigning them to security groups based on their identity and device posture.

Cisco Duo provides multi-factor authentication and device trust validation, ensuring that only legitimate, compliant endpoints access sensitive resources.

Cisco Multi-Cloud Defense extends segmentation policies and threat protection across hybrid and multi-cloud environments where traditional network boundaries don’t exist.

When these solutions integrate, you get a comprehensive picture of who’s on your network, what devices they’re using, where they’re connecting from, and what they should be allowed to access. Segmentation policies can then be applied consistently across this entire landscape, with the confidence that authentication and device health are verified before access is granted.

Implementation Considerations

If your organization is looking to improve segmentation strategy, consider these practical steps:

Start with assessment and planning. Map your current network architecture, identify critical assets and data flows, and define trust zones. Understand which applications and workloads need to communicate and which should be isolated. This foundation is essential before you add any new technology.

Choose your primary enforcement mechanism based on your environment. Organizations with primarily on-premises infrastructure might start with zone-based firewalls and TrustSec. Those heavily invested in cloud need dynamic, workload-based segmentation. Most organizations will use a combination of approaches.

Implement identity-driven segmentation. Tie segmentation to authentication and device identity. This requires robust identity management infrastructure (like ISE) but provides much more reliable policy enforcement than IP-based approaches.

Plan for both proactive and reactive capabilities. Design your segmentation architecture with Zero Trust principles, but also ensure you can quickly add isolation when incidents occur. This means building flexibility into your enforcement mechanisms and maintaining good visibility into traffic patterns.

Invest in visibility and analytics. Segmentation only works if you understand your network traffic. Implement tools that show you what’s communicating with what, identify anomalies, and help you refine policies over time.

Start small and iterate. Don’t try to segment everything at once. Choose a critical application or business unit, implement segmentation there, learn from the process, and expand from there.

Key Takeaways

  • Network segmentation has evolved from static VLAN-based approaches to dynamic, workload-aware strategies that align with cloud and Zero Trust principles
  • Micro-segmentation using group-based policy provides finer-grained control than VLAN-to-VLAN segmentation and scales better in modern environments
  • Both proactive segmentation (preventing breaches through Zero Trust architecture) and reactive segmentation (containing breaches when they occur) are necessary components of a mature security strategy
  • Security Group Tags (SGTs) and tag-based enforcement mechanisms enable consistent policies across hybrid and multi-cloud environments where traditional network boundaries no longer apply
  • Integration of multiple security solutions (ISE, Duo, Multi-Cloud Defense) creates comprehensive segmentation that combines identity, device trust, and policy enforcement
  • Effective segmentation requires careful planning around application dependencies and trust relationships, not just technology implementation
  • Success depends on starting with clear assessment and planning, choosing enforcement mechanisms appropriate to your environment, and building in visibility and operational flexibility

Why This Matters

Network segmentation directly impacts your ability to contain incidents and limit blast radius—the spread of damage when a breach does occur. In an era where attackers routinely breach perimeter defenses, the assumption that everything inside your network can trust everything else is simply not viable. Organizations that have invested in comprehensive segmentation strategies dramatically reduce their dwell time (the number of days an attacker remains undetected) and minimize the number of systems compromised. This translates directly to lower incident response costs, reduced regulatory exposure, and faster recovery.

Beyond incident response, segmentation is foundational to implementing Zero Trust architecture, which is rapidly becoming an industry best practice and increasingly a regulatory requirement. Zero Trust requires that you explicitly verify every connection and enforce the principle of least privilege—and you can’t do that without segmentation. As cloud adoption accelerates and hybrid work becomes permanent, the ability to enforce consistent security policies regardless of where workloads and users are located becomes increasingly critical.

For IT and security teams, this means that segmentation strategy decisions made today will shape your organization’s security posture for years to come. The good news is that mature, field-tested approaches now exist—from traditional VLAN-based methods to modern micro-segmentation and tag-based enforcement. The key is understanding which approaches fit your environment, planning carefully before implementation, and viewing segmentation as an evolving practice that adapts as your infrastructure and threat landscape change.

---

Listen to the full episode on [YouTube](https://youtube.com/@SecurityIn45) or subscribe via [RSS](https://media.rss.com/security-in-45/feed.xml).

Full Transcript


Welcome everybody to the Security in 45 show. Today is December 11th, 2024. I’m just gonna go ahead and do this, even though it’s corny, but ho, ho, ho. Welcome to the show.

As you can see, we’ve got four Santa Clauses on the show with you today. On this show, we of course cover a new security topic every month in 45 minutes or less. We’ve got a Christmas themed presentation today for you. We’ll be talking about segmentation.

Foundational segmentation, something that needs to be in every network, regardless of size. And tomorrow you will see the things we’re talking about in practice in a real dashboard. So kind of a two part show here. Andres, what can you tell us about our guest Santa Claus speakers?

Also while we’re at it, did you get your Christmas shopping done? Ha, ha, I’m still working on that. I’m probably gonna be last minute like every year. We were talking about that earlier.

So yeah, I’m pretty sure everybody relates to that. But no, today’s show is going to be awesome. It’s gonna be on segmentation. We have Chad and we have Sam.

We've had them on previous shows. And these guys are awesome, super knowledgeable about segmentation, identity, ISE, Duo, and things that just help a lot. And basically what we’re gonna do is just talk about proper segmentation from a high level overview of what it is, how we do it. And as you mentioned, Mike, we’re gonna have a quick demo tomorrow showing everything related to segmentation with some products that we do have that can do segmentation.

So with that, I guess I will give it to you, Chad, and then Sam too, and choose yourselves if you want. Awesome, thank you. Hello everyone, my name is Chad Bui. I am a solutions engineer here at Cisco.

Been with Cisco for 11 years, coming up on year 12 this coming January. So started on the CX side of the house, started in the lab, working in a lab, racking and stacking, building and recreate for tech engineers. From then I moved on to a tech role, supporting the ISE solution on the AAA team. I was there for a number of years before coming over to the sales side of the house.

So a little bit more background about myself, but I had to be on the show today. I know I’ve worked with you guys on a daily, but to share the stage with you guys is special. So thanks for having me. Glad you’re here.

Well, hi everyone, my name’s Sam Baxter. I’m a solutions engineer here at Cisco as well. So I’ve been at Cisco going on 10 years now. During that time, I started working in professional services.

So I was in CX on the opposite side of the house as tech, where Chad just mentioned. And I moved into pre-sales. So in the past years, I’ve been focused primarily on Duo security and Cisco’s identity ecosystem. Worked with these guys in the past and it’s a pleasure to receive the invite to come talk to you guys today.

So really looking forward to the conversation. Awesome, that’s great. Looking forward to it as well. Some of the best Christmas presents I’ve ever had is just the knowledge you guys have helped me out with when it comes to segmentation, ISE and Duo things.

So thanks for the early Christmas present on that. Guys, let’s talk a little bit about when it comes to segmentation, the terminology, basic principles, maybe like foundational knowledge. What can you tell us about some of the terms that we hear and need to know about and kind of just some high level basic principles of segmentation? Yeah, I can jump in.

So yeah, basically segmentation, there are a lot of different ways to segment a network, segment your resources, but from my understanding, it’s really taking the network, dividing it up into different segments and then within those segments, you can start controlling those with more granular policies. But at a high level, segmentation is gonna allow you to isolate assets from one another. There are a couple of different ways you would apply segmentation. So sometimes you’ll think about app to app communication, you can think about user to app communication, but it’s really just how can we create smaller pockets within a network if there is some type of risk or if there is a breach, how can we limit lateral movement?

So thinking about the East-West traffic and then also North-South. So Chad, do you have anything you wanna expand upon your understanding of segmentation? Yeah, you get the nail on the head. Segmentation is just that dividing your network up.

And a lot of times when we talk segmentation, it’s more in the security perspective, but there is a networking side to it in terms of performance when it comes to segmentation. Second up bandwidth is important in terms of networking performance, especially when it comes to video and voice traffic, which is another reason for segmentation, putting that voice traffic on its own domain while keeping the data separate to avoid any issues with this WebEx right now. Of course, we have to separate that out to get the best performance. So a lot of times as security guys, we’re thinking of the security aspect, this user can access this resource or this application can’t speak to this application, but it does expand out in terms of network performance as well.

But yeah, segmentation is just that. And you can get pretty crazy with segmentation. Of course, like traditional ways of segmentation would be like the VLANs and VRFs and having your access control list, but that’s just pretty much like the start of it. From there, we can get it super granular.

So yeah, that segmentation, dividing your network up and adding some security around it, but also increasing performance. How about RBAC? We hear that term a lot. What are we talking about there?

And Mike, that’s a good question. And this is something that came up when I was in the office a few weeks ago is just your understanding of RBAC. A lot of times when I think of RBAC, and those of you unfamiliar with RBAC, it is Role-Based Access Control, I always think of like administrative duties. Like within an application, if you have an analyst that really shouldn’t be involved in making configuration changes, but wanna go in and look at logs, I think of RBAC policies, like making sure that they’re not able to mess anything up, but also get the information they need.

While you have the administrator that should have full rights into a system. But that’s not the only use case for RBAC. It also can apply to network access. But just curious to think what comes to mind when you guys think of RBAC.

Yeah, I think of the admin use case as well. I think my time within Duo kind of helped me understand specific application use cases for RBAC. So maybe there’s some type of application that has a billing component or something that users shouldn’t be able to see. So from the end user perspective, like obviously the admin is gonna set the policy.

But yeah, I think about it both ways now, but I think since we’re always configuring from the admin side and we’re always in the dashboard, that’s why we typically will think about the admin use case. I think that’s nice, I have to say. That’s true. That’s true.

And I always look at it on the two different ways. I know it’s easy, like for example, some of the things that we’re configuring will be related to role-based access control. And then if we take it up a step further, I think it’s going to be every role in the company. So it’s segmenting that I think.

That’s my point of view, I think. Yeah, that’s great. How about this term, micro segmentation and macro segmentation? Yeah, I can jump in that one from the macro side.

Typically, just segmenting your network based on different zones. You might have, like Chad said, with the voice side, you have a voice VLAN and then you have a data VLAN. So just segmenting those, it’s gonna be a more broader approach. And then micro as in the name, right?

We’re able to segment applications or segment workloads down to the individual components of that workload. So if you have like a database component in the overall microservices application, you can start controlling who can access that database component. Maybe only the front end can talk to the database and not the user portion. So micro segmentation can go a lot further than that, but those are just a few examples.

And I think that’s a great question, Mike, because that comes up daily in conversations that I’m having with our customers is how to go about implementing micro as well as macro. Of course, I guess start with macro and then from there, fine tuning things. But it’s important to understand the difference between the two, but there are specific use cases that each can take advantage of. Yeah.

And I’d like that you brought up where to start. And I know we’re gonna ask you guys a little bit late about recommendations on where to start with the topic of segmentation, but yeah, that’s a good call starting with the macro. Andres, you’re muted. I’m muted.

You’re muted, Santa. You’re mute, Master. You’re mute, Master Gachi. There you are, I’m back.

No, I was just saluting to the fact that we have a lot of terminology on this type, which is pretty cool. And I really appreciate that we’re breaking it down. One thing that I will add that I’ve seen over the years is that segmentation. And let’s say, for example, think about the VLANs segmenting traffic and things like that, but it actually completes this story once you start applying policy.

And I know we’re gonna talk about a little bit about that in a few, but I have the next question is, what have you guys seen as far as the evolution of segmentation compared right now to 10 years ago? What do you guys think? Yeah, so when it comes to the evolution, based on my experience coming from my background and working with the identity services in ISE, I see the transition from performing dynamic segmentation, whether that’s with dynamic VLAN assignments. So having that static configuration on a switch port or the static configuration on an SSID, but being able to take that user into account and that machine that that user’s logged into account and be able to put that session on a different VLAN, whether that VLAN, that new VLAN restricts them or actually allows access to them, which again, there’s a lot that goes into that as well.

When you throw into things like compliance, is this a vulnerable endpoint? Of course, if it’s vulnerable, then we wanna make sure we put it in a quarantine VLAN, but that dynamic VLAN assignment and being able to dynamically change the access that that machine has, whether it’s applying an access control list is pretty much like the evolution I’ve seen. And then this is a journey that customers are still on and providing an easy way to implement segmentation. Again, with having those static configurations in place.

Yeah, I think from my perspective, I see a lot of the movement to the cloud. So, obviously with the shared responsibility of the cloud for customers, you have to implement your own policies, ensure that you’re segmenting the cloud, just like you would do on-premise. And then from the old networking, the protection for old networks, right? We had inherent trust for what was within the gates or within our network.

So I think that’s changed a lot with the cloud migration. And then with the cloud piece, right? They’re different constructs. So now you have strategies for like VPCs and keeping certain workloads from talking to others.

And then also allowing that outside access based on the business requirements also. Something else we’re seeing is segmentation of certain apps, being able to control segmentation using the kernel. So it could be the Linux kernel, could be using Windows. So using those host firewalls is a technique that we’re seeing.

And also for the application segmentation, there’s also agents that are in use. So there is a lot of different ways to achieve the micro segmentation, but those are just some of the things that I’ve seen recently. I’m glad you brought up the cloud environments just because that’s something that I’m continually ramping up on, getting familiar with the VPCs, the VNets, depending on the cloud infrastructure you’re in, just because that best segmentation in itself, having those segments within that cloud environment. So I’m glad you mentioned that just because that’s something that is on the rise.

Yeah, a lot of times, right, those environments will talk to each other, or you’ll have like private clouds or hybrid private clouds that talk to your public cloud. So we’ll get into this a little later, but you really need to understand the traffic flows and do some dependency mapping, right? Understand what are my apps actually doing? But yeah, that’s another topic when we start talking about the visibility as the first step.

Yep. Excellent, yeah, get visibility and then trying to map it all together, maybe trying to reduce the complexity and understanding of it as much as possible. I know Sam and Chad, you alluded to that coming up towards the end of the conversation. Segmentation, initially I was, when I first learned about segmentation, I kind of thought of it as something you do upfront, like a proactive approach, but then you start thinking about like, well, is segmentation more of a reactive benefit as well?

Does it have, would you guys say it has proactive and reactive components? For sure, for sure, both proactive and reactive. The proactive side plays a part in kind of like this, this whole trend of zero trust within your environment. So being sure that me, when I’m on a Cisco network, I don’t have access into the HR records.

And then also on the opposite side, had making sure an HR employee doesn’t have access to the engineering resources. So that’s the proactive side of it, but then you have to be reactive. Like Sam mentioned, whenever there’s a threat or even just like suspicion of a threat, being reactive, whether that’s manually or automated to quarantine that device or apply an access control list, that’s what your quarantine looks like, is on the reactive side. So it all starts with the proactive, every network starts flat.

So it’s the engineer’s responsibility to segment those sections off and apply security around it. But then also just stop that lateral movement on the reactive side. I completely agree with you, Chad. Yeah, obviously the proactive side, understanding the types of devices, the types of users that ties in with the role-based access control we talked about earlier, making sure that you’re operating from a least privilege.

So when you’re designing a policy to make sure that least privilege isn’t in mind. And then from reactive, there are tons of different ways, right? You might wanna do like a change of authorization. If we determine there’s a vulnerability on a machine, putting someone on another VLAN, right?

Just being very dynamic based on certain attributes that you’re seeing on that endpoint or some way to achieve that as well. Sure, sure. I think about that decrease the blast radius for the reactive, like something does happen, it’d be great if it’s contained, so a good reactive. Everyone’s trying to automate those things now, which makes sense.

I mean, mean time to detection and response is critical, it can be critical. So again, I would say the traditional way is the manual intervention, going into a system and manually segmenting or quarantining an endpoint, but a lot of times that’s not good enough. Once something gets in and starts spreading, that happens quick. In the networking world, things happen fast in terms of traffic, so it’s important to have those automations in place.

Yeah, that’s it. There’s lots of ways to do that as well. Yeah, that time to reaction is critical and these attacks are happening much quicker than us humans can respond to. Yeah, you’re right, you couldn’t agree more about having something automated to perform that reactive segmentation if you need to.

Yeah, that was good. There’s always an element of when do we react, so that’s always good to know. Now building up on those things that we started talking about where we get started, we also want to know, and if you guys don’t mind going over this is, where do we start enforcing the segmentation? And I know in some cases, depending on the architecture of what we’re implementing, it’s gonna be different, but what do you guys think we should know where it gets enforced?

That’s a good question. So going back to where things start, if we were to look at a flat network and you start to build your segments out, your different VLANs, from right there, through routing and access control lists, we can start doing some segmentation enforcement. What VLAN can talk to what? And I think that’s a good place and going back to my CCNA days, that’s what we were taught as the basics of networking when you start getting into two different segments.

And going back to the evolution, from there, we have the zone-based firewalls as Sam mentioned as well, being able to enforce segmentation at the firewall level. And we know there’s different places you can place a firewall, you can place it inside your network to monitor that east-west traffic. Of course, you’re gonna have a firewall at your edge for the north-south, but there’s segmentation being enforced there. And then again, going back to my ISE experience as it relates to software-defined access, that’s when we can get pretty granular.

So of course you have your VLANs, but doing that inter-VLAN segmentation. So the devices that are sitting in the same subnet, we can take things a step further with using group-based policy, which opens the door to multiple enforcement points at the access layer. Your switches are enforcement points, your APs are enforcement points. So there’s different ways to enforce segmentation and everyone does it differently.

There’s some people that do it the same in terms of having a firewall in place to do some segmentation, but there are other organizations that use access control lists on the switch ports, session-based access control lists to enforce segmentation. So it’s a mix and it’s really finding which segmentation enforcement model fits best for your organization. Yeah, just to expand on that, I think it depends on the assets as well. So if you have highly valued assets, you can start segmenting those.

So doing that zone-based will probably be an easy win there. Something that a lot of organizations are using is APs with the guest network. That’s technically a form of segmentation and we can start layering security controls on top of that, some of those segmented networks. But yeah, like Chad said, it’s multiple ways.

If you wanna control it at the network, it depends if you wanna allow that user to even get to that application or get to that resource. So a number of different ways to achieve the same goal. Some are easier, some are more difficult, but if you think about like Duo Security, there may be an application that you have on premises and all your users can get to that app. You can easily segment users from even being able to log in, coming through the front door using like group-based or identity policies.

So that’s a form of segmentation and that’s gonna be an easier win than going out and touching all of your network devices or touching all of your routers and switches. And I’m glad you mentioned that, Sam, just because like there are, when we’re talking about where segmentation is enforced, again, reaching that application is one thing where we can segment the network so that that user doesn’t even reach that application. But then we can also put the segmentation on the application and using something like Duo. So we allow network access to that IP address, but there’s an authentication process that happens there to confirm if you’re able to actually get into that application.

So again, that just speaks to the multiple ways of enforcing it. And there’s also the discussion about if it’s logical to block as close as the user or as far as the user, as close as the application. So yeah, I’ve seen both and it becomes different from the architectural perspective. So that’s pretty cool that you guys talk about that.

Yeah, and then like you just mentioned, like blocking closer to the destination, that’s like a concept of TrustSec, like looking at security group tags. This source can talk to this destination, but the enforcement really happens closer to that destination where that destination tag is known. There are ways that you can use SXP to send the mappings to other devices to enforce the policies, but in most cases it’s done at that destination where that tag lives. Chad, these SGTs, these security group tags that we talk about when we hear ISE or Identity Services Engine, hopefully we’ll get to see a little bit of that tomorrow in the dashboard as well.

So I know that’s a big component there. Sure, for sure. So that is the concept of TrustSec or group-based policy where we’re assigning tags to the traffic on the network. So there’s a security group tag to an IP mapping and in the concept of TrustSec, there are three main components, the classification.

So the tagging of that traffic can be done through authentication, can be done in line throughout the network, the propagation piece, so the passing those tags across the network and then the enforcement. And that’s where we’re able to put in and enforce the segmentation according to the policy that’s configured. So something that I can’t wait to show you guys just because it is so useful, especially if you have a Cisco network to take advantage of a solution like that, referred to as adaptive policy on the Meraki side. So the concept’s still the same.

And this is also what makes Cisco special, being able to enforce end-to-end segmentation. TrustSec is something that is available, of course, in the campus and branch networks. We’ve added it to our SASE solutions, Secure Access, all the way to the public cloud environments, the data centers within ACI. It’s just a helpful way to have that common policy as well.

So something uniform, the same user, no matter where they are, has the same experience no matter where they’re connected. For instance, if I come into a Cisco office in RTP, I should have the same experience as when I go to a Cisco office in Atlanta. And that’s thanks to that common policy provided by our NAC. Yeah, those SGTs and anybody listening who wants to explore segmentation, do yourself a favor and look into what TrustSec is and just get a basic understanding.

Because I kind of think of it as a more modernized way to segment. And I like that it’s easier to think about for me, because I think of a tag following a packet around wherever it goes, however far it goes in the network, it still has that tag there. And I can take a look at that tag as I want to do some type of policy. All right, so we’ve talked about a lot and we’ve also talked about various places where we can do the segmentation and the network on the device, on the application, maybe on an access switch, maybe the network device, on a firewall, on the edge.

So segmentation, I don’t think there’s like a super simple easy button for it. So like, what is it that journey to segmentation look like in terms of, or am I wrong? Is there an easy button? Is it a thing that takes a month long to do?

Where do you, is it a never ending journey? Where do you go to start with something like this? It is in fact a journey. And it all starts with a good design, which again, goes into, Sam mentioned understanding one, the assets that are on your network, the applications, the resources that these users need access to and taking that to the drawing board.

I feel like a solid segmentation design will only set you up for success. But again, that comes with having the visibility and understanding of what is present within your network instead of just jumping in and putting in rules. That’s a quick and easy way to set yourself up for failure. It’s a journey.

It’s a journey. And there are some people that are in the mature stages of that journey. So they have a solid macro-segmentation design in place but explore micro-segmentation as they do have these applications dispersed everywhere whether it’s in the private cloud, public cloud. Again, it goes back to visibility and tying that into everything that you’re doing on the campus side, campus and branch side as well.

So, to answer your question, it is a journey and it all starts with the right design in my opinion. And you’d mentioned don’t set yourself up for failure making it too strict right off the bat. Like maybe start broad, get this large group of things communicating with this large group of users, has or does not have access, maybe not so granular right off the bat.

Exactly. And I learned that crawl, walk, run approach from working with the Identity Services Engine. It is a beast of a solution. And it’s one that you must take that crawl, walk, run approach to and it only sets you up for success.

One thing that I’ve seen over the years is that it is so easy. Like when we talk about the Identity Services Engine or ISE, it is so easy to make it super complex instead of just looking at it from a high-level perspective. So that’s the flexibility of the product. You can make it as easy or as complex as you want, but yeah, that’s one thing to think about.

We talk about complexity being the enemy of security. Yeah, like I’m a big fan of just keeping it simple. And I think you can mess a lot up if you overcomplicate something like segmentation as well. Or if it is complex, that’s okay.

But like, let’s kind of conceal that or let some type of tool worry about the complexity and let us humans kind of view this in a simplistic way to make sure we’re not cutting someone’s access off or over allowing access. Exactly. Yep. All right, so glad we have you back, Tom.

I know you lost power for a minute there, so. Oh yeah, sorry about that. The Grinch was trying to get me, but. You can’t keep sailing away for too long, yeah.

Yeah, dealing with some storms here in North Carolina, so rainy days. Yeah, yep. Now usually it’s Andres down in Miami dealing with high wind and storms and all that. He’s living the good life right now.

What is it, 80 degrees down there and. It’s 70 something. 70 something, sun, no. Must be nice.

And here in North Carolina fashion, I mean, it’s freezing one day and then the next day is 67 degrees, so. Yeah, it’s a roller coaster here. That’s crazy. All right, guys, so I do have the next question and this one is I guess what everybody’s waiting to hear from the session is, and we have the pros here, so what are the secret tips or things that you guys know to make this easy to start that segmentation conversation inside of the company?

Like what do you see is the best way or the best route to start thinking about it? Yeah, I think the main thing is, you know, trying to understand your security policy, really knowing the organization’s appetite for risk and the value of all your assets. So the visibility part is gonna be key. Making sure you can have those dynamic policies.

And then also another key tip is, you don’t have to turn everything on in enforcement mode from the start. So you don’t wanna break anything, so you definitely wanna start broad and then start adding granular policies later. Like if you wanna quarantine a device or put them on a quarantine VLAN. So monitor mode is gonna be crucial in helping you understand the impact of your policies before you roll them out.

100%, that’s a great pro tip right there. Monitoring mode and when you go and just toggle that switch and start blocking things as network administrators, get ready for some calls. So that is a great tip in a second there. What about changes on Friday at 5pm?

Oh yeah, yeah. Oh my gosh. Set yourself up. I love the, I think every tool for, it’s a segmentation tool should have a visibility mode or discovery monitoring mode without enforcement.

So great. So I think that’s a great tip. Monitoring mode without enforcement. Great pro tip on that one.

Try to think that’s a good one. I was trying to think of a second one, but that’s one that I’ve seen burn our customers in the past. Just not even thinking about it and clicking on something, changing the default rule, then next thing you know, you lose access. So yeah.

Can we, you guys are very familiar with ISE and Duo. Can you do something like that on one of those tools where we have discovery only without enforcement mode? You can. So, and what I was mentioning with TrustSec, where you have that matrix, there is a monitoring mode in that.

So you can get an understanding of what will be blocked, what will be allowed before you actually put it in place. Same thing with authentication. When you put that on switch ports, there’s a monitoring mode, closed mode, open mode, where you can make sure that that switch port is getting the access it needs based on that user, based on that endpoint, without actually impacting the traffic. So it’s a good starting place to keep your users happy, but also help you fine-tune your security policy.

Yeah, it’s the same for Duo as well. So for certain applications, as you’re rolling it out, you can allow access without the 2FA, just for visibility. And in some cases, if you’re doing things like trusted endpoints, where you wanna look at another system to verify that this device is something that you know about or it’s within your MDM, you can get that visibility in monitor mode first, understand what types of devices are even trying to connect to your apps. And then once you have that knowledge, then you can enforce.

You don’t wanna start blocking first. Oh, that’s awesome. Yeah, I love tools like that. I can confidently and safely roll out.

Chad, you mentioned those, you know, once those calls, those help desk tickets, those ones that we got in TAC all the time. Right. Yeah, that was, especially on a Friday, like Andres said. Now guys, tomorrow when we’re seeing, you know, the live dashboards, let’s talk a little bit about the role Cisco has in segmentation.

We’ve been talking about ISE, we’ve been talking about Duo, on top of my mind I’m thinking like Multi-Cloud Defense as well. Tell us a little bit about Cisco and the role that Cisco plays in segmentation. And I can jump in. So like you mentioned, I mean, there’s a lot of products that help make up our entire segmentation vision and framework.

And it starts with our NAC, ISE, being that core of Cisco segmentation, having that unified or common policy across the board. But then the way that that solution ties into the rest of the security stack, ties into the firewalls, it ties into the endpoint. I mentioned it ties into SASE, into the data center, to do things like rapid threat containment. Going back to the proactive versus reactive side and automating things.

ISE has a feature called Rapid Threat Containment, where we’re using API calls from other security solutions to take action. So the firewall sees something suspicious, let ISE know so we can take action at the access layer of the network. Something happens in your EDR solution, when you’re using Secure Endpoint. Endpoint will make your firewall aware of it, Endpoint will make ISE aware of this activity and automate containment, automate quarantine.

So there are a number of products that make that possible. And when you integrate those, that’s what makes your life easier when it comes to implementing segmentation. So with ISE, Secure Firewall, Secure Endpoint, Multi-Cloud Defense, Secure Access, can all make use of the common policy to enforce segmentation on the proactive as well as on the reactive side. Yep, and also for like for the data center and the cloud, Cisco also has a couple of different solutions where we can offer a fabric.

So being able to integrate the network with those applications is key and something a lot of the competition doesn’t really offer, right? So we can ensure that it’s an end-to-end segmentation policy. But for certain products like Multi-Cloud Defense, we have visibility so we can pull in all of the NSGs or the security groups or any of the rules you have in your cloud environments before we start doing any enforcement. So letting you know what’s out there.

And then also we have Secure Workload, which allows you to do that application micro-segmentation. And the workload is going to have multiple enforcement points. And we’ll be able to gather information on the vulnerability of the types of dependencies on the application, all of the communication between the different components of the overall app. All of that dependency mapping is gonna be automated as well.

And then we can also show you what would have happened if we turned this on in enforcement mode in Workload also. And then Multi-Cloud Defense, we can automate that east-west. So some of that lateral traffic through zones in the cloud. In addition to everything Chad said, but that’s from the data center and the cloud side.

Multi-Cloud Defense is becoming one of my favorite products. Oh man, totally. Getting the visibility, especially if you’re in a different cloud environment, you don’t have to be proficient in Azure or AWS to deploy this solution out and have it tie into everything else you’re doing on premises. So I do love what we’ve done with that.

I love that defense. Like taking something that no one wants to deal with, cloud complexity segmentation, confusing, where do I start? And then like completely making this as simple as it could be. Yeah, I could not agree more.

I think that’s- The last thing, oh, go ahead. No, I was gonna say something silly that’s making a lot of us look like we know what we’re doing in cloud. Don’t be fooled anybody. Yeah, the last thing I’ll mention is the Cisco Secure Access.

So Secure Access, we’re able to use resource connectors. So we can hide applications for hybrid workers. So you have to come through our stack to even be exposed to that application. And then we also have that in Duo as well with the reverse proxy.

But that’s gonna limit the exposure to the app. And then you can also add posture and like device identity policies on top of that traffic. That’s a good call about the resource connectors in Secure Access and then the DNG in Duo. Yeah, cause that’s a good part of segmentation when you’re giving access just through an application, you don’t have that lateral movement like the IP-based lateral movement that like a traditional remote access VPN would give you.

So yeah, good fundamental approach there. So I will say this, I think a lot of times, as technical people we’re just in the dashboards and technical details, but I do say it was pretty awesome in Cisco with the recent awards with Gartner and Forrester for both Zero Trust and Leaders in Micro-Segmentation, including Enterprise Firewall. So I’m glad to see segmentation as a primary focus of Cisco there and it kind of shows through those awards there. For sure.

And it’s nice to see so many products that we create integrating together. So think about SGTs, TrustSec, how they’re expanding to other products. And that makes a lot of sense. All right, even non-Cisco.

I mean, you think about like Palo firewalls can make use of TrustSec tags. So the development, the evolution of Cisco security is we’re seeing some success now because if a security stack is integrated, I mean, there’s a good chance that you will have an effective security policy. Yeah, that’s a great call out. All right, Mike, what do you think?

Man, let’s do it. The moment we’ve all been waiting for. All right, so for today, we have a rapid fire Christmas questions. And I don’t know, how do we want to do this?

But I’m gonna shoot the first one. Maybe all of us want to answer it. But what is your favorite Christmas movie? And before anybody take it from me, I’m gonna say Home Alone.

Oh, good one, one or two. One. Yeah. Yeah, one’s good.

What about you Chad? I will have to go with Santa Claus. Santa Claus with Tim Allen. That is probably one of my favorite Christmas movies.

Santa falls off the roof, he puts on the Santa suit becomes Santa Claus. That was Tim Allen, right? Yeah, that’s Tim Allen. Yeah, yeah, yeah.

Yeah, so that’s up there, at least my top three. It might be my favorite. Home Alone is up there for sure. Yeah.

What about you, Phil? Yeah, I’ll have to say the Rudolph the Red Nose Reindeer. I just like the design. Like the- So cool.

Yeah, it’s cool. Like how, you know, the different characters. Yeah, just how they designed the movie. This is great.

No, I was gonna say National Lampoon’s Christmas Chevy Chase, but I think I’m actually with Chad. Edges it out, the Rudolph with the claymation and how cool that uniqueness is there. But man, that’s tough to beat that National Lampoon’s Chevy Chase. He also falls off the roof.

He’s got all those Christmas lights he’s trying to hang up. What about Die Hard? Die Hard, oh man, that’s good. You know, I’ve seen, have you guys seen any like, of the more like the deeper side of Christmas, like the scary Santa Claus movies?

I saw one last year where Santa Claus has got to like send off these people robbing this house and he’s got- Oh no, I haven’t seen that. I haven’t seen that either. I haven’t seen that. It’s like the Grinch is up there too, you know, as a classic.

Oh. Introduce my daughters to the Grinch and we watched the real movie and I think that might’ve scared them a little bit. Just like the real people. But yeah, the Grinch has been on repeat at my house.

A Christmas Story with the Red Ryder BB gun. Man, that’s so awesome. Yeah, classic. Right, I have another one.

We have a few here on the list, but I’m gonna pick another one that probably be controversial or not. What about Christmas tree? Do you prefer fake Christmas tree or a real Christmas tree? I’m sure that you won’t get canceled if you choose to.

Either way. It’s a fake- Yeah, I just think fake. It’s just easier and then, yeah, just not dealing with like bugs and critters and stuff like that. I don’t know, I’ve never had a real Christmas tree.

So we’ve always done fake. And I always, I’ve done the real one and the smell, the smell is really nice. So yes. Yeah.

I miss that smell. I’ve always had a real tree. Definitely considered the fake tree just for ease of setting it up, putting it apart. There’s a lot that comes with the fake or the real tree.

Of course, I mean, you mentioned bugs. I usually don’t have the bugs issue, but like, when you bring in the Christmas tree and you got sap all over your hands, you get watered. But I think it’s part of like my family tradition too, just like going out, picking the perfect tree, putting it on the car, taking it off. And to share those experiences with my daughter is something that will probably keep me doing the real tree.

But there have been those years where I’m like, I’m just going with the fake tree. But they’re just like, what about the smells? Like you get the, the smell of the fir tree. But I’m a real tree, real tree guy.

Yeah. I prefer the real tree. We do have, we’ve had a fake one for the past couple of years. But yeah, man, nothing beats for me, that real one with the real smell.

And I have to go back to the National Lampoon’s, you know, Chevy Chase Christmas. Like they do that. They go out in the field and cut down that, they try to cut down the tree, but they forgot the saw. So they just rip it out from the roots and put it on the car and, you know, get home that way.

Oh, that’s awesome. A lot of fun season. Well, all right. I have the last one.

And this one’s gonna be your favorite holiday tradition. So I’ll get started with you Chad. Favorite holiday tradition is just getting together with my family. I have a huge family.

Like I have tons of cousins, aunts and uncles. And we usually get together at my house, my parents’ house. So, I mean, it’s madness, a ton of food, a bunch of kids running around, everyone’s laughing and having a good time playing games. So I would say just that family time is, that’s all I know when it comes to Christmas time.

So I would say that’s my favorite tradition, just getting extended family together. Nice. Yeah, I’ll say like the community outreach. So always giving back during the holidays, it’s a tough time for people who are at need and we’re blessed with our job and the things we do for a living.

So just getting together with family, getting together with friends to do some type of give back, whether it’s an angel tree or donating gifts. That brings a lot of joy to me and my family during the holidays. So definitely say that’s my favorite part of the year. That’s awesome.

What about you, Mike? Man, those are, I could not agree more with both of those, family and the giving. My favorite thing is we do this like, if you guys know the white elephant thing where everybody gets one gift and you go around in the circle, that’s really fun to see what everyone’s gonna bring. I do that with my family and, you know, just to see what everybody was thinking about in terms of bringing their present and you don’t know what you’re gonna end up with, it’s pretty cool.

That’s nice. How about you, Andres? Yeah, that’s nice. In my house, and I will say in every Latin house, we don’t open the presents on the 25th.

We wait until midnight to open the presents. Yeah. So midnight on the 24th. On the Christmas Eve.

Christmas Eve night, okay. Oh, okay. Nice. So we usually have, so the funny thing is that we have, we have the dinner, then probably at six, 7 p.m., everybody just goes crazy, starts running around, but everybody’s waiting until 12.

And if you have kids and the presents are a bunch of things that they can use and they can, you know, go outside and mess around, yeah. They probably go to bed at like 3 a.m., 4 a.m., just because of that. I would have loved that as a kid, like to be able to open presents as soon as possible. Yeah.

Stay up late, yeah. Yeah, stay up late. That’s awesome. Oh man, that’s…

Yeah. That’s what we do. Yeah. That’s what we do.

All right, Mike, I give it back to you, I guess. Okay. Some closing thoughts. It’s been a, yeah, it’s been a great show.

Chad, Sam, how about just some closing thoughts from you guys over you? Maybe Sam, I’ll hand it over to you. Yeah, so as we mentioned, there are a number of ways to do segmentation. Segmentation is really critical, right?

You never know when someone’s gonna penetrate your network. So you definitely have to assume that it’s going to happen. So when it does happen, how do you limit the blast radius? So that goes hand in hand with everything we talked about today.

Some of the techniques are easier, some take more planning, but I’ll definitely say design is key, visibility is key. And Cisco has been doing this for years, so we can definitely help you out with that journey and make sure you have some support while you think about segmentation and how you can plan to achieve it. So I’ll piggyback on that. And segmentation is critical, it’s key, super important.

And all of us, we’re all resources. So for those of you listening, we are more than happy to talk things through with you, help you with design in any way that we can. Cisco has a ton of solutions to help you accomplish your segmentation goals. And that’s where we come in to kind of help you put that into action.

So please don’t hesitate to reach out and have those conversations. Something that I always end calls with, whether I’m doing demos on other solutions or ISE, talking segmentation, is, hey, if anything comes up, I’m happy to talk things through with you, just because that is a part of that journey, is making sure you have the plan and design in place to successfully segment your network. Yeah. And I know you guys mean it too, and that’s true.

I’ve seen you guys throughout the years, helping customers out before, during, throughout, and after their segmentation is, like you said, the journey of it. I like starting off with those concepts. We always hear terms like macro and micro segmentation kind of differentiating between those. The evolution was pretty cool.

You guys touched on how segmentation now is in the cloud and there’s concepts we hadn’t really thought about traditionally, about how segmentation has evolved over the past 10 years. It has proactive and reactive concepts and benefits and is being enforced at different places. Sam talked about the application level. Chad, you were talking about using ISE to segment at the port level.

So there’s firewall segmentation and segmentation on the end point itself and of course in the cloud. And I do wanna- I have to thank you for the docs. No problem. And I did wanna jump in and just say, thank you guys for having me again.

It’s always a pleasure to get on it and talk security with you guys. Even though we do it on a daily basis, every time we do it, I love it. So definitely wanna thank you for this opportunity. Yeah, I appreciate it.

Yeah, I love talking with you guys. Definitely see you guys as friends and coworkers. So appreciate talking security with you anytime you wanna invite me again, just let me know. Thank you guys so much.

And likewise, it’s pretty special that we do get to work together and I appreciate you guys being on the show. Wearing the Santa hats, amazing. And best part about it, Andres, we’ll see these guys tomorrow at the demo day. Yeah, demo day tomorrow.

So we’ll work for you again. We’ll do this again tomorrow and it’s always a pleasure. Thanks everybody. I hope you enjoyed the show on security in 45 today.

And yeah, tune in to see all this in action. We’ll see the ISE dashboard, the Duo dashboard, who knows what else we’ll see. Who knows if we’ll be wearing these Santa hats or something else or if you’re listening in through Apple Podcasts, you have no idea what we’re talking about. We’ll see you guys tomorrow.

Be safe, stay secure. Yeah. Have a good one. See you.