Examine the DNA Center Group-Based Policy Analytics Tool

Available Languages

Download Options

  • PDF     (531.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (629.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (355.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 28, 2023
Document ID:220665

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the Cisco DNA Center Group-Based Policy Analytics tool basic concepts.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco UCS M4 or M5 appliance, 44, 55 or 112 cores 
    • Cisco DNA Center software

    • Cisco Identity Service Engine (ISE)

    • Group-Based Policy Control

    Components Used

    The information in this document is based on Cisco DNA Center running release 2.3.5.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Pre-checks

    Check 1. You must enable NetFlow to use Cisco Group-Based Policy Analytics. This table shows the various ways in which NetFlow can be enabled on different network devices.

    Table 1.Device Support
    Network Devices Series NetFlow Configurable in telemetry section of Network Settings in Cisco DNA Center UI (Flexible NetFlow or Application Visibility and Control Based NetFlow) NetFlow Configurable using the template hub tool in the Cisco DNA Center UI (Flexible NetFlow or Application Visibility and Control Based NetFlow) NetFlow Collection in Fabric Deployment NetFlow Collection in Nonfabric Deployment
    Routers Cisco 1000 Series Integrated Services Routers (ISR1K) Yes Yes Yes Yes
    Cisco 4000 Series Integrated Services Routers (ISR4K) Yes Yes Yes Yes
    Cisco Cloud Services Router 1000v Series (CSR 1000v) Yes Yes Yes Yes
    Cisco 1000 Series Aggregation Services Routers (ASR1K) Yes Yes Yes Yes
    Switches Cisco Catalyst 9200 Series Yes Yes Yes Yes
    Cisco Catalyst 9300 Series Yes Yes Yes Yes
    Cisco Catalyst 9400 Series Yes Yes Yes Yes
    Cisco Catalyst 9500 Series No Yes Yes Yes
    Cisco Catalyst 9600 Series No Yes Yes Yes
    Cisco Catalyst 2k Series No Yes NA Yes
    Cisco Catalyst 3560 Series No Yes NA Yes
    Cisco Catalyst 3650 Series No Yes Yes Yes
    Cisco Catalyst 3850 Series No Yes Yes Yes
    Cisco Catalyst 4k Series No Yes Yes Yes
    Cisco Catalyst 6500 Series Switches No Yes Yes Yes
    Cisco Catalyst 6800 Series Switches No Yes Yes Yes
    Wireless Controllers Cisco 3504 Wireless Controller (AireOS-Based) Yes Yes No Yes, only central switching SSID
    Cisco 5520 Wireless Controller (AireOS-Based) Yes Yes No Yes, only central switching SSID
    Cisco 8540 Wireless Controller (AireOS-Based) Yes Yes No Yes, only central switching SSID

    Cisco Catalyst 9800 Based Controller

    Yes

    Yes

    Yes

    Yes

    Check 2. Make sure that you Network Devices has Cisco DNA Advantage or Cisco DNA Premier license enabled.

    Check 3. On Cisco DNA Center GUI navigate to System > Software Management > Currently Installed Applications and confirm that the Group-Based Policy Analytics application is installed. 

    Group Based Policy Analytics application installedGroup-Based Policy Analytics application installed

    Check 4. Cisco ISE needs to be integrated and Available over ERS and PxGrid with Cisco DNA Center. Confirm on System > System 360. 

    Externally Connected Systems

    Home Page Actions

    On Cisco DNA Center GUI navigate to Policy > Group/Based Access Control.

    Group Based Access Analytics Home PageGroup-Based Access Analytics Home Page

    In this page you can find:

    1. Title box - Click it to navigate to the Scalable Groups communication flow.
    2. Search bar - Helps out to filter on any group type, filter can be done by IP address or MAC address. 
    3. The Favorite icon - Shows the recent or saved searches.
    4. Configuration icon - Shortcut to either Policy settings or Analytics settings,

    The tile boxes show the unique traffic flow counts for the past 14 days for Scalable Groups, ISE Profiles and Stealthwatch Host Groups (If configured).

    A unique traffic flow is defined as traffic with a unique protocol and server port (like TCP port 80 or UDP port 123)

    As the example, if Stealthwatch is not configured, that tile box is not going to be shown. 

    Groups

    Network visibility is shown for these three types of groups.

    1. Scalable Group (SG). Known as Security Group in ISE and TrustSec group in routers, switches and WLCs 
    2. ISE Profile.
    3. Stealthwatch Host Group (HG).

    Group to Group Communication

    Groups communication can be separated in three levels:

    1. Multiple Groups to Multiple Groups (many-to-many) 
    2. Single Group to Multiple Groups (one-to-many) 
    3. Single Group to Single Group (one-to-many) 

    Click on the Group of your preference and the flow view is presented, on it the Source is always on the left-hand side and Destination is always on the right-hand side. The first view presented is the Multiple Groups to Multiple Groups.

    The flow view is a Sankey Diagram which is a type of flow diagram in which the width of the arrows is proportional to the flow rate of the depicted property.

    Multiple Groups to Multiple Groups view.

    Flow chart for Scalable GroupsFlow chart for Scalable Groups

    In this page you can find:

    1. Search bar - You can filter the Source groups.
    2. Talking to option - Only if the source is a scalable group you can choose the destination group type. 
    3. Time range - Click on it to change the date and time range. The range can be 1 hour, 12 hours or 24 hours.
    4. Switch tool - Switch between the Flow view and the Table view.
    5. Source Group - Click on a group to drill down to the Single Group to Multiple Groups view.
    6. Link - Hover over a link and click it to drill down two levels and end up in the Single Group to Single Group view.
    note-icon

    Note: The Multiple Groups to Multiple Groups view shows the top 25 source groups with the most flows.

    Table view for Multiple Group to Multiple GroupTable view for Multiple Group to Multiple Group

    tip-icon

    Tip: Yo can always expand the range to see more than the first 25 entries.

    Single Group to Multiple Groups View

    In this view the flow chart can be shown in Outbound and Inbound options.

    Outbound view shows a source group communication with all the destination groups you talks with.

    Outbound single group to multiple groups viewOutbound single group to multiple groups view

    Inbound view shows all the source groups communicating with a single destination group.

    Inbound view for single group to multiple groupsInbound view for single group to multiple groups

    In this page you can find:

    1. Search bar - Enter a value to filter the Destination groups if Outbound, and the source groups if Inbound.
    2. Communicating with option - Only if the source is a scalable group you can choose the destination group type. 
    3. Time range - Click on it to change the date and time range. The range can be 1 hour, 12 hours or 24 hours.
    4. Switch tool - Switch between the Flow view and the Table view.
    5. Navigation path - Click on any level of the path to move along it.
    6. Link - Hover over a link and click it to drill down one level to end up in the Single Group to Single Group view.
    7. Inbound | Outbound selector - Select the direction of traffic.
    8. Create Report and Download Report -  Export data from this page to create a report or download a previously created report.
    9. Group - Select a new Source Group.
    10. Pagination - Move to the previous or next page or change the number of records per page.

    Single Group to Single Group View

    On this view the you can see a source group communication with a destination group.

    Explore Scalable Groups

    In this page you can find:

    1. Time range - Click on it to change the date and time range. The range can be 1 hour, 12 hours or 24 hours.
    2. Switch tool - Switch between the Flow view and the Table view.
    3. Navigation path - Click on any level of the path to move along it.
    4. Arrow icon - Click on it to swap the Source and Destination groups.
    5. Filter - Filter per column.
    6. Find - Filter on all existing data.
    7. Create Report and Download Report -  Export data from this page to create a report or download a previously created report.
    8. Pagination - Move to the previous or next page or change the number of records per page.

    Reports

    Export data is available for:

    • Any Group to Group Communication table
    • IP/MAC address

    Report optionsReport options

    tip-icon

    Tip: Report section is not available for read-only user role.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    28-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Diego Granados
      Customer Delivery Engineering Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products