Introduction xxiii

Chapter 1: The Segmentation Mindset 1
    Pillars of Zero Trust 2
        Policy and Governance 2
        Identity 5
        Vulnerability Management 8
        Enforcement 9
        Analytics 10
    Beyond the Five Pillars 11
    Addressing the Problem Head On: Why Do Segmentation Strategies Fail? 11
    The Importance of the Team 13
        Information Security 14
        Network Engineering/Desktop Engineering 15
        Network Security 15
        Operations 16
        Cross-Team Collaboration 17
        Business Entities 18
        Executive-Driven Vision 19
        Other Considerations Beyond Standard Teams 19
    Aligning Strategy and Tactics 21
    Maturing in Segmentation Strategy 22
    A Look Ahead 23
    Summary 24
    Reference 24

Chapter 2: Alignment with Business Outcomes 25
    Identifying the Need for Segmentation in Modern Hybrid Networks 25
    Patterns Driving Modern Hybrid Networks 27
        Bring Your Own Device (BYOD) 27
        Internet of Things (IoT) 28
        Artificial Intelligence (AI) 29
    Security Risks: A Hacker's Playground 30
    Compliance Mandates: The Regulatory Maze 33
        Microsegmentation for Regulatory Compliance 34
        Payment Card Industry Data Security Standard (PCI DSS) 35
        Health Insurance Portability and Accountability Act (HIPAA) 37
        General Data Protection Regulation (GDPR) 39
    Performance, Scalability, and Adaptability 42
    Operational Complexity: The Management Nightmare 43
    Cloud and Multicloud Adoption: The Consistency Crisis 45
    Developing a Segmentation Strategy 45
    Reducing Risk via Organizational Perspectives 46
    The Leadership Perspective 46
        Strategic Oversight 47
        Effort Versus Value 48
        Resource Allocation 50
        Policy Development 51
        Risk Management 52
        Stakeholder Engagement 53
        Training and Awareness 54
        Performance Metrics 54
        Continuous Improvement 55
    The Architect's Perspective 56
        Design and Planning 56
        Integration and Alignment 58
        Innovation and Adaptation 58
        Collaboration and Communication 59
    The Asset Management Perspective 60
    The Network and Security Administrator's Perspectives 61
    The Application Development Perspective 63
        Perspectives on Infrastructure, Network, Applications, and Automation 64
        Roles and Responsibilities of the Application Team for Effective Segmentation 65
    Bringing It All Together: An Actionable Segmentation Framework 66
    Summary 68
    References 69

Chapter 3: Developing a Segmentation Strategy 71
    Cisco SAFE 72
        How to Use Cisco SAFE 73
        Capability Phase 75
        Architecture Phase 77
        Design Phase 82
    The Foundations of Segmentation 85
        Physical Segmentation 86
        Logical Segmentation 87
        Virtual Local Area Networks (VLANs) 87
        Private VLANs (PVLANs) 90
        Wireless SSID 92
        Access Control List (ACL) 92
        SD-Segmentation and Cisco TrustSec 94
        Security Zones 97
        Network Virtualization 99
        Extending Network Segments with VXLAN 101
        Session Layer Segmentation with QUIC 102
        Segmentation as a Service in Public Cloud 105
        Cloud-Native Segmentation 106
        Kernel-Level Segmentation with eBPF 112
    Segmentation Strategy and the Shared Responsibility Model 113
    Summary 115

Chapter 4: Macrosegmentation 117
    Gaining Visibility While Architecting Segmentation 118
    Network Virtualization 120
        An Overlay for an Overlay: VLANs 122
    Achieving Macrosegmentation with Firewalls 123
        Understanding Traditional Access Control Lists 124
        Understanding Interface-Based Firewalls 125
        Understanding Zone-Based Firewalls 126
        Hybrid Mesh Firewall 127
        Linking Concepts Together 130
    Practical Macrosegmentation Policy Development 130
    Segmentation Involves the Infrastructure but Is Really About the Endpoint 134
    Mapping with Cisco SAFE Architecture 136
        Campus: Securing Guest Wi-Fi Access in a Campus Network 136
            Solution with Macrosegmentation Features 137
            Conclusion 137
        Branch: Protecting Payment Processing in a Branch Network 137
            A Solution with Macrosegmentation Features 138
            Conclusion 139
        Data Center: Securing Remote Access in a Data Center 139
            Solution with Macrosegmentation Features 140
            Conclusion 140
        Internet PIN: Securing SaaS Application Access in the Internet PIN 140
            Solution with Macrosegmentation Features 141
            Conclusion 141
        Cloud PIN: Securing Workload Communication in a Cloud PIN 142
            Solution with Macrosegmentation Features 142
            Conclusion 143
        Edge PIN: Securing IoT Endpoints in an Edge PIN 143
            Solution with Macrosegmentation Features 143
            Conclusion 145
    Summary 145
    References 145

Chapter 5: Microsegmentation 147
    Benefits of Microsegmentation 148
    Implementing Microsegmentation 148
    Challenges in Implementing Microsegmentation 150
    Microsegmentation in the Campus 152
    Application Segmentation 153
    Cloud-Native Segmentation Controls 154
        Organizing Workloads 155
        Segmentation 156
        Applying Policies 157
        Network Service Mesh 160
    Automated Zero Trust Microsegmentation 160
        Grouping Workloads 162
        Organizing Workloads 164
        Automating Scope Discovery 166
        Critical Common Services 169
        Providing Access to Scopes 170
        Workload Information 170
        Policies 171
        Policy Creation 172
        Policy Discovery 174
        Measuring Segmentation 175
    Achieving Microsegmentation with a Next-Generation Firewall 175
        Seeing Through the Fog: Application Awareness 176
        Knowing Who's at the Gate: User Identity Policies 177
        Labeling the Landscape: Security Group Tags 178
        Reading the Room: Context-Aware Policies 179
        Cisco Secure Firewall: The Skilled Artisan 179
    Applying More Granular Enforcement Mechanisms Closer to the Endpoint 182
    Integration with Other Cisco Technologies for Enhanced Segmentation 186
    Summary 188
    References 188

Chapter 6: Building the Segmentation Fabric 189
    Cisco SD-Access Components 190
        Cisco Catalyst Center 190
        Cisco Identity Services Engine 192
    Operational Planes 195
        LISP: The Overlay Control Plane 195
        VXLAN: The Data Plane 195
        Cisco TrustSec: The Policy Plane 196
        Cisco Catalyst Center: The Management Plane 196
    Architecture Components 197
        Fabric 197
        Underlay Network 197
        Overlay Network 198
The Segmentation Blueprint : Strategies for Building Modern Secure Networks