General Process for Implementing Microsegmentation
The intent of segmentation and microsegmentation is to allow only the traffic that is required for business purposes and to block all other traffic.
Procedure
1. Ensure that Secure Workload supports the platforms and versions that your workloads are running on, and the systems that provide essential information to your policies. See Secure Workload Compatibility Matrix.
2. Install agents on workloads. Agents gather flow data and the other information that Secure Workload requires to group workloads and determine appropriate policies. The agents also enforce approved policies. For more information, including links to lists of supported platforms and requirements, see Deploying Software Agents.
3. Gather or upload labels that describe your workloads. Labels let you easily understand the purpose of each workload and provide other key information about it. You need this information to group workloads, apply appropriate policies, and understand the policies that Secure Workload suggests. Labels are the foundation of the groups that simplify policy management. For more information, see Workload Labels and Importing Custom Labels.
4. Create a scope tree based on your workload labels. The logical groups of workloads that labels help you create are called scopes, and a well-chosen set of labels helps you create a hierarchical map of your network called a scope tree. This hierarchical view of the workloads on your network is key to efficiently creating and maintaining policies: it enables you to create a policy once and apply it automatically to every workload on that branch of the tree, and it lets you delegate responsibility for certain applications (or parts of your network) to the people who have the expertise needed to determine the correct policies for those workloads.

   You can query workloads and group them into scopes based on their labels. For example, you can create a scope called Email-app that includes all of the workloads that have the labels Application = Email-app and Environment = Production. You can create a parent scope for the Email-app scope by using the query Environment = Production; the Production scope then includes the production Email-app workloads and all other workloads labeled with Environment = Production. For more information, see Scopes and Inventory.

   If you have not yet created any scopes, you can use the Quick Start wizard to create a scope tree. For more information, see Quick Start Wizard.
5. Create a workspace for each scope for which you want to create policies. The workspace is where you manage policies for the workloads in that scope. For more information, see Workspaces.
6. Manually create policies that apply across your network. For example, you might allow access from all internal workloads to your NTP server and deny all external traffic, or deny access from all non-internal hosts unless it is explicitly permitted. A policy is either absolute, meaning that more specific policies cannot override it, or default, meaning that more specific policies can override it. For more information, see Manually Create Policies.

   Secure Workload provides policy templates that make policy creation easier. For more information, see Policy Templates. You can enforce manually created policies without waiting for policy discovery. For more information, see Enforce Policies.
7. Automatically discover policies based on existing traffic patterns. Secure Workload analyzes traffic between workloads, groups workloads based on their behavior, and suggests a set of policies that is intended to allow the traffic your organization needs so that you can block all other traffic. Analyzing more flow data over a longer period yields more accurate policy suggestions. You can discover policies iteratively (see step 9). For more information, see Automatic Policy Discovery and Discover Policies for One Scope or for a Branch of the Scope Tree.
8. Review and analyze your policies. Examine your policies carefully to ensure that they have the effects you expect and that there are no unintended side effects. Work with subject-matter experts and application owners in your organization to understand the needs of the organization and the appropriateness of the suggested policies.
9. Iteratively discover policies as needed. More traffic flow produces more accurate policy suggestions; for example, three weeks' worth of data may not capture the traffic of a job that runs monthly, such as a monthly report. Each discovery run suggests policies based on the current traffic flows, so continue to discover policies and review and analyze the new suggestions. You can also re-run discovery to pick up changes to policy discovery settings and approved clusters. Before you re-run automatic policy discovery, approve the policies and clusters that you want to retain. Each time you re-discover policies, you must review and analyze them again. For more information, see Iteratively Revise Policies.
10. When you are ready, enforce policies. After you have determined that the policies associated with a workspace (and hence with the associated scope) are appropriate and will block unwanted traffic without interrupting essential services, you can enforce those policies. You can enforce policies iteratively; for example, you might initially enforce just the manually created policies in scopes near the top of your tree, then over time enforce discovered policies in scopes lower in the tree. For more information, see Enforce Policies.
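The following is an added example, not Secure Workload code, that models the concepts from steps 4 and 6 above: scopes are label queries arranged in a tree (the child scope Email-app nested under Production), each scope's workspace holds policies, and a flow is decided so that an absolute policy in a parent scope cannot be overridden by a more specific scope while a default policy can, with everything else blocked. The hostnames, label values, the "Internal" marker for inventory hosts, and the concrete evaluation order (absolute policies root first, then default policies leaf first, then a catch-all deny) are assumptions chosen to realize the page's description, not a statement of the product's internal algorithm.

```python
# Added example (not Secure Workload code). Hostnames, labels and the
# policy-ordering rule are assumptions that illustrate the page's text:
# absolute policies cannot be overridden by more specific scopes, default
# policies can, and unlisted traffic is blocked.
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory: hostname -> labels (values are made up).
INVENTORY = {
    "mail-01":  {"Application": "Email-app", "Environment": "Production"},
    "crm-01":   {"Application": "CRM",       "Environment": "Production"},
    "ntp-01":   {"Application": "NTP",       "Environment": "Production"},
    "mail-dev": {"Application": "Email-app", "Environment": "Development"},
}


def labels_of(host, inventory):
    """Labels for a host; anything not in the inventory is treated as external."""
    if host in inventory:
        return {**inventory[host], "Internal": "yes"}
    return {"Internal": "no"}


def match(query, labels):
    """A query is a set of label equalities; the empty query matches everything."""
    return all(labels.get(k) == v for k, v in query.items())


@dataclass
class Scope:
    name: str
    query: dict
    parent: Optional["Scope"] = None

    def members(self, inventory):
        return sorted(h for h, lab in inventory.items() if match(self.query, lab))

    def chain(self):
        """Scopes from the root down to this one (root first)."""
        out, s = [], self
        while s is not None:
            out.append(s)
            s = s.parent
        return out[::-1]


ROOT = Scope("Root", {})
PROD = Scope("Production", {"Environment": "Production"}, ROOT)
EMAIL = Scope("Email-app", {"Application": "Email-app", "Environment": "Production"}, PROD)
SCOPES = [ROOT, PROD, EMAIL]


def check_tree(scopes, inventory):
    """A well-formed tree: every child's members are a subset of its parent's."""
    for s in scopes:
        if s.parent and not set(s.members(inventory)) <= set(s.parent.members(inventory)):
            raise ValueError(f"scope {s.name} is not nested inside {s.parent.name}")
    return True


def most_specific_scope(labels, scopes):
    return max((s for s in scopes if match(s.query, labels)), key=lambda s: len(s.chain()))


@dataclass
class Policy:
    scope: Scope         # workspace (scope) in which the policy is defined
    kind: str            # "absolute" or "default"
    action: str          # "allow" or "deny"
    consumer: dict       # label query on the source; {} = any
    provider: dict       # label query on the destination; {} = any
    port: Optional[int]  # None = any port


POLICIES = [
    Policy(ROOT, "absolute", "deny", {"Internal": "no"}, {}, None),                      # deny all external traffic
    Policy(ROOT, "absolute", "allow", {"Internal": "yes"}, {"Application": "NTP"}, 123),  # all internal -> NTP
    Policy(PROD, "default", "deny", {}, {}, None),                                       # Production baseline
    Policy(EMAIL, "default", "allow", {}, {"Application": "Email-app"}, 25),             # discovered: SMTP into Email-app
]


def evaluate(src, dst, port, policies=POLICIES, inventory=INVENTORY, scopes=SCOPES):
    """Decide one flow. Returns (action, matching policy or None for the catch-all)."""
    s_labels, d_labels = labels_of(src, inventory), labels_of(dst, inventory)
    chain = most_specific_scope(d_labels, scopes).chain()

    def hits(p):
        return (p.port is None or p.port == port) and match(p.consumer, s_labels) and match(p.provider, d_labels)

    # Absolute policies are taken root first, so a parent's rule beats any child's.
    for scope in chain:
        for p in policies:
            if p.scope is scope and p.kind == "absolute" and hits(p):
                return p.action, p
    # Default policies are taken leaf first, so the more specific scope overrides its parents.
    for scope in reversed(chain):
        for p in policies:
            if p.scope is scope and p.kind == "default" and hits(p):
                return p.action, p
    return "deny", None  # catch-all: block whatever no policy explicitly allows


if __name__ == "__main__":
    check_tree(SCOPES, INVENTORY)
    for flow in [("crm-01", "mail-01", 25), ("203.0.113.7", "mail-01", 25),
                 ("mail-01", "ntp-01", 123), ("crm-01", "mail-01", 443)]:
        action, p = evaluate(*flow)
        print(flow, "->", action, f"({p.scope.name} {p.kind})" if p else "(catch-all)")
```

The two decisions worth noticing are the SMTP flows into mail-01: from the internal host crm-01 the Email-app scope's default allow overrides the Production scope's default deny, but from an external address the root scope's absolute deny wins even though the same Email-app allow matches. The check_tree function is the sanity check a practitioner wants before trusting a tree built from label queries: a child whose query is not a refinement of its parent's (for example Environment = Development under Production) is rejected.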