Cisco ISE Micro-Segmentation in Campus and OT Environments

Most enterprise networks were built for connectivity, not containment. When a threat actor enters a flat network, nothing stops lateral movement from one system to the next. That is the core problem that Cisco ISE micro-segmentation solves.

Cisco Identity Services Engine (ISE) is a policy management platform that controls network access based on user identity, device type, and security posture. Combined with Cisco TrustSec, it enforces micro-segmentation across campus wired and wireless networks, data centers, and operational technology (OT) environments. Organizations can segment devices without redesigning the network and manage access to enterprise resources centrally. For C-suite leaders evaluating how to reduce enterprise risk, the distinction between connectivity and containment matters enormously.

Why Cisco ISE Micro-Segmentation Matters Now

The threat numbers tell a clear story. According to a 2024 OT and cybersecurity report, 73% of organizations experienced intrusions impacting their OT systems, a sharp increase from 49% in the prior year. Ransomware attacks in the industrial sector rose 87% year over year in 2024, making manufacturing the top ransomware target for four consecutive years. The industrial sector also recorded the steepest increase in average data breach cost, rising by $830,000 per incident in 2024.

These figures reflect a structural vulnerability. OT and campus networks were historically isolated, but digital transformation has converged IT and OT. According to research on OT security trends, 75% of OT attacks begin as IT breaches, meaning a compromised employee laptop can become the entry point for an attack on a factory floor or a power distribution system. Flat, unsegmented networks make this lateral movement effortless for attackers.

Cisco ISE micro-segmentation addresses this directly. Rather than relying on VLANs or static access control lists, ISE uses identity and context to control who can reach what, from the moment a device connects to the network.

Cisco TrustSec Overview: The Engine Behind Segmentation

To understand how Cisco ISE micro-segmentation works, it is necessary to understand Cisco TrustSec. Cisco TrustSec is a software-defined segmentation framework built around a concept called Security Group Tags (SGTs).

An SGT is a 16-bit value assigned to a user, device, or workload at the point of authentication. According to Cisco's branch segmentation guide, SGTs are defined in ISE and represent a user-defined group name with a decimal value between 1 and 65,535. These tags are carried in the Layer 2 frame header using Cisco Meta Data fields. They travel with the traffic through the network and allow enforcement points such as switches, routers, and firewalls to apply policies based on group membership rather than IP addresses.

This is the fundamental shift that Cisco TrustSec enables. Traditional segmentation depends on network topology: if two devices are on the same VLAN or subnet, they may communicate freely. TrustSec segmentation depends on identity: a contractor laptop and a finance server can be physically connected to the same switch and still be prevented from communicating, because their SGTs have no permitted policy between them.

How Cisco ISE TrustSec Configuration Works

The Cisco ISE TrustSec configuration process follows three phases: classification, propagation, and enforcement.

Classification is the process of assigning an SGT to a device. ISE handles classification through 802.1X authentication for managed endpoints, MAC Authentication Bypass (MAB) for devices that cannot run a supplicant such as IP phones or printers, and static IP-to-SGT mappings for legacy OT assets that cannot authenticate.

Propagation moves the SGT through the network. Two methods exist. Inline tagging embeds the SGT directly in the Layer 2 frame as traffic traverses switches and requires hardware support from platforms such as the Catalyst 9000 series. The SXP (SGT Exchange Protocol) is an alternative for devices that do not support inline tagging. It operates as a control-plane protocol exchanging IP-to-SGT mappings between ISE and enforcement devices, including older switches and firewalls.

Enforcement applies Security Group ACLs (SGACLs). ISE distributes an SGACL policy matrix to the network. This matrix defines what traffic is permitted or denied between any two SGTs. A policy might allow HR devices to reach the HR application server but deny them any path to the finance database, all without modifying a single VLAN or firewall rule.
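The three phases above, modelled end to end as an added example (not code from the page, from Cisco, or from SecurView): authentication results and static mappings are classified into tags, an IP-to-SGT table is built the way an SXP speaker would advertise it, and flows are checked against a default-deny SGACL matrix. Tag values other than ISE's reserved Unknown tag (0), the MAC addresses, IPs and the matrix entries are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed SGT taxonomy. ISE reserves SGT 0 as "Unknown"; the other values
# are assumptions chosen for this example, not Cisco defaults.
SGT = {"Unknown": 0, "Employee": 4, "Contractor": 5, "Eng_Workstation": 20,
       "PLC": 21, "Historian": 22, "HR_App": 30}

# Classification: the tag ISE would return in the RADIUS Access-Accept after
# 802.1X (managed user) or MAB (agentless device) authentication, keyed by MAC.
AUTH_RESULT = {
    "00:11:22:33:44:01": "Employee",
    "00:11:22:33:44:02": "Contractor",
    "00:11:22:33:44:03": "Eng_Workstation",
}
# DHCP leases observed by the switch Device Sensor / ISE DHCP probe (constructed).
# The last MAC never authenticated successfully and will land in Unknown.
DHCP_LEASES = {"00:11:22:33:44:01": "10.10.1.11", "00:11:22:33:44:02": "10.10.1.12",
               "00:11:22:33:44:03": "10.20.5.7", "00:11:22:33:44:99": "10.10.1.99"}
# Static IP-to-SGT mappings for OT and server assets that cannot run a supplicant.
STATIC_IP_SGT = {"10.30.0.10": "PLC", "10.30.0.20": "Historian", "10.40.0.5": "HR_App"}

def build_bindings():
    """Propagation: the IP-to-SGT binding table an SXP speaker would advertise.
    An address with a lease but no authentication result maps to Unknown (0)."""
    bindings = {ip: SGT[tag] for ip, tag in STATIC_IP_SGT.items()}
    for mac, ip in DHCP_LEASES.items():
        bindings[ip] = SGT[AUTH_RESULT.get(mac, "Unknown")]
    return bindings

# Enforcement: SGACL matrix, (source SGT, destination SGT) -> permitted (proto, port).
# Any pair absent from the matrix is denied, i.e. default-deny. Note the matrix is
# directional: the engineering workstation may poll the PLC, the PLC cannot open
# connections back, and OT protocols (Modbus/TCP 502, EtherNet/IP 44818) are explicit.
SGACL = {
    (SGT["Employee"], SGT["HR_App"]): {("tcp", 443)},
    (SGT["Eng_Workstation"], SGT["PLC"]): {("tcp", 502), ("tcp", 44818)},
    (SGT["Eng_Workstation"], SGT["Historian"]): {("tcp", 1433)},
    (SGT["PLC"], SGT["Historian"]): {("tcp", 502)},
}

def evaluate(bindings, src_ip, dst_ip, proto, dport):
    """Return ('permit' | 'deny', reason) for one flow, as an enforcement point would."""
    ip_address(src_ip); ip_address(dst_ip)            # reject malformed input early
    src = bindings.get(src_ip, SGT["Unknown"])        # unmapped address -> Unknown
    dst = bindings.get(dst_ip, SGT["Unknown"])
    allowed = SGACL.get((src, dst), set())
    if (proto, dport) in allowed:
        return "permit", f"sgt {src} -> dgt {dst} {proto}/{dport}"
    return "deny", f"sgt {src} -> dgt {dst} {proto}/{dport} (no matching SGACL entry)"
```

Because the matrix is keyed by tag rather than address, moving the engineering workstation to another subnet changes nothing in the policy, only its binding.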

An independent analysis by Forrester Consulting found that Cisco TrustSec reduced operational costs by 80% and enabled policy changes 98% faster compared to traditional segmentation methods. These figures reflect the elimination of thousands of IP-based ACL rules replaced by a centralized policy matrix.

TrustSec Segmentation in Campus Environments

Campus networks present specific challenges for segmentation. Thousands of devices connect across wired and wireless infrastructure: managed laptops, bring-your-own devices, IP phones, printers, and an expanding range of IoT endpoints. Managing access with traditional ACLs across this diversity requires enormous manual effort and introduces configuration errors.

Cisco ISE TrustSec in campus environments simplifies this through group-based policy. When a user authenticates via 802.1X, ISE evaluates the authentication against policy sets that match conditions including Active Directory group membership, device type, location, and posture status. ISE then returns an SGT with the RADIUS Access-Accept response. The switch assigns this SGT to the port.

From that point, the user carries their identity-based access rights wherever they move on the network. A contractor who plugs into any switch port across any building will receive the contractor SGT and be restricted to contractor-permitted resources. This consistency reduces the time needed for network engineering and compliance validation across large, multi-site campus deployments.

Campus segmentation with Cisco ISE also integrates with Software-Defined Access (SDA). According to Cisco Press documentation on SDA and micro-segmentation, ISE acts as the authoritative enforcement point while DNA Center (now Catalyst Center) provides centralized policy management. Scalable group tags defined in Catalyst Center are shared with ISE via the REST API, creating a unified policy across wired, wireless, and VPN infrastructure.

Cisco ISE Micro-Segmentation in OT Environments

OT security presents a fundamentally different challenge. As Cisco's overview of OT security explains, OT assets include programmable logic controllers (PLCs), distributed control systems (DCS), SCADA systems, and other hardware that controls physical processes in manufacturing plants, power grids, water utilities, and transportation infrastructure. These systems prioritize availability above everything else. Rebooting a suspicious device or patching software during production hours is simply not an option in most OT environments.

This creates a specific constraint for segmentation: any approach must operate without disrupting the operational process. Cisco ISE micro-segmentation meets this requirement through passive profiling and static classification.

Profiling OT Assets Without Disruption

ISE profiles OT devices using passive methods. It collects data through DHCP, NetFlow, SNMP, and Cisco Device Sensor on network switches. This data builds a device inventory without requiring agents or touching the OT asset directly. A PLC running firmware from 2010 will be identified and assigned to an appropriate SGT without any changes to the device itself.

According to Cisco's OT segmentation session materials, ISE integrates with industrial-specific discovery tools to classify OT assets by function: historian servers, engineering workstations, field devices, and safety systems. Each category can receive its own SGT, and policies can enforce strict communication boundaries between them.

Why OT Security Demands Micro-Segmentation

The risk of leaving OT environments unsegmented is no longer theoretical. According to a 2025 OT cyber threat report, 1,015 industrial sites experienced physical disruption from cyberattacks in 2024, a 146% increase from the year before. Nation-state attacks with physical consequences tripled. In flat OT networks, a single compromised IT endpoint can reach PLCs, HMIs, and safety instrumented systems without restriction.

IBM's analysis of OT security notes that industrial networks are often unsegmented, making it straightforward for attackers to move laterally without detection. Cisco ISE TrustSec addresses this by placing OT assets in security groups matched to their function and criticality, then enforcing strict allow-list policies between those groups. An engineering workstation can communicate with the historian server but cannot initiate connections to the safety instrumented system. These rules are enforced at the network level, independent of the OT device's own security capabilities.

Cisco ISE TrustSec Configuration: Best Practices

Deploying Cisco ISE micro-segmentation effectively requires disciplined planning. The following practices are drawn from Cisco's segmentation design guidance and practical deployment experience.

Start with visibility before enforcement. Before creating any SGACL policy, run ISE in monitor mode. Collect authentication data, device profiles, and traffic flows. Understand what communicates with what and why. Rushing to enforcement without this phase creates false positives that block legitimate traffic.

Design the SGT taxonomy around business function. Assign SGTs based on the role of a user or device in the organization, not based on network location. Categories such as Employee, Contractor, IoT Device, PLC, Historian, and Guest are more durable than VLAN-based names.

Use SXP strategically for legacy devices. Not every switch in a campus or OT environment will support inline tagging. SXP enables ISE to propagate SGT-to-IP mappings to enforcement points such as firewalls for devices on legacy infrastructure. This extends TrustSec segmentation across the full network without requiring immediate hardware upgrades.

Apply default-deny as the foundation. The SGACL matrix should default to denying traffic between any two SGTs unless an explicit rule permits it. This zero-trust posture limits the blast radius of any breach to the resources accessible to the compromised identity group.

Test policies with a phased rollout. Implement policies on a pilot group of devices before extending them network-wide. Use ISE's built-in reporting to confirm that the correct SGTs are being assigned and the correct policies are being enforced before expanding scope.

Common Pitfalls in Cisco ISE TrustSec Deployments

Several recurring mistakes undermine TrustSec segmentation deployments. Recognizing them in advance helps avoid costly rollbacks.

Skipping the device profiling phase. ISE cannot assign accurate SGTs to devices it has not identified. Organizations that skip profiling end up with large numbers of devices landing in the default Unknown SGT. These devices receive no meaningful policy enforcement.

Over-relying on static IP-to-SGT mappings in dynamic environments. Static mappings work well for OT devices with fixed IP addresses. In campus environments where DHCP assigns addresses dynamically, relying on static mappings creates gaps as devices move and IP addresses change.

Failing to plan for SXP scalability. SXP binding tables grow with the number of endpoints. Organizations must account for the scaling limits of their enforcement devices. According to technical documentation, a standalone ISE node supports up to 20,000 SXP bindings. Exceeding this limit requires architectural adjustments.

Treating segmentation as a one-time project. Network devices change. New IoT and OT assets connect. Applications are decommissioned or relocated. Without an ongoing process for updating SGT assignments and policies, segmentation drifts from the intended design and creates security gaps.

Neglecting OT-specific communication protocols. OT environments use protocols such as Modbus, DNP3, and EtherNet/IP. Segmentation policies must account for these protocols explicitly. A policy that blocks all traffic except standard TCP ports will break OT communications.

Deployment Checklist: Cisco ISE Micro-Segmentation

Before moving from planning to production, verify each of the following:

  • ISE deployment is sized for the number of endpoints, authentication requests, and SXP bindings in scope
  • Device profiling is active and has produced an accurate inventory of all endpoints, including OT assets
  • SGT taxonomy is defined and documented with a clear owner for each group
  • 802.1X is configured on campus access switches, and MAB policies cover devices that cannot run a supplicant
  • Static IP-to-SGT mappings are created for all OT assets that require them
  • SXP peering is configured between ISE and enforcement devices that do not support inline tagging
  • The SGACL matrix is reviewed and approved by both IT and OT teams before activation
  • Monitor mode is running for at least 30 days prior to enforcement mode activation
  • Change management procedures cover updates to SGT assignments and the policy matrix
  • Logging and alerting are configured to detect SGT assignment failures and unexpected policy denials
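The last checklist item, and the Unknown SGT and OT protocol pitfalls above, illustrated with an added detection routine (not code from the page, from Cisco, or from SecurView). The sample records use a simplified constructed key=value format, not Cisco's actual ISE or IOS-XE syslog syntax, so the two regular expressions would need adapting to real messages; the tag values 21 and 22 for PLC and Historian are assumptions.

```python
import re
from collections import Counter

# Constructed sample records. The format is simplified for the example and is
# NOT Cisco's syslog syntax; only the fields (mac, ip, sgt, dgt, proto, port) matter.
SAMPLE_LOG = """\
2025-01-10T08:00:01 AUTH mac=00:11:22:33:44:01 ip=10.10.1.11 method=dot1x sgt=4
2025-01-10T08:00:02 AUTH mac=00:11:22:33:44:99 ip=10.10.1.99 method=mab sgt=0
2025-01-10T08:00:03 AUTH mac=00:11:22:33:44:98 ip=10.10.1.98 method=mab sgt=0
2025-01-10T08:01:10 SGACL_DENY src=10.10.1.12 sgt=5 dst=10.30.0.10 dgt=21 proto=tcp dport=502
2025-01-10T08:01:11 SGACL_DENY src=10.30.0.10 sgt=21 dst=10.30.0.20 dgt=22 proto=tcp dport=502
2025-01-10T08:01:12 SGACL_DENY src=10.30.0.10 sgt=21 dst=10.30.0.20 dgt=22 proto=tcp dport=502
2025-01-10T08:01:13 SGACL_DENY src=10.30.0.10 sgt=21 dst=10.30.0.20 dgt=22 proto=tcp dport=502
"""
UNKNOWN_SGT = 0                 # ISE's reserved Unknown tag
OT_SGTS = {21, 22}              # PLC and Historian tags (assumed values)
AUTH_RE = re.compile(r"AUTH mac=(\S+) ip=(\S+) method=(\S+) sgt=(\d+)")
DENY_RE = re.compile(r"SGACL_DENY src=(\S+) sgt=(\d+) dst=(\S+) dgt=(\d+) proto=(\S+) dport=(\d+)")

def analyze(log_text, deny_threshold=3):
    """Return findings from segmentation telemetry.

    - unknown_sgt: an endpoint authenticated but landed in SGT 0, i.e. profiling
      or policy sets did not classify it and it receives no meaningful policy.
    - repeated_deny: the same (sgt, dgt, service) denied at least deny_threshold
      times. Between two OT groups this is rated high, because it usually means an
      OT protocol (here Modbus/TCP 502) is missing from the allow-list and a
      production flow is being broken rather than an attacker being contained."""
    unknown, denies = [], Counter()
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            mac, ip, method, sgt = m.groups()
            if int(sgt) == UNKNOWN_SGT:
                unknown.append({"mac": mac, "ip": ip, "method": method})
        elif m := DENY_RE.search(line):
            _, sgt, _, dgt, proto, dport = m.groups()
            denies[(int(sgt), int(dgt), proto, int(dport))] += 1
    findings = [{"type": "unknown_sgt", **e} for e in unknown]
    for (sgt, dgt, proto, dport), n in denies.items():
        if n >= deny_threshold:
            severity = "high" if {sgt, dgt} <= OT_SGTS else "medium"
            findings.append({"type": "repeated_deny", "sgt": sgt, "dgt": dgt,
                             "service": f"{proto}/{dport}", "count": n,
                             "severity": severity})
    return findings
```

During the 30-day monitor-mode window, a rising count of unknown_sgt findings means profiling is incomplete; after enforcement, repeated_deny findings between OT tags are the signal to review the matrix with the OT team rather than to leave the denial in place.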

What to Do Next

For organizations at the beginning of this process, the most important step is an accurate asset inventory. You cannot segment what you cannot see. Deploy ISE in passive profiling mode and allow it to build a complete picture of connected devices across both campus and OT networks.

For organizations that have existing ISE deployments but have not enabled TrustSec, the path forward is an SGT design workshop. Define the groups that reflect your business, map your current device population to those groups, and build the policy matrix before you begin configuration.

For organizations operating OT environments under regulatory requirements such as ISA/IEC 62443, NIST CSF, or NIS2, Cisco ISE TrustSec provides the technical control mechanism for network segmentation requirements. Documenting the SGACL matrix and demonstrating enforcement to auditors is straightforward once the deployment is in place.

Engaging a qualified security partner to assess your current network posture and design a TrustSec segmentation architecture significantly reduces risk during deployment. Securview's cybersecurity consulting practice works with enterprises across industries to design and implement Cisco ISE micro-segmentation tailored to campus and OT environments.

Conclusion

Network segmentation has moved from a best practice to a baseline requirement. The convergence of IT and OT networks, the expansion of connected devices, and the rise of sophisticated lateral movement attacks have made flat networks indefensible. Cisco ISE micro-segmentation, powered by Cisco TrustSec, provides a scalable and operationally practical path to enforcing identity-based access controls across complex, heterogeneous environments.

The technology works because it decouples security policy from network topology. A contractor's device receives contractor-level access whether it connects in a corporate office or a remote branch. A PLC receives communication permissions based on its function, not its IP address. This consistency is what makes Cisco ISE TrustSec effective at scale and what makes it a foundational component of a mature enterprise security architecture.
