Lab 6 - AI Endpoint Analytics Smart Grouping
Task Goal
In this laboratory session, you'll explore the Smart Grouping feature of Cisco AI Endpoint Analytics and learn how to use it to achieve full visibility of all the endpoints connecting to the network, including the most specialized or uncommon devices. You do not need to identify each endpoint yourself; instead, AI/ML automatically groups and classifies similar endpoints for you.
This lab task will guide you through the Smart Grouping workflow:
- get an overview of the AI/ML generated classification rules
- identify groups of similar endpoints and the attributes they have in common
- visualize the automatically generated rule to classify each endpoint group
- apply the labels (also using crowd-sourced data, if available) to classify each endpoint group
Smart Grouping
Smart Grouping is part of the AI Endpoint Analytics app in Cisco Catalyst Center. Before getting into the details of the Smart Grouping feature, let's briefly look at what AI Endpoint Analytics is all about.
IT organizations are challenged with protecting endpoints and IoT devices every day. New IoT devices get connected every day, and these are largely unknown, so it is hard to protect them and give them the right level of access to the network. Visibility is the first step towards securing an endpoint. The key to endpoint visibility is the ability to successfully identify and classify the different types of endpoints, both IT and IoT devices.
Cisco AI Endpoint Analytics is a solution that detects endpoints and IoT devices and classifies them with labels such as Endpoint Type, Hardware Model, Manufacturer, and OS Type. This is called Multi-Factor Classification (MFC), or assigning multiple labels to endpoints. A big advantage of doing this is that endpoints can be categorized in a variety of ways that can be used in enforcing access policies from ISE.
Cisco AI Endpoint Analytics uses three key sources of endpoint metadata.
1. Using Deep Packet Inspection from Cat9k and/or Telemetry sensor
2. ISE discovery mechanism and probe data
3. Asset information from an external database (ServiceNow Configuration Management Database)
Endpoint metadata is collected by turning on the deep packet inspection capability in the network infrastructure (Catalyst 9000 access switches, Catalyst 9800 WLC, Cisco Traffic Telemetry Appliance); endpoint information is also learned from ISE. This metadata is fed into Cisco Catalyst Center, and Endpoint Analytics profiles these endpoints to assign labels to IT and IoT devices.
Even after profiling by Endpoint Analytics, about 5% of endpoints still remain unknown, and this is where the ML-based solution called Smart Grouping comes into play.
Finally, labels are sent to ISE for authorization. ISE uses these labels to create custom profiles to be used in authorization policies. These authorization policies are policy decision points to enforce network access across the enterprise.
Algorithm
Smart Grouping uses unsupervised machine learning algorithms called clustering algorithms to group all unknown endpoints into different groups, called clusters, such that all similar endpoints fall into the same group.
After grouping all similar endpoints together, Smart Grouping goes a step further and provides a better understanding of each group: it lists all common attributes of the endpoints in that group, proposes a profile rule for the group, and provides a list of all endpoints in that group.
The admin can then label the group and save it as a profile rule. Smart Grouping also learns from all the labels assigned by admins and provides a label recommendation when a similar group is seen in another customer environment.
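The grouping idea described above, as an added sketch that is not part of the original lab and not Cisco's actual algorithm: unknown endpoints are clustered by attribute similarity (single-linkage on Jaccard similarity, chosen here for illustration), and each group's common attributes become a proposed rule. The attribute names, MAC addresses and threshold are constructed assumptions.

```python
from itertools import combinations

# Constructed sample: unknown endpoints (made-up MACs) and observed attributes.
ENDPOINTS = {
    "02:00:00:00:00:01": {"oui": "AcmeMed", "dhcp_class_id": "infusion-v2", "port": "8443", "hostname": "pump-01"},
    "02:00:00:00:00:02": {"oui": "AcmeMed", "dhcp_class_id": "infusion-v2", "port": "8443", "hostname": "pump-02"},
    "02:00:00:00:00:03": {"oui": "AcmeMed", "dhcp_class_id": "infusion-v2", "port": "8443"},
    "02:00:00:00:00:11": {"oui": "ExampleCam", "dhcp_class_id": "cam-fw", "port": "554", "user_agent": "rtsp/1.0"},
    "02:00:00:00:00:12": {"oui": "ExampleCam", "dhcp_class_id": "cam-fw", "port": "554"},
    "02:00:00:00:00:21": {"oui": "OtherCo", "port": "22"},
}

def jaccard(a, b):
    """Similarity of two endpoints = shared (attribute, value) pairs / all pairs."""
    sa, sb = set(a.items()), set(b.items())
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def smart_group(endpoints, threshold=0.5):
    """Single-linkage clustering: link endpoints whose similarity >= threshold."""
    parent = {mac: mac for mac in endpoints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(endpoints, 2):
        if jaccard(endpoints[a], endpoints[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for mac in endpoints:
        groups.setdefault(find(mac), []).append(mac)
    return sorted(sorted(g) for g in groups.values())

def propose_rule(endpoints, group):
    """Common attributes of a group, expressed as a conjunction of conditions."""
    common = set.intersection(*(set(endpoints[m].items()) for m in group))
    return " AND ".join(f"{k} == {v!r}" for k, v in sorted(common))

if __name__ == "__main__":
    for group in smart_group(ENDPOINTS):
        if len(group) > 1:  # singletons stay unknown; nothing to generalise
            print(len(group), "endpoints:", propose_rule(ENDPOINTS, group))
```

A lower threshold merges more endpoints into one group but leaves fewer common attributes, so the proposed rule becomes broader; since the resulting label feeds ISE authorization, review the common attributes and endpoint list before accepting a rule.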
Usecase workflow
AI Endpoint Analytics is available under the Policy section:
Menu > Policy > AI Endpoint Analytics
Smart Grouping rules are shown under the AI Proposals section. It has three sections: the first is for new rules/groups discovered by Smart Grouping, the second is for suggested modifications to any previously accepted rule, and the last is for suggestions to delete any previously accepted rule.
Click on Review to see the details of the proposed groups.
The left panel lists all rules and specifies the number of endpoints present in each group and the number of common attributes among them. The Summary section lists the common attributes of the endpoints in the group.
The Profile rule section proposes a potential rule for this group.
The Endpoint section lists all endpoints in the group with the available details.
After reviewing all the details, we can either accept or reject the proposed rule. Let's first go through the accept workflow.
Reject workflow
Now let's look at the workflow where a user can reject an ML-proposed rule and provide feedback. Click on Overview and then Review. Note that the number of rules has reduced from 2 to 1, as we have already accepted one rule.
Now click on reject grouping.
Provide feedback as to why this rule had to be rejected so that the algorithm can suggest better rules in the future. Click on Submit to complete the workflow.
Accept workflow
Click on Next to enter the accept workflow. Fill in the details.
Click Next to review the rule summary.
Click Done to save the rule under the Profiling Rules section. Click on Profiling Rules to see all available rules.