Wireless controllers changed Wi-Fi operations by replacing device-by-device tuning with coordinated policy. Secure fabric applies the same principle to campus segmentation by combining identity, common policy and automated enforcement.
Wireless networking provides a useful example of how network operations evolve.
Early enterprise Wi-Fi deployments required engineers to configure channels, transmit power and radio parameters on every access point. This worked for small environments. It became difficult to operate as deployments grew.
Wireless controllers changed the model.
Engineers defined SSIDs, security settings and RF policies centrally. The controller coordinated channel and power assignments across the deployment. Access points continued to handle the radio functions, but engineers no longer had to optimize every device manually.
Few network teams would choose to return to configuring channels on hundreds of individual access points.
Campus segmentation is now following a similar path.
The Operational Limits of Traditional Segmentation
Many campus networks still implement segmentation with VLANs, IP subnets, ACLs and firewall rules.
These technologies remain useful. The operational challenge appears when security policy becomes closely tied to the physical network design.
A new device category may require another VLAN. Extending a security zone to a branch may involve changes across several switches and firewalls. Moving an application can affect addressing, routing and access-control policy.
Changing IP addressing can also have major cost implications.
User endpoints usually receive addresses through DHCP. Many IoT, OT, industrial and building-management systems still use static IP addresses. Renumbering these devices can require maintenance windows, application changes, vendor support and physical access to equipment.
Addressing decisions made years ago therefore tend to remain in place, even when the security requirements have changed.
A practical segmentation strategy needs to account for that reality. Improving security should not always require redesigning the addressing plan first.
From Device Configuration to Secure Networking
Secure fabric follows the same operational principle that changed wireless networking.
The network team defines the required outcome:
- Which users and devices belong to a security group
- Which groups may communicate
- Which applications they may access
- Where additional inspection is required
The infrastructure then translates that intent into enforcement across wired, wireless, branch and security platforms.
Switches, access points, routers and firewalls still perform the forwarding and enforcement. Identity, common policy and automation coordinate those individual components.
Cisco describes this broader approach through the Cisco Secure Networking Reference Architecture (SNRA).

Cisco Secure Networking combines secure infrastructure, scalable segmentation, zero-trust access and Hybrid Mesh Firewalling through common policy and AgenticOps.
The architecture focuses on fusing security into the network instead of relying only on controls placed at the perimeter.
The complete architecture and design guidance are available in the Cisco Secure Networking Reference Architecture documentation.
Segmentation Starts with Identity
Traditional segmentation often starts with a network location such as a switch port, VLAN or IP subnet.
Identity-based segmentation adds business context.
The network can identify an employee, contractor, point-of-sale terminal, camera, printer or building-management controller and assign the appropriate security group.
Policy can then describe which groups are allowed to communicate.
Cisco Identity Services Engine (ISE) or Cisco Access Manager can provide endpoint identity and profiling. Security Group Tags provide an abstraction between that identity and the underlying IP addressing.
VLANs and VRFs continue to provide useful Layer 2 and Layer 3 boundaries. Security Group Tags add a policy layer that is less dependent on the location or address of an endpoint.
This is particularly useful in brownfield environments. Organizations can improve control around existing IoT and OT devices without first renumbering every static endpoint.
Segmentation can also be introduced incrementally.

Segmentation can evolve from native network controls to identity-based policy and an automated secure fabric.
1. Native Segmentation
VLANs, VRFs, VPNs and Security Group Tags use capabilities already available in the network infrastructure.
This can provide a practical starting point for a smaller branch, a specific IoT environment or an initial segmentation project.
2. Segmentation Strengthened with NAC
Cisco ISE or Access Manager adds user and device identity, profiling and dynamic policy assignment.
The network can distinguish between employees, guests, printers, cameras and other device categories instead of relying only on IP addresses or switch ports.
3. Automated Secure Fabric
A secure fabric automates the deployment and propagation of segmentation across larger campus and branch environments.
The main operational improvement comes from defining the intended policy centrally rather than translating it manually into hundreds of individual device configurations.
Different Fabric Models, One Security Objective
Organizations operate networks in different ways.
Some prefer cloud management. Others require an on-premises controller. Engineering-led teams may want direct control through APIs, Infrastructure as Code and automation pipelines.
Cisco Secure Fabric supports these different operational models.

Cloud Fabric, SD-Access and Programmable Fabric provide different operational models for Cisco Secure Fabric.
Cloud Fabric
Cloud Fabric provides a cloud-managed operating model for organizations that want centralized lifecycle management and simplified operations across distributed environments.
SD-Access
SD-Access uses Cisco Catalyst Center to automate fabric deployment, identity-based policy and assurance.
Its fabric control plane is based on LISP. Customers already operating SD-Access can continue using that architecture while aligning it with the broader Secure Networking model.
Programmable Fabric
A programmable fabric gives engineering teams direct control through APIs, automation frameworks and Infrastructure as Code.
A BGP EVPN-based design can be used where standards-based routing, overlay programmability and integration with existing automation pipelines are important requirements.
The protocols and control planes differ. The desired security outcome remains consistent: identify endpoints, apply policy and enforce segmentation across the network.
I used this progression in our Cisco Connect Switzerland session, Delivering a Secure Network for the AI-ready Campus and Branch.
Distributed Enforcement with C9000 Smart Switches
The new Cisco C9000 Smart Switches provide the infrastructure foundation for these deployment models.
Their value goes beyond switching capacity.
The platform supports distributed enforcement, telemetry, programmability and flexible management models. Customers can select cloud-managed, controller-based or programmable operations based on their requirements.
This flexibility matters because network hardware often remains in service much longer than the management model selected during the initial deployment.
Distributed enforcement also addresses an important limitation of perimeter-focused security.
A perimeter firewall remains a critical control point, but it does not see every communication inside the campus. Endpoints in the same segment may communicate without crossing a firewall. An infected user or IoT device can therefore attempt to reach other internal systems.
Secure fabric allows policy to be enforced closer to the source of the traffic.
This reduces unnecessary traffic steering and gives the network a more active role in limiting lateral movement. Firewalls, switches and security services still provide different capabilities, but common identity and policy allow each platform to apply the appropriate control while preserving context.
A Better Foundation for AgenticOps
Consistent identity, policy and telemetry also provide better context for AI-assisted operations.
An AI assistant has limited value when it must reconstruct business intent from thousands of VLAN definitions, ACL entries and firewall objects.
A structured secure-fabric architecture can expose clearer operational questions:
- Which identity initiated the connection?
- Which security group applies?
- Where was the policy enforced?
- Why was the traffic allowed or denied?
- Does the observed behaviour match the intended policy?
This gives AgenticOps a more reliable foundation for deployment, validation and troubleshooting.
Conclusion
Wireless networking evolved from configuring individual access points to managing the required outcome centrally.
Campus segmentation is moving in the same direction.
Network teams should be able to define identity and communication policy centrally, then apply it consistently across the environment.
Cisco SNRA provides the architectural framework. Cisco Secure Fabric provides flexibility between cloud-managed, SD-Access and programmable deployment models. The C9000 Smart Switches provide a common infrastructure foundation.
The practical benefit is stronger segmentation without continuously redesigning VLANs, renumbering static IoT devices or rebuilding policy independently for every network domain.
Further Reading
- Cisco Secure Networking Reference Architecture
- Cisco Live BRKENS-2614: Campus Design with Secure Networking Reference Architecture
- Cisco Connect Switzerland: Delivering a Secure Network for the AI-ready Campus and Branch
- Cisco C9000 Smart Switches At a Glance