Showing posts with label Cisco Catalyst. Show all posts

Saturday, 6 April 2024

Meet the new Cisco Catalyst 1200 and 1300 Series Switches for SMBs

In today’s hyperconnected world where seamless customer experience is the key to success, your network can often become the differentiator that helps you succeed. This is true not just for large enterprises, but also for small and medium businesses.

Through Cisco’s small and medium business portfolio, we have been bringing the latest technology to our SMB customers and helping them create secure, reliable networks that can be effortlessly set up, monitored and managed, all at prices that fit small business budgets.

The new Cisco Catalyst 1200 and 1300 series switches are the latest additions to our small and medium business portfolio of access switches with Linux-based OS that combine powerful network performance, simplified management, and reliability with a comprehensive suite of network features that enable the digital transformation of growing businesses and branch offices.

Cisco Catalyst 1200 Series Switches

Cisco Catalyst 1300 Series Switches

These switches have been designed to help customers focus on growing their business rather than spending their time managing IT, by offering the following benefits:

Simplicity – Simple management with web-based configuration, Cisco Business Mobile App and Cisco Business Dashboard. Auto discovery for easy integration with Collab and Wi-Fi products.

Flexibility – Ultimate business flexibility with Gigabit, Multigigabit and 10G connectivity, Gigabit or 10G uplinks, and PoE+ support up to 740W.

Security – Advanced security protocols providing a solid security foundation, ensuring privacy and business continuity.

Cisco Catalyst 1200 Series Switches


The Cisco Catalyst 1200 Series Switches are purpose-built for growing businesses, combining robust performance & reliability with ease of setup, monitoring & management. These switches provide comprehensive security capabilities, Layer 3 static routing features, & multiple PoE+ options to choose from.

Cisco Catalyst 1300 Series Switches


The Cisco Catalyst 1300 Series Switches are fixed, managed, enterprise-class Layer 3 switches designed for small and medium-sized businesses and branch offices. They offer advanced security features, front-panel stacking capabilities, Gigabit, Multigigabit and 10 Gigabit Ethernet options, and Layer 3 RIP routing, with a PoE+ budget up to 740W.

Which one do you need?


The following table compares the prominent features of Catalyst 1200 and 1300 series switches:


With the Cisco Catalyst 1200 and 1300 Series switches, there are no licenses to purchase, and software updates are available at no additional cost. The switches offer a limited lifetime warranty with one-year free phone support.

Customers who wish to deploy themselves can purchase the new Cisco Catalyst 1200 and 1300 series switches through eComm partners such as Amazon.com or other e-tailers. Cisco partners can contact their distributor of choice.

Source: cisco.com

Thursday, 28 March 2024

SD-Routing: Unlock Agility and Efficiency for the Secure WAN Edge


Many Cisco enterprise customers have decades of Cisco Catalyst routing and security capabilities functioning at branch locations. However, many of their traditional network management solutions can’t keep up with the demands of cloud adoption, remote work, and ever-growing user expectations. This translates to poor user experience, sluggish applications, and possible security vulnerabilities. These factors are driving the need for a transformation across applications, networks, and security.

This operational paradigm shift aims to seamlessly connect users anywhere to any application and secure user access by protecting against evolving threats. The answer to these operational challenges is Cisco’s software-defined routing (SD-Routing) solution. It goes beyond traditional per-device-based management by enabling full frictionless lifecycle device management, monitoring, configuration, and troubleshooting—as well as robust, next-generation firewall security integrations—from a single dashboard that doesn’t require any changes to your existing environment.

Figure 1. SD-Routing solution overview

Let’s explore some key use cases of SD-Routing that can transform your network:

Frictionless device lifecycle management. Simplify and prepare your network for the future with one management platform. SD-Routing, controlled through the Cisco Catalyst SD-WAN Manager dashboard, can:

  • Unify management: Manage device software upgrades, monitoring, and troubleshooting through the intuitive Catalyst SD-WAN Manager dashboard. This simplifies network operations and empowers you to manage both traditional routing and Catalyst SD-WAN environments.
  • Tame legacy challenges: Simplify complex legacy operations with SD-Routing. Basic troubleshooting tools within the manager help you maintain and optimize performance. Continuous updates ensure your network stays ahead of the curve.
  • Combat configuration drift: Manage and track changes with a unified platform. Use the manager to create configuration templates for standardized deployments and future SD-WAN migration.

Network administrators might be using homegrown automation or third-party vendor tools to solve these problems. You can continue to use these tools, but you don’t need to invest further. Rather, take advantage of SD-WAN Manager, which comes as a part of Catalyst licensing.

Security


Configuring diverse IOS XE security features through the command-line interface (CLI) or customized ad hoc scripts has historically been a complex, labor-intensive process that is prone to errors. This is especially true for defining granular security policies across zones and containers. With the introduction of SD-Routing guided security workflows, customers aiming to implement robust, next-generation firewall (NGFW) security on their on-premises routers will find this a valuable addition, allowing for consistent policy application across deployments. Many customers want Direct Internet Access (DIA) at their branch offices, but security concerns hold them back. SD-Routing can streamline secure DIA deployment on WAN edge routers, offering a simpler approach to securing distributed networks.

Cloud on-ramp for multicloud


Traditional network teams often struggle to securely extend their WANs to cloud providers, where key enterprise applications may reside. SD-Routing simplifies this process, especially for those who are hesitant to adopt it. With SD-Routing, you can securely connect to cloud providers like AWS and Azure following best practices, without months of learning complex, cloud-specific configurations. This empowers you to seamlessly connect to cloud providers and focus on your business outcomes.

As you tackle the modern network challenges, explore SD-Routing to simplify, streamline, secure, and future-proof your WAN environment. The single management platform for Catalyst SD-WAN and SD-Routing saves time and operational expenses with agile and automated workflows that quickly respond to network changes.

Beyond these immediate benefits, SD-Routing also can help strategically position your network for simplified future migrations to SD-WAN, depending on where you are in your digital transformation journey.

Whether you have existing enterprise networking equipment in your WAN or are considering a future purchase of Cisco Catalyst 8000 Edge Platforms, Cisco 1000 Series Integrated Service Routers, Cisco 1000 Series Aggregation Service Routers, or Industrial Routers, SD-Routing can unlock their full potential. Even better, if you’re already using Cisco Catalyst SD-WAN Manager, you can leverage the same platform to manage your SD-Routing deployments.

Source: cisco.com

Thursday, 8 February 2024

Helping customers reduce cyber risk by complying with NIS2 and securely managing industrial assets

This week, I’m attending Cisco Live in Amsterdam! Together with my team, we’re excited to exchange insights and network with our customers and industry leaders. Our focus is to interact with customers firsthand, grasp their preferences, and highlight how our latest portfolio upgrades cater to their requirements.

Up to this point in the event, numerous customers have emphasized that cybersecurity in industrial settings is a primary concern, alongside the introduction of the new NIS2 regulations. Our team is present to assist customers in navigating and adhering to these latest regulations, ensuring a seamless transition as we adjust to new mandates. Let me share some insights into NIS2 and outline our investments aimed at aiding customers.

Cisco helps customers comply with NIS2 regulations to reduce cyber risk with enhanced cybersecurity capabilities


The European Union created Network and Information Security (NIS2) to update and strengthen the existing NIS1 framework, addressing emerging cybersecurity threats and evolving technological landscapes more effectively. The intent is to enhance cybersecurity resilience and coordination across critical sectors and digital service providers. It will impact more than 350,000 organizations and will extend to non-European companies that are part of the EU supply chain. This directive will be enforced as of October 18, 2024.

To comply with NIS2 requirements, customers need a good understanding of their security posture to implement cyber risk management best practices and zero-trust security policies. Meeting these requirements requires our customers to control risks from their supply chain (machine builders, control system vendors, contractors, hardware service providers, etc.) as well as risks from connected assets that now need access to external applications and cloud services. This translates into a problem of scale for our customers due to the diverse ecosystem of supply chain vendors, and tens of thousands of assets in their environments.

Cisco has comprehensive capabilities and a market-leading industrial networking portfolio, which helps our customers address these challenges. Our portfolio complies with ISA/IEC 62443 security standards so that customers can trust their supply chain.

The Industrial IoT team has been investing in enhancements to industrial security solutions, Cisco Cyber Vision and Secure Equipment Access, to help customers reduce cyber risk and drive compliance with NIS2 cybersecurity regulations as they securely connect assets in their critical infrastructure.


First, we have enhancements to Cisco Cyber Vision with new reports and risk scores from Cisco Vulnerability Management. Cyber Vision software, deployed on the industrial network, builds a detailed inventory of all connected assets and their security posture. This will help customers monitor and manage cyber risks of their OT assets. The new report engine helps industrial organizations drive compliance and governance by sharing OT Security Posture insights with all stakeholders.

“With Cyber Vision, we now have the visibility into our mission-critical OT networks as a first step to mitigate vulnerabilities and improve our security posture. Cyber Vision found more than 20 instances of malware in our substations and identified features and protocols that don’t need to be active.”

 – Emerson Cardoso, Chief Information Security Officer, CPFL Energia

External users need to connect to OT assets for maintenance and troubleshooting. Operational teams can use Cisco Secure Equipment Access to remotely deploy, configure, and troubleshoot assets and applications connected to Cisco industrial routers and switches. The Secure Equipment Access solution adopts a ZTNA architecture that enforces strong security controls to grant remote users access only to specific resources at specific times. Another exciting announcement is the new Secure Equipment Access dashboard that helps administrators monitor and audit remote access activities and trends for compliance. The dashboard works to enable advanced users and partners to automate remote access workflows with a new set of APIs for easy integration with other software solutions.

“As the NIS2 cybersecurity regulation is implemented across Europe, our industrial customers need to better control remote access to their operational networks. Cisco Secure Equipment Access simplifies the enforcement of zero-trust network access policies within an OT environment. By embedding this capability into the industrial network, Cisco makes it easy for customers to deploy OT cybersecurity at scale.”

 – Damiano Di Mauro, OT Networking Solutions Team Leader, Lutech (Cisco partner)


In our journey to help customers with Cyber Vision capabilities, we are very excited to see our partner Orange launching ‘Secure Industrial LAN’ managed service for industrial organizations. They are combining the Cisco Industrial IoT networking portfolio with Cisco Cyber Vision for OT security and skilled resources from Orange Cyberdefense and Orange Business worldwide. This service can be delivered to multinational customers with production sites across the globe with a single offer.

“As industries are accelerating the digitization of their operations, they need help to manage and secure industrial networks anywhere they are on the globe. By combining Cisco’s leading industrial networking and OT security portfolio with Orange Business’ and Orange Cyberdefense’s IT and OT expertise with human resources worldwide, our Secure Industrial LAN offer is the ideal solution for industrial organizations to scale their operations, improve resilience, and meet ever-growing cybersecurity regulations.”

– Emmanuel Routier, VP Smart Industries, Orange Business (Cisco partner)


The excitement of new enhancements doesn’t just stop there. Because different industries and use cases require different network technologies and capabilities for connectivity, we are continuing to expand our industrial networking portfolio to ensure customer success for a variety of deployment scenarios and locations. Therefore, we are also announcing:

  • Catalyst IW9167E is now available for hazardous environments (Class 1, Div 2), so that customers in locations such as oil & gas, chemical, and pharmaceutical can deploy Wi-Fi or Cisco Ultra Reliable Wireless Backhaul (Cisco URWB).
  • The Catalyst IW9165 series now also supports Wi-Fi 6/6E as well as Cisco URWB. With different form factors, we are enabling customers to deploy in more locations, such as inside a cabinet in manufacturing and at roadway intersections.
  • The 5G PIM now supports both public and private standalone on Catalyst Industrial Rugged Routers (IR1100, IR1800, IR8300) for roadways (cameras and sensors at intersections), public safety (ambulances, police cars), utilities, and other mission critical industrial settings.

If you are at Cisco Live Amsterdam, come and find the Cisco Industrial IoT Team at the World of Solutions to experience live demos and a coffee machine powered by Catalyst Center and Secure Equipment Access. Innovation and a cup of coffee come together to fuel digitization and connectivity for the whole week. I look forward to seeing you there!

Source: cisco.com

Saturday, 28 October 2023

SD WAN solutions for utility Distribution Automation

Networks are expanding outside traditional office buildings and into industrial fixed and mobile use cases. This results in more devices being connected to the Internet and data centers as well as increased security exposure. IoT has moved traditional networking far beyond the carpeted spaces and into industries like Fleets, Oil & Gas, Energy & Water Utilities, Remote Condition Monitoring and Control — basically anything that can establish a wide area connection. Moreover, these industrial networks are increasingly being considered critical infrastructure. In response to this expansion, Cisco has on-going innovations advancing the ways networks operate – and at the forefront of these trends is the way that SD WAN solutions enable and support industrial use cases.

Cisco Catalyst SD-WAN today is already an industry-leading wide area network solution offering a software-defined WAN solution that enables enterprises and organizations to connect users to their applications securely. It provides a software overlay that runs over standard network transports, including MPLS, broadband, and Internet, to deliver applications and services. The overlay network supports on-premises solutions but also extends the organization’s network to Infrastructure as a Service (IaaS) and multi-cloud environments, thereby accelerating their shift to the cloud.

Most utilities are used to building large networks utilizing technologies such as Internet Protocol Security (IPsec) and Dynamic Multipoint Virtual Private Network (DMVPN) to encrypt critical communications, Multiprotocol Label Switching (MPLS) for the underlying transport network, and public or private cellular for remote sites with no other WAN connectivity. Catalyst SD-WAN brings these technologies together and enables automation to greatly simplify deployments.

Automation benefits:

  • Secure Zero Touch deployment of field gateways (i.e., no field staff required to configure a gateway)
  • Simple provisioning of end-to-end service VPNs to segment traffic (SCADA, CCTV, PMU, IP Telephony, etc.)
  • Templated configurations making it easy to change configurations at scale and push them to gateways in the field
  • Application of unified security policies across a diverse range of remote sites and equipment
  • Managing multiple backhaul connectivity options at the gateway including private MPLS for critical SCADA traffic and cellular for backup and even internet-based connections for non-critical traffic, where appropriate
  • Lifecycle management of gateways (e.g., firmware updates, alarm monitoring and statistics)

Cisco SD-WAN Validated Design for Distribution Automation (DA)


SD-WAN has its origins as an enterprise solution using fixed edge routers of various performance capabilities and predictable enterprise traffic patterns. Utility networks present new challenges, especially when applied to Distribution network use cases:

  • Connectivity to legacy serial devices not supporting Ethernet/IP communications (e.g., Modbus RTU, DNP3 over serial, IEC101 or vendor proprietary)
  • Mobility needs for mobile assets to ensure resilient wide area connectivity
  • New WAN interfaces including dual 4G or 5G cellular, DSL, fiber or Ethernet
  • The use of NAT to allow fixed privately addressed equipment to communicate
  • Requirement to encrypt SCADA traffic across the wide area network
  • Applicable to both distribution substations and field area networks
  • Segregation of services via VPNs in flexible topologies (Hub & Spoke, or Meshed [Fully or Partial])
  • Intelligent traffic steering across multiple backhaul interfaces when needed (critical vs. non-critical traffic)


Key Distribution Network use cases that the Cisco SD-WAN solution can address are:


Cisco IoT Solutions have introduced a new Cisco Validated Design to address an SD-WAN architecture for Distribution Automation use cases. It leverages the Cisco Catalyst IR1100 Rugged Series Routers as an SD-WAN router with flexible modular backhaul capabilities (DSL, Fiber, Ethernet, 4/5G, 450MHz LTE), operating as an SD-WAN controlled edge router.


Along the distribution network feeders, the IR1101 should be positioned as a Distribution Automation gateway. It can be easily mounted within a DA device cabinet (e.g., recloser, cap bank controller, etc.) and can be powered by the same DC supply (flexible 9-36VDC input). It also has extended environmental capabilities to cope with variations in temperature, humidity, and vibration.

The new SD-WAN for Utility Distributed Automation Design Guide builds on other existing documents that describe in detail Cisco’s SD-WAN architecture and industrial IoT hardware offerings and shows how they can be combined to provide a scalable, secure network. The new Design Guide is focused on areas that are unique or at least emphasized by DA use cases in general. This document also has detailed configuration examples for many of the DA features.

Source: cisco.com

Sunday, 11 December 2022

Simplify the Adoption of Sustainable Technologies in the Workplace with Cisco DNA Center

Supporting sustainable technologies on a campus network is great for the planet and can substantially lower the cost of workplace operations. But adding hundreds of new IoT devices to a campus network can be a heavy lift for IT teams. Let’s take a look at the many innovations that Cisco has made to address sustainable technology, so that supporting a cleaner planet does not become a burden on IT teams.

For organizations, environmental sustainability is the practice of operating without producing a negative impact on the environment. Certainly, you’ve been hearing a lot about environmental sustainability and how IT can help to reduce your organization’s carbon footprint. When it comes to reducing the environmental impact of offices, factories, and warehouses, IT has a very big role to play. Gartner estimates that “By 2025, 75% of CIOs will be responsible for sustainable technology outcomes and 25% of CIOs will have compensation linked to their sustainable technology impact.” (Gartner Top Strategic Technology Trends for 2023: Sustainable Technology, ID G00774132)

Most IT departments will begin their sustainability work by verifying that IT technologies are being sourced from companies with “Net Zero” policies and programs. Cisco has documented all the steps we’ve taken to create a more sustainable solution for your network. Your next step will be to lower your environmental footprint by deploying new sensor technologies within your campus networks for initiatives such as energy efficiency, water usage, recycling, and site optimization. These technologies will be helpful in your sustainability objectives, but they can become a major source of complexity and time drain for IT teams. So, let’s look at some of the more popular technologies and the recent innovations in Cisco networking solutions that can make deploying them much easier.

Sustainable Technology is Coming to your Campus


The reason I can guarantee that you will soon be deploying sustainable technology is that there are substantial financial rewards for lowering your usage of electricity and material goods. Investments in sustainability are good for the planet and good for your bottom line. Sustainable technology, which is a category of smart building technologies, is a framework of networking solutions that enable businesses to achieve their sustainability goals. These goals usually include a reduction in environmental impact (power, water, recycling, and waste disposal), and optimization of office space and physical assets. Typical devices are automatic window shades that close in direct sunlight, water usage sensors, and of course UPoE+ LED lighting powered by Cisco Catalyst 9000 PoE ports and monitored by Cisco DNA Center. These are popular choices because PoE LED lighting can yield large savings quickly without a complex electrical installation, and water usage sensors are an easy way to detect water leaks – which are the most common and most expensive of office accidents. The industry for smart building technology is diverse, and you will certainly find an IoT device or sensor for just about any project.

Figure 1: Architectures for smart buildings

The diagram in Figure 1 above shows the many categories of smart building technologies, as well as the infrastructure and applications that manage and operate the solution. Cisco has a great webpage on our portfolio for smart buildings where you can read more about the solution. Many of these technologies are complements or expansions to projects that your team already supports, but the impact of sustainable technology on your network will be substantial. There will surely be hundreds of new sensors, meters, and control devices on your campus network. Most of these will require PoE and many will require local application servers. There are three categories of Cisco DNA Center innovations that facilitate supporting these devices: (1) connecting and securing, (2) powering, and (3) software management.

Connecting and Securing New IoT Devices 


I’m sure you’ve heard about Cisco DNA Center AI-Endpoint Analytics. This feature is in the Policy section of Cisco DNA Center, and it uses a cloud-based database of device manufacturers to automatically identify all new endpoints that connect to the network. Endpoints are then added to the inventory dashboard, and deep packet inspection (DPI) and machine learning are used to verify that each device is what it says it is. Each device is given a “Trust Score” between 1 (suspicious) and 10 (trustworthy), and you can view a list of the verifications that each device has passed. During the lifecycle of devices, Cisco DNA Center will continue to monitor device behavior, and any anomalies (such as sudden changes in communication protocols) will be flagged for attention. Additionally, Cisco DNA Center can be configured to automatically isolate devices that demonstrate behavior anomalies.

Besides security and posture information, endpoint inventory includes the manufacturer, model, OS type, software version, and other management information. You can even register the device with the manufacturer within Cisco DNA Center, and if a software upgrade is available, you will be advised right inside the dashboard. The comprehensive dashboard gives you everything you need to connect, secure, and manage the many new IoT devices on your network.

Figure 2: AI endpoint analytics aggregates network data to identify endpoints.

Powering IoT Devices and Managing PoE Capacity


As more PoE devices connect to your network, understanding power usage and availability per branch office and per switch will become critical. The PoE Analytics dashboard in Cisco DNA Center gives you quick and easy visibility of your PoE usage everywhere. You can see the status of PoE consumption across your organization: by branch, building, individual switch, or even by type of device. You can view the total power budget available in any switch, as well as what is allocated, remaining, and load. You can verify the actual amount of power being drawn from each device—this is critical since many IoT devices pull more power than their manual indicates. During the lifecycle of these devices, PoE Analytics monitors spikes in power and pushes alerts for any anomaly to the main Cisco DNA Center Assurance dashboard. Any Cisco DNA Center alert can be exported to your ServiceNow (ITSM) or PagerDuty, and PoE alerts are good candidates for immediate attention. The PoE Analytics dashboard in Cisco DNA Center enables you to plan and manage the power of your IoT devices anywhere in your network.

Figure 3: PoE Analytics facilitates managing power for IoT devices

Edge Compute for Device Software


Another challenge you will likely encounter is the performance of the server software that controls these IoT devices. In many cases, this software is located in the cloud, and the time spent managing it will be minimal. However, some of the more complex sensors may recommend that the server software be installed on-premises for improved performance. This requires either a server in your wiring closet or small Raspberry Pi devices distributed around the campus.

Instead of deploying additional hardware on-site, Cisco DNA Center can help you run these IoT applications on your Catalyst 9000 switches. Cisco Application Hosting on the Catalyst 9000 series of switches extends the cloud application to the edge of the network, enabling data processing closer to the source for much-improved performance of low-power IoT devices. The app hosting framework inside Catalyst 9000 switches enables off-the-shelf Docker apps, running as separate Linux processes, so they do not affect the switch’s IOS XE performance or security. Installing the application has been streamlined with Cisco DNA Center’s App Hosting Automation dashboard. Simply drag and drop the application into the dashboard and it loads into the Cisco DNA Center’s app hosting library. Then choose the switches where you want the application installed and push it out.

Figure 4: Using Cisco DNA Center to install apps on your Catalyst 9000 switches

Deploying smart building technology to meet your company goals for sustainability and cost optimization will be a big trend in 2023. Training your staff on Cisco DNA Center will enable you to manage this new technology while maximizing your IT staff’s productivity.

Source: cisco.com

Saturday, 3 December 2022

Cisco Catalyst 9200CX now orderable!

Now is the time to make sure your network is ready for a hybrid world where the workplace is anywhere, endpoints could be anything, and applications are hosted all over the place.

Extending the power of the secure network as close to the edge as possible helps you to better respond to the unexpected… transforming the challenges of hybrid work into opportunities for innovation.

Introducing Cisco® Catalyst® 9200CX compact switches


Figure 1: Catalyst 9200CX 12 port

As part of the Catalyst 9000 family, these highly anticipated compact switches bring IOS® XE and enterprise-class access down to the very edge with an extra level of security, and the features required to handle our ever-changing world of hybrid work.

The new compact Catalyst 9200CX models are optimized for flexibility and security and are ideal for:

◉ Fiber to the edge
◉ Small branches
◉ Healthcare, retail, hospitality, sports, media, and entertainment
◉ Smart building retrofits
◉ Places where space is at a premium and quiet operation is a must

The smaller footprint and quiet, fan-less design mean Catalyst 9200CX compact switches can go in places other switches cannot, like on or under a desk, mounted on the wall or ceiling, or in a closet, hospital room, or classroom. But at the same time, they offer many advanced features that are firsts for a compact switch:

◉ MACsec-256 encryption
◉ Full flexible NetFlow/IPFIX
◉ Plug-and-play zero-touch provisioning
◉ SD-Access edge node capabilities with 16 VNs!

And to top it off, they’re also IPsec, AVB/PTP, and BGP EVPN hardware ready. 


The Catalyst 9200CX is designed to allow you to secure your network from the inside out, applying continuous zero-trust security anywhere you need it, and often extending your network to places it has never been before.

Whether in the board room or the bedroom, at the checkout counter, or the check-in desk, don’t box in your network to a traditional workspace or workplace; embrace the future of hybrid work with Catalyst 9200CX compact switches.

Source: cisco.com

Thursday, 1 December 2022

Cisco Catalyst 9300X – IPsec And Cisco Umbrella

In this blog, you will learn how to configure IPsec and Cisco Umbrella tunnels on a Catalyst 9300X by onboarding it with the Plug and Play (PNP) Cloud Service and Cisco DNA Center.

This capability is supported with Cisco DNA Center 2.3.4. The switch will need IOS-XE 17.8.1 for onboarding and an Advantage license. The IPsec feature on the switch requires an HSEC K9. Please refer to Part 1 of this series to understand at least three use cases that can leverage IPsec on a Catalyst switch.

PnP Cloud Service (Onboarding C9300X with IPsec)


The onboarding section below assumes that the switch only has direct internet access and requires a secure connection back to Cisco DNA Center for management. Traditionally, a switch has access to a local PnP server, but in this lean branch deployment with just the 9300X, connectivity back to a PnP server is highly unlikely.

Figure 1. Day 0 Automation Workflow for onboarding Catalyst 9300X

Cisco has augmented the PNP Connect with Plug and Play as a Service (PnPaaS). This enhancement allows Cisco DNA Center to send the Day 0 switch configuration file to the PnP Cloud Service. Once the switch sends its PnP request to devicehelper.cisco.com, the PnP Cloud Service responds with the configuration file. This allows the switch to establish the IPsec tunnel and for Cisco DNA Center to manage the newly onboarded switch.

Figure 2. Onboard Catalyst 9300X Device using PnP Cloud

So, how do you create the Day 0 configuration file? Easy, it’s pretty straightforward. Just go to Cisco DNA Center Provision –> Services –> Secure Tunnels and click on Onboard New Device. The form will ask for a Site and a Virtual Account where the switch is associated. Once this information is confirmed, the form can be completed with the following: the switch serial number, a management IP (resulting in a loopback address on the switch), the IP address of the Head-End (or remote side), an IPsec pre-shared key, the HSEC token, and a switch hostname. If the switch already has the HSEC token pre-installed from manufacturing at the time of purchase (it requires a selection in CCW), then the HSEC token entry does not need to be filled in. To look at the configuration file prior to its implementation, select the Day-0 Configuration Preview tab.

Figure 3. Cisco DNA Center Plug and Play Status

After selecting the Onboard Device option, the onboarding status of the switch can be verified under Provision –> Network Devices –> Plug and Play. Initially, the switch will appear as Unclaimed, and the state as Planned. When the process completes (please be patient, it will take several minutes) the switch appears under Provisioned and the state as Provisioned.

Figure 4. Cisco Catalyst 9300X with IPsec in Inventory

After the switch is onboarded, it can be managed over the IPsec tunnel using the loopback by selecting Provision –> Network Devices –> Inventory.

Cisco Umbrella – Creating Secure Tunnels


Now that the switch is under Cisco DNA Center management, additional IPsec tunnels can be configured to connect to a Secure Internet Gateway (SIG). In this case, it will be to Cisco Umbrella, but it can also be to a third party like Zscaler. To automate both sides of the tunnel (the switch and Cisco Umbrella), Cisco Umbrella and Cisco DNA Center must first be integrated using API keys (System –> Settings –> External Services). This topic is not covered here. Cisco DNA Center will only automate the switch portion when the API integration is not established.

Figure 5. Cisco Umbrella IPsec Tunnel Creation in Cisco DNA Center

In order to add the Cisco Umbrella tunnels, go to Cisco DNA Center Provision –> Services –> Secure Tunnels but this time click on Create Secure Tunnel. The form will require the following information: Site, Device, number of Cisco Umbrella tunnels (up to 4), Tunnel Name, and Tunnel Source Interface. In addition, a selection of the Cisco Umbrella data center location can be made, otherwise, the selection will be made based on the switch site location. If you have more than one tunnel, either the same data center or a different location can be selected.

Figure 6. Cisco Umbrella IPsec Pre-Shared Key in Cisco DNA Center

The next screen will ask for the Cisco Umbrella Tunnel Pre-Shared Key and the option to change the default IKEv2 and Transform Set values. The default values are for best practice and should not be changed unless it is for interoperability or other security reasons.
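A check a reviewer could run on tunnel settings before moving away from the defaults: this added example (not from the original post and not Cisco DNA Center's own code) audits IOS XE IKEv2 and IPsec configuration lines for weak algorithms and short pre-shared keys. The sample configuration, its names and keys, and the policy thresholds are constructed assumptions.

```python
import re

# Policy below is an assumption for this example, not Cisco DNA Center's defaults.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_PSK_LENGTH = 20

# Constructed sample in IOS XE syntax; every name, address and key is made up.
SAMPLE_CONFIG = """\
hostname EXAMPLE-9300X
!
crypto ikev2 proposal HEADEND-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 proposal LEGACY-PROP
 encryption 3des aes-cbc-128
 integrity sha1
 group 2 14
!
crypto ikev2 keyring TUNNEL-KEYS
 peer HEADEND
  address 192.0.2.1
  pre-shared-key ExamplePsk123
 peer SIG
  address 198.51.100.10
  pre-shared-key 9f2Kq7ZrT4mXw8Lb3VnC6yHd
!
crypto ipsec transform-set STRONG-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set LEGACY-TS esp-3des esp-sha-hmac
 mode tunnel
!
"""

PROPOSAL_RULES = {
    "encryption": WEAK_ENCRYPTION,
    "integrity": WEAK_INTEGRITY,
    "group": WEAK_DH_GROUPS,
}


def audit_config(text):
    """Return (kind, name, issue) tuples. Key material is never echoed."""
    findings = []
    section = None  # (kind, name) of the IKEv2 block being read
    peer = None     # current peer inside a keyring
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            # A top-level command closes whatever block was open.
            section, peer = None, None
            m = re.match(r"crypto ikev2 (proposal|keyring) (\S+)$", line)
            if m:
                section = (m.group(1), m.group(2))
                continue
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                for transform in m.group(2).split():
                    if transform in WEAK_TRANSFORMS:
                        findings.append(("transform-set", m.group(1), transform))
            continue
        if section is None:
            continue
        kind, name = section
        words = line.split()
        if kind == "proposal":
            for value in words[1:]:
                if value in PROPOSAL_RULES.get(words[0], set()):
                    findings.append(("proposal", name, f"{words[0]} {value}"))
        elif words[0] == "peer" and len(words) > 1:
            peer = words[1]
        elif words[0] == "pre-shared-key":
            # Type 6 keys are stored encrypted, so their length says nothing.
            if "6" in words[1:-1]:
                continue
            if len(words[-1]) < MIN_PSK_LENGTH:
                findings.append(("keyring", f"{name}/{peer}",
                                 f"pre-shared-key shorter than {MIN_PSK_LENGTH} characters"))
    return findings


if __name__ == "__main__":
    for kind, name, issue in audit_config(SAMPLE_CONFIG):
        print(f"{kind:14} {name:22} {issue}")
```
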

Figure 7. Handling Site Traffic using ECMP or PBR

In the next screen, traffic can be handled either by sending all of it to Cisco Umbrella using Equal-Cost Multi-Path (ECMP) load balancing when multiple tunnels are in use, or by steering it with Policy-Based Routing (PBR). Handling the traffic in this manner should help with most use cases. Subsequently, there will be a summary screen and a selection to create the tunnel(s).

Figure 8. Cisco DNA Center and Cisco Umbrella Tunnel Confirmation

After the switch and Cisco Umbrella have been provisioned, the status of the tunnels can be verified under Cisco DNA Center Provision –> Services –> Secure Tunnels.

Figure 9. C9300X IPsec Tunnels Cisco DNA Center and Cisco Umbrella

The IPsec tunnel information to both Cisco DNA Center and Cisco Umbrella can be verified via the CLI as well. Tunnel1 is the tunnel to Cisco DNA Center and Tunnel2 is the tunnel to Cisco Umbrella.

Figure 10. Cisco Umbrella UI IPsec tunnel to C9300X

Alternatively, Cisco Umbrella can also display the IPsec tunnel established to the Catalyst 9300X.

Source: cisco.com

Sunday, 27 November 2022

High Availability – Features in Cisco IOS XE Software Makes It Appear Seamless

High availability (HA) networks continue to function even when some components fail. A variety of features in Cisco IOS XE Software provide hardware and software redundancy that contribute to five nines (99.999%) uptime, which translates to no more than 5.26 minutes of downtime per year. That’s the kind of reliability that Cisco customers have come to expect. Thousands of Cisco engineers in offices throughout the world make it possible.


This is the first in a series of three blogs that describe significant features in Cisco IOS XE that contribute to HA in the enterprise.

Stack Manager


Cisco Stack Manager is a platform-independent discovery protocol that provides failover from active to standby switches in case the active switch experiences a failure. Available on Cisco Catalyst 9000 series, it enables a switch to discover peer nodes, verify their authenticity, raise alarms in case of a mismatch, allocate a unique switch number during discovery, and assign a HA role (e.g., active, standby, and member in one type of configuration). In case of failover, switchover, or a reload of the active switch card, the standby switch takes over.

After Stack Manager assigns roles to the switches (e.g., Active, Standby, Member), the Cisco IOS XE redundancy framework enables the control plane protocols to synchronize configuration data to the standby node. Standby protocols remain in a hot state so the standby switch can become active in case of a failure.

Stack Manager works in three different HA configurations, which will be described in an upcoming blog:

1. Switch connected via stack cable to up to eight nodes
2. Switch connected via StackWise Virtual Link to up to two nodes
3. Dedicated HA interface for wireless devices like controllers

Cluster Manager


Cluster Manager is an adaptation of Stack Manager for use with Cisco Next Gen StackWise® Virtual Link, which provides the ability to virtualize two connected switches into a single virtual switch. Cluster Manager enables the same standby/active failover features provided by Stack Manager, with the added ability to provide HA across an entire data center environment using Next Gen StackWise Virtual Link. Virtualization eliminates the need to physically stack switches on top of each other. Soon, Cluster Manager will be able to support HA in switch clusters across different geographically dispersed locations.

Redundancy Management Interface


The Stack Manager solution connects up to 8 switches in a ring, but in configurations using StackWise Virtual Link and in wireless deployments there is only a single interface between two nodes: one active, one standby. So, two technologies were created to handle split-brain-related HA scenarios in these configurations: Redundancy Management Interface (RMI) and Dual Active Detection (DAD).

RMI adds another interface to wireless controllers so that if one interface falters or fails, the other will take over to handle HA, first determining if it is an actual failure or just a momentary glitch. If it is an actual failure, RMI provides the redundant connection to ensure that if the active switch goes down, the standby takes over.

Dual Active Detection


For deployments using StackWise Virtual Link, if the connection between the active and standby switches is lost, if one switch fails over to the second, the Dual Active Detection (DAD) process is activated. It queries the node manager for the existence of the lost peer. If it is available, it sends a recovery handshake. Once the handshake is completed, if the lost connection was due to a momentary glitch, the standby switch goes into recovery mode. If the switch is experiencing a failure, the other switch goes into recovery mode and assumes the active role.

Operational Data Manager


All processes in active switches update the database and the database maintains the device’s state. Since the standby doesn’t communicate to the outside world, when it is updated by the active switch, it uses Operational Data Manager (ODM) to update the database. ODM uses Replication Manager to trigger all the data to sync from an active to a standby switch. The update first goes to the DB and then out to update the processes in the hot standby switch.

Symmetric Early Stacking Authentication


Symmetric Early Stacking Authentication (SESA) imposes authentication when one Catalyst 9000 series switch interacts with another and encrypts and decrypts all the remote inter-process communication between them to guard against hacking attempts. It works alongside standard stacking, StackWise Virtual Link, and wireless HA solutions and is Federal Information Processing Standards (FIPS) compliant.

Extended Fast Software Upgrade


In the past, reloading software on Cisco platforms could take 6-7 minutes. Now, with Extended Fast Software Upgrade (xFSU), the process is reduced to 30 seconds or less. This fast reload feature for Catalyst 9300 series switches decreases downtime during reload ― the hardware is never powered off and traffic keeps flowing ― while maintaining the control plane in an operational state during the reload process.

Graceful Insertion and Removal


Network admins may wish to remove a network device from the network to perform troubleshooting or upgrade operations. To remove one device and replace it with another, the Graceful Insertion and Removal (GIR) function notifies the protocols of both devices that there is a maintenance window but not to go down. When the platform undergoing maintenance comes back online, it goes immediately into production without having to recreate the sessions it missed, minimizing traffic disruption both at the time of removal from the network and during insertion back into the network.

Hot Patching


Another area that contributes to HA is hot patching. Cisco issues small micro images containing only the code necessary for a critical bug or security fix. Customers can install it on devices in a fraction of a second using hot patching without any network disruption. Hot patching doesn’t result in a device reload and the fix takes effect immediately. Because of the small size of the patches, they are easy to distribute. Because of their limited content, customers can have much higher confidence in installing these micro patches in their production network without going through the complete validation process. The Cisco IOS XE hot patching feature is a toolchain of integrated technology and is expected to provide a default hitless defect fix.

ISSU


With the in-service software upgrade (ISSU) feature, Cisco customers using Cisco IOS XE products with HA functionality, including both routing and switching platforms, can avoid disruptions from image upgrades. ISSU orchestrates the upgrade on standby and active processors one after the other and then switches between them in the control plane so that there is zero effective downtime and zero traffic loss. The Cisco IOS XE software stack has the ability to do ISSU between any-to-any releases, and the development team has an elaborate feature development, testing, and governance process to ensure this happens without failures occurring. Cisco defines policies for a smooth ISSU experience based on platform and release combinations.

An Ongoing Quest for High Availability


Handling failover at the device level seems straightforward, with automatic features guiding active, standby, and sometimes member switches that are all waiting in line. (For Cisco ASR 1000 routers, active and standby route processors also provide failover and HA, much like Catalyst 9000 series switches.) But for Cisco engineers working on Cisco IOS XE solutions, HA is an ongoing, complex challenge, with vulnerabilities addressed by the many solutions above.

Source: cisco.com

Saturday, 6 August 2022

Latest Innovations in Cisco DNA Software for Switching

Cisco continues to deliver on its promise of innovation in our Cisco DNA software for Switching subscription. By deploying the latest innovations in Cisco DNA software for Switching along with Cisco DNA Center, you can unlock the full power of your Catalyst switches in a user-friendly way. It’s no question that Cisco DNA Center is the most powerful management platform for your Catalyst devices over any third-party network management system.

What’s new?

ThousandEyes integration (Application assurance): Cisco DNA Center can provide visibility into how your applications are performing, which is improved as a result of the out-of-the-box integration with ThousandEyes (TE). TE agents are included in Cisco DNA Software subscriptions at the Advantage level in specific models; they just need to be deployed out to your switches. You can see applications that TE agents are monitoring in the dashboard and get a performance summary (loss, latency, jitter) with the ability to drill down further. TE provides insight not only into your internal network, but also into service providers.

Figure 1: ThousandEyes integration in Cisco DNA Center

Client Health: This feature allows you to quickly and efficiently understand how well the network is supporting end-users. The impact of any issues can be minimized for end users as well as IT staff in terms of issue resolution. You have the ability to drill down and search for specific users and get a 360 view of the health of their devices to pinpoint any downtimes.

Figure 2: Client 360 in Cisco DNA Center

PoE analytics: As people return to the office, it is important to be able to understand the power in remote offices. PoE analytics will allow IT to troubleshoot issues by looking at key attributes of PoE. For example, if a device is pulling more power, it is usually an indication that it may break. Action can be taken to disable specific ports or even power cycle ports.

Figure 3: PoE Analytics

Group Policy with ISE: The integration of Cisco DNA Center and ISE to control policy on a Cisco network provides a level of security that is unmatched in the industry. You can visualize what’s going on in your network and what devices and servers are communicating with each other. This allows you to make corrections as needed and ultimately prevent any security breaches.

Figure 4: Cisco DNA Center integration with ISE

Cisco DNA Spaces for Smart Buildings: Cisco DNA Spaces, a cloud-based data platform for IoT devices, gives smart building managers an all-encompassing view of operations and power consumption of smart lighting and shades, conference room availability, cleaning frequency, and asset location, to name a few. Cisco DNA Spaces entitlement for Smart Buildings (See and Extend) is included in Cisco DNA Advantage licenses for Cisco Catalyst 9300 and 9400 Series Switches.

Figure 5: Cisco DNA Spaces

How can I get these features and more?


If you already have a Cisco DNA Advantage subscription in Switching along with Cisco DNA Center, you will get to utilize these features at no additional cost to you.

If you do not have a Cisco DNA Advantage subscription or if you have a Cisco DNA Essentials subscription, the time to upgrade is now. We will continue to innovate and add more wireless features to our advantage tier.

Cisco is expanding the deployment options of Cisco DNA Center to provide greater operational flexibility and choice.


Cisco DNA Center is currently installed on a dedicated appliance. However, we recently announced at Cisco Live a new option for Cisco DNA Center customers, the Cisco DNA Center Virtual Appliance. The virtual appliance, which is targeted for general availability next year, will give customers new deployment options for a network controller: in a public cloud on AWS, or on VMware ESXi within a company data center or in a private cloud.

Source: cisco.com

Thursday, 28 July 2022

Your Network, Your Way: A Journey to Full Cloud Management of Cisco Catalyst Products

At Cisco Live 2022 in Las Vegas, Nevada (June 12-16), there were many announcements about our newest innovations to power the new era of hybrid workspace, distributed network environments and the customer's journey to the cloud. Among the revelations was our strategy to accelerate our customers' transition to a cloud-managed networking experience.

Our customers asked, and we answered: Cisco announced that Catalyst customers can choose the operational model that best fits their needs: Cloud Management/Monitoring through the Meraki Dashboard or On-Prem/Public/Private Cloud with Cisco DNA Center.

Figure 1: Bringing together the best of both worlds

Note: This article heavily references the following terms:

◉ DNA Mode and Meraki Mode for Catalyst: DNA Mode is a Catalyst device using a DNA license with DNA features and Meraki Mode is a Catalyst device using a Meraki license with Meraki features.

◉ Monitor and Manage: Cloud Monitoring allows Catalyst devices to have visibility and troubleshooting tools via the Meraki dashboard, while Cloud Management for Catalyst means complete feature parity with Meraki solutions.

So WHY THIS and WHY NOW?


Our Catalyst technology remains the most powerful campus and branch networking platform and fastest growing product on the market. Also, Meraki dashboard continues to be the simplest cloud management platform, with the highest adoption and deployment on the market. How can we bring things together and give our customers the best of both worlds? Enter Cloud Management and Monitoring for Catalyst. Simplicity without compromising.

And HOW to get started?


Today we have an on-premises management offering through Cisco DNA Center, which is a do-it-yourself high-touch approach. There are now two ways to implement this: in addition to existing Cisco DNA Center physical appliances that come in multiple sizes and flavors, we announced at Cisco Live the Cisco DNA Center Virtual Appliance, which runs as VMware ESXi instances in private data centers or as a virtual machine in public cloud platforms starting with AWS.

We also have Cisco Meraki Cloud Management, which provides a low-touch approach and simplicity. As Meraki's slogan says: simplicity at Meraki stands for everything from how we approach product development to user experience.

Executing a Cloud Ready Strategy


Cloud Management: Common Hardware Platforms

Figure 2: Delivering the Next Generation of Networking

On the wired network side, Cisco is focusing on our fixed switching portfolio in the Cisco Catalyst 9000 series switches. We announced that starting with the Cisco Catalyst 9300 series switches they will be common hardware and operate in either DNA or Meraki mode. A Cisco Catalyst 9300 switch can be migrated from DNA Mode to Meraki Mode and fully managed by the Meraki Dashboard. While the Meraki mode of the Catalyst 9300 can be migrated back to the DNA Mode, the Meraki MS390 cannot be migrated to a DNA mode of operation.

On the wireless network side, we also announced the first common hardware Access Points, the new Cisco Catalyst 916x Series Wi-Fi 6E Access Points. Those Access Points are built with dual modes: they are capable of booting in either Meraki or DNA modes. That means a Catalyst 916x Access Point can appear on the network as either a Meraki device or a Cisco DNA device, with all the associated monitoring and management capabilities inherent in each platform. The demo goes into detail.

Cloud Migration Details

◉ Cisco IOS-XE 17.8.1 version (or later) is required for the Cisco Catalyst 9300 switch to be migrated to Meraki Mode and managed by the Meraki Dashboard.

◉ When a Catalyst switch or access point is put in the Meraki mode of operation, its features align with what is available in the Meraki Dashboard. For example, the Cisco Catalyst 9300 switch in Meraki Mode is aligned with the switching features available for the Cisco Meraki MS390.

◉ You can migrate a standalone or a stack of Cisco Catalyst 9300 switches to Meraki Mode.

◉ Currently, you cannot stack the migrated Cisco Catalyst 9300 with Cisco Meraki MS390.

◉ Like native Meraki devices, once a Catalyst switch or AP is in Meraki Mode, the CLI access is unavailable.

◉ Managed devices display their software version as Meraki MS, just like native Meraki devices.

◉ Current supported switching platforms are Cisco Catalyst C9300-24T, C9300-48T, C9300-24P, C9300-48P, C9300-24U, C9300-48U, C9300-24UX, C9300-48UXM, C9300-48UN.

◉ Currently supported modules are C9300-NM-8X, C9300-NM-2Q, C3850-NM-4X.

◉ Current supported Cisco Catalyst Access Points are the Wi-Fi 6E CW APs (9162, 9164 and 9166).

Figure 3: The Migration Process from Cisco Catalyst 9300 DNA Mode to Meraki Mode

Cloud Monitoring: Existing Cisco Catalyst 9000 fixed switches 

Starting with IOS-XE 17.3.4, Cisco Catalyst 9200, 9300 and 9500 series switches in DNA mode with a valid DNA license (Essentials or Advantage) can be added to the Meraki dashboard for monitoring and troubleshooting, providing a single pane of glass and centralized network monitoring, network device visibility, usage, topology. The Meraki dashboard also allows the ability to see alerts, port information and use of diagnostic tools, all in one place.

Figure 4: Cloud Monitoring for Catalyst

Cloud Monitoring Details

◉ Catalyst Switches in DNA mode and with a valid DNA license (single or in a stack) can be monitored via the Meraki dashboard.

◉ Once claimed in the Meraki Dashboard, the switches will be automatically tagged with “Monitor Only” in the dashboard to distinguish them from fully managed Meraki switches. Aside from this difference, “Monitor Only” Catalyst switches have visibility similar to Meraki MS switches in the dashboard, including a visual representation of connected ports and traffic information.

◉ The Meraki Dashboard displays two serial numbers in the inventory of each catalyst device. Similar to migrated Catalyst switches, all switches in monitor mode keep a Catalyst Serial Number and generate a Meraki serial number which both appear in the dashboard to help identify switches.

◉ Monitor-only devices display their software version as IOS-XE. The device is still in DNA Mode which means that the CLI is still enabled, and other DNA features are available.

◉ For monitor-only devices, other management tools can still be used to make changes to devices such as Ansible, CLI, GUI, etc.

◉ Current supported switching platforms are Cisco Catalyst 9200, 9300 and 9500 series. Other platforms are under consideration.

◉ The process to onboard Cisco Catalyst switches for monitoring is done through a guided process using the Meraki onboarding app for Mac, Windows or Linux.

Figure 5. Cloud Monitoring Capabilities

License Flexibility


Our Licensing Team has been working hard to ensure a smooth transition between Modes (DNA and Meraki) from the licensing perspective.

For the common hardware perspective, to migrate the Cisco Catalyst 9300 switch to a Meraki mode, a valid DNA license is required. You can choose between Meraki Enterprise or Advanced license depending upon enabled features during license renewal.

The Cisco Catalyst 916x series APs can be purchased with the appropriate licenses based on the management platform: DNA license for Cisco DNA Center or Meraki license for Meraki mode.

On the visibility/monitoring front: A valid DNA Essentials (for switch visibility) or Advantage license (client visibility) is required to be onboarded into the Meraki dashboard. The device can be managed by other tools such as Cisco Prime, CLI or 3rd party tools.

Customer Use Cases


Cloud Monitoring

◉ Catalyst customers not using Cisco DNA Center as the operational platform: They will be able to gain immediate value with cloud monitoring, which provides a view of their network from anywhere, anytime, and gives them a low-effort way to experience the Meraki Cloud Dashboard.
◉ Customers who are running a hybrid network of Meraki and Catalyst: They benefit by moving their Catalyst hardware into view on the Meraki dashboard with monitoring.

Cloud Management

◉ Customers with a network refresh: Customers who already have Meraki platforms can, upon refresh, choose to adopt Catalyst into their existing infrastructure (APs and switches).

◉ Current Cisco Catalyst 9300 customers looking to move to cloud operations and the features available in the Meraki Dashboard satisfy their use cases.

Cisco DNA Center Physical/Virtual Appliance

◉ Customers using DNA features with Air gapped or Compliance requirements

◉ Customers using DNA features and require a Public or Private Cloud deployment

◉ Customers with requirements for on-premise management platform

Why is this important?


The benefits are endless

Customers now have the operational flexibility to choose either Meraki dashboard or Cisco DNA Center for the Cisco Catalyst family, providing extensive monitoring and management capabilities while enabling the choice as to where the services are running—on-premises or in the cloud—depending on operational needs, geography, and regional data regulations.

For example, financial organizations that require air-gap protection from internet traffic can utilize an on-premises Cisco DNA Center appliance while a distributed organization that needs to support high-speed Wi-Fi access at retail outlets, branch offices, or emergency popup sites, can deploy the new Cisco Catalyst Wi-Fi 6E Access Points and manage them from the cloud-first Meraki dashboard to simplify remote operations.

Source: cisco.com