
Thursday, 25 February 2021

Cisco User Defined Network: Redefining Secure, Personal Networks


Connecting all your devices to a shared network environment such as dorm rooms, classrooms, multi-dwelling building units, etc. may not be desirable: there are too many users and devices on the shared network, and onboarding of devices is not secure. In addition, there is limited user control; that is, there is no easy way for users to deterministically discover and limit access to only the devices that belong to them. You can see all users’ devices and every user can see your devices. This not only results in a poor user experience but also brings in security concerns, because users can knowingly or unknowingly take control of devices that belong to other users. 

Cisco User Defined Network (UDN) changes the shared network experience by enabling simple, secure and remote on-boarding of wireless endpoints onto the shared network to give a personal network-like experience. Cisco UDN gives end users control to create their own personal network consisting of only their devices, and also gives them the ability to invite other trusted users into their personal network. This provides security to the end users while at the same time giving them the ability to collaborate and share their devices with other trusted users. 

Solution Building Blocks

The following are the functional components required for Cisco UDN Solution. This is supported in the Catalyst 9800 controllers in centrally switched mode.

Figure 1. Solution Building Blocks

Cisco UDN Mobile App: The mobile app is used for registering a user’s devices onto the network from anywhere (on-prem or off-prem) and at any time. End users log in to the mobile app using the credentials provided by the organization’s network administrator. Device on-boarding can be done in multiple ways. These include: 

◉ Scanning the devices connected to the network and selecting devices required to be onboarded

◉ Manually entering the MAC address of the device

◉ Using a camera to capture the MAC address of the device, or using a picture of the MAC address to be added

In addition, using the mobile app, users can also invite other trusted users to be part of their private network segment. The mobile app is available for download on both the Apple App Store and the Google Play Store.

Cisco UDN Cloud Service: The cloud service is responsible for ensuring that registered devices are authenticated with Active Directory, through a SAML 2.0-based SSO gateway or Azure AD. The cloud service is also responsible for assigning end users and their registered devices to a private network, and it provides rich insights about the UDN service through the cloud dashboard.

Cisco DNA Center: An on-prem appliance that connects with the Cisco UDN cloud service. It is the single point through which the on-prem network is provisioned (automation), and it provides visibility through telemetry and assurance data. 

Identity Services Engine (ISE): Provides authentication and authorization services for the end-users to connect to the network.

Catalyst 9800 Wireless Controller and Access Points: Network elements that enforce traffic containment within the personal network. UDN is supported on Wave 2 and Cisco Catalyst access points.

How does it work?


Cisco UDN solution focuses on simplicity and secure onboarding of devices. The solution gives flexibility to the end-users to invite other trusted users to be part of their personal network. The shared network can be segmented into smaller networks as defined by the users. Users from one segment will not be able to see traffic from another user segment. The solution ensures that broadcast, link-local multicast and discovery services (such as mDNS, UPnP) traffic from other user segments will not be seen within a private network segment. Optionally, unicast traffic from other segments can also be blocked. However, unicast traffic within a personal network and north-south traffic will be allowed. 

Workflows


There are three main workflows associated with UDN:

1. Endpoint registration workflow: A user’s endpoint can register with the UDN cloud service through the mobile app from anywhere at any time (on-prem or off-prem). Upon registration, the cloud service ensures that the user is authenticated with Active Directory. The cloud service then assigns a private segment/network to the authenticated user and assigns it a unique identity – the User Defined Network ID (UDN-ID). This unique identity (UDN-ID), along with the user and endpoint information (MAC address), is pushed from the cloud service to on-prem through DNAC. The unique private network identity along with the user/endpoint information is stored in ISE. 

2. Endpoint on-boarding workflow: When the endpoint joins the wireless network using one of the UDN-enabled WLANs, ISE, as part of the authorization policy, pushes the private network ID associated with the endpoint to the wireless controller. This mapping of endpoint to UDN-ID is retrieved from ISE. The network elements (wireless LAN controller and access point) then use the UDN-ID to enforce traffic containment for the traffic generated by that endpoint.

3. Invitation workflow: A user can invite another trusted user to be part of their personal network. This is initiated from the mobile app of the inviting user. The invitation triggers a notification to the invitee through the cloud service. The invitee has the option to either accept or reject the invitation. Once the invitee has accepted the request, the cloud service puts the invitee in the same personal network as the inviter and notifies the on-prem network (DNAC/ISE) about the change of personal room for the invitee. ISE then triggers a change of authorization (CoA) for the invitee and notifies the wireless controller of this change. The network elements take the appropriate actions to ensure that the invitee belongs to the inviter’s personal room and enforce traffic containment accordingly.

The following diagram highlights the various steps involved in each of the three workflows.

Figure 2. UDN Workflows

Traffic Containment


Traffic containment is enforced in the network elements: the wireless controller and the access points. The UDN-ID, an identifier for a personal network segment, is received by the WLC from ISE as part of the RADIUS Access-Accept message during either client on-boarding or change-of-authorization. Unicast traffic containment is not enabled by default. When it is enabled on a WLAN, unicast traffic between two different personal networks is blocked; unicast traffic within a personal network and north-south traffic is still allowed. The wireless controller enforces unicast traffic containment. The traffic containment logic in the AP ensures that link-local multicast and broadcast traffic is sent as unicast traffic over the air only to the clients belonging to a specific personal network. The table below summarizes the details of traffic containment enforced on the network elements.

Figure 3. UDN Traffic Containment
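The containment rules just described (UDN-ID learned from the RADIUS Access-Accept or a CoA, broadcast and link-local multicast replicated only to same-UDN clients, unicast blocking optional, north-south traffic always allowed), together with the CoA step of the invitation workflow above, as an added illustrative Python model. This is not Cisco's code; the WLAN state, client MAC addresses and UDN-IDs are constructed for the example.

```python
"""Model of UDN traffic containment on a centrally switched WLAN (illustrative, not Cisco code)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
MDNS_IPV4 = "01:00:5e:00:00:fb"   # mDNS group MAC; treated as link-local multicast
IPV6_MCAST_PREFIX = "33:33"       # all IPv6 multicast (incl. mDNS ff02::fb) maps here


@dataclass
class UdnWlan:
    unicast_containment: bool = False                  # off by default, as the post states
    clients: dict = field(default_factory=dict)        # client MAC -> UDN-ID

    def access_accept(self, mac: str, udn_id: int) -> None:
        """On-boarding: ISE returns the UDN-ID in the RADIUS Access-Accept."""
        self.clients[mac] = udn_id

    def change_of_authorization(self, mac: str, udn_id: int) -> None:
        """Invitation accepted: ISE sends a CoA moving the invitee into the inviter's UDN."""
        self.clients[mac] = udn_id

    def forward(self, src: str, dst: str) -> list:
        """Return the wireless clients a frame from src is delivered to.
        'uplink' means the frame is allowed north-south to the wired network."""
        if src not in self.clients:
            return []                                  # unknown/unauthorized client: drop
        udn = self.clients[src]
        if dst in (BROADCAST, MDNS_IPV4) or dst.startswith(IPV6_MCAST_PREFIX):
            # AP replicates broadcast / link-local multicast as unicast to same-UDN peers only
            return sorted(m for m, u in self.clients.items() if u == udn and m != src)
        if dst in self.clients:                        # east-west unicast between clients
            if self.unicast_containment and self.clients[dst] != udn:
                return []                              # cross-UDN unicast blocked by the WLC
            return [dst]
        return ["uplink"]                              # north-south traffic is always allowed


# Constructed sample clients: Alice and Bob share UDN 100, Carol is in UDN 200.
ALICE, BOB, CAROL = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def demo() -> UdnWlan:
    wlan = UdnWlan()
    wlan.access_accept(ALICE, 100)
    wlan.access_accept(BOB, 100)
    wlan.access_accept(CAROL, 200)
    return wlan


if __name__ == "__main__":
    w = demo()
    print(w.forward(ALICE, BROADCAST), w.forward(ALICE, CAROL))
```

Set `unicast_containment=True` on the instance to see Alice's unicast to Carol dropped, then call `change_of_authorization(CAROL, 100)` to see Carol start receiving Alice's broadcasts after the invitation.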

The WLAN on which UDN is enabled must either have MAC filtering enabled or be an 802.1X WLAN. The possible authentication combinations on which UDN can be supported on the wireless controller are listed in the accompanying table.

For RLAN, only mDNS and unicast traffic can be contained through UDN. To support link-local multicast (LLM) and/or broadcast traffic, all clients on the RLAN need to be in the same UDN.

Monitor and Control


End-to-end visibility into the UDN solution is enabled through both the DNA cloud service dashboard and DNAC Assurance. In addition, DNAC also enables configuring the UDN service through a single pane of glass. 

The DNA Cloud Service provides rich insights through the cloud dashboard. It gives visibility into the devices registered and connected within a UDN, as well as information about the invitations sent to other trusted users. 

Figure 4. Insights and Cloud Dashboard

On-prem DNAC enables UDN through an automation workflow and provides complete visibility into UDN through the Client 360 view in Assurance.

Figure 5. UDN Client Visibility

Cisco UDN enriches the user experience in a shared network environment. Users can bring any device they want to the Enterprise network and benefit from home-like user experience while connected to the Enterprise network. It is simple, easy to use and provides security and control for the user’s personal network.

Friday, 22 June 2018

The Factory: A Living Organism for Wireless and Mobility

We live in a wireless world. We almost never plug our computers into a network. Our mobile phones and tablets provide constant connectivity. Some of us wear health tracking devices like Apple Watches, Fitbits, and Garmins. These devices count our steps, measure our heart rates, and log the number of hours we sleep. In doing so, health tracking devices create incredible volumes of data we use to monitor our personal health and improve the quality of our lives. When we don’t feel well, we can look back at hours slept and pulse rate to understand the cause and effect of our bodies’ inputs and outputs.

In many ways, our bodies are like machines requiring inputs like food for fueling, sleep for recovery, and exercise for maintaining optimal performance. When we take care of our bodies, we are rewarded with optimal outputs including increased awareness and productivity.

The same is true for machines on the factory floor. They require electricity for fuel and raw materials to manufacture products. Historically, machinists and engineers were the experts in operating their tooling; they learned through years of experience. Over time, sensors connected to the equipment and computers collected data used to monitor and improve visibility into operating characteristics. Sensors measuring equipment performance characteristics like vibration, current draw, and lubricant temperature assisted equipment operators in gaining maximum productivity from their equipment.

Initially many of these sensors and computers were wired and tethered. Over time, sensors became wireless and hard-wired computers morphed into wireless laptops, tablets, and mobile devices. And with wireless becoming pervasive, manufacturers gained considerable flexibility to monitor and manage the health of their factory equipment.

The shift to mobility


Previously, we described networks as being wireless. Over time, we shifted from wireless to mobile and mobility. With mobility, we can drive the business benefits associated with the wireless features.

Building a mobile manufacturing network creates many challenges. The fundamental challenge is to ensure the wireless capabilities are built on a solid foundation. The foundation requires robust security and a common network infrastructure. Historically, the factory network operated independently of the enterprise network. However, today, it’s possible to secure and converge both the factory and enterprise networks with Cisco’s standard platform.

Once the foundation has been established, the mobile environment must be configured for the three foundational use cases. These use cases enable data, communications, and video capabilities.

Although it sounds obvious, data drives everything. Sensors enable access to data. The simplest types of IoT sensors (vibration, current, particle, temperature, humidity, etc.) connect wirelessly. These sensors then communicate with our networks, where we secure, move, and reduce the data we want to persist or keep, and discard the data when it’s perishable.

When we move to communication, the most tangible and relatable mobility use case, we typically think about providing workers with mobile devices like tablets and phones. Mobile communications enable workforces to do their jobs at the place of work. Wi-Fi enabled voice makes it possible to replace paid, licensed hand-held spectrum and cellular fees by shifting to Wi-Fi enabled communicators.

Of course, with Wi-Fi mobile communicators, everyone on the factory floor gains immediate access to factory floor personnel, as well as receiving real-time notifications, pages, and safety alert messages.

Wireless video has become part of our daily lives, typically through applications like Cisco WebEx, FaceTime, and many others. On the shop floor or in a warehouse, video capabilities take communications to the next level. Video on the shop floor, whether enabled by a mobile phone or a tablet, immediately takes away the mystery of trying to imagine what is happening or what has happened.

The business benefits of mobility


Because every dollar spent in manufacturing is tied to a return on investment, it’s crucial to map mobility capabilities to business needs and benefits.

Ultimately, factory wireless solutions enable essential business benefits like less downtime, fewer line stoppages, improved worker efficiency, increased cycle time and higher OEE, which means better productivity, availability, and quality.

The Cisco Factory wireless platform includes our products, services, partners and solution implementation plans. Together, all of these components provide what’s necessary for customers to deploy and scale their wireless capabilities.

A manufacturing plant is like a living organism – requiring care and feeding in all areas. Every organism must be part of a connected ecosystem, sensing and sharing information across all parts to ensure not just survival, but growth as well.

While we wouldn’t attach a Fitbit to a piece of manufacturing equipment, we will deploy wireless and mobility capabilities in our factories to monitor and connect our equipment, resulting in operational benefits with improved cost, quality, and delivery.

Monday, 19 February 2018

Manufacturing mobility: Data, voice, video, and location

Manufacturers use wireless to increase margins, reduce cycle times, enable lean, and improve equipment productivity. While pervasive wireless connects sensors, tools, robots, AGVs, and RFID devices, it also enables mobility. Mobility supports far more than just cell phones, tablets, and laptops.

Very simply put, mobility drives data, voice, video and location applications.