
Tuesday, 23 April 2024

Find Your Path to Unmatched Security and Unified Experiences


Imagine juggling multiple remotes for your entertainment system, each controlling a different device and requiring endless button presses to achieve a simple task. This is what managing a complex network security landscape can feel like—a jumble of disparate solutions, each demanding your attention and contributing to confusion.

Today’s IT environment is no stranger to complexity. The rise of hybrid work, multicloud adoption, and more sophisticated cyberthreats has created a security landscape that traditional, siloed solutions simply cannot keep pace with. This leaves organizations vulnerable, jeopardizing the security of their data, applications, and user trust.

This is where convergence comes in. It’s just like having a single, universal remote for your entertainment system.

Secure access service edge (SASE) is this “universal remote” for your network security. It offers a converged approach that combines networking and security into a single, cloud-delivered service. By bringing security closer to the user and the cloud edge, organizations can help ensure comprehensive protection regardless of the user’s location or access point.

However, adopting SASE can feel like navigating a maze. Different vendors, complex integrations, and lengthy implementation times can leave you feeling lost. At Cisco, we understand the challenges you face and the need for simplicity. That’s why we’re committed to making your SASE journey simpler and more efficient.

Figure 1: Evolve to full SASE—Catalyst SD-WAN and Secure Access integration

Introducing the integration of Cisco Catalyst SD-WAN and Cisco Secure Access, a cloud-delivered security service edge (SSE) solution. It’s a single, integrated SASE solution that unifies the power of Cisco Catalyst SD-WAN with the robust security of our SSE solution, Cisco Secure Access. This powerful duo forms the foundation of our integrated Cisco SASE solution, offering a simplified path to robust security and streamlined management.

You can think of Catalyst SD-WAN as the intelligent highway, optimizing network traffic flow and ensuring reliable connectivity. Cisco Secure Access, meanwhile, functions as the tollbooth or security checkpoint, allowing only authorized users and devices access. When these two solutions are integrated, they offer a streamlined and efficient approach to SASE, helping to ensure secure and efficient access for your data, applications, and users.

Catalyst SD-WAN and Cisco Secure Access (SSE) combine to transform your network’s performance and security. Through Catalyst SD-WAN’s advanced networking technology, your data is intelligently routed along the most efficient pathways, optimizing cloud application performance and reducing latency by connecting users to the nearest point of presence (PoP). This ensures enhanced redundancy and supports the high bandwidth demands of specialized regional sites, underpinning your network’s scalability and agility.

Cisco Secure Access serves as a robust cloud-based security shield, embodying the zero-trust approach by thoroughly verifying and continuously monitoring each access attempt, while diligently scanning internet traffic to safeguard your network against the spectrum of emerging cyberthreats.

The integration simplifies the transition to SASE by eliminating the complexities of multivendor environments. A unified management platform offers centralized control and oversight of both networking and security functions, significantly reducing operational complexity and saving IT resources. This comprehensive control enhances decision making, streamlines workflows, and ensures a cohesive security posture across the entire network infrastructure.

Let’s explore how this integrated solution empowers you to address common security challenges.

  • Securing branch offices and internet SaaS traffic: Branch offices and roaming users are particularly vulnerable to cyberthreats, especially with the growing adoption of Direct Internet Access (DIA). Our seamless integration extends robust cloud security across your entire SD-WAN fabric, protecting branch offices and users accessing internet and cloud-based applications.
  • Empowering zero-trust security: Our solution requires rigorous verification for every access attempt. This continuous monitoring approach ensures only authorized users and devices gain access to critical resources. By leveraging Cisco segmentation and micro-segmentation capabilities, you can effectively isolate critical network segments and resources, significantly reducing the attack surface and hindering unauthorized access.
  • Rapid deployment: Through the Cisco automation framework, you can rapidly deploy secure connectivity for hundreds or thousands of branch sites to Cisco Secure Access within minutes. This eliminates the need for complex, time-consuming manual configurations.
  • Streamlined customer onboarding: The streamlined purchasing process through the buying tool not only simplifies acquiring licenses but also automatically initiates the creation of tenant spaces tailored for your organization. This pivotal feature represents a significant value-add, seamlessly transitioning customers from the acquisition phase to operational readiness.

The benefits of this integrated SASE solution go beyond just simplifying your security stack, and include:

  • Enhanced security: Elevate protection for internet and SaaS traffic at branch offices, while effortlessly steering traffic for additional security. Benefit from a comprehensive suite of security features, including secure web gateway (SWG), Cloud Access Security Broker (CASB), data loss prevention (DLP), zero trust network access (ZTNA), firewall-as-a-service (FWaaS), and IPS.
  • Meet converged networking and security needs at scale: Deploy robust SASE architectures on top of your existing Catalyst 8000 series routers for high-throughput branch sites.
  • Distributed security enforcement: Offers tailored security, efficient traffic management, and enhanced protection. It combines on-premises NGFW on the Catalyst 8000 with cloud-based Cisco Secure Access, providing flexibility, scalability, and cost efficiency. This model enables organizations to tailor their security posture to specific needs, offering a robust defense against cyberthreats and empowering them to manage demanding network traffic with strong security measures.
  • Operational efficiency: Simplify security implementation with policy-based routing and automated failover, minimizing complexity and ensuring smooth operation.
  • Enhanced user experience: Deliver consistent, unwavering security for roaming users, regardless of location, for a more seamless user experience.
  • Unparalleled agility: Scale security effortlessly to adapt to your evolving environment, enabling rapid and flexible responses to changing demands.
  • Unmatched network visibility and troubleshooting: Combining Cisco Catalyst SD-WAN, ThousandEyes, and Secure Access delivers exceptional network visibility and troubleshooting capabilities. This powerful integration optimizes traffic flow, enhances digital experience assurance by securing user connections, and ensures robust connectivity across your entire network. Gain a comprehensive view of network health, streamline problem resolution, and create a resilient and efficient digital environment.
  • Always ahead of threats: Leverage the power of Cisco Talos threat intelligence for real-time insights that identify, correlate, and remediate threats at exceptional speed.

Jumpstart your SASE journey with ease


The integrated power of Cisco Catalyst SD-WAN and Cisco Secure Access unlocks a scalable, secure, and simplified path to SASE. This powerful combination, merging the best of networking and security into a single solution, delivers a unified experience for both IT and users. Centralized management of your entire network and security posture streamlines operations and simplifies SASE adoption. Additionally, users enjoy unmatched security with consistent protection across the network, regardless of location.

Source: cisco.com

Saturday, 20 January 2024

Come Together Right Now, IT Operations Teams

If you have been reading our blog series around the 2023 Global Networking Trends Report, you may have noticed two recurring themes. First, network infrastructure has become more complex, and second, this complexity is calling for a change in the way we operate. We have changed where we run everything, we have changed the locations of the end users, and we have moved to a flexible model that adapts to changing needs.

For one thing, most organizations have more than one cloud. The 2023 Global Networking Trends Report shows that 92% of respondents reported using more than one public cloud, and 69% stated they are using more than five software-as-a-service (SaaS) applications. That does not mean they are using SaaS exclusively, of course; the architecture varies from traditionally developed, on-premises software (you can call it “legacy” or “heritage”) to third-party microservices and full-blown commercial SaaS offerings. These systems are either bound to fixed hardware and operating system stacks or abstracted into granular containers and services.

Most organizations still support the older, static technology models, and at the same time have to adapt to newer technologies such as virtualization, microservices, Kubernetes, and heavier API use—which each come with different network support requirements. The “long tail” of old versus new presents a greater challenge to IT operations and security.

Avoid “cylinders of excellence”


Back when I was a system administrator, I would have been considered part of a “full stack” team. We were responsible for setting up and troubleshooting everything—from pulling cables and carrying (heavy) 20-inch CRT monitors to diagnosing application issues together with the developers. But that technology model fragmented over the decades into layer-based areas of specialization (see Figure 1).

Figure 1. Distributed infrastructures and workforce have caused increases in IT complexity

If you needed support, you had to pull in people from different domains, like the network engineer, the desktop support tech, the security experts, the Exchange admin, the database wizard, the business-embedded software engineer, and possibly a third-party vendor or two. We still see that problem today with IT operations forming silos. Silos such as cloud, network, and security operations were cited by 40% of our 2023 Global Networking Trends respondents as a top challenge to providing secure access from distributed locations to multiple cloud-based applications. And while some organizations have tried to unite these teams by forming “centers of excellence,” my experience is that with each team having its own agenda, these teams tend to turn into “cylinders of excellence”—further segmenting IT operations, while slowing down IT teams and the business.

Move swiftly and carry a small stick


None of the networking architectural options of the past few years are static. Just because many users went home during the pandemic doesn’t mean they’ll stay there long term. One call for an onsite, all-hands meeting will bring the networking load and access requirements back into the building for a few hours or even a few days. IT operations teams need to plan for a dynamic environment that hides each transition from the user. Implementing a zero-trust framework can help with this, since one of the principles of zero trust is that every access request should be subject to the same authentication and authorization process, no matter the location.

Given the dynamic nature of networking requirements, the IT operations and security teams need to converge—providing more alignment in their tools, processes, and people. This requires understanding how they can work better together to simplify IT and focus on end-to-end use cases. Cloud networking requirements are different from those in the data center. A security executive at a global bank once described to me how they made sure all the networking engineers received cloud training. Not only did that help with operational alignment, but it also opened up more career opportunities for the staff and empowered them to contribute support in more areas.

Another example in simplifying IT is to consider a secure access service edge (SASE) architecture to standardize enforcement, reduce complexity, and stay flexible in the face of a dynamic environment (as shown in Figure 2).

Figure 2. A secure access service edge (SASE) architecture converges people, processes, and technology for the monitoring and management of the software-defined WAN (SD-WAN) and security service edge (SSE) solutions

The days of siloed IT operations are over. All IT teams need a seat at the operations table as well as a unified agenda, including IT operations, networking, cloud services, and security professionals. End users should also have a seat at the table to add their business-side experience and desired outcomes to networking solutions.

As you go on your journey to consolidate and simplify your infrastructure, take this opportunity to bring all your IT operations teams together, along with users, so that the knowledge, skills, and processes in your network environment evolve as well. Try to avoid building another “cylinder of excellence” that is dedicated solely to cloud-based technology. While this may look like “plumbing” that doesn’t concern the business side, it is deeply user-facing in terms of performance and experience, and you may well discover important use cases when you include the end-to-end view.

The important message here is that people and processes are every bit as important as technology choices; IT operations should never operate in silos again.

Source: cisco.com

Tuesday, 19 December 2023

Simplifying IT for Better Experiences


IT leaders face the challenge of managing a growing set of often disparate technologies and successfully delivering them to a wide audience of end users who demand simple experiences. However, today’s technology landscape is complex and fragmented.

Simplifying IT requires us to rethink our processes and what we mean by “experience.”

Unified experiences show us what’s possible when technologies, applications, and networks all work as one. Simplifying the end-to-end journey, which includes back-end systems and end-user experiences, comes with challenges, risks, and opportunities.

With insights from a panel of cross-sector IT leaders, we can examine what we’re simplifying and how that leads to superior experiences.

Simplify the back end


Whether driven by internal or external forces, innovation typically results in more systems and greater complexity. A closer look often reveals a patchwork of new and legacy systems that are burning through budgets, confusing customers, and squeezing profits.

A big part of this complexity stems from backward compatibility with legacy systems. It’s not so much a matter of redundant old systems taking up valuable resources, but rather maximizing value and operations efficiency across both old and new systems. This challenge lies at the heart of simplifying IT.

Graeme Howard, former CTO and CIO of Covea Insurance, points to legacy systems as a challenge for his organization’s digital transformation. “We built out a huge number of new platforms and new functionality, but we also had many legacy platforms that were far too expensive to change.”

In the process of driving customer experience, hyper-personalization, and data enrichment, legacy systems can pose a significant obstacle. Graeme encourages leaders to persevere and push through such challenges.

Focus on first impressions, Graeme argues. If it’s difficult for a customer or internal user to log onto a system or buy a product, that could mean losing customers and business.

Simplify for the customer


Simplifying IT for better experiences isn’t just about hiding the complexities of our processes from the customer. It’s also about including customers in the design of those experiences. Whether starting from scratch or taking on a complex project of integrating new and legacy systems, IT can no longer dictate to the user.

Instead of relying on customers to create their own demand for our products and services, Archana Jain, CTO at Zurich Insurance Group, understands simplifying IT as the opportunity to reach insurance customers with products and services, when and how they need them. Alongside traditional methods of insurance, she poses a simple question to get her industry thinking: “Can we offer [customers] insurance when they need it, as opposed to having something static forever and forever?”

For example, if a customer wants to go on holiday, instead of a lengthy process of booking travel insurance for flights, hotels, and car rentals, Jain suggests simplifying that experience through a partner so the customer can buy insurance with one click. That thinking conceptualizes travel insurance within the customer’s travel-planning journey, not as a stand-alone task. It’s a win for everyone.

Simplify to better manage risk


As IT leaders, we can be nimble in how we lead digital transformation. For superior experiences, how we responsibly simplify IT must extend to how we manage risk. Change for the sake of change, or moving too fast for stakeholders to keep up, can expose organizations to unnecessary risk.

Technologists leading successful IT simplification strategies can balance business value, business case, and legacy systems. Joanna Pamphilis, UniCredit’s Senior Vice President and CDIO, is one such leader. She believes organizations should be practical about the need to eliminate legacy systems, and deliver value while leading responsible change.

Jain at Zurich Insurance Group says operational alerts are a great example of how technology that is designed to improve a process can, ultimately, complicate it. How often do we hear stories of overburdened IT operations teams with piles of server, network, device, and security alerts (among others) with no way of sorting the high priorities from the quick fixes from the FYIs? But technology is also the answer to simplifying that same operation without completely unravelling the infrastructure.

According to Jain, Zurich Insurance Group’s IT operations team were handling thousands of alerts designed to pick up events like server issues. Ironically, the technology deployed to manage risk created the risk of not having the human resources to investigate every alert—and the risk of an unreliable user experience. To solve this challenge, Zurich now uses artificial intelligence (AI) to filter out the unnecessary alerts so their IT operations team can better focus on actionable items.


Consolidating customer, employee, and other types of data is a critical step in becoming proactive about risk and the customer experience, according to Ronald Martey, CISO at GCB Bank. He wants leaders to investigate different elements and systems, and ask, “What kind of data can I move onto the cloud that will not impact privacy and security regulations?”

Simplify for the future


From pioneering digitalization to pivoting to hybrid work, every era of digital transformation has been about optimizing organizations’ need to serve customers and grow businesses efficiently, reliably, and safely.

The process of simplifying IT requires us to assess our entire business, from customer interactions to back-end systems, and the role of data. It’s about rethinking our traditional methods and modernizing them, without the rush to rip out and replace everything.

The era of simplifying IT will test you, just like every era before it did, but the ultimate reward of a more simplified IT infrastructure is unified experiences that connect your customers and teams through technologies, applications, and networks that all work as one.

Source: cisco.com

Tuesday, 7 November 2023

Bridging the IT Skills Gap Through SASE: A Path to Radical Simplification and Transformation


Imagine a world where IT isn’t a labyrinth of complexity but instead a streamlined highway to innovation. That world isn’t a pipe dream—it’s a SASE-enabled reality.

As we navigate the complexities of a constantly evolving digital world, a telling remark from a customer onstage with me at Cisco Live in June lingers: “We don’t have time to manage management tools.” This sentiment is universal, cutting across sectors and organizations. An overwhelming 82% of U.S. businesses, according to a Deloitte survey, were prevented from pursuing digital transformation projects because of a lack of IT resources and skills. Without the right experts to get the job done, teams are often entangled in complex, disparate systems and tools that require specific skills to operate.

The IT talent crunch


Today’s tech landscape presents a challenge that IT leaders can’t ignore: complex IT needs combined with a fiercely competitive talent market. Internally, teams are overwhelmed, often struggling to keep up with ever-evolving technical demands. In fact, many teams are strapped and rely on early-in-career staff to fill wide gaps left behind by more experienced predecessors. And the problem is only going to get worse.

For experienced IT workers, it’s an attractive time to entertain new opportunities. According to a global Deloitte study, 72% of U.S. tech employees are considering leaving their jobs for better roles. Interestingly, a mere 13% of employers said they were able to hire and retain the tech talent they most needed.

Now more than ever, organizations must rethink their approach to talent management and technology adoption to stay ahead of the curve.

Convergence as a catalyst for transformation


In an era where time is a premium and complexity is the norm, the need for convergence has never been more apparent. Technical skills, while essential, are not enough. The real game-changers are adaptability, cross-functional collaboration, and strategic foresight. And yet, these “soft skills” can’t be optimally used if teams are entangled in complex, disparate systems and tools that require specialized skills to manage and operate.

So how do organizations tackle this dilemma? How do they not just keep the lights on but also innovate, improve, and lead? In a word: convergence. Unifying siloed network and security teams as well as systems and tools with a simplified IT strategy is key to breaking through complexity.

A platform to radically simplify networking and security


Secure access service edge (SASE) is more than just an architecture; it’s a vision for the future where the worlds of networking and security are no longer siloed but become one. Cisco takes a unified approach to SASE, where industry-leading SD-WAN meets industry-leading cloud security capabilities in one robust platform to make managing networking and security easy.

Figure 1. SASE architecture converging networking and security domains

Unified SASE converges the two domains into one, streamlining operations across premises and cloud. Admins from both domains gain end-to-end visibility into every connection, making it easier to optimize the application experience for users, providing seamless access to critical resources wherever work happens. This converged approach to secure connectivity through SASE delivers real outcomes that matter to resource-strapped organizations.

Simplify IT operations and increase productivity

◉ Administrators find it easier to manage networking and security when they are consolidated
◉ 73% reduction in application latency improves collaboration and enhances overall productivity
◉ 40% faster performance on Microsoft 365 improves employee experience

Do more with less

◉ 60% lower TCO for zero-trust security enables budget reallocation to strategic initiatives
◉ 65% reduction in connectivity costs helps ease the burden on IT budgets

Enhance security without adding complexity

◉ Simplify day-2 operations with centralized policy management, which makes it easier for IT teams to execute
◉ Improve security posture through consistent enforcement—from endpoints and on-premises infrastructure to cloud—across your organization

Scale and adapt

◉ Cloud-native architecture supports scaling and addresses the challenges of rapidly evolving IT landscapes
◉ Prepares your organization for changes, reducing the need for constant upskilling or reskilling in IT teams

Organizations can use SASE architecture to advance their technological frameworks and strategically address the IT skills gap, leading to long-term business success.

Shifting gears: Unifying, simplifying, innovating


SASE is not merely a technological evolution; it’s a paradigm shift in how we approach IT management. This lets IT admins focus less on tool management and more on driving business innovation, enriching user experiences, and evolving in tune with market demands.

Figure 2. Introducing unified SASE with Cisco+ Secure Connect, a better way to manage networking and security

The path ahead with unified SASE from Cisco


Cisco offers a unified, cloud-managed SASE solution, Cisco+ Secure Connect. From on-premises to cloud, this comprehensive SASE solution delivers simplicity and operational consistency, unlocking secure hybrid work for employees wherever they choose to work. The beauty of Cisco’s unified SASE solution lies in the principle of interconnecting everything with security everywhere–if it is connected, it is protected. It’s that easy.

Source: cisco.com

Saturday, 14 October 2023

Securing the Modern Hyper-Distributed Network: Perspectives from the 2023 Gartner Magic Quadrant for SD-WAN


A typical day’s tasks for today’s modern worker are frequently distributed across multiple devices, applications, and locations. They could be working from home, analyzing CRM dashboards, and later, they might be at a coffee shop reviewing slides for an upcoming customer meeting. Perhaps they then head into the office for team meetings, followed by catching up with emails and messages on the commute home.

For a networking and security leader, a typical day looks very different. Those individuals need to ensure that the WAN is delivering superior app performance, connecting users to applications wherever they are. They also need to know if an untrusted device is being used to access confidential CRM dashboards. How is network traffic being secured outside the office? How are apps and services being accessed and secured?

Multiply these security concerns by the number of employees at numerous office locations, and then factor in technology-led business transformation initiatives, and we start to understand the complexity facing IT to secure and connect hyper-distributed users and resources everywhere.

Choose the right security


We hear you loud and clear—security and high performance are top priorities. In the face of constant change and increasing complexity—especially over the WAN—organizations must implement security technologies that converge with their SD-WAN, enforcing them as close as possible to users and workloads. For the most effective implementation, this will require security hosted on-premises and in the cloud that ensures the best possible app performance.

The importance of security with SD-WAN was acknowledged by Gartner in its recently published 2023 Magic Quadrant for SD-WAN report, which provides an annual evaluation of the SD-WAN market for IT leaders. We feel this year’s report includes the most thorough assessment of security capabilities—hosted on-premises and in the cloud—since the Gartner Magic Quadrant for SD-WAN began.

In 2023, Cisco was named a Leader for the fourth consecutive year.

At Cisco, we work closely with our customers and partners to better understand their challenges so we can build products and solutions that support their long-term goals. These continued partnerships provide us with the insight to deeply ingrain advanced security technologies into Cisco SD-WAN.

  • The right security: Stateful firewall, intrusion detection systems (IDS), intrusion prevention systems (IPS), advanced malware protection (AMP), URL filtering, HTTPS inspection, data loss prevention (DLP), cloud access security broker (CASB), and more, all natively informed by the world’s largest commercial threat intelligence team, Talos.
  • Hosted in the right place: On-premises or in the cloud (native or third party) hosting ensures that security policies are enforced close to workloads and users.
  • SASE your way: WAN appliances provide the building blocks to effortlessly chart your own journey.

Seek real-world validation


With a highly dense market of network security technologies and products to choose from, understanding which solutions will perform best for your environment and be the right long-term strategic fit can be confusing. While there is no substitute for testing solutions in a production environment, independent testing that mirrors real-world conditions can help identify top performers and refine a shortlist.

Miercom, a leading independent product test center, conducted a thorough evaluation of Cisco’s security and SD-WAN technologies delivered through Cisco Catalyst and Meraki WAN appliances. These tests were meticulously designed to match real-world conditions as closely as possible, instead of a theoretical laboratory environment.

Figure 1. According to leading independent product test center Miercom, Cisco’s malware efficacy is 25% better than the industry average. Across 11 malware exploit categories, Cisco averaged 98% malware efficacy.

Maximize your WAN


The WAN is central to an organization’s success. In addition to an uncompromising commitment to security, we continue to push Cisco SD-WAN beyond traditional expectations to help IT leaders maximize the potential of the WAN for their business through:

  • Delivering high performance and a superior experience irrespective of where users and workloads live.
  • Simplifying cloud migration with integration and streamlined workflows for AWS Cloud WAN and Microsoft Azure Virtual WAN.
  • Enabling secure, long-term remote work strategies with Meraki Z4 and Catalyst CG113 secure teleworker gateways.
  • Providing continuous visibility across all the hyper-distributed internal and external domains with instant activation of Cisco ThousandEyes, which leverages predictive path recommendations (PPR) to deliver proactive feedback, enhancing the user experience for critical application performance across the SD-WAN fabric.
  • Enabling agile business models using 5G fixed wireless access through indoor and outdoor Meraki MG51 and Catalyst CG522 cellular gateways.

Build a long-term strategy for simplicity


At Cisco, we’re committed to helping organizations simplify IT. Our vision is to create a simpler network management platform experience to help customers easily access and manage Cisco networking products from one place—the Cisco Networking Cloud.

The distribution of users and resources will continue to evolve along with the IT landscape, creating new complexities along the way. Simplifying the IT experience enables IT to better automate, analyze, and diagnose issues—supporting a framework that is well-positioned to evolve alongside the modern hyper-distributed network and helping to secure and connect hyper-distributed users and resources, no matter where they are located.

Source: cisco.com

Tuesday, 4 July 2023

Make Your WAN Connectivity an Extraordinary Experience

Alan Dapré, author of more than 60 children’s books said, “Why be ordinary when you can be extraordinary?” You may be thinking that “extraordinary” is not a term commonly associated with network connectivity. Shouldn’t it just be like water coming out of the faucet? A utility that is … well … ordinary?

Extraordinary is an enhanced experience. And the Cisco Networking Cloud vision enables you to create an enhanced experience that your users refer to as extraordinary. With our latest SD-WAN product enhancements, we’ve made it easier for you to deliver that exceptional experience to them.

SD-WAN: New name and additional deployment option


At Cisco Live in Las Vegas, we announced the rebranding of the Viptela technology solution from Cisco SD-WAN to Cisco Catalyst SD-WAN. The Catalyst brand has always stood for the industry’s most powerful switching, wireless, and routing platforms. This name change not only provides consistent alignment with the Catalyst brand of our routing hardware, but also with our access, data center, and cloud solutions—and drives brand simplification. Cisco’s SD-WAN portfolio includes both Catalyst SD-WAN and Meraki SD-WAN fabrics to provide the most versatile solutions regardless of your use case.

Deployment options for SD-WAN connectivity


Until now, Cisco has offered two ways for you to consume Cisco Catalyst SD-WAN. First, an on-premises deployment would reside in your own data center or a managed service provider’s data center. The second option was to deploy in a Cisco hosted environment with either an AWS or Microsoft Azure cloud infrastructure.

A third deployment option is now available. Cisco Catalyst SD-WAN can be cloud-delivered to align with your infrastructure strategy. Why cloud-delivered? We recognize that operating models are changing. Organizations demand simplicity, agility, flexibility, and scalability. Cloud-delivered Catalyst SD-WAN provides a cloud-first experience with automated, rapid on-boarding and single sign-on.

Cisco provides zero-touch life cycle deployment and management of the infrastructure via Cisco’s Cloud Operations team. Customers will experience end-to-end service delivery, providing automated provisioning of the SD-WAN fabric. Cisco provides the management, monitoring, upgrades, and backup and restore. We’ve included access to end-to-end actionable insights that measure, predict, understand, and remediate potential issues, so there’s no need to implement it later. You can now consume SD-WAN with a flexible subscription model that scales to your needs and enables more precise OpEx planning and lower TCO.

Elevating the application experience


Nary a business has been unaffected by the need to support hybrid work. The importance of delivering an exceptional experience to your users has risen with this trend, and the accelerated adoption of digital services has transformed enterprise IT. Unless every one of your users works from the office and every application they access is on premises, you no longer fully control the end-to-end infrastructure, yet you are still accountable for delivering optimal digital experiences. These new capabilities and solutions help you elevate the application experience.

ThousandEyes Service Assurance helps your organization deliver top-notch digital experiences through end-to-end network visibility and proactive insights that let you pinpoint, troubleshoot, resolve, and optimize performance across every network domain that matters, whether on premises, on the internet, or in the cloud.

Cisco is announcing expanded support with ThousandEyes, providing visibility into public cloud networks, internet routing, and enterprise sites with new vantage points from Meraki MX (and Webex RoomOS) devices. You’ll enhance operations with automated event detection and problem isolation, and unmatched insights of your cloud connectivity.

As organizations adapt to hybrid work, IT is expected to support workers at the branch, on campus, and remotely. The Meraki Z4 gateways allow IT teams to securely provide connectivity to remote workers and simultaneously manage SD-branch infrastructure across global locations from a single cloud platform that consolidates security, SD-WAN, access, and IoT.

Simplifying IT


Technology should never get in the way of conducting business and has two essential requirements: work as expected and be simple to use.

The latest enhancements in SD-WAN management and analytics include new Circuit and SecOps dashboards—along with step-by-step configuration templates to expedite the implementation and management of security policies. They include enhanced visibility into circuits and traffic patterns with a visual interface. An enhanced topology view has been added, and real-time tracking of network and path conditions by application-aware routing provides faster brownout detection.

We are introducing closed-loop automation capabilities to Predictive Path Recommendations (PPR). As an integral component of Cisco predictive networks, PPR delivers a predictive network solution, enabling IT personnel to proactively improve application experience. Leveraging advanced algorithms and predictive models, PPR determines the performance and policy compliance of the paths carrying the site application traffic. When performance is below historical benchmarks or SLA, PPR can make recommendations to the IT personnel and automatically implement corrective actions—before impacting users.

Granular Role-Based Access Control (RBAC) enables service providers to offer a robust co-managed SD-WAN service. Both service providers and their tenants can share or split responsibilities while maintaining accountability via auditing functionality in managing an SD-WAN overlay.

Cisco Catalyst SD-WAN now supports Cisco Umbrella’s multi-org integration, allowing customers to easily manage multiple child organizations or regions from a single Umbrella dashboard. This enables the integration of multiple Umbrella organizations with a single-tenant Cisco Catalyst SD-WAN deployment by configuring the Umbrella API integration for DNS and SIG on a per-device basis. By creating customized security policies tailored to specific needs of different regions or organizational units, customers can simplify the security management process, improve network security, and reduce the risk of security breaches. A centralized view of multiple networks reduces the time and effort to manage multiple networks and improves the user experience.

Cloud and middle-mile connectivity


Cisco SD-WAN Cloud Hub with AWS Cloud WAN provides a dynamic WAN service that allows building of a global network in a simplified and fully automated manner, within minutes. The solution delivers a secure, on-demand, flexible, and highly available middle-mile, leveraging the global AWS backbone, intent-based network management, and advanced security through a central policy framework.

Our multicloud solutions start with our enhanced cloud router—the Catalyst 8000V—a virtual router that is optimized for scale and performance for compute instances across the cloud and backbone providers. You can consume this software from public cloud marketplaces with pay-as-you-go (PAYG) licenses or bring your own license (BYOL), purchased directly from Cisco.

During Cisco Live, we announced a network-as-a-service consumption model for middle-mile services with Megaport. This PAYG model allows customers to be billed by Cisco according to their usage of Megaport services. We also announced the availability of Megaport Ports on Cisco’s Global Price List (GPL). Customers will be able to purchase ports globally for private connectivity to Megaport Virtual Edge and for provisioning global backbones through Cisco Catalyst SD-WAN. With PAYG and Megaport Ports, you gain private connectivity to virtual edges from your data centers or sites. PAYG matters because you pay only for what you use: there is no upfront commitment and no overage.

Efficiency and cost savings for service providers


Cisco Multitenant Edge for Cisco Catalyst SD-WAN platforms enables providers to securely host multiple tenants on a single physical or virtual SD-WAN platform. It simplifies and accelerates SD-WAN design and deployment, while also providing CapEx and OpEx savings. This also helps you meet your sustainability goals by powering fewer WAN appliances.

Clearly, network connectivity is no longer just an ordinary, basic utility. As we continue to build on our vision for Cisco Networking Cloud, we are enabling elevated experiences that allow you to provide connectivity experiences for your users that are truly extraordinary.

Source: cisco.com

Tuesday, 25 April 2023

Unifying Experiences Starts By Unifying SASE

Over the years, advancements in technology and the endless waves of new innovations have created an unintended problem for most organizations today—overcomplexity. 53% of senior decision-makers say their IT environment is more complex than it was just two years ago.

I explained how Secure Access Service Edge (SASE) and the convergence of networking and security are key to reducing operational complexity. Now, more than ever, organizations need an efficient way to securely connect distributed workforces and build a consistent operational model that extends from on-premises to the cloud, bridging a hyper-dispersed landscape and creating secure and seamless experiences anywhere.

Answering that call are two general SASE approaches that may deliver those outcomes. The first, a “best of breed” solution, comprises separate networking (SD-WAN) and security service edge (SSE) products, typically from multiple vendors. It inherently lacks a consistent operational model, leading to a more fragmented experience given the integration required to produce a complete SASE solution, and the seams between separately managed components may also leave it less secure.

The second approach is a unified SASE solution that delivers networking and security components as a simplified, turnkey cloud service featuring unified management from a single dashboard. A well-designed SASE solution removes complexity by providing centralized management with intelligent and consistent distributed enforcement, along with controls and visibility across endpoints, enterprise edge, and cloud edge to deliver a more secure end-to-end solution that further enhances the end-user experience. Unified SASE embraces a platform approach, seamlessly converging networking and security technologies into one experience that makes management easy.

Acknowledging the importance of a unified, single-vendor approach, Gartner predicts that… “By 2025, 50% of new SD-WAN purchases will be part of a single-vendor SASE offering, up from 10% in 2022.” 

Converging the Best of Networking with Security on a Single Platform


Cisco+ Secure Connect is Cisco’s premier unified solution that provides a blueprint for SASE made easy. This unified SASE solution is built on a converged cloud-first platform that connects Cisco’s industry-leading networking and security technology and delivers several key outcomes:

◉ Creates a streamlined IT management experience, which in turn helps deliver a more seamless experience for end users so they can access the resources they need, wherever and whenever they need them

◉ Simplifies the management of networking and security domains within a single dashboard, providing greater visibility and insight to IT and allowing them to proactively stay on top of threats and vulnerabilities across the network, ensuring greater resiliency and security

◉ Harmonizes the networking and security domains by interconnecting everything and providing security everywhere to build a unified SASE fabric, removing complexity and creating a simple, consistent operating model

Figure 1. Cisco+ Secure Connect Dashboard

Every organization has an installed technology base, and there may be a temptation to simply add the missing SASE functionalities to whatever currently exists. However, it’s important to note that SASE is a long-term strategic choice and simply deploying all the components of a SASE model without a high level of integration does not constitute a fully functional SASE solution and will not deliver the desired outcomes. For this reason, unified SASE is the simplest and easiest path to realizing true SASE benefits that “stick” – ultimately, delivering better experiences.

Source: cisco.com

Thursday, 13 April 2023

Something New: AP Discovery Methods for 6GHz Wi-Fi – Part 2

In Part 1 (Something Old) we looked at basic changes to the physical layer provided by wave 1 of 802.11ax, how these changes can affect performance, and how OFDMA enables the optimal use of the 6GHz spectrum. In this second article, we’ll explore “something new:” the challenges of discovery in 6GHz, the new methods used for solving them, and how these methods open 6GHz to many different use cases.

Is There Anybody Out There?


In previous generations, Wi-Fi clients would scan channels and send unsolicited probe requests to discover access points (APs). Scanning channels is a time-consuming process: beacons are broadcast only every 102400us (the default beacon interval), so the client must dwell on each channel at least that long to be sure of hearing one. At 6GHz that is 102400us x 59 channels (there are 59 20MHz channels in the new 6GHz spectrum), which is over 6 seconds. For the client, that time represents a disruption in communication, creating intolerable latency for voice and forfeiting the chance to move hundreds of megabytes of data every time it decides to scan. Furthermore, the previous process was to send unsolicited (wildcard) probe requests and see which APs responded. Remember that this is all a contention-based medium, so probe requests and responses on every channel from every client create a significant amount of interference and, at the very least, an inefficient use of the spectrum.


Over the years the IEEE has introduced measures to address these roaming challenges. 802.11k was introduced to provide clients with a list of neighboring APs, 802.11v was introduced to provide a recommended AP candidate, and 802.11r was introduced to reduce the roaming time for 802.1x clients. Not all clients and infrastructure support these measures so while they helped, they did not eliminate the need for clients to send unsolicited probes.

While these IEEE updates are still available for 6GHz, the strategy for AP discovery fundamentally changes. To start with, unsolicited probe requests are no longer allowed (with one limited exception we will discuss shortly).

Three New Methods to Improve AP Discovery


Since wildcard probe requests are not allowed at 6GHz and passively scanning all 59 channels is too slow, Wi-Fi 6E introduces three new methods for finding AP candidates.

The primary method (and the one that clients typically respond to best) is called Reduced Neighbor Report (RNR). Since most, if not all, clients also have legacy band capability, an Information Element (IE) embedded in the legacy band beacons lists the 6GHz SSID(s) that are available on the serving AP. The client first scans the 5GHz or 2.4GHz channels and looks for this RNR element. The RNR contains the 6GHz channel, the SSID (in its Short SSID form), the BSSID, a few bits of information about the AP, and the allowed power level (Power Spectral Density). This effectively makes the 2.4GHz and 5GHz channels a control channel for 6GHz. Clients can then send a directed probe request on the channels learned from the RNR to determine which 6GHz AP to join. It is important to note that an RNR can carry multiple 6GHz SSIDs and they do not have to match the legacy SSIDs.

The information contained in an RNR is very similar to the information provided in the previously introduced 802.11v action frame. The RNR below is from a 5GHz beacon and is advertising two SSIDs on 6GHz channel number 5. The legacy 802.11v action report below shows similar information to the RNR, but the fundamental difference is twofold:

◉ This is an action frame, not part of the beacon like the RNR. It is a request-response type transaction, whereas an RNR is broadcast in the legacy band beacons.

◉ The information in the 802.11v action frame describes other APs on the same frequency band. The RNR only lists SSIDs broadcast on the 6GHz band (a different frequency band) by this same AP.

Figure 1: RNR on 5GHz beacon

Figure 2: 802.11v Action Frame

What if the AP is only broadcasting 6GHz? This is an unlikely condition, but nonetheless a possible one. First, scanning can be reduced by limiting the number of channels to be scanned. This is called Preferred Scanning Channels (PSC). The PSCs are the primary channels (the 20MHz subchannel) of the 80MHz channels, which works well since 80MHz will often be the preferred operating bandwidth for the reasons discussed in part 1 of this blog series. If, however, narrower channels are used without RNR or additional support from the methods below, a client could easily miss the channel, which should be a consideration when using PSC with narrower channels.

Figure 3: Preferred Scanning Channels (red)

There are two mutually exclusive options to further enhance AP discovery, in which the AP broadcasts an additional discovery frame four times between beacons, about every 20ms (configurable from 5ms to 25ms). The first is Fast Initial Link Setup (FILS) discovery, based on the earlier 802.11ai amendment. This is a very lightweight frame (somewhere around 100 bytes, compared with a beacon at 500+ bytes). The second is the “Broadcast Probe Response” or “Unsolicited Probe Response” (UPR). Like FILS, this advertisement is broadcast at a higher rate than the beacon. However, the UPR carries everything a probe response would, so while it supplies the client with more information, it is heavier in the amount of data transmitted repeatedly.
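The RNR, PSC and UPR mechanics described above, as an added worked example (not code from the original post or from Cisco): a small Python decoder for the RNR element as carried in a 2.4GHz or 5GHz beacon. It maps each reported Short SSID back to an SSID the client is configured for, returns the 6GHz channel to send a directed probe on, tells whether that channel is a PSC, flags the BSS Parameters bit that says the AP is also sending Unsolicited Probe Responses, and computes the passive-scan time saving of PSC against all 59 channels. The sample RNR bytes are constructed for the example, not captured. The BSS Parameters bit positions, the little-endian Short SSID, and the assumption that the Short SSID CRC-32 matches zlib.crc32 are marked as assumptions in the comments, and only the TBTT Information layouts that carry a BSSID are decoded.

```python
"""Decode a Reduced Neighbor Report (RNR) element from a legacy-band beacon and
derive the 6 GHz channels a client should probe, plus the PSC shortcut."""
import struct
import zlib

RNR_ELEMENT_ID = 201                     # Element ID of the RNR
BEACON_INTERVAL_US = 102_400             # default 100 TU; per-channel dwell for a passive scan
CHANNELS_6GHZ = list(range(1, 234, 4))   # the 59 20 MHz channels: 1, 5, 9, ..., 233
PSC_CHANNELS = [ch for ch in CHANNELS_6GHZ if ch % 16 == 5]  # 5, 21, ..., 229 (15 channels)

# Bits of the BSS Parameters subfield in a TBTT Information field (assumed layout)
BSS_PARAM_SAME_SSID = 0x02   # 6 GHz BSS uses the same SSID as the reporting legacy-band BSS
BSS_PARAM_COLOC_ESS = 0x10   # member of an ESS with a co-located 2.4/5 GHz AP
BSS_PARAM_UPR_ACTIVE = 0x20  # AP is sending Unsolicited Probe Responses (UPR)
BSS_PARAM_COLOC_AP = 0x40    # BSS is co-located with the reporting AP


def short_ssid(ssid: bytes) -> int:
    """Short SSID = CRC-32 of the SSID, computed like the frame FCS (assumed to equal zlib.crc32)."""
    return zlib.crc32(ssid) & 0xFFFFFFFF


def parse_rnr_element(element: bytes) -> list:
    """Parse a complete RNR element (ID, length, body) into one dict per reported 6 GHz BSS."""
    if len(element) < 2 or element[0] != RNR_ELEMENT_ID or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RNR element")
    body = element[2:]
    reports, pos = [], 0
    while pos < len(body):
        # Neighbor AP Information field: 2-byte TBTT Information Header, Operating Class, Channel
        hdr0, tbtt_len, op_class, channel = struct.unpack_from("<BBBB", body, pos)
        count = ((hdr0 >> 4) & 0x0F) + 1          # TBTT Info Count is stored as count - 1
        pos += 4
        for _ in range(count):
            info = body[pos:pos + tbtt_len]
            if len(info) != tbtt_len or tbtt_len < 1:
                raise ValueError("truncated TBTT Information field")
            report = {"op_class": op_class, "channel": channel, "tbtt_offset_tu": info[0]}
            # Only the BSSID-carrying layouts (7, 11, 12, 13 bytes) are decoded here
            if tbtt_len >= 7:                     # BSSID present
                report["bssid"] = ":".join(f"{b:02x}" for b in info[1:7])
            if tbtt_len >= 11:                    # Short SSID present (assumed little-endian)
                report["short_ssid"] = struct.unpack_from("<I", info, 7)[0]
            if tbtt_len >= 12:                    # BSS Parameters present
                report["bss_params"] = info[11]
                report["upr_active"] = bool(info[11] & BSS_PARAM_UPR_ACTIVE)
            if tbtt_len >= 13:                    # 20 MHz PSD, signed, in 0.5 dBm/MHz units
                report["psd_dbm_per_mhz"] = struct.unpack_from("<b", info, 12)[0] / 2
            reports.append(report)
            pos += tbtt_len
    return reports


def resolve_candidates(reports: list, known_ssids: list) -> list:
    """Match reported Short SSIDs to SSIDs the client knows; return (channel, bssid, ssid) to probe."""
    by_short = {short_ssid(s): s for s in known_ssids}
    out = []
    for r in reports:
        ssid = by_short.get(r.get("short_ssid"))
        if ssid is not None:
            out.append((r["channel"], r["bssid"], ssid.decode()))
    return out


def is_psc(channel: int) -> bool:
    """PSCs are the primary 20 MHz channel of each 80 MHz channel: 5, 21, 37, ..."""
    return channel % 16 == 5


def passive_scan_time_s(channel_count: int) -> float:
    """Worst-case time to passively scan channel_count channels at the default beacon interval."""
    return channel_count * BEACON_INTERVAL_US / 1_000_000


def _tbtt_info(bssid_hex: str, ssid: bytes, params: int, psd_half_dbm: int) -> bytes:
    # Constructed 13-byte TBTT Information field: offset, BSSID, Short SSID, BSS Parameters, PSD
    return (bytes([0xFF]) + bytes.fromhex(bssid_hex) + struct.pack("<I", short_ssid(ssid))
            + bytes([params]) + struct.pack("<b", psd_half_dbm))


# Constructed sample (not a capture): one Neighbor AP Information field advertising two 6 GHz
# BSSs on channel 5, global operating class 131 (20 MHz), 17 dBm/MHz PSD; guest-6g also runs UPR.
_BODY = (bytes([(2 - 1) << 4, 13, 131, 5])
         + _tbtt_info("02aabbcc0001", b"corp-6g", BSS_PARAM_COLOC_AP | BSS_PARAM_COLOC_ESS, 34)
         + _tbtt_info("02aabbcc0002", b"guest-6g", BSS_PARAM_COLOC_AP | BSS_PARAM_UPR_ACTIVE, 34))
SAMPLE_RNR_ELEMENT = bytes([RNR_ELEMENT_ID, len(_BODY)]) + _BODY

if __name__ == "__main__":
    reports = parse_rnr_element(SAMPLE_RNR_ELEMENT)
    for ch, bssid, ssid in resolve_candidates(reports, [b"corp-6g", b"guest-6g", b"lab-6g"]):
        print(f"probe channel {ch} ({'PSC' if is_psc(ch) else 'non-PSC'}) for {ssid} at {bssid}")
    print(f"full passive scan: {passive_scan_time_s(len(CHANNELS_6GHZ)):.2f} s, "
          f"PSC only: {passive_scan_time_s(len(PSC_CHANNELS)):.2f} s")
```

Because the RNR carries only a CRC of the SSID, a client can confirm the name only by matching against SSIDs it already knows, which is why the directed probe on the learned channel is still needed before joining; the length checks on the element and each TBTT field are the part worth keeping when this runs on frames received from the air.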

Teamwork Makes the Discovery Dream Work


So how do these methods work together? First, if legacy band SSIDs are transmitted on the AP, the expectation is that the RNR will do the work of discovering the 6GHz channel, and no other method is required. Where only 6GHz is broadcast from the AP, the most likely scenario is PSC with either FILS or UPR. Notice that UPR and FILS are exclusive options; you can only use one or the other. Early testing of client devices has shown issues with standalone 6GHz APs not being discovered with PSC alone, so FILS (or UPR) needs to be enabled to help the client discover the AP. This may change over time, but for early implementations, deploying 6GHz with only 80MHz channels and PSC enabled is a good option, as it allows the primary channel to match the PSC channels. In addition, enabling FILS can further assist discovery with minimal impact on performance.

Source: cisco.com

Saturday, 8 April 2023

Networking Demystified: The Modern Networking Stack

Suppose you were to peruse any book or paper on the topic of computer networking. In that case, you would undoubtedly find at least a cursory mention of the OSI or TCP/IP networking stack. This seven (or five) layer model defines the protocols used in a communication network, described as a hierarchy with abstract interfaces and standard behaviors. In this “Networking Demystified” blog post, we shed light on the modern networking stack but from a completely different vantage point: the focus will be on the technologies and areas associated with the various layers of the stack. The goal is to offer a glimpse of what engineers and technologists are working on in this exciting and continuously evolving space that impacts businesses, education, healthcare, and people worldwide.

But first, how did we get to where we are today?

A Brief History of Time (well, … networking mostly)


The early years of networking were all about plumbing: building the pipes to interconnect endpoints and enable them to communicate. The first challenges to conquer were distance and reach—the connection of many devices—which gave rise to local area networks, wide area networks, and the global Internet. The second wave of challenges involved scaling those pipes with technologies that offered faster speeds and feeds and better reliability.

The evolution in Physical and Link Layer technologies continued at a rapid cadence, with several technologies getting their 15 minutes of fame (X.25, Frame Relay, ISDN, ATM, among others) over the years and others ending up as roadkill (which shall remain unnamed to protect the innocent). The Internet Protocol (IP) quickly emerged as the narrow waist of the hourglass, normalizing many applications over several link technologies. This normalization created an explosion in Internet usage that led to the exhaustion of the IPv4 address space, thereby bringing complexities like Network Address Translation (NAT) to the network as a workaround.

The years that followed in the evolution of networking focused on enabling services and applications that run over the plumbing. Voice, video, and numerous data applications (email, web, file transfer, instant messaging, etc.) converged over packet networks and contended for bandwidth and priority over shared pipes. The challenges to overcome were guaranteeing application quality of service, user quality of experience, and client/provider service level agreements. Technologies for traffic marking (setting bits in packet headers to indicate the quality of service level), shaping (delaying/buffering packets above a rate), and policing (dropping packets above a guaranteed rate), as well as resource reservation and performance management, were developed. As networks grew more extensive, and with the emergence of public (provider-managed) network services, scalability and availability challenges led to the development of predominantly Service Provider oriented technologies such as MPLS and VPNs.
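The shaping and policing mechanisms named above, as an added example (not from the original post): one token bucket used two ways, as a policer that drops packets exceeding the contracted rate and as a shaper that delays them, with a bounded queue so the shaper still drops once the queueing delay would exceed a limit. The offered load is constructed, and the millisecond timebase and integer byte counts are simplifications chosen for the example.

```python
"""Token-bucket rate limiting two ways: a policer that drops excess and a shaper that delays it."""


class TokenBucket:
    """Credit accrues at `rate` bytes per millisecond up to `burst` bytes; starts full."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ms = burst, 0

    def refill(self, now_ms: int) -> None:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms


def police(packets, rate, burst):
    """Policer: conform = forward immediately, exceed = drop.
    packets is a list of (arrival_ms, size_bytes); returns (forwarded indexes, dropped indexes)."""
    bucket = TokenBucket(rate, burst)
    forwarded, dropped = [], []
    for i, (arrival_ms, size) in enumerate(packets):
        bucket.refill(arrival_ms)
        if bucket.tokens >= size:
            bucket.tokens -= size
            forwarded.append(i)
        else:
            dropped.append(i)          # no credit, no queue, no added latency: just a drop
    return forwarded, dropped


def shape(packets, rate, burst, max_delay_ms):
    """Shaper: exceed = hold the packet until enough credit accrues, in FIFO order;
    tail-drop when the wait would exceed max_delay_ms (a bounded buffer).
    Returns (list of (index, release_ms), dropped indexes)."""
    bucket = TokenBucket(rate, burst)
    released, dropped = [], []
    last_release = 0
    for i, (arrival_ms, size) in enumerate(packets):
        eligible = max(arrival_ms, last_release)   # never overtake the packet ahead in the queue
        bucket.refill(eligible)
        if bucket.tokens < size:                    # wait for the shortfall to accrue (ceil division)
            eligible += -(-(size - bucket.tokens) // rate)
        if eligible - arrival_ms > max_delay_ms:   # buffer full: drop without consuming credit
            dropped.append(i)
            continue
        bucket.refill(eligible)
        bucket.tokens -= size
        last_release = eligible
        released.append((i, eligible))
    return released, dropped


# Constructed offered load: 500-byte packets every 100 ms (5000 B/s) against a 1000 B/s
# contract (1 byte/ms) with a 1500-byte burst allowance.
SAMPLE_PACKETS = [(t, 500) for t in range(0, 1000, 100)]
RATE_BYTES_PER_MS, BURST_BYTES = 1, 1500

if __name__ == "__main__":
    print("policer forwarded/dropped:", police(SAMPLE_PACKETS, RATE_BYTES_PER_MS, BURST_BYTES))
    print("shaper released/dropped:  ", shape(SAMPLE_PACKETS, RATE_BYTES_PER_MS, BURST_BYTES, 1000))
```

On this load the policer lets the initial burst through and then forwards only every fifth packet, while the shaper delivers more of the offered traffic at the cost of up to a second of queueing before its buffer limit forces drops too; that trade between loss and latency is exactly why voice traffic is usually policed and bulk data shaped.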

Then came the things… the Internet of Things, that is. The success of networks in connecting people gave rise to the idea of connecting machines to machines (M2M) to enable many new use cases in home automation, healthcare, smart utilities, and manufacturing, to name a few. This, in turn, presented a new set of challenges pertaining to networking constrained devices (i.e., ones with limited CPU, memory, and power), ad hoc wireless, time-sensitive communication, edge computing, securing IoT endpoints, scaling M2M networks, and many others. While the industry has solved some of these challenges, many remain on the plates of current and future networking technologists and engineers.

Throughout this evolution, the complexity of networks continued to grow as IT added more and more mission-critical applications and services. Every emerging innovation in networking created new use cases that contributed to more significant network usage. The high-touch, command-line interface (CLI) oriented approach to network provisioning and troubleshooting could no longer achieve the scalability, agility, and availability demanded by networks. A paradigm shift in the approach to network operations and management was needed.

Cue the Controllers


Network management systems are not a new development in the history of networking. They have existed in some form or fashion since the early days. However, those management controls operated at the level of individual protocols, mechanisms, and configuration interfaces. This mode of operation was slowing innovation, increasing complexity, and inflating the operational costs of running networks. The demand for networks to meet business needs with agility led to the requirement for networks to be software-driven and thus programmable.

This change led to the notion of Software-Defined Networks (SDN). A core component of a Software-Defined Network is the controller platform: the management system that has a global view of the network and is responsible for automating network configuration, assurance, troubleshooting, and optimization functions. In a sense, the controller replaces the human operator as the brain managing the network. It enables centralized management and control, automation, and policy enforcement across network environments. Controllers have southbound APIs that relay information between the controller and individual network devices (such as switches, access points, routers, and firewalls) and northbound APIs that relay information between the controller and the applications and policy engines.

Controllers originally were physical appliances deployed on-premises with the rest of the network devices. But more recently, it is possible for the controller functions to be implemented in the Cloud. In this case, the network is referred to as a cloud-managed network. The choice of cloud-managed versus on-premises depends on several factors, including customer requirements and deployment constraints.

Figure 1: Modern Networking Stack

So now that we have a historical view of how networking has evolved over the years let’s turn to the modern networking stack.

From Silicon to the Cloud


The OSI and TCP/IP reference models only paint a partial picture of the modern networking stack. These models specify the logical functions of network devices but not the controllers. With networks becoming software-defined, the networking stack spans from silicon hardware to the cloud. So, building modern networking gear and solutions has become as much about low-level embedded systems engineering as it is about cloud-native application development.

First, let’s examine the layers of the stack that run on network devices. The functions of these layers can be broadly categorized into three planes: data plane, control plane, and management plane. The data plane is concerned with packet forwarding functions, flow control, quality of service (QoS), and access-control features. The control plane is responsible for discovering topology and capabilities, establishing forwarding paths, and reacting to failures. In comparison, the management plane focuses on functions that deal with device configuration, troubleshooting, reporting, fault management, and performance management.

Data Plane

Engineers focusing on the data plane work on or close to the hardware (e.g., ASIC or FPGA design, device drivers, or packet processing engine programming). One of the perennial focus areas in this layer of the stack is performance in the quest for faster-wired link speeds, higher wireless bandwidth, and wider channels. Another focus area is power optimization to achieve usage-proportional energy consumption for better sustainability. A third focus area is determinism in latency/jitter to handle time-sensitive and immersive (AR/VR/XR) applications.

Control Plane

Engineers working on the control plane are involved with designing and implementing networking protocols that handle topology and routing, multicast, OAM, control, endpoint mobility, and policy management, among other functions. Modern network operating systems involve embedded software application development on top of the Linux operating system. Key focus areas in this layer include scaling of algorithms; privacy and identity management; security features; network time distribution and synchronization; distributed mobility management; and lightweight protocols for IoT.

Management Plane

Engineers working on the management plane work with protocols for management information transfer, embedded database technologies, and API design. A key focus area in this layer is scaling the transfer of telemetry information that needs to be pushed from network devices to the controllers to enable better network assurance and closed-loop automation.

Understanding the Controller Software Stack


Next, we will look at the layers of the stack that run on network controllers. Those can be broadly categorized into four layers: the runtime environment layer, the control layer, the assurance layer, and the northbound API layer.

◉ The runtime environment layer is responsible for the lifecycle management of all the software services that run on the controller, including infrastructure services (such as persistent storage and container/VM networking) and application services that are logically part of the other three layers.
◉ The control layer handles the translation and validation of user intent and automatic implementation in the network to create the desired configuration state and enforce policies.
◉ The assurance layer constantly monitors the network state to ensure that the desired state is maintained and performs remedial action when necessary.
◉ The northbound API layer enables the extension of the controller and integration with applications such as trouble-ticketing systems and orchestration platforms.

State-of-the-art controllers are not implemented as monolithic applications. To provide the required flexibility to scale out with the size of the network, controllers are designed as cloud-native applications based on micro-services. As such, engineers who work on the runtime environment layer work on cloud runtime and orchestration solutions. Key focus areas here include all the tools needed for applications to run in a cloud-native environment, including:

◉ Storage that gives applications easy and fast access to data needed to run reliably,
◉ Container runtime, which executes application code,
◉ Networks over which containerized applications communicate,
◉ Orchestrators that manage the lifecycle of the micro-services.

Engineers working on the control layer are involved with high-level cloud-native application development that leverages open-source software and tools. Key focus areas at this layer include Artificial Intelligence (AI) and Natural Language Processing (NLP) to handle intent translation. Other critical focus areas include data modeling, policy rendering, plug-and-play discovery, software image management, inventory management, and automation. User interface design and data visualization (including 3D, AR, and VR) are also crucial.

Engineers developing capabilities for the assurance layer are also involved with high-level cloud-native application development. However, the focus here is more on AI capabilities, including Machine Learning (ML) and Machine Reasoning (MR), to automate the detection of issues and provide remediation. Another center of attention is data ingestion and processing pipelines, including complex event processing systems, to handle the large volumes of network telemetry.

Engineers working on the northbound API layer focus on designing scalable REST APIs that enable network controllers to be integrated with the ecosystem of IT systems and applications that use the network. This layer focuses on API security and scalability and on providing high-level abstractions that hide the complexities and inner workings of networking from applications.

It’s an Exciting Time to be in Network Engineering


As networking evolved over the years, so did the networking stack technologies. What started as a domain focused primarily on low-level embedded systems development has expanded over the years to encompass everything from low-level hardware design to high-level cloud-native application development and everything in between. It is an exciting time to be in the networking industry, connecting industries, enabling new applications, and helping people work together wherever they may be!

Source: cisco.com

Friday, 7 April 2023

Deploying the Wi-Fi Network at Cisco Live EMEA 2023


It is now the fourth time in a row that I have had the chance to be part of the Cisco NOC team for Cisco Live EMEA.

If we go even further back in time, I had the chance to go to Cisco Live for the Technical Design Clinics back in London and Berlin. The pressure was on the shoulders of the NOC team, who had to deliver a working Wi-Fi network with so many random client devices connected. I did not envy their position (although I admired it). I particularly remember a bug from smartphone vendors at Cisco Live London that was repeating the event SSID as a personal hotspot, causing a lot of trouble for other clients' connectivity. This was the year the CiscoLive SSID went from fully open to a pre-shared key SSID to prevent that type of problem.

At the end of 2017, the NOC team invited me to be part of the Wireless Controller team for Cisco Live Barcelona 2018. I accepted quickly, mostly for the sake of being part of the Cisco Live event, which I consider a privilege. I have discovered since then how setting up a large event network is such a unique endeavor, and I will try to give some insights into certain choices and decisions.

The Planning


Around summer the year before the event, the first meetings start. We set up a team and make sure we have the best people for the job at every position. This is the responsibility of Remco Kamerman, the Cisco Live NOC team lead and pretty much the only fixed team member since he recruits the rest of us. Some people from the software engineering teams, some salespeople, and some CX people (TAC, Customer Success, and Professional Services): team members are not picked for their job role but for their expertise. If you are one of the top people in your technology, chances are that you already know a good part of the NOC team for having worked with them throughout the year since they are the top people too.

Mapping Madness

We receive the venue plans and event blueprints early on but they keep changing until the very last day (less and less as time goes by of course). This is the challenge of the design folks in the team (Professional Services and System Engineers mostly) who have to do a wireless design mostly by looking at regularly changing plans. A few site visits were organized to get a feeling of the venue. I was there on the first day the building team started building for the event and can testify that the number of physical changes the venue goes through in just a couple of days is unthinkable if you are not used to such events.

Maps are an important part of managing a wireless network. We could leverage the interoperability between the venue maps on the RAI Prime Infrastructure appliance, the Cisco DNA Center we used for the event, and the Ekahau design software we used for the design. Maps were cross-imported between those 3 places so that we could have the proper maps for design and day-to-day management.

Keynote Design

A specific challenge was the keynote area, which consisted of 4500 chairs around a central stage in an empty hall. Fifty 9104 stadium antennas were used to provide coverage from the trusses. Mounting those APs/antennas required very close collaboration with the keynote area build team, as there are specific moments when the truss is down and accessible before it is brought up (after which you need a scissor lift to access it, which you want to avoid as much as possible for efficiency).

The Build Up


The majority of the NOC team consists of people actually physically building up the network. That requires deploying hundreds of switches throughout the venue and the cabling that goes with that without anything visible to the naked eye. It also requires deploying hundreds of wireless access points in various places. They can be on poles, walls, or ceilings, and mounting elegantly and efficiently becomes an art.

Figure 1: Mounting APs and antennas on the structure

Similar to the Fira Barcelona, we inherited around 400 Wi-Fi access points from the RAI Amsterdam venue. They were nice enough to let us control their access points for the duration of the event. This way, we don’t have to deal with two separate wireless networks. A good part of the venue APs were Cisco 9120s with directional antennas mounted on the very high ceiling (as well as some 9104s in one Hall) which are perfect for providing general coverage.

Indeed, the RAI hosts a lot of different shows that have nothing in common (Cisco Live was between a horse show and a pregnancy-related show), and their Wi-Fi network needs to stay stable between events. However, since we are Cisco and we are willing to deploy a network just for our own event, we could add access points at ground level, better oriented for specific applications (in general, the closer the AP is to the clients, the better, if you can afford it). We knew the high-density areas and the more complicated ground areas where additional coverage would be welcome, and that is what our design consisted of.

Figure 2: 9104 stadium antennas mounted on a truss that will go up in the Keynote area

Event Wi-Fi Choices


Historically, the main SSID is a WPA2 PSK SSID, and the organization prints the key on the event badge everyone wears. We added eduroam support so that our education customers have an SSID their device already knows and can connect to using their education credentials. We also added OpenRoaming, where your device automatically connects to the Wi-Fi as soon as you enter the venue if you already had an OpenRoaming profile installed on your device. If you didn't, you can install one from the CiscoLive event app. Personally, I installed an OpenRoaming profile on my iPhone after my local supermarket created a profile for me from their app. My phone automatically connected, in a secure and transparent manner, to the venue Wi-Fi as soon as I arrived, using the profile from my local supermarket, thanks to the RAI also having an OpenRoaming SSID even before Cisco arrived onsite.

We definitely wanted to keep the number of SSIDs offered as low as possible to avoid confusion and to keep the Wi-Fi network as efficient as possible, but the convenience (and the security!) of OpenRoaming and eduroam convinced us to offer those as extra services.

Wi-Fi 6E

This year, we wanted to offer 6 GHz Wi-Fi, as 6E is the newest, coolest thing. The difficulty is that providing this across the whole event would have meant purchasing hundreds of 9166 access points. This is not possible, as we prioritize customer deliveries for the first time on a new device. It would also have meant replacing all the venue APs, which is impractical for us. We therefore covered the entire Meeting Village hall with the 40 9166s we had. The challenge with this hybrid approach is that Wi-Fi 6E requires WPA3, and we did not want to make the main SSID WPA3 yet.

Even if the Cisco Live population is typically nerdy (it's a compliment nowadays, I think) and well equipped, you wouldn't believe some of the older devices that connect to the network, and WPA3 support is just not at 100% yet, we believe. We had to create a separate WPA3 SSID, which was broadcast on both 5 GHz and 6 GHz (6 GHz being only available in the Meeting Village) for compatibility reasons.

Legacy and “Bells and Whistles” SSIDs

As a general rule, it is good practice to have some kind of legacy SSID and some kind of higher-performing SSID with more bells and whistles. Some years ago, that meant we provided a Cisco Live Legacy SSID on 2.4 GHz, while 5 GHz carried the main and "cool" SSID.

In Cisco Live 2023, we completely gave up on 2.4 GHz, and the CiscoLive SSID was only available on 5 GHz. This meant the main CiscoLive SSID needed to have the most compatible settings to ensure all clients could connect, and that meant giving up on some great Cisco features (like Device Analytics) for the sake of maximum compatibility. I predict that very soon the WPA3/6 GHz SSID will become the main SSID and the 5 GHz-only/WPA2 SSID will be the legacy one. Maybe too early for that to happen next year, but why not 2025?
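The split described in the Wi-Fi 6E and legacy SSID sections above, shown as an added illustration rather than the NOC's own configuration: two Catalyst 9800 WLAN profiles, a WPA2-PSK main SSID restricted to 5 GHz and a separate WPA3-SAE SSID with PMF required on 5 GHz and 6 GHz. Profile names, WLAN IDs and keys are placeholders, and the `radio policy dot11 ...` and `sae pwe h2e` forms are assumed to follow IOS XE 17.7-and-later syntax.

```text
! Added example, not the Cisco Live NOC's actual configuration.
! Main SSID: WPA2-PSK, 5 GHz only (2.4 GHz disabled), most compatible settings.
wlan CiscoLive 1 CiscoLive
 no security wpa akm dot1x
 security wpa akm psk
 security wpa psk set-key ascii 0 REPLACE-WITH-BADGE-KEY
 radio policy dot11 5ghz
 no shutdown

! Wi-Fi 6E SSID: WPA3-SAE only (WPA2 disabled), PMF mandatory, hash-to-element
! (required on 6 GHz), broadcast on 5 GHz and 6 GHz. Only APs with a 6 GHz radio
! (the 9166s in the Meeting Village) will actually serve the 6 GHz band.
wlan CiscoLive-WPA3 2 CiscoLive-WPA3
 no security wpa wpa2
 no security wpa akm dot1x
 security wpa wpa3
 security wpa akm sae
 security wpa akm sae pwe h2e
 security wpa psk set-key ascii 0 REPLACE-WITH-WPA3-KEY
 security pmf mandatory
 radio policy dot11 5ghz
 radio policy dot11 6ghz
 no shutdown
```

Keeping WPA3 on its own SSID, as the text explains, avoids forcing PMF and SAE on older clients that cannot negotiate them, while still letting 6E-capable devices use the 6 GHz band.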

How the Event Went


Keynote and 6 GHz

The event went very well overall. During the keynote or the party, throughput tests returned surprisingly good results. We were really surprised by the 9104 antennas' well-defined coverage area, with very small leakage outside the coverage direction. This really helps with channel reuse in a large venue hall.

It was a good surprise to see more than 60% of the wireless clients using Wi-Fi 6. However, only a few dozen supported 6E. We expect a sharp increase by next year, but it will remain a minority of clients. There were a couple of 802.11n clients, but really not many.

The top simultaneous client count was around 13,500. It is slightly lower than at the last event in Barcelona. We expect the event to grow by next year, since this was the first one post-Covid.

Figure 3: Our custom telemetry graph

Hardware and Software Considerations

It was the first Cisco Live in EMEA that we ran 100% on the Catalyst 9800 and 100% on Cisco DNA Center. Indeed, in 2020 they were there, but we still had 8540 WLCs in the network. We ran the 17.9.2 CCO software and had only minor issues to report. As is becoming more and more commonplace, most of the time we spent troubleshooting was on interoperability issues with specific device types and features. Completely disabling 2.4 GHz was a great idea because we noticed increased usage of Bluetooth among the attendees, and the Wi-Fi network would have disturbed all those Bluetooth devices.

Not everything was perfect though; it can never be in such a large event with so many new technologies. But I'm glad we keep improving year after year. There are always areas of complaint when the client density is higher than what we anticipated: there were some very successful sessions in the DevNet theater or World of Solutions, and connectivity was subpar during those events. We'll make sure to come up with an improvement plan for next year to make that better.

Source: cisco.com