Wednesday, 23 January 2019

Cisco DNA Center Network Automation with Template Programmer API – Part 1

Using APIs to apply templates to network devices


Cisco DNA center provides Day0 to Day-N support for network device automation.

This blog looks at one aspect of automation, the template programmer. Specifically, it covers the API’s used to apply templates to network devices.

Network Automation, Developer, Cisco DNA, API, DevNet, Cisco Tutorial and Material, Cisco Certification

Template programmer uses the velocity templating language for templates. The templates are created via the template editor and are applied via the User Interface or programmatically via the API.

This initial blog is going to cover the basics of finding templates, getting a specific version and applying a template to a device. To better illustrate how the API calls can be used in a practical manner, I am going to use a small python script published on github.

I am going to use a common (practical example) template of changing the vlan assigned to an interface on a switch. The template will take two variables:

◈ An interface name (e.g. gig1/0/20)
◈ A vlan number (e.g. 20)

Interaction with PnP Day0


For those familiar with this blog series, I have covered day0 configuration with Network PnP and also some basic velocity examples.

Day-0 templates are applied only when the device first contacts the controller and is onboarded to the network. Depending on your operational model, the day0 configuration might be quite small (just enough to establish secure connectivity) and day-N templates are used to apply ongoing configuration changes.

Network Automation, Developer, Cisco DNA, API, DevNet, Cisco Tutorial and Material, Cisco Certification

Step 1 – Listing Templates


The first step is to find the templates available on the Cisco DNA Center.

If you downloaded the example script, you can just run it with no arguments to see a list of templates.

(in order to run this script you will need to either edit the dnac_config.py file, or set the appropriate environment variables to customize your DNA Center and loging credentials – as outlined in the README). The template of interest is called “Adam/int-vlan” .

The API call is shown below. When the script is run without any argumnets, it prints the names of all templates. The first part of the name is the template project. In this case “Adam”. A project is just a folder to group templates.

$ ./template.py
Available Templates:
https://dnac:443/dna/intent/api/v1/template-programmer/template
  Adam/acl
  Adam/binding
  Adam/int-vlan
  Adam/interface-des
  DB/prefix
  Onboarding Configuration/9300
  Onboarding Configuration/advanced
  Onboarding Configuration/basic
  Onboarding Configuration/encs-9k
  Production/base
  Production/comp1
  Production/interfaces

Step 2– Getting the latest version


To get more details on a particular template, the script can be run with the –template <template-name> option. The latest version of the template (Version: 10) is selected.

The TemplateId is then used to return the body of this version of the template.

The body is quite simple, applying an access vlan to the given switch port. This is shown in green.

The script also requires two parameters ({“vlan”:””,”interface”:””})

$ ./template.py --template Adam/int-vlan
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"vlan":"","interface":""}

Bindings []

Step 3– Applying the template


The script can be executed with a device (ip address) and params provided. Note the params are in single quote to avoid shell issues.

$ /template.py --template Adam/int-vlan --device 10.10.50.2 --params '{"vlan":"20","interface":"gig1/0/20"}'
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"interface":"","vlan":""}

Bindings []

Up to this point, the output is the same as before. The payload for applying the template is below. Some notes:

◈ The targetInfo can be a list, which means multiple devices can be provisioned at the same time.
◈ Each target has its own set of parameters.
◈ The target device can be specified in multiple ways. In this example “MANAGED_DEVICE_IP” is the type, and the IP of the device is 10,.10.50.2. UUID is also supported.
◈ The templateId is also required.

{'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'},
                'type': 'MANAGED_DEVICE_IP',
                'id': '10.10.50.2'}],
'forcePushTemplate': False,
'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}

The POST call to https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy returns a task, which contains a deploymentId which needs to be polled for completion.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2]Template Deployemnt Id: 41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'endTime': u'', u'startTime': u''}

The deploymentId status needs to be polled until the deployment is competed.

waiting for deploymentId 41ac69b9-8f2b-43a5-bb4b-622936f0f244
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'INIT', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'IN_PROGRESS', u'name': u'', u'detailedStatusMessage': None, u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 0 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'', u'templateVersion': u'11'}
Task=41ac69b9-8f2b-43a5-bb4b-622936f0f244 has not completed yet. Sleeping 2 seconds...
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'SUCCESS', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'SUCCESS', u'name': u'', u'detailedStatusMessage': u'Provisioning success for template int-vlan', u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 2 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'04:33:57 15/01/2019', u'templateVersion': u'11'}

Once completed, the status is displayed. The status (SUCCESS/FAIL), time taken, template name, version and deviceId are all shown.

Response:
{
  "status": "SUCCESS",
  "templateName": "int-vlan",
  "projectName": "Adam",
  "devices": [
    {
      "status": "SUCCESS",
      "name": "",
      "detailedStatusMessage": "Provisioning success for template int-vlan",
      "deviceId": "e05075e8-eb5b-42f5-9f60-d56380702655",
      "startTime": "04:33:56 15/01/2019",
      "duration": "0 minutes 2 seconds",
      "endTime": "",
      "ipAddress": "e05075e8-eb5b-42f5-9f60-d56380702655"
    }
  ],
  "deploymentId": "41ac69b9-8f2b-43a5-bb4b-622936f0f244",
  "startTime": "",
  "duration": "0 seconds",
  "endTime": "04:33:57 15/01/2019",
  "templateVersion": "11"
}

The interface Gig1/0/20 on the switch has successfully been provisioned into vlan 20.

Tips and Traps


One of the most obvious issues when testing is an error message related to “deployed with same params”, an example appears below.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2],Template int-vlan:11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: 11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying

By default Cisco DNA Center will not deploy the same template, with the same parameters twice (if the first attempt was successful). There are times where you may want to change this behaviour. The –force option can be used to set the ‘forcePushTemplate’: False, option to True.
One other thing you may find confusing is the following message.

Executing template on:10.10.50.20, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.20'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying

At first glance, you might think the device type of the template does not match that of the device. This could be true however, somewhat confusingly, it could also be the device IP address cannot be found on the controller. Be careful with devices that have multiple IP addresses, make sure you use the same IP as the controller used to discover and manage the device. In this case 10.10.50.20 is not a valid device in the controller inventory. 10.10.50.2 was used in the earlier examples.

The final thing to be careful of is some parameters might be “typed”. For example, I could have type “int” for vlan in this example (rather than a string). Make sure the payload reflects that.

Sunday, 20 January 2019

Performance, Scale, and Flexibility for Accelerating AI / ML

A famous line: “I feel the need–the need for speed!” When I talk to data scientists, they often express the same sentiment. Charged with the responsibility of mining value out of numerous data sources, they often feel that they need ever more speed to do their jobs quickly. To support the data scientists, IT teams are always looking for performance, scale, and flexibility. Clearly, the need for accelerating artificial intelligence and machine learning performance is critical to enterprise’s success.

Performance


In anticipation of Cisco Live Barcelona, I am excited to share some of the recent development on the UCS team to help customers to accelerate AI/ML deployment.

First, Cisco has published the performance characteristics of the UCS C480 ML. With 8 x NVIDIA V100 Tesla GPUs, this server is optimized for deep learning workloads as demonstrated with the various popular convolutional neural networks for image classification.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
C480 ML TensorFlow Training Performance

Scale


While the performance of a single server is important, customers are demanding that a cluster of servers to scale to increasing demands. At Cisco Live Barcelona, we are looking forward to show 2 demos.

NGC on Hortonworks 3

Many customers already have a big data lake, and almost everyone is looking to mine additional value out of the data. With Hortonworks 3, the Hadoop cluster is able to support containers running on CPUs and GPUs. This unified cluster architecture enables customers to do traditional data extract, transform, and load (ETL) before feeding the data to a deep learning algorithm. Since Cisco announced intent to support NVIDIA NGC-Ready program, which provides GPU enabled software containers, Cisco Live Barcelona will be the first time where Cisco demonstrate NGC containers running on UCS, in this case, as part of the Hortonworks cluster. In short, the Hortonworks Hadoop cluster is able to support the complete data pipeline.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
NGC on Hortonworks 3

NGC on Red Hat OpenShift

While some customers prefer Hadoop as the clustering tool, others are choosing Red Hat OpenShift as the Kubernetes container orchestrator with enterprise support. In Barcelona, we will also show NGC running on OpenShift enabling support for multiple data scientists with both interactive and batch workloads.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
NGC on Red Hat OpenShift

Flexibility


Kubeflow Pipelines

While many customers have the bulk of their data on-premise, some data scientists would like to do machine learning experiments in the cloud. In November, 2018, Google announced Kubeflow Pipelines. At Cisco Live Barcelona, in partnership with Google, Cisco will demonstrate Kubeflow Pipelines running on both Google Cloud and UCS enabling a true hybrid cloud experience.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Inferencing on Hyperflex 4.0

Inferencing is also a critical part of machine learning. At Barcelona, we are also showcasing HyperFlex 4.0 as a edge computing system in a retail environment where video streams can be used for customer sentiment analysis.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
HyperFlex 4.0 for Inferencing on the Edge

Cisco Live Barcelona 2019


I can’t wait to share with all of you the UCS solutions that can accelerate artificial intelligence and machine learning adoption. With the raw performance of the UCS C480 ML, scale with Hortonworks 3 and Red Hat OpenShift, and flexibility with Kubeflow and inferencing on HyperFlex 4.0, I am looking forward to help our customers to make a genuine difference with the business problems.

Friday, 18 January 2019

Forrester’s Zero Trust or Gartner’s Lean Trust?

Zero trust is misnamed


There’s been many management approaches that include the “Zero” term. In shipping, there was “Zero Inventory”. In manufacturing, there was “Zero Defects”. In environmental planning, there’s “Zero Waste”. So, it’s not surprising that the security industry has adopted “Zero Trust” or its “Zero Trust Networking” (ZTN) and “Zero Trust eXtended” (ZTX) variants as it’s buzzword. I bet you will see this term plastered on vendors booths at RSA Conference this year. But without trust, how would your digital business get things done? Gartner’s Neil MacDonald makes the argument that “zero trust is misnamed” in his latest report, “Zero Trust Is an Initial Step on the Roadmap to CARTA”. Whether it’s Forrester ZTX or Gartner CARTA, both approaches allow businesses to operate in a risk-appropriate manner by enabling better access security decisions.

Use cases that matter


Before we jump into any comparisons, let’s explore some use cases to illustrate why it matters to your business. One example is your CEO accessing Microsoft Office 365—maybe even with her unmanaged iPhone. How do you know that she didn’t get phished and an attacker is logging in with her stolen credentials? Is her device’s screen-lock turned on, OS and browser up to date, and not jailbroken? Another example is your HVAC system accessing the campus network. Were you aware that the OT team installed this without telling IT? Do you know if it meets your IoT requirements or if it’s communicating with things it should not? And don’t forget about your in-house app with containerized workloads accessing each other across a hybrid cloud data center infrastructure. Did your DevOps team document how it’s supposed to communicate or how its services stay up to date? Unlikely, so how do you learn this as it changes over time? It’s now harder than ever for IT teams to enforce access decisions everywhere. But is the answer just denying your CEO, HVAC and app from working? Of course not. Yet “Zero Trust” essentially says to begin with an initial security posture that has no implicit trust between different entities, aka. default deny. If you’re a CISO, does zero trust clearly explain to other business execs why new security investments are needed?

Shift to lean trust


Zero trust also says to “always verify”. So, we could verify the CEO’s identity. And we could assess her iPhone’s hygiene. Or we could check the compliance of the HVAC system’s profile. And we could baseline workloads’ communication behaviors. One could say that these verifications and assessments are rebuilding trust at a higher level of the IT stack. Not based on network IPs, but establishing user-device, IoT or workload trust. So, it does seem like “zero trust” is a misnamed term. Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) framework argues that the goal is “lean trust”. MacDonald says to better enable new digital business, cloud and mobile initiatives that we need to continuously assess the combination of risk and trust throughout the duration of a network interaction and beyond the network to all infosec processes.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Be practical


Whether you tell your boardroom that you’re going to adopt zero trust or lean trust, you need to decide how and where to start your multi-year journey. Forrester’s Zero Trust eXtended concept includes every security technology—those designed to eliminate or establish trust as well as those to prevent or detect threats. So, it opens the flood gates to dozens of vendors positioning nearly every product to help you adopt zero trust. Cisco agrees that zero trust is a useful security concept but extending it to all aspects of security makes adopting the approach less practical and prescriptive. MacDonald instead recommends starting two specific projects in 2019—one granting more access protection for users and devices and another delivering more attack protection for workloads and apps. These projects are known as software-defined perimeters to let the good guys in and microsegmentation to keep the bad guys out, respectively.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Maintain balance


In the CARTA framework, MacDonald splits his “Adaptive Security Architecture” (circa 2014) into two balanced access and attack protection approaches with four stages each. This aligns more closely with how Cisco recommends that customers complement the threat-centric security solutions (already deployed or being considered), such as NGFW and SIG, with newer trust-centric security solutions, such as MFA and SDP (see acronym definitions below). Across Cisco’s portfolio, we feel it’s more practical and prescriptive to focus on the subset of services and products that align to the app and network access-focused tenets of CARTA or Zero Trust. We call these trust-centric solutions Cisco Trusted Access. And Cisco is adding continuous verification capabilities across this portfolio to establish a CARTA-inspired “lean trust” level for users and their devices, headless IoT devices, and app workloads. Cisco’s integrated portfolio will ensure that dynamic context gained from your threat-centric solutions adapt trusted access based on your risk tolerance levels. Thereby, eliminating silos across your multi-domain security policy.

Wednesday, 16 January 2019

The Next Netflix of the SD-WAN Blockbuster: Cisco SD-WAN Security

Much like Blockbuster Video, who paid a final late fee, most SD-WAN vendors will soon pay for ignoring the market’s demand for security integrated within their SD-WAN appliances.

The video rental business was a thriving industry in the early 80s and Blockbuster Video was its undisputed leader. Through years of high-resolution technology innovations, Blockbuster Video kept pace with market demands, upgrading its inventories from the early VHS videos to DVDs and ultimately to Blu-rays. Modernizations on its content delivery process, on the other hand, was a bust. Customers had to visit a video store to rent a movie and return it before a certain deadline. Many factors like an uncomfortable rental process, late fees, limited rentals times, too few copies of new releases per stores, and the occasional bad quality of the rented movies all contributed to customers searching for a better solution.

Fast forward to the present and the complex process and experiences that customers are going through with securing their SD-WAN solutions are very similar to the Blockbuster Video rental process. Over the past few years, there has been an increased interest within enterprise organizations in migrating from traditional WAN to software-defined WAN (SD-WAN). A significant appeal of SD-WAN, for many organizations, is the ability to establish a direct branch-to-cloud and branch-to-Internet connectivity. The direct internet access (DIA) from branches, using less-expensive broadband services, requires deploying strong security at each branch.

Adding Up the Costs


It was estimated that late fees contributed to a substantial amount of Blockbuster’s yearly revenues.  In fact, in 2000 they earned over $800M, or roughly 16% of their revenue, out of late fees alone. Like Blockbuster’s late fees which could have added up to several times of the rental price, a common two-box set for connectivity and security in most of today’s SD-WAN solutions makes the overall platform more expensive to implement and maintain.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material
But why a two-box solution?

SD-WAN’s direct internet access exposes branches to the outside world’s threats and risks. As more sophisticated threats are emerging from the application level (layer-7), customers are looking for defenses against these advanced threats at layer-7 plus better visibility and control. The majority of current SD-WAN vendors are not inherently built to provide such a granular security and are forced to use an additional security device for their branch connectivity.

Adding the costs of an extra security appliance, its license fee and support, its management tool, and the expertise to install and manage it could easily surpass the forecasted operational expenses.

End-Users’ Experience


Blockbuster’s movie renting process was lengthy and cumbersome for everyone. Customers had to physically go to the store, find a movie, rent a movie, and then return the movie back to the store within a small-time frame. Depending to the location of a video store, just renting a movie could have taken hours instead of minutes. What an inferior content delivery process compared to the modern online rental process that takes just a few clicks!

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material
Similar to the agility of a modern movie streaming experience, distributed organizations using SD-WAN solutions have the dexterity to open two or more new offshore sales offices or store branches in no time. It’s vital for IT teams to deploy, provision, and dynamically scale new branches from any location without requiring physical presence in every location. However, remotely deploying a two-box solution does not seem to be a straight forward and easy task.  The configuration and deployment of additional infrastructure using separate management tools could easily turn the provisioning process from a zero-touch into a many-touch one.

Almost every article written about SD-WAN solution benefits, one way or another, talks about delivering the best user experience. However, many of the considerations focus on the networking side to provide the best application quality of experience for end users. A subject that often gets ignored is the customer experience associated with the complexity of deploying, managing, and monitoring the additional security box at the branch with an SD-WAN solution. Integration of multiple boxes at a branch makes the deployment process complex and lengthy and the overall manageability difficult and costly.

Cisco SD-WAN Security: The Next Netflix


Cisco is taking a new leadership position in SD-WAN solutions by integrating enterprise firewall, intrusion prevention, and URL filtering capabilities directly into its SD-WAN appliance. By integrating WAN router connectivity and security capabilities into a single box, the overall complexity associated with deployment can be eliminated and its manageability made easier.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

This innovative and unified solution uses Cisco Talos – the industry-leading threat intelligence group – for its threat prevention and provides faster security deployment with Cisco Umbrella’s cloud security service in order to protect connections to the cloud. And secure access to every application by verifying users’ identities, checking devices’ hygiene, and enforcing adaptive multi-factor authentication policies via Duo Security (recently acquired).

It’s time to get rid of the old SD-WAN “VCR” box and embrace the future with Cisco SD-WAN security “streaming” box.

Sunday, 13 January 2019

Discover Meraki APIs for Location Analytics, Cameras, and Network Health

Meraki wireless networks and security cameras are deployed in large numbers of retail outlets, hotels, campuses, and enterprises. Meraki wireless networks connect many business-critical devices, including Point-of-Sales devices, and provide internet connectivity to visiting customers. The Meraki camera provides reliable security with local and remote live viewing capabilities from Meraki cloud hosted dashboard. Both are very easy to deploy, configure, and manage via a centralized cloud management dashboard.

Meraki wireless access points and security cameras, beyond their basic functionalities, also provide valuable insight into foot traffic and behavior patterns of users. Meraki Access point collects user location information from nearby smart devices, enabling location-based analytics.

Meraki camera utilizes a powerful onboard processor to analyze video and provides valuable foot traffic insights by detecting persons using computer vision. Location insights provided by these Meraki devices enables businesses to provide better customer engagements, increase retail store traffic, and drive revenue. Meraki network location analytics and camera analytics are exposed to business owners via an easy to use Meraki dashboard.

As Meraki wireless network is enabling core business capabilities, monitoring of network health and maintaining low network latency becomes very critical to the operations team. Meraki Wireless Health features simplifies monitoring and root cause analysis of issues for all connected clients from the Meraki health dashboard. The dashboard provides a snapshot view for 1 hour, 12 hours, 1 day, and 1-week durations, along with various drill down capabilities to help identify issues.

Rich APIs for location analytics, health, and camera


Meraki pre-built dashboards for location analytics, camera analytics, and health monitoring are very useful and sufficient for many organizations. But some organizations have more advance use cases and want to retain granular data for longer periods of time. Historical data from Meraki, when combined with other business related data like Point-of-Sale, can provide very useful business insights. To enable these advanced use cases Meraki also supports rich APIs for location analytics, health, and camera analytics. These data sets can help business solve complex use-cases like:

◈ How much do foot traffic and sales increase during promotions?
◈ What is typical queue size on cash registers during specific hours of day?
◈ How many devices successfully connected (or failed to connect) to the network in specific locations throughout the business?

Merakibeat Plugin collects data from the Meraki API and stores it in an analytics database


The DevNet and Meraki teams worked together to create the Merakibeat plugin, data pipeline, and reporting dashboard based on open source technologies like Elastic Beats, Elasticsearch, and Kibana. The Merakibeat plugin enables consumption of data from Meraki wireless health, location analytics, and camera API, and stores this data in an analytics database like Elasticsearch.

Key open source components for data pipeline include:

◈ Elastic Beats is an open source platform for data shipper. The lightweight beats agent sends metrics to Elasticsearch. Beats is very flexible framework that supports pluggable input-output plugins.
◈ Merakibeat is a DevNet community contributed input plugin that can write data to any of the Beats supported output data sources like Elasticsearch, Kafka, MongoDB, Redis etc.
◈ Elasticsearch is an analytics data store that saves historical data for further analysis and reporting.
◈ Kibana is a visualization tool for Elasticsearch, that enables creating custom reports and dashboards.
◈ Business metrics, like point-of-sale data, can also be ingested into the same analytics datastore to enable data analysis of business metrics, network health, and location analytics.

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Merakibeat data analytics pipeline

The DevNet team, working with Meraki engineers, developed a custom Beats plugin and reference data pipeline for Meraki APIs. This Merakibeat plugin has three sub modules –

◈ Meraki Health API module polls health APIs at configured intervals and fetches connection and latency status at network, device, and client levels. Polling interval and metrics to be collected can be configured using a config file.
◈ Location analytics scanning API supports pushing location analytics metrics to registered endpoints. The Merakibeat plugin starts a listener that accepts scanning data posted on a callback hook. The user needs to expose scanner data endpoint on external network and register callback endpoint in Meraki dashboard.
◈ Camera API: The Merakibeat camera module polls camera APIs at configured intervals and fetches average count of user presence and entrances in specific camera zones or full camera view.

Kibana is configured as a visualization tool for Elasticsearch, and we created a custom dashboard for wireless health status reporting. The dashboard shows different charts, like average success/failure ratios and network latencies. These charts can be viewed for various time duration (like 1day, 1week, 1month etc.) or specific date/time ranges. The Merakibeat GitHub repo also includes pre-created dashboards for Kibana that can be easily customized for user’s requirements.

To ease deployment, we bundled all components of the pipeline as Docker images, and created a Docker compose project that allows you to bring up a complete pipeline in a single command.

Merakibeat trial deployments


With one of our retail customers we deployed a trial version of Merakibeat, configured to collect wireless health and location analytics data. We also collected daily sales data from the retailer’s point-of-sale system. That enabled analyzing network health, active connections, and foot traffic with daily sales at the retail store. After collecting data for a couple of weeks we are able to create a dashboard in Kibana that helped the customer to analyze the following:

◈ Average number of customers visited per day
◈ Peak hours when customer visited retail area
◈ Correlation chart between customer count and sales revenue
◈ Percentage/count of customer devices that failed or succeed to connect wireless network

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Retail dashboard, store traffic, and network health metrics overlaid with Point Of Sales data

With the Cisco Merchandise Store in San Jose we deployed Merakibeat trial version configured to collect Meraki camera analytics data. After collecting data for more than a week we created a custom dashboard and alerting solution to support the following use cases:

◈ Overall customer store visits
◈ Customers queue size at cash register
◈ Number of customers visiting specific areas in store (e.g., apparel, gadgets, greeting cards, etc.)
◈ Alerts to staff via Webex Teams if a suspicious person is detected in off-hours, or queue size is greater than an established threshold

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Retail store dashboard, camera API based traffic pattern in zone of interest

The Merakibeat plugin source is available on DevNet Code Exchange, and is also contributed to the Elastic Beats community

With the Merakibeat plugin project we have not only enabled specific use-cases but created a reference data pipeline to enable correlating business metrics with various Meraki API provided data. We are looking forward to see interesting analytics and reporting use cases that users will create based on data collected and made available by Merakibeat plugin.

Friday, 11 January 2019

Localization: 6 tips for success

Software localization is often an afterthought instead of being embedded into projects from the start. In 2017, we started a localization project for the software-fulfillment process in our Tokyo office. The regional team had approached us because partners and end customers were having a “broken” user experience—from commerce applications to fulfillment process—because some applications were in Japanese, others in English.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

In 2014, we had launched a corporate extended relationship management (xRM) project, which included localizing major partner and customer-facing applications. The project had a multi-language data foundation. However, constant updates to the software and newer projects were causing us to fall behind. In addition, we faced challenges in getting partners to align with our software subscription business strategy mainly for a localized user experience. For most projects, localization support was added long after the release of the application or new capability.

Since the Tokyo project, we’ve brought localization into the initial phase of software development. Here are the six guidelines we follow.

1. Define success


The time and resources spent on localization can be hard to justify in quantitative terms because outcomes can be subjective and difficult to evaluate. For the Tokyo project, we measured success based on:

◈ Establishing strategic self-sufficiency by addressing/removing customized localization work-arounds by various users.
◈ Providing a smooth user experience between commerce and fulfillment applications.
◈ Storing consistent user language preferences and sharing user language preferences across applications.
◈ Making it as easy to add a new language during software product planning as adding a new user story.
◈ Accelerating go-to-market.
◈ Giving us a competitive advantage in international markets.


2. Realize that localization is foundation work, not an add-on



Our original localization initiative tried to address the problem after new applications and features were released. Our analysis of the software-fulfillment process in Tokyo showed that this approach led to production stoppage, re-engineering, and increased resource requirements to identify customer impacts and application dependencies. Thinking about localization from the initial phase of software development avoids these risks. To achieve this, we re-engineered the architecture to be ready for internationalization. According to Wikipedia, internationalization (i18N) is the process of designing a software application so that it can be adapted to various languages and regions without engineering changes. Localization (l10N) is the process of adapting internationalized software for a specific region or language by translating text and adding locale-specific components.

3. Know the stakeholders and key partners


Assessing localization requirements requires an understanding of all stakeholder groups, which often have a wide variety of backgrounds. Regional teams drove the discussion, but the Cisco IT architecture framework team was also involved because they owned the application platforms. There were many stakeholders like Japan sales operations, Japan strategy & planning, corporate business team, corporate IT team, global translation services team, and the architecture framework team. To achieve our localization goals within the target timeframe, we took the following steps:

◈ Aligned the business outcomes with the country’s go-to-market strategy
◈ Established a partnership with the architecture framework team to enable scalable internationalization
◈ Scheduled regular team meetings to enable dynamic collaboration across all functional teams responsible for software business adoption
◈ Implemented a phased approach to localization, starting with the highest-priority applications


4. Obtain buy-in from key stakeholders



The localization process is complex and requires commitments from business leaders as well as engineers. To obtain these commitments, we:

◈ Established dynamic teams, consisting of members from across the globe including various stakeholders who could participate in reviews and take necessary actions.
◈ Educated upper management about the importance of dynamic team sync up meetings on a regular basis.
◈ Assigned dedicated teams to re-engineer the architecture to be internationalization (i18N) ready.
◈ Encouraged dynamic team collaboration by scheduling regular meetings at times that worked for team members in different time zones.
◈ Analyzed application dependencies during the project to ensure smooth project sign-off to avoid release time surprises and re-work.


5. Know the difference between machine translation and localization



Localization is more than simply translating existing web properties. More broadly, it’s adapting content and applications for regional or local consumption. This sometimes requires modifying the flow of the user interface or requires changes to the source language (English for instance) itself and other site elements to match the user’s cultural expectations.

To ensure the quality of localization, we:

◈ Aligned the user interface to follow same user preferences across different user applications
◈ Localized every possible user interface flow
◈ Asked linguists to review application screens
◈ Utilized appropriate change management to review with teams so that no gaps arise when changing the user interface in one language, impacting the core (English) user interface flow and vice versa.


6. Speak directly to the customers in a language they understand



This guideline applies whether you’re building a website, customer application, or partner application. In a Harvard Business Review study, 72% of consumers said they’d be more likely to buy a product that’s in their own language and 56% said this was more important than price.

Progress to-date

Globalization and internationalization are becoming a standard for every Cisco IT project (Figure 1). Once the projects get realized, if the project has gone through localization, it can increase the business opportunities among international customers. The data gathered with a localized user interface can give clear visibility for data analysis.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
Figure 1

We are working to make localization a business priority in other regions. To support that effort, we are building a strategic and holistic operating model and framework for localization across products, IT platforms, technical support documents, and channel programs portfolio

Wednesday, 9 January 2019

Planning Your Cloud Communications Migration: Connectivity And Network Service Options

Layer 1 and 2 Access Connectivity Type


In the ISO (International Standards Organization) data connectivity model, Layer 1 and 2 represent the physical and data layers. The most common Layer 1 physical connectivity are copper, fiber, and radio frequencies. This layer includes both the wiring and switching equipment. Layer 2 data connectivity protocols include things such as Ethernet, PPP, and ATM. Using these layers help to understand how quality internet services are constructed. Like a building, the integrity of the foundation is critical for the overall quality of the final structure. Trying to deliver high quality internet services on poor quality wiring is both challenging and not recommended.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

In this next section, we will do a quick review of access types and their suitability for IP-based business communications. This is not intended as a technical overview of access types but instead provides guidance for IT and procurement managers for their migration planning process. Key access types we will discuss are DSL, T1 / PRI, Coax, Ethernet over Copper, and Fiber-based access.

DSL and DSL Variants:

DSL or digital subscriber line is a family of technologies designed to deliver internet services over telephone lines. DSL variants include “asynchronous” ADSL, “synchronous” SDSL, and higher speed technologies such as “very-high-bit-rate” VDSL and “G.fast.” Although DSL technologies continue to advance and produce higher and higher theoretical speeds (even up to 1Gb/s), these technologies are dogged by the quality problems with the underlying twisted-pair phone lines on which they are built. In addition, DSL service performance is sensitive to the distance from the central office (CO). This combination of challenges brings variability to the performance of what planners can expect for specific target sites. For these reasons, DSL should largely be avoided for access connectivity planning and only be considered in limited circumstances. One of the circumstances to consider DSL is when its access capacity can be bonded with another access circuit through advanced network service such as SD-WAN. We will discuss SD-WAN in the next section and will refer back to this scenario.

T1 (DS1) / T3 (DS3) Variants:

T1 or the T-carrier family of access connectivity services is built on a four wire transmission circuit. Originally developed at Bell Labs in the 60s, this family of services is built on the aggregation of “DS0” 64Kb/s channels. Typically delivered by telecom operators, offers in this class provide symmetrical internet service and speeds of 1.544 Mb/s (T1), 2.048Mb/s (E1), and up to 45 Mb/s (T3/DS3). These services are highly reliable and served as the primary method of “last mile” internet connectivity for most businesses in the late 90s and 2000s. While the T-carrier family is largely considered a legacy access methodology, there could be instances where businesses might consider some higher capacity variants, especially from a fractional T3 or above and where more modern managed Ethernet or fiber-based services are not available. Some CSPs that still sell T3 access circuits may offer these at substantial discounts.

Coax:

This class of internet services are typically delivered by cable MSOs and lead with a coaxial copper cable for the Layer 1 physical delivery of internet service. Most cable networks are actually now engineered as hybrid fiber coaxial (HFC) with much of the regional internet traffic distributed over new fiber plant. Coaxial connectivity provides last mile connections to homes and businesses. Coax-based internet services from most Cable MSOs are offered at attractive prices and provide high bandwidth, with speeds starting in many cases at 100 Mb/s. Speeds are typically asymmetrical with higher download than upload. For communications services planning, IT managers should focus on upload speeds. Most business packages start at 10 Mb/s, enough to support a large number of IP voice channels and enough for limited HD video channels. Many coax-based services from cable MSOs are delivered as a “shared service” where all the users from a single street, neighborhood, or a strip mall may share a single pool of bandwidth. While shared services should be a concern for IT planners, consider that cable MSOs use the DOCSIS protocol to reserve bandwidth for high priority media traffic. DOCSIS is only offered on the cable MSOs’ own services and not for OTT-based services. For OTT services, IT planners should consider adding healthy buffers and/or overhead to their estimated bandwidth demands. Or, if they are engaging with a cable MSO for business internet, they should inquire about fiber and DIA-based solutions.

Carrier Ethernet (over copper):

Ethernet dominates enterprise and business networks. Ethernet has grown into this position with its ease of deployment, self-configuration, and excellent price per bit and price per port. The primary limitation for Ethernet, especially over copper, is on transmission distance. For this reason Ethernet is used for most in-building and small campus links but not used for access networks that may extend thousands of feet to several miles. Vendor innovation has extended the range of Ethernet services. These innovations have enabled CSPs to offer access Ethernet services with symmetrical speeds and high quality of service. Speeds are still dependent on the distance from the CO. In most cases, speeds available are well-understood by CSPs and can be easily provided and quoted based on site address. Carrier Ethernet services are considered a state-of-the-art offer from CSPs and provide an excellent platform for cloud-based IP communications services. Service pricing will depend on geography and local competitive alternatives.

Fiber-Based Services:

Just as much Ethernet over copper is an attractive option for business IP communications, Ethernet over fiber is even more attractive. Fiber provides far greater resistance to the signal degradation that occurs when some protocols are transmitted over copper. Requesting fiber-based access for a site is often prohibitively expensive. It is for this reason that most businesses should initiate their cloud migration plan for “what is available” from current providers at particular sites. As we’ve mentioned previously in this post, fiber-based connectivity is now available at more than 50% of business sites across the US. The main question facing planners is exactly what kind of premium the business needs to pay for securing fiber-based connectivity. In addition, IT planners should be prepared to layer service assurance and network services to provide QoS for voice and video connectivity. Though fiber offers an excellent transmission medium, it can still experience contention where fiber links are stressed with lots of demanding traffic such as HD video.

Network Services to Support Access Layer Service Quality


After physical connectivity above (fiber, copper, etc.), QoS of packets and traffic flow is managed through a variety of standards and protocols. There are benefits and drawbacks to most management approaches. In most cases, businesses prefer to apply some type of bandwidth reservation for real-time media such as voice and video traffic. A basic summary of traffic demands of various communications and data traffic is provided below and can help to show the sensitivity of traffic.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 5: Representation of Traffic QoS Demands by Jason D. Hintersteiner, CWNE #171

DOCSIS:

Cable MSOs use DOCSIS, “data over cable service interface specification,” to deliver IP broadband service over their hybrid fiber-coaxial (HFC) infrastructure. Within the DOCSIS standards are methods for delivering a higher class of service for specific types of traffic, specifically real-time protocol (RTP) used for IP-based voice and some video communications traffic. Priority service is achieved using unsolicited grant synchronization (UGS), which provides an immediate grant of bandwidth access from the cable modem termination system (CMTS).

MPLS:

One of the most mature and proven methods for assuring call quality, MPLS or “multi-packet label switching,” provides a virtual tunnel across the CSPs access connection to assure transmission quality across potential points of traffic contention. Considered one of the most trusted and preferred methods for assuring resilience, MPLS is considered relatively costly and may not be available across all geos. The price of MPLS has represented a barrier for some planners who might be looking at cloud migration strictly on a cost comparison basis – where MPLS port charges eat away many of the savings of PBX maintenance and TDM access trunk charges.

While MPLS port charges have been coming down in recent years, and in some geographies at a compound rate of 10+% / year, reliance on MPLS alone for access connectivity assurance is proving challenging for both CSPs and IT planners. For the economics and flexibility needed to plan a multi-site and phased migration approach, IT planners should look to a mix of MPLS and other access methods.

SD-WAN:

Perhaps the most exciting innovation in access networking and WAN services has been the innovations around SD-WAN (SD = Software Defined). In fact, Frost & Sullivan recently revealed that 94% of businesses have deployed, are deploying, or will deploy an SD-WAN service in the next two years. A key benefit of SD-WAN is that it uses multiple paths for traffic to traverse a network. SD-WAN can improve service resilience across existing access circuits (by running several parallel traffics streams) or can improve resilience by running parallel traffic streams across multiple access circuits.

In the case of overlaying multiple circuits, consider a scenario where a particular business’s site may only have IP access via DSL and a shared cable broadband service. While either service might not provide the needed resilience for the business’s traffic demands, an SD-WAN service across a combination of both the DSL and cable circuits could offer the needed performance to deploy high quality hosted communications. From an economics standpoint, the combination of DSL and cable broadband circuits plus SD-WAN services would be very cost-effective.

Note that some SD-WAN resilience measures can add overhead traffic to voice and video media. Overhead can come in the form of multiple media streams and from the increased size of some packet headers. IT managers should work with their SD-WAN and CSPs to correctly size access circuits with these overhead factors in consideration.

All in all, SD-WAN offers a lot of benefits and should certainly be seriously evaluated as a part of IP access services for cloud-based communications. Consider the 2018 report by Transparency Market Research. They forecast that the global SD-WAN market will expand at a 51.4% CAGR between 2017 and 2025 and be worth US $34.35 billion.