Wednesday 22 May 2019

How to Get On the Road to Cloud Calling Success

A Road to Somewhere


Taking your business to a cloud calling model can sometimes feel like starting out on a long, cross-country drive without a map, a clear destination, or a timeline. There are so many options that it is hard to navigate. That’s why many businesses get lost along the way and lose heart.


It doesn’t have to be that way. Getting your business to a bright cloud communications and collaboration future can be a much more predictable and enjoyable experience.

Elevation Gain


The move to the cloud is picking up pace. Market statistics show global annual growth rates in the 15-20% range, with even higher growth as you move into market segments above 100 users. Leading analysts are predicting as many as 90% of IT leaders will no longer buy new on-premises PBX or unified communications equipment beyond 2021.

The growth in cloud calling is happening for some very clear reasons. Technology innovation cycles are faster for cloud services, which can now deliver a richer feature set that’s more tightly integrated with other important cloud business services, like Office 365, G Suite, Salesforce, and others. Cloud can also offer distinct advantages in scalability, reliability and even security.

Roadblocks


So where’s the difficulty? Well, not all cloud services are alike. Most vendors offer only one pathway to the cloud. These vendors might provide multiple feature packages, but the cloud migration is an all-or-nothing, one-size-fits-all proposition. They aren’t really offering you a pathway that respects your business strategy and any current depreciable investments in licensing, phones and equipment you may have. This creates a major disconnect.

Course Correction


Because Cisco is the leader and pioneer in both on-premises PBX systems, as well as cloud PBX services, we can offer a much more practical, business-friendly transition to the cloud, at any pace that makes sense for your business.

With Cisco, your cloud journey starts with a Cisco partner taking the time to understand your strategy, locations, workforce, communication patterns, and infrastructure. This provides the background to work out a transition timeline and technology path that meets your business objectives and will serve your business well going forward.

Navigation Support


First, it’s important to understand where you want to end up. Will you be moving your entire business to the cloud, or are there certain sites or functions that will continue to use on-premises systems for the foreseeable future? This early discussion of the end-game will help define which Cisco calling platforms will be the best fit for your business future.

Then together we plan your transition by identifying a set of logical phases for cloud adoption. It may be based on sites, regions, workgroups, or any combination thereof. We have found the best transition plan involves a three-step approach defined as cap, surround, migrate.

Cap is where you define the limit for any future spending for on-premises PBX systems. We identify this demarcation point during the pre-planning process.

Surround is where you begin, as soon as possible, to surround your people and processes with rich Webex collaboration capabilities, added to their calling, meetings and team interactions, all delivered from the cloud.

Migrate is where group-by-group, team-by-team, or site-by-site you begin to move your people away from on-premises systems to their new cloud service.

Vehicle Protection (or Predictable Cost)


As you transition your business to the Cisco cloud, we protect your investment with Cisco in a number of ways. Most Cisco IP phones purchased to run on Cisco Unified Communications Manager (UCM) in the past few years become Cisco cloud ready with just a firmware change. Another area of savings is the Cisco Collaboration Flex Plan: when you purchase your UCM licenses through it, you either pay for UC licenses on a subscription model or receive trade-in credits to apply when you choose to migrate those licenses to the Cisco cloud. Either way, you save money.

Cisco cloud calling platforms make it simple to transition to the cloud, by site or by user, while keeping everybody connected, with common dial plans and directories. Our unique portfolio enables us to deliver an exceptional collaboration experience, with calling, meetings, teams, contact center and devices all intelligently integrated for better performance.

Cisco Webex Calling is a great solution for mid-sized to large enterprises looking for a simple cloud transition. For businesses that require a more customized approach, Cisco Hosted Collaboration Solution (HCS) is an excellent option. And with Cisco you can choose to purchase from any of our qualified cloud channel partners, which include over 600 leading service provider and VAR channel partners around the world.

Safe Arrival


As you can see, Cisco has put in the work and planning that enables you to select a cloud PBX journey designed to serve your specific business needs, rather than try to force you into a one-size-fits-nobody arrangement. You have the freedom to choose your speed, select the technology course that’s right for your business, and the Cisco partner best suited to serve as navigator for your journey. We’ve even made sure you get the most out of your investment in your current calling vehicle (phones and licenses) along the way.

Tuesday 21 May 2019

Announcing the Availability of the Dual-Rate 10/25G Long Reach Transceiver Module

We’re excited to release a new addition to our portfolio of dual-rate pluggable transceivers: The 10/25G LR (Long Reach) SFP28 transceiver module, also known as SFP-10/25G-LR-S. Here’s some info about the new product that you may be wondering about.

What is the SFP-10/25G-LR-S?


The SFP-10/25G-LR-S is an SFP (Small Form Factor), dual-rate (10GE and 25GE), Long Reach (LR) transceiver for SMF (Single Mode Fiber) applications. The transceiver enables high-speed connectivity between platforms that accept SFP28s at distances of up to 10 km (~6.2 miles) with appropriate software support.


SFP-10/25G-LR Applications


SFP-10/25G-LR transceivers are needed in an assortment of applications including Enterprise, Data Center and Service Provider networks where transmission of 25G (and 10G) Ethernet is used over SMF.

For Enterprise applications the SFP-10/25G-LR is used in the Intra-Building Backbone to connect Wiring Closet switches to Distribution switches, and in the Inter-Building Backbone to connect Distribution switches to enterprise core switches and routers.


For Data Center applications the SFP-10/25G-LR is used to connect Top of Rack (ToR), Middle of Row (MoR) or End of Row (EoR) switches to Servers, or to connect ToR, MoR and EoR switches to Leaf switches.


For Service Provider applications the SFP-10/25G-LR is used to connect the Service Provider Edge Routers in their Central Offices to their customers’ routers or node switches.


Cisco platforms that support the SFP-10/25G-LR-S


The SFP-10/25G-LR-S is supported in a wide variety of Cisco platforms including Catalyst switches, Nexus switches, NCS routers and UCS platforms.


Other 25G transceivers available from Cisco


Cisco has a complete family of 25G transceivers including SMF & MMF (Multi Mode Fiber) transceivers, DAC (Direct Attached Cables) and AOC (Active Optical Cables) for a multitude of applications.


Monday 20 May 2019

Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives has long been the benchmark for third-party testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and the Business Real-World Protection Test.


While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.

Overview


First, let’s give the brief facts behind the Business Main Test Series:

◈ 19 products are participating
◈ All products tested on Windows 10 RS5 64-bit
◈ All vendors were allowed to configure their products
◈ Cloud and PUA detection activated in all products

Given these parameters, the 19 products will participate in a four-month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.

Malware Protection Test 


In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.


AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable as they help to demonstrate how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low”, which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoints’ ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts, allowing them to focus on what’s really important.

Real-World Protection Test


Over the course of two months, the products encountered 389 test cases. Of the 389 test cases, Cisco AMP for Endpoints has blocked all but three while producing ZERO false alarms, resulting in a 99.2% protection rate so far. Cisco AMP for Endpoints is one of only three products to have zero false alarms. Others have already flagged up to 18 false alarms.

Saturday 18 May 2019

Artificial Intelligence Partner Opportunity

A short time ago I had the opportunity to participate in the AI Partner and Customer events that we had in our Innovation Centers in Paris, London and Berlin. The excitement and interest of both our customers and partners was palpable.


You might have seen some of the headlines in the news around Artificial Intelligence (AI) and Machine Learning (ML) and how in the US, the European Union and Asia many countries are increasing their public and private investment in this field. AI is present everywhere nowadays, from a simple semantic search on the internet to some of the latest self-driving vehicles already available in many places. It is expected that by the year 2022 worldwide spending in AI systems will reach 78 billion US dollars and that the spending in AI servers will grow from 5 billion to 18 billion US dollars. These figures alone represent a substantial opportunity for Cisco and for our Partners.

Another interesting learning from these events was that, contrary to what most people might think, a larger percentage of Machine Learning deployments are on-premises rather than in the cloud. This poses an immediate opportunity for Cisco and our partners in terms of supporting our customers with their initial deployments in their own Data Centers. There are some intrinsic benefits to deploying ML on premises, among them data gravity, integration and application performance, governance and TCO (Total Cost of Ownership), while cloud deployments provide faster deployment and simplicity.

An AI/ML solution requires multidisciplinary skills and a deep collaboration between different stakeholders, including Data Scientists and Data Engineers, the CIO and the different business leaders as well as the IT team. Without all these different teams working together with a common and joint objective a successful deployment would be really difficult to realize.

The Cisco AI/ML offering focuses on Full Data Life Cycle, Simplicity, and Manageability and includes:

◈ A full portfolio for all AI/ML computing needs
◈ Validated solutions with technology partners
◈ Natural extension of existing computing environment

The Cisco AI/ML Architecture includes UCS (Unified Computing Systems) Servers, Cisco Infrastructure Management and Cisco Networking Solutions that power a Virtualization Layer, a Converged Infrastructure for AI and Big Data Clusters which in turn sustain the AI/ML Software platforms which eventually provide the business outcomes that AI delivers. This Architecture helps to bridge the gap between IT and the Data Scientists.

There are some real use-case examples highlighted at these AI events that I found quite relevant and that our partners can leverage to initiate the discussion with their customers. Some of them include:

Banking

◈ Customer-Centric Marketing
◈ Product recommendation
◈ Experience personalization
◈ Attrition prediction

Operations

◈ Improve customer experience
◈ Predicting Failures
◈ Automatically Position Spares at Depots
◈ Optimizing Supply Chain and Customer Experience

Auto

◈ Autonomous Vehicle Simulations
◈ Complex simulation modelling
◈ Massive storage requirements
◈ High volume data inputs

AI/ML can also help resolve some of the new technical challenges of the Internet of Things, such as:

◈ Harsh environments
◈ Hyper-scale
◈ Randomness and unpredictability
◈ Determinism
◈ Subject to (even subtle) attacks

We can also make use of AI/ML to predict IoT performance, detect subtle attacks, and make the network reactive at scale, as well as for Cognitive and Predictive Analytics.

Friday 17 May 2019

Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today

During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.

In this blog post, I will share some practical tips that our team uses with our customers to help mitigate the risk of ransomware causing a significant business outage.


Figure 1: Phases of an attack.

If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).

Initial Attack


The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.


ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.

By itself, this will not fully protect an organization, but without it you expose your users and your environment to preventable email-based attacks. This control should create log events in the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and, if possible, correlated with other events (involving the same time, internal hosts, external IP/domain, and any malware detected). The capability to also review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident, and can be used for hunting if the initial detection somehow fails.

User Actions


Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.


DNS logs, such as those available from Cisco Umbrella, can be invaluable for identifying whether a user, IP address or device made a request related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment, and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand if the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.

To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (based again on intelligence) and also retain the HTTP transaction between the user’s web browser and the destination. This can help us to answer the question of what was done on the site, or what the site sent as a response.

To address the question of “did the user open the file” we recommend the implementation of the Windows SysInternals System Monitor (Sysmon) which can help to answer the question of user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you get into an incident and have to try to parse the alerts.
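To make the correlation step concrete, here is an added example (not Cisco's code, and not the real ESA, Umbrella or WSA log formats) that joins constructed email-gateway, DNS and web-proxy records on a single domain indicator. The `key=value` line layouts, the host names and the placeholder domain `suspect.example` are assumptions made for the example. What it shows is the question each source answers in turn: who received the message, which host resolved the domain, and whether that host went on to post data to it, which is the first clue that credentials may have been submitted.

```python
"""Correlate email-gateway, DNS and web-proxy events around one domain indicator.

Added example, not Cisco's code. The log formats are constructed for
illustration and are not the ESA, Umbrella or WSA formats.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample logs (UTC). suspect.example is a placeholder domain.
EMAIL_LOG = """\
2019-05-17T09:02:11Z mid=1001 from=billing@invoice-portal.example to=alice@corp.example verdict=DELIVERED url=http://suspect.example/login
2019-05-17T09:02:40Z mid=1002 from=hr@corp.example to=bob@corp.example verdict=DELIVERED url=-
2019-05-17T09:05:03Z mid=1003 from=news@vendor.example to=carol@corp.example verdict=QUARANTINED url=http://suspect.example/doc
"""

DNS_LOG = """\
2019-05-17T09:04:12Z host=ws-alice-01 ip=10.1.2.11 query=suspect.example action=ALLOWED
2019-05-17T09:04:15Z host=ws-alice-01 ip=10.1.2.11 query=intranet.corp.example action=ALLOWED
2019-05-17T09:06:20Z host=ws-bob-02 ip=10.1.2.12 query=updates.vendor.example action=ALLOWED
"""

PROXY_LOG = """\
2019-05-17T09:04:13Z ip=10.1.2.11 method=GET url=http://suspect.example/login status=200 bytes=5120
2019-05-17T09:04:31Z ip=10.1.2.11 method=POST url=http://suspect.example/login status=302 bytes=310
2019-05-17T09:06:21Z ip=10.1.2.12 method=GET url=http://updates.vendor.example/patch status=200 bytes=40960
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text, source):
    """Parse 'timestamp key=value ...' lines into dicts tagged with their source."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        event = {
            "source": source,
            "time": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        }
        event.update(dict(KV_RE.findall(rest)))
        events.append(event)
    return events


def domain_of(url):
    """Return the lower-cased hostname of a URL; None for the '-' placeholder."""
    if not url or url == "-":
        return None
    parsed = urlparse(url)
    return (parsed.hostname or url).lower()


def correlate(indicator, email_log, dns_log, proxy_log):
    """Build a time-ordered picture of one domain indicator across three controls."""
    indicator = indicator.lower()
    hits = [e for e in parse_log(email_log, "email") if domain_of(e.get("url")) == indicator]
    hits += [e for e in parse_log(dns_log, "dns") if e.get("query", "").lower() == indicator]
    hits += [e for e in parse_log(proxy_log, "proxy") if domain_of(e.get("url")) == indicator]
    hits.sort(key=lambda e: e["time"])

    # Who actually received a message carrying the indicator (quarantined mail is excluded).
    delivered = sorted({e["to"] for e in hits if e["source"] == "email" and e.get("verdict") == "DELIVERED"})
    # Which internal hosts resolved the domain afterwards.
    resolving_hosts = sorted({e["host"] for e in hits if e["source"] == "dns"})
    # Which hosts sent data to it: a POST after the lure is the first sign of submitted credentials.
    posting_ips = sorted({e["ip"] for e in hits if e["source"] == "proxy" and e.get("method") == "POST"})
    return {
        "timeline": hits,
        "delivered_to": delivered,
        "resolving_hosts": resolving_hosts,
        "posting_ips": posting_ips,
    }


def report(result):
    """Render the correlated timeline as one line per event for the monitoring team."""
    lines = []
    for e in result["timeline"]:
        who = e.get("to") or e.get("host") or e.get("ip")
        what = e.get("verdict") or e.get("action") or f"{e.get('method')} {e.get('status')}"
        lines.append(f"{e['time'].isoformat()} {e['source']:5} {who:22} {what}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = correlate("suspect.example", EMAIL_LOG, DNS_LOG, PROXY_LOG)
    print(report(result))
    print("delivered to:", result["delivered_to"])
    print("resolved by:", result["resolving_hosts"])
    print("posted data from:", result["posting_ips"])
```

The same three questions apply whatever the real log formats are; only `parse_log` changes. Note that the quarantined message still appears in the timeline, which is what scoping needs: it tells you the campaign was wider than the one delivered copy.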

Account Compromise


Following the attack life-cycle, the next phase is account compromise:  did the user either provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page) or did the malware gather local cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.


We have frequently recommended multi-factor for “high risk” accounts, or for “all externally facing services”, but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.

Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.

Privilege Escalation


The next phase is privilege escalation.  In this phase, we recommend a multi-pronged approach as there are multiple risks to address. The first risk is if the environment has a shared local administrator password across multiple devices. This is still a very common practice in many environments due to a number of factors.


A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS). This provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for misuse. Additionally, these privileged groups should be monitored for modification (adding or deleting users, or changes to group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.
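Both the MFA-system monitoring in the account-compromise section and the privileged-group monitoring here reduce to the same kind of rule evaluation over audit events. The following added example (not Cisco's code and not any product's format) shows one way to express it in Python. The Windows Security event IDs 4720, 4728, 4732 and 4756 are the real IDs for account creation and group-membership additions, but the JSON record shape, the MFA admin feed, the group names and the approved-actor list are constructed assumptions. It also correlates a newly created account with its later exemption from MFA, the pattern described above where an attacker creates an account allowed to bypass the multi-factor requirement.

```python
"""Alert on privileged-group changes and MFA-bypass provisioning.

Added example, not Cisco's code. The audit records below are constructed; the
Windows Security event IDs (4720, 4728, 4732, 4756) are real, the JSON shape is
not any product's format, and the "mfa" feed is a hypothetical admin audit log.
"""
import json
from datetime import datetime, timedelta, timezone

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MFA_EXEMPT_GROUPS = {"MFA-Exempt"}                  # assumed name of the legacy-exception group
APPROVED_CHANGE_ACTORS = {"svc-iam@corp.example"}   # assumed: the only identity that should touch these
MEMBER_ADD_EVENT_IDS = {4728, 4732, 4756}           # member added to global / local / universal group
ACCOUNT_CREATED_EVENT_ID = 4720                     # user account created
NEW_ACCOUNT_WINDOW = timedelta(hours=1)             # "new account then MFA exemption" correlation window

# Constructed sample feed, one JSON record per line.
AUDIT_EVENTS = """\
{"ts": "2019-05-17T10:00:01Z", "feed": "windows", "event_id": 4624, "actor": "alice@corp.example", "detail": {"logon_type": 2}}
{"ts": "2019-05-17T10:03:44Z", "feed": "windows", "event_id": 4728, "actor": "svc-iam@corp.example", "detail": {"group": "Domain Admins", "member": "new-dba@corp.example"}}
{"ts": "2019-05-17T10:05:10Z", "feed": "windows", "event_id": 4732, "actor": "alice@corp.example", "detail": {"group": "Administrators", "member": "alice@corp.example"}}
{"ts": "2019-05-17T10:06:02Z", "feed": "mfa", "event_id": null, "actor": "alice@corp.example", "detail": {"action": "bypass_code_created", "user": "backup-admin@corp.example"}}
{"ts": "2019-05-17T10:07:30Z", "feed": "windows", "event_id": 4720, "actor": "alice@corp.example", "detail": {"new_account": "helpdesk2@corp.example"}}
{"ts": "2019-05-17T10:08:00Z", "feed": "mfa", "event_id": null, "actor": "svc-iam@corp.example", "detail": {"action": "user_added_to_group", "group": "MFA-Exempt", "user": "helpdesk2@corp.example"}}
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _alert(ev, severity, summary):
    return {"ts": ev["ts"], "severity": severity, "actor": ev["actor"], "summary": summary}


def evaluate(events_text):
    """Walk the feed in order and return the alerts the monitoring team should see."""
    alerts = []
    recently_created = {}  # account -> creation time, for the new-account/MFA-exempt correlation
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        detail, actor, when = ev["detail"], ev["actor"], _ts(ev["ts"])
        approved = actor in APPROVED_CHANGE_ACTORS

        if ev["feed"] == "windows":
            if ev["event_id"] in MEMBER_ADD_EVENT_IDS and detail.get("group") in PRIVILEGED_GROUPS:
                if detail["member"] == actor:
                    severity = "critical"        # self-elevation is never a routine change
                else:
                    severity = "medium" if approved else "high"
                alerts.append(_alert(ev, severity, f"{actor} added {detail['member']} to {detail['group']}"))
            elif ev["event_id"] == ACCOUNT_CREATED_EVENT_ID:
                recently_created[detail["new_account"]] = when
                alerts.append(_alert(ev, "low" if approved else "medium",
                                     f"{actor} created account {detail['new_account']}"))

        elif ev["feed"] == "mfa":
            if detail.get("action") == "bypass_code_created":
                # One-time bypass codes defeat the control; every issuance is reviewed.
                alerts.append(_alert(ev, "high", f"{actor} issued an MFA bypass code for {detail['user']}"))
            elif detail.get("action") == "user_added_to_group" and detail.get("group") in MFA_EXEMPT_GROUPS:
                created = recently_created.get(detail["user"])
                if created is not None and when - created <= NEW_ACCOUNT_WINDOW:
                    severity = "critical"        # brand-new account immediately exempted from MFA
                else:
                    severity = "medium" if approved else "high"
                alerts.append(_alert(ev, severity,
                                     f"{actor} exempted {detail['user']} from MFA via {detail['group']}"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(AUDIT_EVENTS):
        print(f"{a['ts']} [{a['severity']:8}] {a['summary']}")
```

Even the "approved" actor's changes produce an alert here, only at a lower severity: the point of monitoring the group and the MFA admin system is that a compromised service account looks exactly like the legitimate one until someone reviews what it did.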

Lateral Movement


Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.


This can be started by reducing the internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged activity or Administrator activity should always originate from an approved “jump box” that is hardened and monitored, and has specific access restrictions for only users that require this access. Role-based access should also be enforced: not everyone should have access to production, the code base, or sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that is expecting specific capabilities, such as the Server Message Block (SMB) protocol, for example.

Encryption of Data


The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.


For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?

Take Action Today


These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.

Thursday 16 May 2019

Ansible: Powered by Cisco DNA Center

We have all seen the segmentation of people and technologies into what we lovingly refer to as ‘silos.’ Initially, these silos were formed to group together teams with common skill sets, ownership, accountability, etc. The effect that we see from this division into functional groups typically manifests as some level of communication hindrance that limits full cooperation between the groups to obtain a higher level objective.

If you look at the technology industry, the same sort of logical grouping is prevalent. For example, we have technology silos like Campus Networking, Data Center Infrastructure, Security, and Storage.


In these technology domains, we see managers, or controllers, that are responsible to provide that Software Defined Controller role and act as the provisioner for that area. Similar to the challenge faced with people in organizations, this division can be a hindrance when trying to automate across multiple functional areas.

Ansible for Higher Level Automation


What we need to help drive a cohesive strategy for management across each of these domains is a common interface to act as the glue between them. This “higher layer” can interface with each technology domain using whatever interface is exposed by the manager or by reaching the devices directly.

Ansible is a fantastic solution to act as this glue. There are over 2000 modules to provide that communication mechanism into each domain. The coverage is broad enough to span the entire gamut.


Campus Networking


Cisco Campus networking has seen significant growth in maturity with the DNA Center solution. DNA Center provides GUI-driven workflows that greatly simplify complex deployments, allowing the technologist to focus on what they want the network to do rather than the specific configurations.

The Assurance engine is without a parallel in the industry. Assurance provides unprecedented visibility into the health of your networks, end users, and applications.

Cisco has released the concept of DNA Center as a Platform and provides access to the APIs that drive the DNA Center solution.

Ansible Modules for DNA Center


That brings us to the point of this write-up: with Ansible acting as the glue between your various technical domains, combined with your newly deployed Cisco DNA Center, you will need some new modules to drive the configuration of DNA Center from Ansible.

World Wide Technology has developed several new Ansible modules for DNA Center. These initial modules provide the ability to deploy configuration of the design workflows including Site Hierarchy, Common settings (DHCP Server, DNS Server, Syslog, etc.), IP Pools, Create Discoveries and more.


These initial modules are just the start. We will continue to develop and refine with the help of the broader, open source community as additional features and APIs are exposed.

The figure below is a snippet of YAML from a sample playbook illustrating the configuration of the DNA Center settings and sites.

[Figure: snippet of YAML from a sample playbook configuring DNA Center settings and sites]

Tuesday 14 May 2019

Cisco Drives Intent-Based Networking Forward with Multi-Level Segmentation

Why network segmentation matters in the enterprise of today


Network Segmentation easily gets lost in a conversation as it is a heavily used term in the industry. Everyone claims to support it when in reality most vendors support the bare minimum to simply claim compliance in an RFP (Request for Proposal) or RFI (Request for Information).

Network segmentation is a critical requirement to address the growing scale, complexity and security demands of today’s campus and branch networks. That’s because segmentation allows customers to protect their data. Segmentation divides an infrastructure into individual components and builds connection points between the relevant components based on an understanding of applications, users, consumers, and devices.

The days of managing secure networks with VLANs and ACLs are a thing of the past. Customers require a campus infrastructure capable of supporting a software-defined approach to network segmentation. Networks today need to be purpose-built for commencing the journey of intent-based networking. Network segmentation is a key pillar supporting the foundation of Cisco’s powerful Software-Defined Access (SD-Access) architecture.

Raising the stakes with multi-level network segmentation


Traditionally, when a customer was required to isolate a given network, VLANs and ACLs (Access Control Lists) were configured to achieve network separation. Even a simple use case of enforcing policies for users, devices, and things was challenging to implement and complex to manage as new users and devices were added to the network. Cisco has addressed these challenges and raised the stakes for network segmentation, offering a new approach to multi-level segmentation for the enterprise campus.

So, what is multi-level segmentation? As the name suggests, multi-level segmentation provides two levels of segmentation using layer 3 virtual networks (VNs) and scalable group tags (SGTs).


Comparing vendors


Comparing the segmentation capabilities of Cisco, Aruba and Huawei, several key takeaways can be learned from the independent Miercom report. The bottom line of the Miercom comparison is that there is a clear benefit to the automated, single-touch-point approach of Cisco compared to the manual, multi-touch-point approaches of HPE-Aruba and Huawei.


Aruba

Aruba’s segmentation offering is highly dependent on its mobility controller. With only a small amount of traffic, Aruba’s Mobility controller was exposed as a choke point.

Regardless of how many access layer switches and network uplinks are added, the limitation is still present until an additional Aruba Mobility controller can be purchased and added to the network. The network administrator using the Aruba architecture will constantly need to monitor the load of the segmentation service. This is because the mobility controller responsible for wireless association/termination will become unresponsive when its data plane performance limit is reached.

Aruba positions its Dynamic Segmentation for Unified Policy for wired and wireless. Aruba launched this back in 2014 and is still positioning this architecture as Next-Gen. The flaws then are still present now.

Is the Aruba solution line-rate? Can it be proved via independent test reports? Can they change policy between users, whatever their respective VLAN is?

Huawei

Huawei’s Free Mobility was basic segmentation at best. Several touchpoints and dashboards are required to get the basics to work. It’s definitely not easy to use, and requires many repetitive steps to create groups and create policy.

Huawei presents its Free Mobility solution to its customers for segmentation using group-based policy. Free Mobility is an add-on to its policy server, the Agile Controller 1.0. Huawei does not offer a simple way to provide policy-based automation. In all cases Huawei requires multiple touch points and manual configuration via CLI and countless clicks on their Agile Controller for policy.

The third-party test vendor configured Huawei’s Free Mobility solution and discovered that it was not as easy as expected.

Multiple steps are required to create a security group – 12 to be exact. To create a single policy between a configured pair of security groups takes 16 steps.

The key takeaway was Huawei’s inability to provide an easy to use offering for multi-level segmentation.

At best, the segmentation was basic and the network administrator was left to log back into the additional devices to enable port isolation for east-west segmentation.


As you can imagine traditionally there are many touch points when trying to configure various levels of segmentation.

Cisco


With Cisco Digital Network Architecture (DNA) Center, the creation of virtual networks and management of scalable groups is possible and can be done via a single unified dashboard. Cisco DNA Center and SD-Access outshines and outperforms the competition. Cisco SD-Access is built using a campus fabric with built-in mechanisms to support two levels of segmentation. Other network vendors can only offer segmentation based on simple network separation.

The Cisco Catalyst Family embeds VNs and SGTs in its hardware using the Cisco UADP (Unified Access Data Plane) ASIC. This facilitates building a robust foundation based on a powerful hardware that allows customers to enable a network segmentation service without a compromise on performance. Other network vendors use older architectures which are bottleneck designs with limited data plane performance of only 10Gbps.

Our third-party tests compare and assess the network segmentation offerings of each networking vendor. It can be seen from the report that with the other vendors, customers will continue down the path of configuring named VLANs and mapping out the size of the subnet per VLAN in preparation for deployment. Customers using either vendor will be required to configure a VLAN for wired employees, a VLAN for wireless employees, a VLAN for wired guests, a VLAN for wireless guests, etc.

As stated, those are ways of the past; however, this is how the competition will design a campus network. They don’t offer a controller-based network to provide automation and the ability to deliver true software-defined networking.

Cisco SD-Access not only profiles users, devices, and things but also onboards clients to a fabric. It provides customers with capabilities to move devices in a virtual network (macro segmentation) and provide flexibility to support role-based groups (micro segmentation) and control communication based on network contracts.

With Cisco’s DNA Center, the policy application allows customers to create VNs and groups using the “drag and drop” method. Once configured, network connectivity and access were tested to verify segmentation.

Segmentation doesn’t stop in the campus


Cisco also supports the ability to keep the policy intact from the Campus User to the Data Center application with SGT to EPG (endpoint group) mapping. Cisco is the only vendor capable of offering Intent-Based Networking across the Campus and Data Center.