Time to Get Ahead of the Wi-Fi 6 Upgrade Curve

Sometimes technical innovations strike like lightning. In a flash, shiny new tech arrives and is instantly put in the hands of millions of people. Other times innovations seem like the ocean tide. You can see the slow change coming as the waters incrementally rise, but you’re never quite sure at what point high tide arrives and you’re ready to jump in to ride the next wave.

Each generation of Wi-Fi arrives like the tide, slowly building up, not arriving all at once, but unstoppable nevertheless. Cisco has been preparing for Wi-Fi 6 for some time now. The standard is finalized. 802.11ax (aka Wi-Fi 6) certification of radios, access points, and controllers is underway. Manufacturers are busy incorporating Wi-Fi 6 chipsets into their new products.

Wi-Fi 6 Devices are Populating Enterprise Carpeted Spaces Today

Just a few generations of networking ago it was still common to have Ethernet cables in every office to connect desktop behemoths to the corporate network. As desktop PCs evolved into lightweight laptops, wireless connectivity quickly followed as the network of choice to take advantage of increasing mobility. The “app generation” came next with the BYOD wave of wireless smart phones and tablets that invaded the corporate network.

As mobility became a top priority, Wi-Fi took off in carpeted corporate spaces. Access points for Wi-Fi 4 (802.11n) and Wi-Fi 5 (802.11ac wave 1 and 2) sprouted from ceilings in every floor, conference room, and common area. In retrospect the move to wireless connectivity happened very quickly in terms of IT refresh cycles driven by a more mobile workforce requiring access to SaaS applications and IP streaming collaboration services, anytime, anywhere.

Now, Wi-Fi 6 devices are already appearing in people’s hands as progressive companies like Apple and Samsung lead with their next generation of phones. New laptops and tablets shipping today are incorporating Wi-Fi 6 as the new default, bringing the ability to run applications that require low latency and fast downloads—and uploads!—to enhance mobile computing. While Wi-Fi 6 devices will readily attach to older -ac or -n access points, the device owners will not notice any change in performance, resulting in a disappointing experience.

Collaboration Applications Benefit from Lower Latency, Guaranteed Throughput

In the enterprise, collaboration applications are becoming a must-have platform to tie together the workforce in traditional carpeted spaces, campus meeting areas, and remote and mobile offices. The importance of keeping everyone on the same page as well as providing immediate connections from field to office is making high-definition video and audio streaming a critical capability that depends on quality wireless access anytime, anywhere.

For a satisfactory collaboration experience, the network needs to provide appropriate bandwidth to handle the up and down stream video transmission with low latency for multiple connections for each meeting. Latency management is specifically addressed in Wi-Fi 6 in a couple of ways. Multi-User Multiple Input Multiple Output (MU-MIMO) enables clients and APs to split the available spatial streams among multiple client devices for both up and down transmissions. Combined with Orthogonal Frequency Division Multiple Access (OFDMA), an RF modulation technique, Wi-Fi 6 enables multiple clients to simultaneously receive data during the same transmit opportunity.

These enhancements to Wi-Fi 6 enable better Quality of Experience (QoE) for collaboration platforms. As the use of video conferencing increases in an effort to decrease costly—and carbon-footprint heavy—travel, Wi-Fi 6 is ready to take on the extra load.

Customer Experience Depends on Quality of Wireless Service

Upgrading to Wi-Fi 6 is particularly important for organizations with customer-facing applications that depend on public wireless access. Hospitality and retail enterprises want to interface with guests and customers via their mobile device of choice. In a hotel, for example, guests expect the same connectivity performance that they have in their corporate or home network. Superior network performance is a checkbox for repeat business, poor network performance results in a black mark.

In retail, customers want to use their mobile apps to find deals, send photos and videos of merchandise to friends, and use mobile payments. Deep inside a mall with weak LTE coverage, an overloaded Wi-Fi results in customer frustration and lost sales. For expansive indoor spaces, Wi-Fi 6 provides peerless coverage and roaming, fast onboarding, and the capacity to handle hundreds of connections simultaneously.

In the education environment, students visiting prospective campuses will immediately notice if the Wi-Fi coverage meets their expectations for performance. Students expect a flawless wireless experience in lecture halls—where everyone has laptops and mobile devices operating all at once—and demand that classwork files and videos can be instantly downloaded and streamed. In high-density environments like these, Wi-Fi 6 excels at meeting the demand for fast onboarding, stable connectivity, and low latency. Even in an environment with mixed Wi-Fi 5 and 6-capable devices, everyone benefits from the more efficient use of existing bandwidth if the access points are Wi-Fi 6 capable.

In these cases, the Wi-Fi 6 tide is in and it’s time to get your network up to date to keep up with customer, guest, and student expectations and take advantage of the latest innovation in wireless connectivity. To make wireless communications even more seamless, Cisco is in the process of rolling out OpenRoaming, which will make onboarding to wireless networks, that are part of the OpenRoaming Federation, automatic. It will also create a bridge between Wi-Fi and 5G networks to make the transition between the two transparent to the device. I will discuss this more in a future blog post.

Smart Buildings and Connected IoT Will Flourish with Wi-Fi 6

Buildings are becoming smarter to increase energy efficiency while adapting the spaces to people and organizational needs. From motion-sensing lights and HVAC systems that adjust office spaces automatically, to built-in conferencing systems and smart whiteboards, IoT devices are permeating office, factory, retail, and healthcare spaces. The cost of adding smart IoT to existing spaces is reduced when many devices can communicate wirelessly instead of threading cables in every nook and cranny.

While the goal is to create a smart environment, many of the individual IoT devices are actually fairly simple, with limited local processing, security settings, and battery power. The wireless network, therefore, must provide security, management tools for visibility into device identities, and granular segmentation to control traffic flows as well as access permissions. The smart building requires an intelligent network to manage and safeguard all the components.

Fortunately, core technology built into Wi-Fi 6 addresses many of the challenges of connecting and managing smart buildings—and ultimately smart cities. With a multitude of sensors, cameras, and all vying for bandwidth, Wi-Fi 6 access points reduce interference using BSS Coloring, which enables devices to identify the closest AP by “color” and tune out all other transmissions from nearby APs and devices. The Target Wake Time capability enables devices to conserve battery power by coordinating sleep cycles with the local AP, so instead of connecting many times a minute, they can be set to wake and transmit less frequently and still maintain a connection when needed. Reduced latency is also an important requirement for IoT applications. Wi-Fi 6 reduces latency and jitter using Orthogonal Frequency Division Multiple Access (OFDMA), which enables many low-bandwidth streams to transmit in parallel.

Monitoring network performance, identifying device types, and securing wired and wireless devices is the function of Cisco Intent-based Networking components Cisco DNA Center, Identity Services Engine, SD-Access, and Assurance. These services running on top of Wi-Fi 6 capabilities create an intelligent wireless fabric to make the smart building a holistic collaboration of sensors, devices, access points, and controllers that are all securely managed from a central portal.

It Really is Time to Take Advantage of Wi-Fi 6

Whether your organization is expanding physically with new buildings, adding employees, moving to more cloud services, or wanting to interface more directly with customers through mobile apps, upgrading to Wi-Fi 6-based infrastructure will immediately provide many benefits and prepare for future growth. Cisco Wi-Fi 6 APs and Controllers will provide not only faster data transfers, but lower latency for much more responsive applications, as well as better performance in high-density environments—all areas that are improved from previous generations of Wi-Fi. Don’t get behind the curve, the time to start your upgrade to Wi-Fi 6 is now.

Continue reading

Our World in Transition and Our Future Demands

October is Cybersecurity Awareness Month and for me, it’s a time to reflect on where we’ve been and how far we’ve come, study the trends and challenges we face today, and look ahead to the next generation of opportunities facing not only the security community, but society at large.

In my more than 30 years in the security industry, it’s been interesting to see how technology has evolved and changed the world. Security started off as a ‘systems’ conversation. Now, technology touches everyone’s lives, and as a result, cybersecurity affects us all – individuals, businesses, cities, countries, our global community.

From Use to Reliance

During our lifetimes, we’ve shifted from using technology to, in very subtle ways, becoming reliant on it. Whether we realize it or not, these subtleties have made us dependent on technology. The notion of ‘always on’ access to data is highly disruptive to us when we don’t have it. Take maps for example: using a printed map is foreign to us today, and when the maps on our devices don’t work, we’re lost, literally.

When technology is unavailable, in many respects we feel ‘out of the loop’ and behind in knowing what’s going on. There’s a lagging indicator that says, ‘Now that we have access to current information, we always expect this level of connectivity – we depend on it.’ That reliance makes securing the data and the systems that deliver it to us that much more vital.

A Confluence of Change – All in Three Years

Since 2017, three major transitions have occurred that illustrate how complicated cybersecurity has become for us all globally. These transitions have caused security professionals to feel the pressure and scrutiny from a number of organizations that have upped their games. They’re having to catch up to a confluence of changes, all occurring at the same time:

1. Technology

Prior to 2017, IT predominantly built and ran an organization’s technology infrastructure, spending on security and hoping it works, relying on best-of-breed products, and managing it all reactively.

We all needed cybersecurity, but how could we net the best results – the greatest level of efficacy – from the solutions we purchased? Exactly how much value are we getting when spending on a solution? Is it all integrated as a best strategy or are we simply buying technology from the leading brand name or best advertised?

Today, leading IT teams build, buy and run security, use a ‘best-of-integrated’ architecture approach and emphasize visibility, controls, measures and proactive approaches to security that drive efficacy and value.

2. Laws, Regulations, and Customer Requirements

This transition shows the increasing influence that laws, regulations and customer requirements have on a technology or service provider to its clients, and in turn, to their customers, citizens, colleagues, families and friends.

The formalization of laws and regulations – from the EU-NIS Directive to GDPR to the Australian Government Protective Security Policy Framework to the California Consumer Privacy Act, to name a few – have driven greater scrutiny and reform. It’s accelerated substantially in a short period of time, from ‘do-it-yourself’ disharmonious regulations and rule, to a set of country, inter-country and international use standards.

Now corporate and government leaders across the international community are being held accountable. This transition from varying self-rule and self-regulation to accountability, breach reporting and disclosure highlights the implications of mishandling data and privacy through significant fines and executive firings.

In many respects, it’s been a long time coming. What’s interesting is that now that it’s here, it’s caught many off-guard – and it’s by no means slowing down.

3. Internal Oversight

When I started in InfoSec, security was mainly an engineering or computer science discipline. The security team was often avoided so that they couldn’t suppress innovation because of security concerns. The business was self-governing with inconsistent levels of oversight.

Today, internal reporting to and oversight by executive leadership, the CEO, the board of directors and shareholders are becoming standard practice to ensure proper governance. In part, it is a response to the regulatory landscape and the need for higher levels of accountability and oversight from within. It’s also based on the criticality of technology moving from something we use to something we rely on to deliver a service.

All three of these transitions came to the fore in a very short period of time to know how to effectively react, govern and solve for it. By the way, we’re all going through this and determining our own strategies to face the challenges, net the value they deliver, and understand how to be safe and secure in and around it all.

Our Future Demands

Today, there are about 4 billion internet users globally – all told about 10X of what it was in 2000. We’re in a world where everything is being connected and generating data. This will have significant impact on the next few years in particular and even more substantially into the future.

By next year, there will be about 200 billion devices ‘on air,’ which includes cars, telemetry in cities, sensors and a multitude of other connected devices. Two-hundred billion is almost an ephemeral number, but it’s not to be underestimated because the number of vendors creating IoT-connected technology is growing probably 3-4X every year than the prior year. That’s a trend that I don’t see slowing down any time soon.

By 2021, cybercrime is estimated to be a $6 trillion industry – a very profitable industry, though I don’t recommend it as a career choice. It does illustrate the depth and breadth of the challenge – that it’s an international and global issue that we all have to work together to solve because it’s something that we all face.

Raising the Bar for a More Secure Future

Governments and businesses globally are raising the bar to meet the challenge around product assurance, cloud assurance, IoT, lawful intercept, data protection, privacy and the like. Some 30-odd countries are writing or revising their cybersecurity strategies and each can have profound implications on how data is shared and how systems are built.

So, during Cybersecurity Awareness Month, consider what you can do to make the world more safe and secure, and take action. What can you do as individuals? How are you protecting yourself online and helping your business, colleagues, friends and family to do the same? Each individual act, when taken together, can move us all to a more secure future.

We’re not looking for headlines that show ‘good’ or ‘bad.’ We need trend lines that show that what we’re doing collectively is moving us all towards lower risk. As long as the trend line is going in the right direction, we’re doing what we need to do – and we must all do our part.

For governments, companies and individuals alike, Cisco’s Cybersecurity Awareness Month site offers events, activities and educational content, and ways to get involved. The Cisco Trust Center also offers resources to help you with security, data protection and privacy. Both feature links to security reports, videos, threat intelligence, thought leadership and more that will keep you informed.

Continue reading

How To Get Good Score in Cisco 300-135: CCNP Routing and Switching (TSHOOT) Certification Exam in Short Time

• Exam Name: Troubleshooting and Maintaining Cisco IP Networks
• Exam Number: 300-135 TSHOOT
• Exam Price: $300 USD
• Duration: 120 minutes
• Number of Questions: 15-25
• Passing Score: Variable (750-850 / 1000 Approx.)
• Exam Registration: PEARSON VUE
• Sample Questions: Cisco 300-135 Sample Questions
• Practice Exam: Cisco Certified Network Professional Routing and Switching Practice Test
• Recommended Training:
• Troubleshooting and Maintaining Cisco IP Switched Networks v2.0 (TSHOOT)
• Cisco E-Learning for CCNP TSHOOT v2.0
• Cisco Learning Labs for CCNP TSHOOT v2.0
• CCNA and CCNP Premium Training Package

Continue reading

Artificial Intelligence: Leveraging Data from Edge to Cloud

Artificial Intelligence (AI) will transform every industry, including government, by enhancing organizational effectiveness and speed of operation. But AI will also change the nature and pace of threats organizations will face. If we’re to achieve the full promise of AI and transform data into intelligence and action, we must lead with an insight driven approach to everything we do. In addition, we must take advantage of cognitive capabilities wherever possible. All while leveraging the full potential of data across private, hybrid and multicloud environments – from the edge to the cloud.

Artificial intelligence delivers insights when and where they are needed

To gain a competitive advantage, organizations need to start with a solid foundation, one that takes advantage of the best infrastructure options. This should include embedded analytics capabilities across edge, datacenter, and cloud environments. It should also include the capability to deliver insights when and where they are needed. And do so while incorporating continuous intelligence through real-time context. To unlock the strategic value of your data, you must have the ability to:

◒ Process and analyze data from distributed data sources

◒ Stream real-time data from edge devices

◒ Have the ability to store, analyze, apply AI/ML and deliver insight back to the edge devices to make intelligent decisions.

Artificial intelligence and cloud-scale architecture

At Cisco, we’ve been working on a cloud-scale architecture that brings together big data, compute farm, and storage tiers. They work together as a single entity yet scale independently to address IT and operational needs. Through this approach, we have created an architecture that enables:

◒ Extremely fast data ingest and data engineering done at the data lake

◒ An AI compute farm that allows for different types of AI frameworks and compute types (GPU, CPU) to work on this data for further analytics

◒ Gradual retirement of data that has been worked on to a storage dense system with a lower $/TB, providing a better TCO (storage tiering)

◒ To seamlessly scale the architecture to thousands of nodes with a single pane of glass management using Cisco Application Centric Infrastructure (ACI).

Cisco Data Intelligence Platform caters to this evolving architecture, bringing together a fully scalable infrastructure with centralized management, plus a fully supported software stack (in partnership with industry leaders in the space) to each of these three independently scalable components of the architecture, including data lake, GPU and object storage.

As you think about how to leverage artificial intelligence, ask yourself three key questions:

1. Are you architecting to enable your organization to drive value from data across environments?

2. Is your team ready to manage data spread across multiple clouds?

3. Will you be leveraging the full potential of your data?

Continue reading

Remote Access Trojans

You’re working for a high-profile technology company, close to releasing a market-changing product to the public. It’s a highly contested space, with many competitors, both domestic and international. There’s also a lot of buzz in the media and online speculation on the scope and impact your new product will have. And it goes without question that customers are keen to know more about the upcoming game-changer.

Your goal is to keep the secrets under wraps until the public announcement. Unfortunately, your surprise is about to be spoiled. It happens sometimes, as much as we work to prevent it—from accidental embargo slips to insider leaks. But in this case, it’s arguably the worst-case scenario: Your company has been breached and information about the product was stolen.

It’s unfortunate, but such breaches are not an uncommon occurrence—it’s something security professionals are far too familiar with. They occur across sectors, yet the way the data is stolen often includes familiar patterns. There are plenty of possible suspects, and untangling their motives is difficult. But in this cybersecurity game of “Clue,” we’re less concerned if it were Mrs. Peacock or Professor Plum. We want to know what the weapon was and how to prevent future murders.

There are a variety of useful weapons in an attacker’s arsenal. Downloaders, administration tools, and infostealers all often play a part in such an attack. But the go-to tool in many scenarios like this today are remote access trojans, often referred to as a “RATs.”

The anatomy of a RAT

A RAT is a swiss army knife of sorts. Distributed through familiar vectors, such as malicious downloads and email attachments, many RATs include all the weapons mention above, and more, making it easier for an attacker to leverage each component when carrying out an attack. In short, a RAT consolidates a number of tools into one package.

There is a lot of variation from RAT to RAT. Some are generalist tools, meant to be used across a variety of attack scenarios. Others are highly tailored to a specific attack. Some RATs use predetermined proxies to help mask an attacker’s ultimate location. Other RATs may leverage command-and-control (C2) infrastructure to do the same.

While the functionality and infrastructure used by a given RAT will differ, what follows are common features found within many RATs. To illustrate an attack, let’s take it back to our tech company breach, showing how an attacker can leverage a RAT to gain access to, and steal, sensitive files on your upcoming product.

Gather system information

The attacker managed to breach the defenses in your company using a phishing email that included a link to the RAT. However, that doesn’t mean that they will immediately know where they are on the network. They’ll naturally want to learn more about the computer they compromised. Is it an administrative assistant’s desktop, a laptop belonging to finance, or a web server? Performing reconnaissance on the system helps the attacker learn how deep into an organization they have penetrated, if they need to move laterally, or if they’re reached their intended target. Some reconnaissance tools even allow an attacker to scan other systems, gathering information about them.

Steal usernames and passwords

The attacker got onto one machine, but it wasn’t the intended target. They’d compromised a computer belonging to someone in the engineering group, but the materials they were after resided on a shared server. To move laterally, they may want to try searching for login credentials on the system they’ve already compromised. Many RATs include the ability to scrape saved and cached passwords, and once the usernames and passwords are in hand, the attacker can attempt to log into the shared server.

Log keystrokes

The attacker scanned the compromised computer looking for the login credentials, but no luck. Good news? Yes, but it’s only a minor setback. Many RATs include information-stealing components like keyloggers, meaning all the attacker has to do is enable it, and wait for the user of the compromised system to log into the shared server. When they enter login credentials, the attacker can capture them, and later attempt to log into the server themselves.

Download further malware

The attacker was able to obtain login credentials; however, their attempt to log in failed. (Perhaps your company uses multi-factor authentication?) To get to that shared engineering server, the attacker is going to have to call in reinforcements. They’ve identified a vulnerability on the shared server, and they need an attack toolkit to exploit it and gain access. Given how networks vary widely, many RATS include the ability to download further tools to assist them in gaining further access. In this case, the RAT operates like a downloader, pulling down an attack toolkit that allows the attacker to progress.

Accessing and uploading files

The attacker managed to gain access to the shared server, traversed its directory structure, and located documents that outline your new product’s features. The next step is to exfiltrate those files. Most RATs contain the ability to upload files to a predetermined location. This is often done with help of a proxy or through a C2 infrastructure, thus covering the attacker’s tracks as they steal the documents in question.

Recording audio, video, and taking screenshots

There may be times that an attacker isn’t satisfied with simply stealing design docs. Perhaps they obtained a slide deck, but it lacks context in certain slides. In order to learn more, they might want to return their attention to the initially compromised computer and have the RAT to record audio and/or video. The RAT might overhear the engineer speaking to a coworker or capture a video of a presentation meeting that discusses the product. RATs can often take screenshots as well, capturing critical documents on display.

Other uses

This is just one scenario where a RAT could be used end-to-end in an attack. RATs can be used in other situations as well. For instance, what if an attacker is hoping to exfiltrate financial data? A RAT can be leveraged to scrape banking details from a compromised computer or collect credit card numbers using a keylogger.

What’s important to highlight is that most RATs provide command line access to the systems that have been compromised. If adequate administrative rights are gained on these computers, an attacker can use a RAT to do just about anything that he or she desires.

Notable RATs

RATs have been around for a long time, and many prominent RATs have come and gone. Some recent RATs that have been prevalent on the threat landscape include Orcus RAT and RevengeRAT, which have been used by a variety of threat actors. Another commonly seen RAT is ExileRAT, which has been used in attacks with possible espionage-related motives, and shares a C2 infrastructure with the LuckyCat family of threats.

Not all RATs are built from the ground up either. Some are semi-legitimate tools, repurposed or reconfigured for malicious use. Two such examples include Imminent RAT and Remcos.

There are a number of attack groups monitored by Talos Intelligence that use RATs in their malicious campaigns. The SWEED threat actor often used Agent Tesla, the Panda threat actor has been seen dropping Gh0st RAT, and the Tortoiseshell group, who was recently caught scamming veterans, uses a RAT called IvizTech.

To catch a RAT

So the attacker managed to get into your network and obtain your product plans this time. How do you prevent them from doing it next time?

Fortunately, there isn’t anything particularly special about the way a RAT gets onto a system. They’re distributed in much the same way as other types of malware: they’re sent by email, dropped by droppers, set up as the payloads for exploit kits, along with other common attack vectors. Consider the following:

• A good endpoint protection application is very useful in protecting against RATs. AMP for Endpoints blocks malware at point of entry, then detects, contains, and remediates advanced threats.
• Monitoring network traffic for unauthorized activity is also important. Cisco Stealthwatch is the most comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure.
• Many RATs encrypt their traffic, as we discussed in last month’s Threat of the Month blog, so be sure you can monitor such traffic as well. Encrypted Traffic Analytics provides insight into threats in encrypted traffic, without the need for decryption, using network analytics and machine learning.
• Being able to connect to C2 domains is vital for many RATs to function. Blocking known malicious domains can go a long way in stopping a RAT in its tracks. Cisco Umbrella uses DNS to stop threats over all ports and protocols—even direct-to-IP connections—preventing connections to attacker’s servers.
• Multi-factor authentication products can prevent an attacker from logging into a system if they manage to obtain login credentials. Verify users’ identities with applications such as Cisco Duo.
• A good email security solution, as well as a strong network perimeter, will help to ensure that RATs are blocked outright. Cisco Email Security is your best defense against such attacks via email, while Cisco’s Next-Generation Firewall can stop attacks at the network boundaries.
• A web security appliance with data loss prevention (DLP) features will also assist in cases where a RAT gets in and is attempting to steal sensitive information through the network. The Cisco and Digital Guardian DLP solution is a high-performance, comprehensive security solution for data in motion.

Continue reading

The SD-WAN Factor: Partnering for Success

Some partners resell Cisco products. Some go beyond selling and offer services. And some of them believe in the products so much, they use them internally. Such is the case with Katalyst, a certified Cisco Gold Partner and managed service provider; they do all three. I recently had a chance to speak with Jesse White, Field CTO at Katalyst, specifically about the benefits of Cisco’s SD-WAN solution, why they use it internally, how its white-label managed service offering is transforming its customers’ networks, SD-WAN Security, and more. It was a fantastic experience to learn first-hand, the power of this technology.

The “Katalyst” for Selecting Cisco SD-WAN

When Katalyst selects a new product to deploy, whether internally or at a customer site, there’s little room for error; getting it right the first time isn’t just important, it’s a must. Katalyst’s stringent decision criteria looks at a number of attributes, including management, ease of use, cost savings, programmability, stability, and more.

SD-WAN end-users realize better SaaS application performance, branch offices and acquisition sites are brought online in minutes rather than hours or even days, and businesses are seeing cost savings through the utilization of broadband links. IT teams are also seeing a huge benefit with a centralized console (vManage) that provides them with a comprehensive view of all devices and clients connected to the network. They can make configuration changes, add security policies, see the health of their links and much more directly from within vManage.

With a long history and vast experience working with Cisco ISR routers and leveraging Viptela SD-WAN, Jesse tells me it was the logical next step to deploy Cisco’s latest iteration of the solution that brings the two together. In fact, Katalyst has deployed the solution at a number of customer sites, both big and small, and across industries including financial, manufacturing, and retail. “Cisco SD-WAN has continued to be the clear winner for us,” Jesse says.

And Katalyst’s track record, together with Cisco, is able to drive change, and customers are taking notice. A recent IDC report states that, “Cisco holds the largest share of the SD-WAN infrastructure market, fueled by its extensive routing portfolio that is used in SD-WAN deployments…”

SD-WAN Tastes Pretty Good!

“Customer experience is at the center of what we do at Katalyst,” says Jesse. “There is no bigger priority for us.” To that extent, Katalyst follows the motto of ‘eating their own dog food’ or ‘sipping their own Champagne’, whatever vernacular you prefer. And that’s exactly what Katalyst did when it decided to implement SD-WAN on Cisco ISR routers across its offices in the Southeast, United States. “Our needs and applications are no different than that of our clients” says Jesse. Katalyst’s network and applications are distributed across multiple SaaS providers, with some residing on premise (they also make use of the Cisco Hyperflex HX platform) delivering on a true hybrid cloud approach.

“Cisco SD-WAN gives us the opportunity to leverage our investments and achieve our desired business outcomes,” says Jesse. “No longer do we have to discriminate against applications due to provider brownouts, our SD-WAN solution seamlessly finds the best path at the best time and orchestrates the desired outcome.” Pretty awesome if you ask me!

Simplifying SD-WAN

During our conversation, Jesse emphasized that customers are begging for simplicity and more importantly, more flexibility and control. And Katalyst has responded with a white-labeled Cisco-based SD-WAN managed service for its customers. In fact, many of Katalyst’s customers choose to deploy SD-WAN via the company’s managed service to reduce the complexities associated with in-house WAN deployments and accelerate access to cloud applications. The reasons are numerous and include cost savings, security enhancements, simplification and consolidation, lack of internal skills and or resources to manage it, expanding to multiple branches, and more.

“The commoditization the industry has experienced in the last half a decade has allowed our clients to strategically shift dollars from large private connectivity costs, into connectivity that is both smarter and closer to the final destination,” says Jesse. “This ultimately provides our own clients with a superior user and application experience.

SD-WAN Security

Lastly, we spoke about Cisco SD-WAN Security and the benefits associated with an integrated solution. The security aspects and integrations in Cisco SD-WAN are paramount for Katalyst’s customers that have highly secure environments — think financial and retail environments. “It’s a big driver for them to consume SD-WAN,” says Jesse. Integrated security features including Duo, Umbrella, Firewall, IPS, URL Filtering, AMP and more, mean Katalyst and its customers can leverage investments and integrations in protections they already have and are familiar with. This turns out to be a really big bonus for Katalyst and many of its customers.

“In our region alone,” says Jesse. “We are seeing more than 5,000 security positions going unfilled year after year, clients know they can’t compromise, and have to look for integrations and scalability.” This is where Cisco SD-WAN and Katalyst’s managed services solution really shine, by offering customers a no-compromise, scalable, and integrated solution.

Continue reading

Cisco DNA Center Template Archive/Restore

Background

I have written a number of blogs about CLI templates in Cisco DNA Center.  These templates can be used as part of the “provisioning” workflow in the UI, or programmatically directly from the API.

One question that often comes up is the ability to share templates through archive and restore.  This utility provides this capability.  This is useful when sharing templates or taking templates from one DNA Center to another (e.g. Development -> Production).

Installing

The code can be cloned from  github. I recommend you use a virtual environment, but this is optional.

git clone https://github.com/CiscoDevNet/DNAC-TemplateTool.git

python3 -m venv env3
source env3/bin/activate

There is one dependency, that is the dnacentersdk. This is contained in the requirements.txt file.

pip install -r requirements.txt

The final step is to setup the environment variables to connect to dnacenter. There is a sample in env_dnac. You will need to edit these to point to your DNA Center. You need to use the source command to make these active.

source vars_dnac

Getting Started

Once you have installed the dependencies and modified the environment variables, you can run the script. Running the script with no arguments will dump the templates in json format. You can save this to a file.

./template_archive.py > all.json

You can then use this file as the input to restore the templates.

$ ./template_archive.py --restore all.json
['Cloud DayN Templates/DMVPN Spoke for Branch Router - System Default/1', 'Cloud DayN Templates/DMVPN for Cloud Router - System Default/1', 'Cloud DayN Templates/IPsec for Branch Router - System Default/1', 'Cloud DayN Templates/IPsec for Cloud Router - System Default/1', 'Onboarding Configuration/3k-stack/1', 'Onboarding Configuration/3k-stack/2', 'Onboarding Configuration/9300-sdwan/1', 'Onboarding Configuration/DMVPN Hub for Cloud Router- System Default/1', 'Onboarding Configuration/IPsec 1 Branch for Cloud Router - System Default/1', 'Onboarding Configuration/IPsec 2 Branch for Cloud Router - System Default/1', 'adam/int-desc/1', 'adam/int-desc/2', 'adam/int-desc/3', 'adam/int-desc/4', 'adam/int-desc/5', 'adam/loop/1', 'adam/loop/2', 'adam/loop/3']
Updating template:DMVPN Spoke for Branch Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN Spoke for Branch Router - System Default, version 1.  Mismatch with existing version1
Updating template:DMVPN for Cloud Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN for Cloud Router - System Default, version 1.  Mismatch with existing version1
Updating template:IPsec for Branch Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template IPsec for Branch Router - System Default, version 1.  Mismatch with existing version1
Updating template:IPsec for Cloud Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template IPsec for Cloud Router - System Default, version 1.  Mismatch with existing version1
Updating template:3k-stack, CurrentVesion:2, NewVersion:1
Skipping template 3k-stack, version 1.  Mismatch with existing version2
Updating template:3k-stack, CurrentVesion:2, NewVersion:2
Skipping template 3k-stack, version 2.  Mismatch with existing version2
Updating template:9300-sdwan, CurrentVesion:1, NewVersion:1
Skipping template 9300-sdwan, version 1.  Mismatch with existing version1
Updating template:DMVPN Hub for Cloud Router- System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN Hub for Cloud Router- System Default, version 1.  Mismatch with existing version1

As expected, nothing happens as all of the templates are already present.  The script checks the version of the template before updating it.  If you were to remove a template, or a project, they would be restored.  Alternatively, you could restore to a different DNA Center and the templates would be added there.

Anatomy of a Template

Templates consist of the following sections, properties, variables and the template body. Each of these are stored together in a version.  The following picture shows three different versions of a template, each with a different set of properties, variables and template body.

Components of a template

An example of the template properties appears below.  There are two mandatory properties

◈ the device type, which can be as broad as a family (e.g. all switches) or as narrow as a particular model (e.g. Catalyst 9300).

◈ The operating system E.g. IOS-XE.

Template Properties

Variables are defined in a template ($hostname) is an indication of a variable.  A variable can have a type, a default value, or in some circumstances, be marked as not a variable.  This is useful for encrypted passwords, where “$” might appear as part of the configuration.

Template Variable Properties

The final part of the template is the body.  This is velocity syntax.  The following extremely simple template sets the hostname of a device.    Hostname is also a variable.

Template body

Templates are stored in projects, which you can think of like a folder in a directory structure.  The template name inside a project is unique, while different projects can contain a template with the same name.  Remember, although these templates share the same name, they are different instances as they are in different projects.  You can see an example of projects below. “Onboarding Configuration” and “Cloud DayN Templates” are two projects that are always present.

Template Projects

Continue reading