Wednesday, 16 September 2020

Adapting to the New Work Environment through Automation


This blog is one in a series focusing on aspects of Cisco DNA and intent-based networking. #IntentBasedNetworking

It’s such an odd time right now. Standing where we are, we know the world and the workforce is changing. While there’s universal consensus that nothing will be the same, no one is sure exactly what the new workforce environment will look like. Sure, there are hints. According to a recent IDC webinar—COVID 19 and Enterprise Networking—Assessing the Impact, Planning for the Future—the number of remote workers will surge from less than 7% to nearly 30%. And networks will need to change to support business continuity in this geographically dispersed workforce with application and collaboration experiences that mirror those in the office.

But what will that look like? VPN? Cloud?

One sure thing is that network automation will play an increasingly important role going forward. The same IDC report bears this out, indicating that, at 48%, the number one area of increased IT investment will be for network automation. Why? Because regardless of how IT pivots to support distributed workers, the infrastructure required to handle that load will be more complex and more demanding. The management task is simply too heavy a lift to perform manually. It must be handled through automation.

This distributed workforce requirement aligns with the core automation capabilities built into Cisco DNA Center. We have always touted the time and cost savings available using Cisco DNA Center automation capabilities. Those benefits still remain. However, the emphasis moving forward will be on business resilience and continuity.

Cisco DNA Center automation works because it uses business intent to define how a network should run. Then it defines policies and configurations to ensure the network operates as intended. Then—and here’s the real power—Cisco DNA Center automatically pushes those policies and configurations throughout the network. Even a geographically distributed network.

There are several aspects of the new workforce environment that require this higher level of automation: deployments, complexity, consistent experience, configuration changes, security, and software maintenance. Let’s take a closer look at each.

Deployments


As enterprises scramble to support work from home, the number of new device deployments—for remote access, security, and routing—has exploded. The number and overnight turnaround makes managing the deployments manually nearly impossible. An IT department with a dozen techs can’t scale up to instantaneously deploy thousands or tens of thousands of remote deployments over one weekend. And I’ve heard story after story of exactly that being what Cisco DNA enabled.

Complexity


Complexity is likely to grow as organizations adapt to a more remote workplace. This is because of two factors—distribution and control. First, as workers work from home, the number of points of connection will become more distributed. And, second, the organization has less control over the technology in those home office environments. Sure, you can send virtual office routers, but you won’t have control over the ISP or wiring in the house. This makes access policy more difficult to implement and enforce – and configurations more difficult to establish and manage.

It’s just not realistic to assume that any IT department would have the manual resources to tackle this complexity. That’s where Cisco DNA automation comes in. You can establish different configurations for remote offices, headquarters, even different ISPs, then use Cisco DNA Center to automatically configure all of the necessary devices to support that remote access.

Consistent Experience


One of the things I keep hearing about the shift to working remotely is that employees don’t see their home office as workplace lite. It’s their new office. To deliver the same level of productivity, employees need to have an experience that’s consistent with the one they had in the campus or branch. That means consistent application access and performance, even while working from their new home office.

Sure, some of this consistent experience is dependent on the network devices used in the remote office. But consistent configurations and access policies are even more important. Again, with the number of home office locations exploding, there is no way for an IT department to manually provision all of these offices for optimal experience. And, if they try, the manual effort is guaranteed to introduce configuration errors that diminish the expected application and access experience and create potential security vulnerabilities.

Configuration Changes


While remote workplaces will be a big part of future collaboration, so will change. Employees may more frequently migrate between remote and campus environments. And enterprises may need to continually change configurations, policies and access permissions to accommodate this new demand for flexibility.

Through the configuration templates and automated deployment already discussed, Cisco DNA Center helps you easily make these changes. More importantly, because of the intent-based templates, those changes, regardless of how quickly they need to be deployed, will maintain the same level of consistency and application support as the initial deployment.

Security


With the expanded threat surface created by more remote work environments, security is a huge concern going forward. Vulnerabilities may be introduced into the network during rollout and management through deployment glitches, missed security patches and non-integrated security applications. The automation capabilities of Cisco DNA Center help with all three.

For deployments, the automated nature of Cisco DNA deployments uses consistent configuration templates and significantly reduces manual errors, thereby greatly minimizing the introduction of security vulnerabilities through incomplete or inaccurate deployments.

Going further, Cisco DNA Center has security integrated into its automation capabilities. First, all applications are under constant attack and require effective security patch management to quickly address vulnerabilities. Cisco security advisories are made available from within Cisco DNA Center. The highest-level threats for devices on your network rise to the top of the list, where you can directly download and deploy the new patches to all affected devices.

In addition, Cisco DNA Center integrates several Cisco security solutions right into the solution dashboard. Stealthwatch and Umbrella can be deployed directly from within Cisco DNA Center. And rogue and adaptive wireless intrusion prevention is built right into the solution. As a result, security and network management, both in greater demand in this new environment, can be more effectively managed through the automation capabilities of Cisco DNA Center.

Software Maintenance


In the best of times, maintaining current versions of system software for all of your network devices can be a challenge. But when those devices are distributed across thousands or tens of thousands of remote worksites, the job can no longer be done with manual updates.

Again, Cisco DNA Center automation capabilities help you overcome this challenge. Cisco DNA Center can actively discover all the system software versions on your network devices, highlight those that are inconsistent or out of compliance, and even push the correct, up-to-date image to the identified network devices. All automatically from your Cisco DNA Center dashboard and regardless of location. In fact, you can even define different configurations by location and keep those up to date as well.

The bottom line is no one really knows the exact shape of the future workforce environment. But Cisco DNA Center automation capabilities all support the agility, flexibility, and remote access that will help you adapt as we all move forward.

Tuesday, 15 September 2020

Managing a safer return to work with Cisco DNA Spaces — An early report

As pandemic restrictions ease, we’re working to manage a safer return to the office. Our strategy includes monitoring workspace density. If people are maintaining the recommended distance, we’ll consider inviting more people back. If not, we’ll pause.

This blog is an update to the initial plans I shared in Helping to keep employees safe by measuring workspace density with Cisco DNA Spaces. As I write this, we’re using Cisco DNA Spaces to monitor workplace density in 20 Cisco offices, including several in Asia Pacific and Europe. Here are our experiences after the first few months, and what’s ahead.

Counts are accurate


Before using Cisco DNA Spaces to monitor workspace density, we needed to confirm that most people in our buildings connect at least one device—phone, tablet, or laptop. In the first offices to open, Seoul and Beijing, we assigned people to count the number of people entering and exiting each floor lobby. The count closely matched the Cisco DNA Spaces count, giving us the confidence to move ahead.


To make sure we don’t count one person with a connected laptop, tablet, and phone as three people, Cisco DNA Spaces groups all devices that log in with the same username. Privacy is a top priority at Cisco, so we don’t capture or store the username. Instead it shows up as a string of random characters (a hash) that can’t be mapped back to a person.

Grouping devices by username was one of our suggestions as “Customer Zero.” While we’re not the first company to use Cisco DNA Spaces, we are the first to use it to monitor workspace density to plan a safer return to work. As Customer Zero we’re giving the DNA Spaces product team our feedback as a customer so they can continually improve the product. We’re also sharing our experiences with other customers, as I’m doing here, to help them get the most value from their own deployments.

More accurate than the access-control system


Before the pandemic, our Workplace Resources (WPR) team estimated building occupancy based on data from the access-control system. But badge-in data has limitations for measuring workplace density. One problem: it doesn’t report when people exit the building. If 500 people enter a building throughout the day, at 4:30 p.m. there could be 500 people (dense)—or 100 (less dense). Another drawback of badge data is that readers typically are only at the building entrance—not on each floor. We don’t know if everyone is on one floor or they’re spread out across all floors.

Cisco DNA Spaces solves both problems. We can see how many people are present right now. And we can also see which floor people are on. We can even divide floors into zones, measuring density by zone.

What if people are too close?


The sooner we find out that too many people are in a particular zone, the sooner we can take action to get back to target density. Using the DNA Spaces Right Now app, we entered rules—for example, no more than 20 people in building 14, floor 1, zone A. If that rule is broken, the app sends an alert to the specified teams—via email, in a Webex Teams space, or another system. Our WPR team prefers Webex Teams alerts so they don’t have to worry about missing an email.
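The two mechanisms described above, grouping a person’s devices under one hashed identifier and raising an alert when a zone exceeds its limit, as an added example (it is not Cisco DNA Spaces code, and the association records, zone names and the key are constructed). It goes one step past the post’s “string of random characters (a hash)”: the identifier here is a keyed HMAC rather than a plain hash of the username, so an exported count cannot be unmasked by hashing a list of likely usernames.

```python
"""Occupancy counting with pseudonymous user identifiers and per-zone density
rules, as an added example of what the post describes.  Not Cisco DNA Spaces
code.  The identifier is a keyed HMAC, not a plain hash, so a list of likely
usernames cannot be hashed to unmask it."""
import hashlib
import hmac
from collections import defaultdict

# Constructed per-deployment secret; keep it in a secrets store, apart from the counts.
PSEUDONYM_KEY = b"constructed-demo-key"

# Constructed association records (username, zone), one per connected device.
# alice has a laptop, tablet and phone in zone A and must count as one person;
# twenty more users put the zone one over the post's example limit of 20.
SAMPLE_ASSOCIATIONS = (
    [("alice@example.com", "B14-F1-A")] * 3
    + [(f"user{i:02d}@example.com", "B14-F1-A") for i in range(20)]
    + [("bob@example.com", "B14-F1-B")] * 2
)
# "no more than 20 people in building 14, floor 1, zone A"
RULES = {"B14-F1-A": 20, "B14-F1-B": 20}


def pseudonym(username, key=PSEUDONYM_KEY):
    """Stable, non-reversible identifier for one person; normalised so that
    Alice@Example.com and alice@example.com are the same person."""
    return hmac.new(key, username.strip().lower().encode(), hashlib.sha256).hexdigest()


def count_people(associations, key=PSEUDONYM_KEY):
    """Return {zone: people}.  Only pseudonyms are retained, and each person is
    counted once per zone however many devices they connected."""
    present = defaultdict(set)
    for username, zone in associations:
        present[zone].add(pseudonym(username, key))
    return {zone: len(ids) for zone, ids in present.items()}


def evaluate_rules(counts, rules):
    """Return one alert per zone whose headcount exceeds its limit."""
    return [
        {"zone": zone, "people": counts.get(zone, 0), "limit": limit}
        for zone, limit in rules.items()
        if counts.get(zone, 0) > limit
    ]


def alert_message(alert):
    """Text for the Webex or e-mail notification the post mentions."""
    return (f"Density alert: {alert['people']} people in {alert['zone']} "
            f"(limit {alert['limit']})")


def occupancy():
    return count_people(SAMPLE_ASSOCIATIONS)


def alerts():
    return evaluate_rules(occupancy(), RULES)


if __name__ == "__main__":
    for a in alerts():
        print(alert_message(a))
```

Run as-is it reports zone A at 21 people against a limit of 20; alice’s three devices contribute one person, which is the grouping the post describes. Rotating `PSEUDONYM_KEY` changes every identifier, so identifiers from different key periods cannot be joined, a useful property if the counts are retained for the historical occupancy displays mentioned later in the post.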

Beyond density measuring


During the pandemic our WPR team is cleaning surfaces more frequently. They can see which areas are the most heavily trafficked (and need more frequent cleaning) by checking the Right Now app. Some of our other ideas:

◉ Show floor occupancy to employees to help them decide when and where to work. We plan to integrate Cisco DNA Spaces with digital signage and our employee self-check app for COVID-19 symptoms, Cisco Office Pass. Employees will see historical occupancy of different areas of the building at different times. (You might have seen this on store and hospital ER websites). We’ll use Cisco DNA Spaces Firehose API to integrate with digital signage and the mobile app.

◉ Bring more kinds of sensor data into Cisco DNA Spaces, such as Cisco Meraki door intrusion sensors and cameras.

◉ Report the location of things as well as people. We could track expensive engineering and test equipment, for example, and alert security staff when wireless devices leave the building with someone other than their registered owner.

◉ Provide wayfinding (aka blue-dot navigation) on a mobile app. We’re already trying this out in the Cisco LifeConnections Health Center.

◉ Improve safety during disasters. When a building is evacuated, we can check if any devices remain connected to Wi-Fi. We’re thinking that employees who want to associate their name with their location will be able to opt in.

Lesson learned: check if building maps are accurate


Here’s a lesson learned from our experience as Customer Zero. Be sure to double-check access point locations, height, and orientation on building maps before uploading the maps to DNA Spaces. In our case, inaccurate building maps complicated deployment for the first few buildings. The maps had “drifted” over time as building layouts changed and access points were installed and moved. If an access point isn’t where you think it is, the reported location of devices connected to that access point won’t be accurate.

Monday, 14 September 2020

Using the New Cisco SD-WAN SDK

What is a Software Development Kit (SDK)?


Put simply this is a set of tools, libraries, and documentation to simplify interacting with a REST API. The Cisco SD-WAN Python SDK is a Python-based SDK for Cisco vManage. The SDK is intended for anybody interested in automating the configuration and operation of Cisco SD-WAN deployments using Python.

What can you do with the SDK? 


The SDK enables configuration and operations of Cisco vManage via Python-based API bindings. In a traditional SD-WAN deployment, nearly all management of the SD-WAN control plane and overlay of VPNs and edge devices is done via the Cisco vManage GUI. The SDK allows automation of vManage via Python without any GUI interaction. The following examples illustrate some of the benefits of interacting with Cisco vManage programmatically.

◉ Integration with other platforms
◉ Basic management of policy or device/feature templates
◉ Backup/restore
◉ CI/CD

So, let’s get started:

Installing the Cisco SD-WAN SDK


The Cisco SD-WAN SDK is available via PyPI, so all that is required is “pip install”. It is also recommended to use a virtual environment. 


You are now able to use the SDK. The SDK has a great help function built-in too, just in case you find yourself stuck. 


Using the Cisco SD-WAN SDK


In this example, we can use the Always-On DevNet SD-WAN Sandbox. First we set credentials as environment variables from the sandbox supplying valid values for the following variables: 


Next, open your Python shell (in this example I am using the plain Python interpreter). Create an authentication object and call the login function. Once you are authenticated to Cisco vManage, make API calls by creating an instance of the API object you are interested in (e.g. Device, Settings, Local Policy, etc.) and calling the functions from that object. The example below retrieves a list of all devices on the DevNet SD-WAN sandbox.

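The flow just described (credentials from environment variables, an authentication object whose `login()` establishes the session, then an API object such as `Device` that returns the device list) as an added example. This is not the Cisco SD-WAN SDK’s own code; it talks to the vManage REST endpoints underneath (`/j_security_check`, `/dataservice/client/token`, `/dataservice/device`) through an injected `transport` callable, so the same client can run through `urllib` against a real vManage or against the constructed in-memory `FakeVManage` included below, which is what lets the example run offline. The environment variable names, the host name and the credentials are assumptions; the sandbox screenshot with the real variable names is not reproduced here.

```python
"""vManage login-then-query flow (authentication object -> login() -> API
object -> device list) as the post describes it.  Added example, not the Cisco
SD-WAN SDK's own code.  The HTTP layer is an injected callable
transport(method, path, headers, body) -> (status, headers, body): urllib for a
real vManage, or the constructed stand-in at the bottom for an offline run."""
import json
import os
from http.cookiejar import CookieJar
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import HTTPCookieProcessor, Request, build_opener

# Variable names are an assumption; the post's sandbox screenshot is not reproduced.
ENV_HOST, ENV_USER, ENV_PASS = "VMANAGE_HOST", "VMANAGE_USER", "VMANAGE_PASSWORD"

def urllib_transport(base_url):
    """Real transport; the cookie jar carries JSESSIONID between calls.  TLS
    verification stays on: for a lab CA, point SSL_CERT_FILE at its bundle."""
    opener = build_opener(HTTPCookieProcessor(CookieJar()))

    def send(method, path, headers, body):
        req = Request(base_url + path, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send

class Authentication:
    """The post's 'create an authentication object and call the login function'."""
    def __init__(self, host, user, password, transport=None):
        self.user, self.password = user, password
        self.transport = transport or urllib_transport(f"https://{host}")
        self.xsrf_token = None

    @classmethod
    def from_env(cls, transport=None):  # credentials from the environment, not from source
        return cls(os.environ[ENV_HOST], os.environ[ENV_USER], os.environ[ENV_PASS], transport)

    def login(self):
        form = urlencode({"j_username": self.user, "j_password": self.password}).encode()
        status, _, body = self.transport("POST", "/j_security_check",
                                         {"Content-Type": "application/x-www-form-urlencoded"}, form)
        # A bad password gets HTTP 200 plus an HTML login page: an empty non-HTML body is success.
        if status != 200 or b"<html" in body.lower():
            raise PermissionError("vManage login failed")
        status, _, body = self.transport("GET", "/dataservice/client/token", {}, None)
        if status != 200:
            raise RuntimeError("could not fetch XSRF token")
        self.xsrf_token = body.decode()  # echoed back on later API calls
        return self

    def request(self, method, path, payload=None):
        headers = {"Accept": "application/json", "X-XSRF-TOKEN": self.xsrf_token or ""}
        body = None if payload is None else json.dumps(payload).encode()
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, _, raw = self.transport(method, path, headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return json.loads(raw)

class Device:
    """API object for the device endpoint; used once login() has succeeded."""
    def __init__(self, session):
        self.session = session

    def get_device_list(self):
        return self.session.request("GET", "/dataservice/device")["data"]

class FakeVManage:
    """Constructed stand-in: checks the form login, hands out a token, refuses the rest."""
    def __init__(self, user, password):
        self.creds, self.logged_in, self.token = (user, password), False, "demo-xsrf-token"
        self.devices = [  # constructed inventory
            {"host-name": "vmanage", "device-type": "vmanage", "system-ip": "10.10.1.1"},
            {"host-name": "dc1-cedge1", "device-type": "vedge", "system-ip": "10.10.1.11"},
        ]

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == "/j_security_check":
            fields = dict(parse_qsl(body.decode()))
            if (fields.get("j_username"), fields.get("j_password")) == self.creds:
                self.logged_in = True
                return 200, {}, b""
            return 200, {}, b"<html>login page</html>"
        if not self.logged_in:
            return 403, {}, b""
        if path == "/dataservice/client/token":
            return 200, {}, self.token.encode()
        if headers.get("X-XSRF-TOKEN") != self.token:
            return 403, {}, b"bad XSRF token"
        if path == "/dataservice/device":
            return 200, {}, json.dumps({"data": self.devices}).encode()
        return 404, {}, b""

def demo():
    """Offline run of the whole flow; returns the device host names."""
    session = Authentication("vmanage.example.invalid", "admin", "example-only",
                             transport=FakeVManage("admin", "example-only")).login()
    return [d["host-name"] for d in Device(session).get_device_list()]
```

Against a real controller the same three lines are `Device(Authentication.from_env().login()).get_device_list()`, with the host and credentials exported in the environment beforehand. Two details matter for anyone writing their own client: vManage signals a failed login with an HTTP 200 and an HTML body rather than a 401, so the success check must look at the body, and the XSRF token obtained after login has to accompany later requests (a real vManage insists on it for POST, PUT and DELETE; the stand-in demands it on every call to keep the demo short).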

Source Code 

You can also get the source code, as the SDK is developed as a community project on GitHub. To get the source code go to DevNet Code Exchange. You can then install the package to your environment for development purposes:


Saturday, 12 September 2020

Securing Remote and Mobile Workers the Webex Way

In this unprecedented time where remote work has expanded and become the norm – Webex continues to innovate to give our customers the tools they need to keep their remote workers secure – whether they’re on the go on their personal mobile devices or safely working from home using company managed devices.

New Mobile Security and Granular Controls


Mobile Webex IT Administrators have been clamoring for more granular policy enforcement tools and also more integrations with their existing tool sets. To solve for both of these, Webex now has integration with Microsoft Intune Mobile Application management, including:

◉ Passcode/Touch ID

◉ Document sharing

◉ Preventing application backup

◉ Disabling screen capture

◉ Enforcing Application Encryption

◉ Disabling Copy and Paste

◉ Remote Application Wipe

And for those customers who aren’t using Intune, Webex allows them to secure the Webex mobile apps by self-wrapping them with their preferred Mobile Application Management solution’s SDK, for which Webex provides the app binaries.

In addition, Webex now supports AppConfig – the industry standard for Mobile Application Management. Customers can deploy several policies like disable copy and paste across virtually any MDM solution.

Finally, Webex is continuing to augment native Control Hub Mobile Application Management controls and just released a capability to block message notifications on mobile screens to prevent against data loss on unattended devices.


Securing Your Remote Workforce with Granular Tools 


Another capability that we’ve added is blocking file sharing for groups. For instance, you may have a group of contractors in your company and you don’t want to run the risk of your contractors sharing sensitive data files from their desktop – so now you can set up policies that prevent groups from sharing their files – based on their group classification in your Active Directory. Using Cisco Directory Connector – Webex administrators can get group information directly from their Active Directories – directly from the Webex Control Hub. They can set up groups of people – like contractors vs. employees; investment bankers vs. retail bankers; or groups of those who provide patient care vs. those in financial administration.


Figure 1 – Active Directory groups in Webex Control Hub

Without having to go back to their Active Directories – Webex admins can:

◉ View all active directory groups

◉ Search for a specific active directory group

◉ View all members in an active directory group

◉ View group attributes like usage, type, owner and number of members

Webex Control Hub gets this information by syncing with the customer’s active directory. And customers can choose how frequently they sync and when and what to sync. This is such a streamlined workflow for customers who are accustomed to having to sync by individual user. And we’ll be adding new security controls based on Active Directory groups in the future.

Additionally, Webex Admins can:

◉ Control file upload only, or both file upload and download

◉ Only allow people to upload when they are on the corporate VPN network

◉ Define their network location by IP range and IP addresses – and they can enable file sharing restrictions based on those addresses & ranges

New Webex Space Classifications


Webex space classifications can help enable companies to safeguard content by labeling spaces and then having 100 characters of explainer text for each.


Figure 2 – Webex Teams space classifications

Webex administrators can set up any five labels that they want within Control Hub. Many companies will elect to set their policies around security – for instance:

◉ Public

◉ Private

◉ Confidential

◉ Highly confidential

◉ Restricted

And then the creator of the space would label and add up to 100 characters of explainer text for each space he or she creates.

Additionally, Webex administrators can build data loss prevention policies in their Cloud Access Security Broker – using the APIs that Webex provides – for instance – they could prohibit file uploads in a space that’s classified as “Top Secret.” Or they can set up policies for when users collaborate with someone outside of their company – and those external users will get an alert that the space they are entering has a classification.

Users also have the ability to elevate the space classification – but they can’t lower the space classification. For instance, if someone in a space starts introducing confidential information in a public space, the creator or space owner could change that space classification to “confidential.”

Unparalleled Security for Remote Work


Whether it’s the ability to secure mobile devices so users can safely use Webex on the go, or granular tools to prevent data leakage – Cisco has unparalleled security to secure your remote work force.

Thursday, 10 September 2020

Introducing Stealthwatch product updates for enhanced network detection and response


We are very excited to announce new features of Cisco Stealthwatch! With release 7.3.0, we are announcing significant enhancements for the Stealthwatch Administrator and the Security Analyst to detect and respond to threats faster and manage the tool more efficiently.

Automated Response updates


Release 7.3 introduces automated response capabilities to Stealthwatch, giving you new methods to share and respond to alarms through improvements to the Response Management module, and through SecureX threat response integration enhancements.

New methods for sharing and responding to alarms

Stealthwatch’s Response Management module has been moved to the web-based UI and modernized to facilitate data-sharing with 3rd party event gathering and ticketing systems. Streamline remediation operations and accelerate containment through numerous new ways to share and respond to alarms through a range of customizable action and rule options. New response actions include:

◉ Webhooks to enhance data-sharing with third-party tools that will provide unparalleled response management flexibility and save time

◉ The ability to specify which malware detections to send to SecureX threat response as well as associated response actions to accelerate incident investigation and remediation efforts

◉ The ability to automate limiting a compromised device’s network access when a detection occurs through customizable quarantine policies that leverage Cisco’s Identity Services Engine (ISE) and Adaptive Network Control (ANC)


Figure 1. Modernized Response Management module with new response action options

SecureX threat response integration enhancements

Get granular and be specific with flexible rule configurations that provide the ability to:

◉ Define which alarms from Stealthwatch are shared with SecureX threat response

◉ Base shared alarms on multiple parameters, such as alarm severity, alarm type, and host group

◉ Share alarms from mission-critical services with the ability to define incident confidence levels, how target objects are formed, and rule conditions based on targets created for internal or external hosts


Figure 2. Customize which alarms are sent to SecureX threat response by severity

SecureX platform integration enhancements

Cisco’s SecureX platform unifies visibility, centralizes alerts, and enables automation across your entire security infrastructure on a single dashboard. Maximize operational efficiency, eliminate repetitive tasks, simplify business processes, and reduce human errors by:

1. Automating responses with pre-built workflows through SecureX’s orchestration capabilities
2. Creating playbooks with all your integrated security tools through SecureX’s intuitive interface


Figure 3. SecureX’s pre-built workflows and customizable playbooks

Enhanced security analytics


As threats continue to evolve, so do the analytical capabilities of Stealthwatch to deliver fast and high-fidelity threat detections. The cloud-based machine learning engine (Cognitive Intelligence) has been updated to include:

◉ New confirmed detections
◉ New machine learning classifiers for anomalous TLS fingerprint, URL superforest, and content spoofing detections
◉ Smart alert fusion in the new user interface (currently available in beta)
◉ New Stealthwatch use cases including Remote Access Trojan and Emotet malware detections


Figure 4. An example of the new content spoofing detector classifier in action.


Figure 5. Stealthwatch’s new GUI with smart alert fusion.

Easier management


Web UI improvements

Don’t let the setup process slow you down! Optimize installation with web UI enhancements that reduce deployment time and support full configuration of both the appliance and vital services before the first reboot, to save time.

Flow Sensor versatility and visibility enhancements

Get visibility into more places than ever before through ERSPAN (Encapsulated Remote Switch Port Analyzer) support now added to Flow Sensors. Benefits include:

◉ Visibility improvements through the ability to see within VMware’s NSX-T data centers to facilitate Flow Sensor deployment and network configuration

◉ Removed requirement of direct physical connectivity

◉ ACI traffic monitoring from Spine and Leaf nodes

Wednesday, 9 September 2020

Teleworker Solution Using OEAP on Catalyst 9800 WLC

As knowledge workers continue to work remotely, work from home has rapidly escalated from one of many remote work options to “the remote work option”. For Network Administrators, this means enabling employees with the basics – laptops and corporate network connectivity, and optimizing application delivery despite unpredictable network performance due to bandwidth contention and latency. This can also result in increased tech support calls from the end-user complaining about the VPN connectivity and poor network performance.

Cisco’s OfficeExtend Access Point (OEAP) allows a Network Administrator to extend the secure, scalable, and manageable corporate WLAN across the internet to the Teleworker’s (employee’s) home. This allows the Teleworker to securely connect back to the private network from their home simply using their regular wireless profile and not having to set up a VPN or other type of remote access. Remote users will be able to connect, have access to corporate resources, and “feel” just like they are connected to the wireless network at the corporate office.

The ease of work from home for employees should not come at a cost of increased administrative load and pre-configuration of access points for network admins. To address this, Cisco’s Office Extend feature makes the remote work option seamless for employees as well as for network administrators using zero-touch deployment.

The simple architecture of OfficeExtend consists of the remote site and corporate office components. The remote site is the home network of the Teleworker and consists of a home router and Cisco’s OfficeExtend Access Point. The Office component consists of Cisco PnP cloud and Catalyst 9800 Wireless LAN Controller.


Cisco OfficeExtend architecture.

How does it work?


Cisco’s Teleworker Solution using OfficeExtend AP focuses on zero-touch deployment and significantly reduces the extra effort of employee-specific access point configuration. The network administrator does not have to preconfigure the access points, and they can be shipped directly to the Teleworker’s home with no configuration. The Teleworker just needs to power up the Cisco AP and connect it behind the home router. The AP will boot, connect to the corporate Wireless LAN Controller (WLC), and start broadcasting the corporate wireless network at the Teleworker’s home.

Admins can use Cisco’s Network Plug and Play (PnP) to provision the APs. On the PnP cloud, admins will have the profiles defined for APs based on the AP serial number. The controller profile has information about the primary and secondary IP address of the corporate WLC. The admin can simply import the AP serial numbers using a CSV file and assign them a controller profile.


Workflow for Cisco Teleworker Solution using OfficeExtend AP.

Let’s explore the workflow in detail. After initial boot-up, the AP will get an IP address from the home router and connect to the PnP cloud at software.cisco.com. When the PnP cloud receives the redirection request from the AP, it will check the serial number, assign the controller profile, and send the corporate wireless controller’s IP address to the AP. The AP will then use this IP address to form a secure CAPWAP tunnel with the corporate WLC.

Once the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel is formed, the AP will download the latest available software and all the advanced configurations from the corporate WLC. After the AP joins the controller as an OEAP it will start broadcasting the corporate wireless network at the Teleworker’s home. The Teleworker can now connect to this wireless network using secure enterprise authentication, and access the corporate resources and the internet. To make sure that unauthorized APs cannot join the corporate WLC, the admin can enable AP authentication on the WLC.
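The admin-side part of this workflow (the CSV of AP serial numbers mapped to controller profiles, the PnP redirect that hands a booting AP its WLC addresses, and the WLC’s AP authentication check that keeps unlisted APs out) as an added example. This is not Cisco PnP or Catalyst 9800 code: the CSV columns, the controller-profile dictionary, the serial-number pattern and the WLC addresses are constructed assumptions, and the allow-list is keyed on the serial number here purely for illustration (the WLC’s own authorization mode decides what the real key is). The point it demonstrates is that one validated inventory feeds both the PnP assignment and the WLC authorization list, so an AP that was never in the inventory gets neither a redirect nor a CAPWAP join.

```python
"""One inventory CSV feeding both the PnP controller-profile assignment and
the WLC's AP authorization allow-list.  Added example, not Cisco PnP or
Catalyst 9800 code; the CSV columns, profile dictionary, serial pattern and
addresses are constructed, and keying the allow-list on the serial is an
assumption made for illustration."""
import csv
import io
import re

# Constructed inventory of shipped OEAPs, with deliberate bad rows.
INVENTORY_CSV = """serial,controller_profile,teleworker
FCW2212L0AB,oeap-hq,alice
FCW2212L0AC,oeap-hq,bob
fcw2212l0ab,oeap-hq,alice again (duplicate)
NOTASERIAL,oeap-hq,carol
FCW2212L0AD,oeap-branch,dave
"""

# Controller profiles as defined on the PnP cloud: primary/secondary WLC addresses.
CONTROLLER_PROFILES = {
    "oeap-hq": {"primary": "203.0.113.10", "secondary": "203.0.113.11"},
}

# Assumed shape of a Cisco serial number: 11 characters, e.g. FCW2212L0AB.
SERIAL_RE = re.compile(r"^[A-Z]{3}[0-9]{4}[A-Z0-9]{4}$")


def load_inventory(csv_text, profiles):
    """Return (assignments, auth_list, errors).  Rows that are malformed,
    duplicated or point at an unknown profile are reported, not silently skipped."""
    assignments, errors = {}, []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        serial = row["serial"].strip().upper()
        profile = row["controller_profile"].strip()
        if not SERIAL_RE.match(serial):
            errors.append(f"line {line_no}: malformed serial {serial!r}")
        elif serial in assignments:
            errors.append(f"line {line_no}: duplicate serial {serial}")
        elif profile not in profiles:
            errors.append(f"line {line_no}: unknown controller profile {profile!r}")
        else:
            assignments[serial] = profile
    return assignments, set(assignments), errors


def pnp_redirect(serial, assignments, profiles):
    """What the PnP cloud hands back to a booting AP: its WLC addresses, or None."""
    profile = assignments.get(serial.upper())
    return profiles[profile] if profile else None


def wlc_accepts_join(serial, auth_list, ap_authorization=True):
    """Simulated WLC join decision.  With AP authorization enabled, only APs in
    the allow-list may complete the CAPWAP join; disabled, anything joins."""
    return (not ap_authorization) or serial.upper() in auth_list


def demo():
    assignments, auth_list, errors = load_inventory(INVENTORY_CSV, CONTROLLER_PROFILES)
    return {
        "assignments": assignments,
        "errors": errors,
        "alice_redirect": pnp_redirect("FCW2212L0AB", assignments, CONTROLLER_PROFILES),
        "stranger_joins": wlc_accepts_join("FCW9999Z9ZZ", auth_list),
        "stranger_joins_without_auth": wlc_accepts_join("FCW9999Z9ZZ", auth_list, False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three rejected rows (a case-variant duplicate, a malformed serial, and a profile that does not exist on the PnP cloud) are the kinds of CSV mistakes that would otherwise surface as an AP that never finds its controller. The last two results show why the post’s closing advice matters: with AP authorization off, a serial that was never in the inventory is accepted by the join check.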

What are the Added Advantages of OfficeExtend AP over VPN?


OfficeExtend establishes a secure Datagram Transport Layer Security (DTLS) connection between the access point and the controller. With simple onboarding, the end-user does not need to install any VPN software and can connect multiple devices to the corporate network. Having the corporate SSID broadcast at home makes it easy to connect and eliminates the need to ever sign on to a VPN.


Advantages of OfficeExtend AP over VPN.

How does the Teleworker Solution Benefit Network Admins and Teleworkers?


Teleworker:

Cisco OfficeExtend AP provides the highest level of security and enables the deployment of additional hardware such as Cisco IP phones. This effectively creates a small office for the employee, giving them all the access they would expect while at the office. In addition, the solution allows spouses and children to access the Internet, using a custom personal SSID, without introducing additional security risks to corporate policy.

Network Administrators:

By using the same management, operations, and infrastructure as the corporate WLAN, the OfficeExtend solution simplifies the process of extending real-time, high-performance network services to remote locations. Network admins have more control and visibility which helps in troubleshooting any connectivity issues from the Teleworker side and gives them the ability to differentiate issues between ISP versus corporate. Admins do not have to define new security policies and the existing Cisco TrustSec policies can be extended to have a more secure network.

Recommended Products for Teleworker Solution on IOS XE Software 17.3.1 release:


Teleworker Solution on IOS XE Software 17.3.1

Tuesday, 8 September 2020

Cisco User Defined Network: Defining the Boundaries of Your Network

Networks are the roadways that connect our devices and allow communication to occur between them. We take several aspects of our home network for granted. On our home networks, we can have smartphones, personal computers, smart TVs, smart internet-connected video playback devices (e.g., Apple TV and Google Chromecast), and much more. And there’s something unique that our personal home network allows us to do with these devices. It builds routes — paths for data to travel amongst the various devices — and only amongst the devices on that network. Pretty simple, user-friendly, and convenient stuff, right?

Let’s discuss a specific use case: sharing content from an iPhone to an Apple TV. It starts by simply tapping the AirPlay icon on the iPhone, which lets us see the Apple TV that is on our network. This works because our private home network knows which devices are connected to it and keeps that information cached, allowing quick streaming access from the iPhone to the Apple TV. At home, with just one SSID — of course, you may have more in your particular setup, for example, an additional Guest SSID, but let’s assume we only have one for our scenario — we have simplicity because we’re able to see and use the link-local-multicast-based protocols (like mDNS-based AirPlay) that the smart devices support. We can use these services securely and seamlessly on our private network.

That means a neighbor cannot cast to the Apple TV that resides on my personal network from her iPhone unless she joins my home network. Amazing right? And that’s how it should work. Our home network is where we get to define who gets to utilize the functionalities that our smart devices offer.

But now let’s take that same use case and place it into a different setting: we have a university student named Eddy, living in the campus dormitory at his university, with multiple smart devices, including an iPhone, MacBook, Apple TV, gaming console, printer, and more. Just like Eddy, many other students in the dormitory also have smart devices. But there’s only one SSID for Eddy and all the other students to connect to, and all of Eddy’s smart devices (and those of the others) are connected to that same SSID. Which is fine. Everyone gets a route to the internet and can stream content.

So far, so good. But there’s a caveat now. When Eddy tries to AirPlay from his iPhone, not only does he see his own Apple TV, but he also sees all the other Apple TVs connected to his dormitory’s SSID (see Figure 1). He can cast content to his, or any of the other Apple TVs on the network. This can be a problem as there is no ability to control who uses whose personal devices.


Figure 1: Multiple AirPlay sources available for use on a large network.

This is where Cisco User Defined Network (UDN) comes into the picture. With the Cisco UDN solution, networks (even those with the largest pools of devices within the same SSID) can be segmented into smaller, defined networks that allow for users to privatize their smart-device use. For example, in terms of a university dormitory, we can segment the network, so each student is only allowed to use mDNS services amongst their own devices. This way, Eddy’s next-door roommate Mary won’t be able to cast to his Apple TV, and in turn, Eddy won’t be able to cast to hers—while all being connected to the same SSID! Each student will have their own private network, their own unique UDN (see Figure 2). But that’s not all. With the Cisco UDN solution, additional privileges can be assigned so others can use someone else’s smart devices as guest users—which we will discuss later in this blog. It is truly a smart method to privatize and secure your personal set of smart devices on a large enterprise network.


Figure 2: University dormitory network with multiple users.

Your Network, Defined by You


Cisco User Defined Network allows for the segmentation of a large network into smaller pieces, providing for a similar experience to that of a private home network. Cisco User Defined Network’s main intent is the ability to privatize and secure any individual’s set of devices, within a large, centrally switched network.

Privatize


With Cisco UDN, Eddy (see Figure 2) is the only person who has access to his devices. Therefore, Mary and John will not even be able to see the devices that Eddy possesses. If, for example, they try using an mDNS service, they will only be able to see and use the devices on their own personal UDN. Now, Eddy can be at peace knowing that no one will accidentally (or intentionally) try to cast or share content to his devices without his permission. He has created a private network around his set of devices.

Secure


With the ability to be private comes the benefit of security. As Mary cannot share content with Eddy’s devices (without his consent), he has the additional peace of mind of security. This of course, is in addition to the standard security measures taken by the dormitory’s network!

Getting Started


From a user perspective, the only things required for the Cisco User Defined Network are the Cisco UDN mobile app and some information from the smart devices that are to be onboarded onto the network (see Table 1). The solution is built with simplicity in mind. Device onboarding can happen without even being on the network on which the UDN will reside! In our university example, Eddy can onboard his devices to his university’s network and have his UDN created before he even arrives at the location.

Table 1: Information required from each smart device for onboarding (table image not reproduced).

*In most cases, the MAC address information will not be required, as the Cisco User Defined Network mobile app will be able to retrieve this information by scanning the home network on which the smart device resides.

The Onboarding Process


The user downloads the Cisco UDN app on their smartphone or tablet and logs into the application using the credentials provided by their organization’s network administration team. For example, upon signing into the mobile app, Eddy can onboard devices using multiple methods: (1) scanning the network for all connected devices and selecting which ones he would like to onboard, or (2) manually adding the device information, either by camera-scanning the MAC addresses or by typing the MAC address of each device into the Cisco UDN app.

Device Sharing with Guests


Not only can we use the personal devices we have placed within our User Defined Network, but we can also invite guests and give others access to the devices on our personal UDN. This is also done through the Cisco UDN mobile app.

Let us assume that Eddy and John are friends and would like to play video games together on their gaming console. Or let’s say that John has a smart speaker and wants to bring it to Eddy’s dorm and allow for Eddy to also be able to cast music from his personal phone to that speaker. Eddy can invite John to his personal UDN, allowing John the ability to use the devices on Eddy’s UDN. And once John leaves Eddy’s room, Eddy can then remove John from his UDN with just a touch of a button—reclaiming control of his devices. Which is awesome!

Monitor and Control


Not only can devices and guests be added to a specific UDN using the Cisco UDN mobile app, but the app also provides monitoring and maintenance of the UDN. A user can view all the devices on their UDN, see their information, add more devices, reclaim devices that may have ended up on a different UDN, and remove devices that they don’t want on the UDN. With Cisco’s User Defined Network, the privatization, security, and control of one’s own network has never been easier.
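The privatize, guest-sharing and reclaim behaviour described in the sections above, as an added Python model that is not Cisco’s code: a registry of per-user UDNs filters an mDNS service query so that a user sees only devices in UDNs they own or have been invited to. The MAC addresses, device names and class/function names are constructed for the illustration and are not from the original post.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    mac: str       # constructed sample MAC (locally administered 02: prefix)
    name: str
    service: str   # mDNS service type the device advertises, e.g. "_airplay._tcp"

@dataclass
class Udn:
    owner: str
    devices: dict = field(default_factory=dict)  # mac -> Device
    guests: set = field(default_factory=set)     # users the owner has invited

class UdnRegistry:
    """Hypothetical model of the per-user segmentation the blog describes (not Cisco's code)."""
    def __init__(self):
        self.udns = {}  # owner -> Udn

    def onboard(self, owner, device):
        # Onboarding a MAC that already sits in another UDN "reclaims" it for the new owner.
        for udn in self.udns.values():
            udn.devices.pop(device.mac, None)
        self.udns.setdefault(owner, Udn(owner)).devices[device.mac] = device
    def invite(self, owner, guest):
        self.udns[owner].guests.add(guest)
    def revoke(self, owner, guest):
        self.udns[owner].guests.discard(guest)

    def discover(self, user, service):
        """Filtered mDNS answer: only devices in UDNs the user owns or is a guest of."""
        return sorted(d.name for udn in self.udns.values()
                      if udn.owner == user or user in udn.guests
                      for d in udn.devices.values() if d.service == service)

def dorm_scenario():
    # Eddy, Mary and John share one SSID; returns the AirPlay targets each sees per step.
    reg = UdnRegistry()
    reg.onboard("eddy", Device("02:00:00:00:00:01", "Eddy's Apple TV", "_airplay._tcp"))
    reg.onboard("mary", Device("02:00:00:00:00:02", "Mary's Apple TV", "_airplay._tcp"))
    reg.onboard("john", Device("02:00:00:00:00:03", "John's speaker", "_raop._tcp"))
    mary_sees = reg.discover("mary", "_airplay._tcp")      # only her own Apple TV
    reg.invite("eddy", "john")
    john_as_guest = reg.discover("john", "_airplay._tcp")  # Eddy's Apple TV now visible
    reg.revoke("eddy", "john")
    john_after = reg.discover("john", "_airplay._tcp")     # access withdrawn again
    reg.onboard("mary", Device("02:00:00:00:00:01", "Eddy's Apple TV", "_airplay._tcp"))
    eddy_after_reclaim = reg.discover("eddy", "_airplay._tcp")  # MAC moved to Mary's UDN
    return mary_sees, john_as_guest, john_after, eddy_after_reclaim
```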