Wednesday 24 March 2021

Five ways we’re improving telework with SD-WAN and telemetry

Inside Cisco IT, Cisco Prep, Cisco Learning, Cisco Certification, Cisco Guides, Cisco Career, Cisco Preparation

Bad dream for an IT engineer? Try this: an executive working from home gets booted off an all-hands video meeting. Then it happens again. And again.

That happened to me a couple of months ago. Fortunately, when I received the call, I could see immediately that the problem lay with the executive’s ISP, not our network. As a result, my team quickly resolved the problem and saved hours of troubleshooting time. And I slept better.

Better visibility is one of several ways our Customer Zero team is improving the telework experience at Cisco. As Customer Zero, we try out new Cisco technologies in a real-world setting so we can share our experiences with customers. Here are five ways we’re improving telework.

We’ve always had a robust telework program. Most people who work remotely use the Cisco AnyConnect Secure Mobility Client on laptops and mobile devices, and some teleworkers use the Cisco Virtual Office (CVO), which includes a hardware-based VPN service. AnyConnect and CVO are both what’s known as “full tunnel” solutions: all traffic from the laptop goes through a VPN tunnel to a Cisco data center, and from there, cloud traffic takes another hop to its final destination.

But if I want to work on an Excel file, it doesn’t make a lot of sense for my request to go through the Cisco data center on its way to the Office 365 cloud. The detour adds latency and unnecessarily uses data center network bandwidth. It’s smarter to “split” the tunnel, providing separate routes for data center traffic and cloud traffic.

We’ve split the tunnel using our Cisco remote worker SD-WAN solution. On the Cisco vManage console, we’ve created a rule that sends traffic destined for designated trusted SaaS providers (Webex, Cisco TV, Office 365, Box, etc.) directly to the cloud.

Our InfoSec team is strict about what they consider a trusted cloud. Other cloud traffic, like iCloud, also bypasses our data center. But rather than heading directly to its destination, it goes first to Cisco Umbrella, which blocks malicious domains and cloud applications.

The fastest path to a cloud service provider might be different at 8:30 a.m. than it is at 8:32 a.m., depending on network conditions. To deliver a consistently good experience with Office 365, we’re using an SD-WAN feature called Cloud On-Ramp for SaaS. It probes the various paths to the cloud to identify the best quality of experience at the moment and then directs the traffic over that path.

Many of us share a home internet connection. If your three kids are all in Zoom school, your Webex video might freeze. On the Customer Zero team, we’re using the QoS feature on our home ISR 1100 routers to prioritize Webex and other latency-sensitive applications. Whenever available home internet bandwidth dips below a certain threshold, the bandwidth allocated to Webex and other high-priority applications is automatically adjusted.

I’ve noticed that if an application is slow or the connection drops, a teleworker’s first instinct is to blame the equipment. I can’t count the times I’ve spent hours troubleshooting a case only to discover the source was an ISP issue. One of our favorite management tools is ThousandEyes, a software agent installed on the Customer Zero team’s laptops. ThousandEyes constantly collects user experience data—for example, the time it takes for a page to load, internet service provider issues, features used, laptop CPU utilization, runtime issues, etc. If a user opens a case but the issue disappears before we can look at it, we can go back in time to find the cause. Just last week someone reported a Webex issue, and ThousandEyes showed that at the time of the issue, laptop CPU utilization was 100%. That visibility saved us a fruitless investigation. We just explained to the user how to use a bot on Cisco Webex Teams if the issue ever happened again.

Source: cisco.com

Tuesday 23 March 2021

Introducing the Cisco DNA Traffic Telemetry Appliance

Cisco DNA, Cisco Tutorial and Material, Cisco Learning, Cisco Career, Cisco Preparation

Add-ons extend the latest technology to legacy systems, like how my old TV turned smart overnight with an additional streaming player. It is even better when the supplements work in cohesion with the primary products to deliver a seamless experience. Imagine if you could utilize the same remote to operate your TV and streaming player.

The Cisco Catalyst 9000 series wired and wireless devices enable enterprises to unlock newer network infrastructure possibilities. For instance, these platforms conduct deep packet inspection (DPI) and provide data streams for services such as the Cisco AI Endpoint Analytics and Application Assurance on the Cisco DNA Center. With Endpoint Analytics, customers are gaining unprecedented endpoint visibility, which is a crucial first step in implementing zero-trust security within the workplace and confidently deploying network segmentation without the risk of shutting down critical network services.

However, several organizations still have a portion of their network infrastructure that has not been migrated to the Cisco Catalyst 9000 series platforms. Those legacy infrastructures cannot perform the deep packet inspection required for advanced analytics. We are introducing the Cisco DNA Traffic Telemetry Appliance to bridge the gap between the new and existing deployments.

The IOS® XE-based telemetry sensor platform generates telemetry from mirrored IP network traffic from Switched Port Analyzer (SPAN) sessions of switches and wireless controllers. The appliance inspects thousands of protocols using the Network-Based Application Recognition (NBAR) technology to produce a telemetry stream for the Cisco DNA Center to perform analytics. The Cisco DNA Traffic Telemetry Appliance can handle 20 Gbps of sustained throughput traffic and inspect 40,000 endpoint sessions for device profiling.

Cisco DNA Traffic Telemetry Appliance serves two use cases: endpoint visibility and application assurance. The Cisco AI Endpoint Analytics service on the DNA Center analyzes the data received from the Telemetry Appliance to provide you with granular endpoint profiling details such as endpoint type, manufacturer, model, operating system, and others. The Cisco DNA Center also receives qualitative application performance metrics from the Telemetry Appliance and calculates application health data for business-critical applications. It analyses essential metrics such as delay, jitter, and packet loss to isolate and troubleshoot application performance issues efficiently.

Next time someone connects a TV to your network powered by the Cisco DNA Traffic Telemetry Appliance and the Cisco DNA Center, you will not only know the make, model, operating system, and other details about the endpoint, but also whether the user behind the device is accessing Netflix, YouTube, and other applications. Remember, as you do this, you will also be operating both the legacy infrastructure and the new add-on appliance from a single controller, the Cisco DNA Center.

Monday 22 March 2021

Why Cisco Joined the Confidential Computing Consortium

Cisco Prep, Cisco Learning, Cisco Tutorial and Material, Cisco Guides, Cisco Preparation

Building a Networked Mesh of Hacker-Resistant Software

The world’s digital devices are based on layered software stacks. Each of these layers has its own security vulnerabilities. A successful attack made into one of the layers of software is typically leveraged to exploit another layer.

Some digital devices embed internal protections to limit potential damage. These protections are constructed using shared keys, certificates, or even passwords. Unfortunately, these shared secrets also can be compromised. Additionally, the application software layer must implicitly trust underlying layers such as the Operating System or hypervisor manager. And, for these applications, there is little that can be done when the most fundamental layers of a device are actively being exploited.

Over the years, a variety of security technologies have been implemented to protect digital devices. From anti-virus to firewalls to intrusion detection systems, entire industries have been born. But hackers continue to overcome these protections. As long as developers continue to build traditional layers of software, and as long as our protections depend on software-based shared secrets, security exploits will continue.

Confidential Computing offers a new paradigm. Built upon secrets which never leave the specific computing chips, one layer of software can now be protected from exploits originating in another layer. Additionally, a hacker who has gained administrative privileges for a device’s Operating System will be unable to read or change an application’s data or code.

There are two foundational Confidential Computing technologies that enable this new paradigm. The first is the hardware-based Trusted Execution Environment (TEE). There is a class of TEE which allows application code to be compiled, signed, and encrypted by a software developer. That code can only be decrypted and executed within a compliant TEE. Subsequent memory or disk exchanges with the CPU are fully encrypted. Even a root hacker cannot look into the memory.

But using a TEE to run a verifiably genuine application is only part of the solution. This is where the second foundational technology plays a role. This technology is known as Remote Attestation. With Remote Attestation, an application within a TEE can externally assert the secure context in which it is running. Consequently, the TEE’s remote peer can verify that it is interfacing with a known, secured instance of untampered software.

Once two peers have verified each other’s identity, it becomes possible to integrate multiple sets of trustworthy peers together. The result is a mesh of directly connected trusted software. This eliminates entire classes of Operating System and hypervisor manager compromises from the list of attack surfaces that a hacker might exploit.
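The challenge-response flow described in the preceding paragraphs, as an added illustration that is not Cisco's code or any CCC project's: a simulated TEE signs its code measurement together with the verifier's nonce, and the verifier accepts the evidence only if the nonce is fresh, the signature verifies under an attestation key it trusts, and the measurement is on its allow-list. The software-generated Ed25519 attestation key, the evidence layout and the allow-list are all assumptions of this example; a real TEE keeps the key in silicon and the vendor endorses its public half.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Evidence: the echoed nonce, the SHA-256 measurement of the TEE's code, and a signature over both.
type Evidence struct {
	Nonce, Measurement, Signature []byte
}

// TEE simulates an enclave. Real hardware keeps the attestation key chip-bound and
// vendor-endorsed; generating it in software here is an assumption of this example.
type TEE struct {
	priv        ed25519.PrivateKey
	Measurement []byte
}

func NewTEE(code []byte) (*TEE, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	m := sha256.Sum256(code) // "loading" the code measures it
	return &TEE{priv: priv, Measurement: m[:]}, nil
}

// AttestationPublicKey is what a vendor endorsement would hand to verifiers.
func (t *TEE) AttestationPublicKey() ed25519.PublicKey { return t.priv.Public().(ed25519.PublicKey) }

// Attest answers a challenge with evidence signed by the attestation key.
func (t *TEE) Attest(nonce []byte) Evidence {
	sig := ed25519.Sign(t.priv, signedBody(nonce, t.Measurement))
	return Evidence{Nonce: nonce, Measurement: t.Measurement, Signature: sig}
}

// signedBody is nonce||measurement; the nonce is a fixed 32 bytes, so the
// concatenation cannot be re-split ambiguously.
func signedBody(nonce, measurement []byte) []byte {
	return append(append([]byte{}, nonce...), measurement...)
}

// Verifier is the remote peer: trustedKeys stand in for vendor endorsement,
// allowedCode is the approved-build list, outstanding holds unconsumed nonces.
type Verifier struct {
	trustedKeys []ed25519.PublicKey
	allowedCode [][]byte
	outstanding map[string]bool
}

func NewVerifier() *Verifier                     { return &Verifier{outstanding: map[string]bool{}} }
func (v *Verifier) TrustKey(k ed25519.PublicKey) { v.trustedKeys = append(v.trustedKeys, k) }
func (v *Verifier) AllowMeasurement(m []byte)    { v.allowedCode = append(v.allowedCode, m) }

// Challenge issues a fresh 32-byte random nonce and remembers it for Verify.
func (v *Verifier) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand never returns an error in Go 1.24+; it aborts instead
	v.outstanding[string(nonce)] = true
	return nonce
}

// Verify accepts evidence only if it is fresh, signed by a trusted TEE, and approved.
func (v *Verifier) Verify(e Evidence) error {
	// 1. Freshness: an unknown or already-consumed nonce means a replayed report.
	if !v.outstanding[string(e.Nonce)] {
		return errors.New("unknown or replayed nonce")
	}
	delete(v.outstanding, string(e.Nonce))
	// 2. Authenticity: only the chip-bound key can sign, so a compromised OS cannot forge evidence.
	body, trusted := signedBody(e.Nonce, e.Measurement), false
	for _, k := range v.trustedKeys {
		trusted = trusted || ed25519.Verify(k, body, e.Signature)
	}
	if !trusted {
		return errors.New("signature not from a trusted TEE")
	}
	// 3. Policy: the measured code must be an approved build.
	for _, h := range v.allowedCode {
		if bytes.Equal(h, e.Measurement) {
			return nil
		}
	}
	return errors.New("unapproved code measurement")
}

func main() {
	tee, _ := NewTEE([]byte("approved enclave build v1")) // constructed sample code
	v := NewVerifier()
	v.TrustKey(tee.AttestationPublicKey())
	v.AllowMeasurement(tee.Measurement)
	ev := tee.Attest(v.Challenge())
	fmt.Println("genuine:", v.Verify(ev), "| replayed:", v.Verify(ev))
}
```

The checks run freshness first, then authenticity, then policy: consuming the nonce before the signature check means a captured report can never be accepted twice, even if it was genuine the first time, and a forged report with a made-up nonce is rejected before any cryptography runs.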

Getting to these trustworthy meshes will require agreements on the inter-device protocols needed for Remote Attestation. Some of these protocols will not be a surprise. For example, we can assume technologies like Transport Layer Security (TLS) might be used to connect the TEE. But within TLS, we will still need an industry-accepted language for communicating Remote Attestation claims about a TEE. Such standardization of these protocols will take time and work.

The good news is that progress is being made. One place to look is the IETF’s Remote Attestation Working Group, where architectures for such specifications are nearing completion. But neither the IETF nor other traditional standards bodies has yet floated specific protocol proposals. Implementers only have access to a set of vendor-driven proposals, and each of these has been framed upon the assumptions underlying a vendor’s specific TEE chipset.

This is where the Confidential Computing Consortium (CCC) is well positioned to play a role. Within the CCC, there are projects for acquiring attestable information out of TEEs. One of these projects is Open Enclave SDK for Intel SGX. Other venues exist for parallel efforts such as OP-TEE for Arm TrustZone. But these projects just scratch the surface of what can be Remotely Attested. Only now is the industry in a position to attempt to generalize and agree upon:

◉ The definitions of specific attestable TEE claims

◉ The level of trust that can be associated with a type of TEE or even on a specific TEE instance

◉ Acceptable stacks of network transport protocols and encodings

◉ How the initiator of a request can verify only approved TEEs have been used to deliver an end-to-end function

Accomplishing any of these objectives will require effort. Simultaneously allowing protocol extensibility and vendor neutrality will be non-trivial. The CCC can influence these discussions.

At Cisco, we care a great deal about the trustworthiness of networking peers. Our reasons for joining the CCC are simple. We are going to advocate for Remote Attestation interoperability. And we are going to integrate Remote Attestation into our Network Admission Control portfolio. We believe both have significant potential to reduce the risks that come from today’s layered software stacks.

Sunday 21 March 2021

Improving DNS Security While Preserving Resiliency

DNS Security, Cisco Prep, Cisco Learning, Cisco Certification, Cisco Tutorial and Material, Cisco Guides

The IETF’s Discovery of Designated Resolvers

The Domain Name System (DNS) has played a key role in the Internet’s success. It was designed to be scalable and resilient to handle enormous growth. The DNS has also proven to be a strong control point used to identify and remediate threats as Cisco Umbrella (previously Cisco OpenDNS) has repeatedly demonstrated. As the industry seeks to strengthen privacy, it must find methods to do so that retain resilience or risk large outages. Used correctly, an emerging technology known as Discovery of Designated Resolvers (DDR) can facilitate secure discovery of resolvers. It’s a significant security feature and is the topic of this blog.

Figure 1: DNS traffic growth over four years (Source: Akamai)

Introduction


DNS has scaled well to meet the needs of over four billion people since its inception in the 1980s. In that time, there has never been an Internet-wide failure of the service. That is thanks to the millions of caching resolvers and large numbers of root servers spread around the world, along with redundancy at every other level. This architecture is no accident; it represents a solid design combined with decades of experience by people globally handling the Internet’s evolutionary growth in both size and capability.

One of the most important capabilities of the DNS is its use as a control point. For example, if bad actors attempt to use the DNS as a command-and-control (C&C) channel between them and their bots, the good guys use the DNS to identify and block those C&C channels. In the case of the recent attack on SolarWinds, this meant blocking queries to [*]avsvmcloud[.]com. A key value of Umbrella and similar services is that they are backed by expertise and ongoing operations to identify such threats. With IoT devices using mechanisms such as Manufacturer Usage Descriptions, the DNS can restrict communications from devices to a known set of destinations. Another use of the DNS is as a security control point to block or redirect answers for known malware sites.

What Has Changed?


For the past few years, the industry has been working on standardizing the privacy of DNS queries. This is a capability that OpenDNS has offered for quite some time through DNSCrypt. DNS over HTTPS (DoH), which OpenDNS also supports, encrypts queries and responses over a RESTful interface and transmits them over HTTPS. This is a strong technological advancement. However, the DoH standard does not define how an application should choose the resolver. Until recently, there were two ways to discover a DoH server: attempt to access DoH on the resolver handed to the application by the operating system, or use one provided by the application provider.

The first method involves a bit of a guessing game. When applications try to use DoH on existing resolvers, they attempt an HTTP request over port 443 to the resolver that they learn from the operating system. The request is tested to see if a valid response is received. This requires that the DoH capability be directly bound to the existing hosts that offer DNS over UDP port 53. While this might be a reasonable first attempt to bootstrap DoH, in the longer term these services may have different scaling qualities. In addition, if the version of HTTP changes, applications would have to determine this by trying one HTTP version and then another. Also, in general, it is not good to send requests that the other side might not expect to receive.

Figure 2: Normal DNS versus Application-Controlled DNS

When non-cooperating applications or platforms choose their own resolvers, they bypass the DNS-based malware protections available to the IT administrator (illustrated in Figure 2). This circumvents the will of the user or administrator. If your resolvers are not seeing DNS queries from browsers, this may be what is happening. Moreover, if browser developers were to use a small number of DNS resolver services, one could reasonably expect the existing resolver infrastructure capacity to diminish over time due to lack of demand. This is where we begin to become concerned about overall system resilience. Many of these services on their own are highly resilient. But when they fail, they risk taking out a very large number of services for large portions of the population—at the same time. Because DNS is a fundamental service used by every application, we must pay close attention to this risk.

One key form of protection from these sorts of failures is choice. When enterprises and individuals have the choice of product, the risk of large-scale failures due to a monoculture is considerably diminished.

Enter Discovery of Designated Resolvers


The new proposal, known as Discovery of Designated Resolvers (DDR), provides a new way for clients to query locally designated resolvers for a record that indicates whether the DoH service is available. Either an application or the underlying platform can make use of DDR to locate a DoH resolver by first querying for a list of resolvers using a new DNS record called Service Binding (SVCB). SVCB works similarly to the highly tested, well-known service (SRV) record, but also allows for additional application parameters, such as Application-Layer Protocol Negotiation (ALPN) information for Transport Layer Security (TLS). The current proposal offers several different approaches for clients to authenticate resolvers. One requires that a certificate contain an IP address. Another approach omits that requirement but requires that the DDR-discovered resolver have the same IP address as the unauthenticated resolver. A third approach bases the resolver discovery on a name rather than an IP address. We expect these models to develop further as the DDR proposal matures.
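To make the record format and the second verification model concrete, here is an added example that is not code from Cisco or from the IETF draft: a parser for SVCB RDATA covering the SvcParams DDR relies on (alpn, ipv4hint, dohpath), plus the “same IP address” acceptance check, under which the encrypted resolver is used only if it advertises DoH and one of its address hints matches the unauthenticated resolver already in use. The sample record designating doh.example.net with the hint 192.0.2.53 is constructed for this example; TLS certificate validation of the target name is left to the HTTPS client and is not shown.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
	"strings"
)

const ( // SvcParam keys from the SVCB record format that DDR relies on
	keyALPN     = 1
	keyIPv4Hint = 4
	keyDoHPath  = 7
)

// Designated is one resolver candidate decoded from an SVCB answer.
type Designated struct {
	Priority        uint16
	Target, DoHPath string
	ALPN            []string
	IPv4Hints       []net.IP
}

// parseName reads an uncompressed DNS wire-format name starting at off.
func parseName(b []byte, off int) (string, int, error) {
	var labels []string
	for off < len(b) {
		l := int(b[off])
		off++
		if l == 0 {
			return strings.Join(labels, ".") + ".", off, nil
		}
		if l&0xC0 != 0 || off+l > len(b) {
			return "", 0, errors.New("compressed or truncated label")
		}
		labels = append(labels, string(b[off:off+l]))
		off += l
	}
	return "", 0, errors.New("truncated name")
}

// ParseSVCB decodes RDATA: 16-bit priority, target name, then (key, length, value) params in increasing key order.
func ParseSVCB(rdata []byte) (*Designated, error) {
	target, off, err := parseName(rdata, 2)
	if err != nil {
		return nil, err
	}
	d := &Designated{Priority: binary.BigEndian.Uint16(rdata), Target: target}
	for lastKey := -1; off < len(rdata); {
		if off+4 > len(rdata) {
			return nil, errors.New("truncated SvcParam header")
		}
		key, vlen := int(binary.BigEndian.Uint16(rdata[off:])), int(binary.BigEndian.Uint16(rdata[off+2:]))
		off += 4
		if key <= lastKey || off+vlen > len(rdata) || (key == keyIPv4Hint && vlen%4 != 0) {
			return nil, errors.New("bad SvcParam order or length")
		}
		val := rdata[off : off+vlen]
		lastKey, off = key, off+vlen
		switch key {
		case keyALPN: // list of length-prefixed protocol ids; a truncated entry is skipped
			for i := 0; i < len(val); i += 1 + int(val[i]) {
				if end := i + 1 + int(val[i]); end <= len(val) {
					d.ALPN = append(d.ALPN, string(val[i+1:end]))
				}
			}
		case keyIPv4Hint:
			for i := 0; i < vlen; i += 4 {
				d.IPv4Hints = append(d.IPv4Hints, net.IPv4(val[i], val[i+1], val[i+2], val[i+3]))
			}
		case keyDoHPath:
			d.DoHPath = string(val)
		}
	}
	return d, nil
}

// AcceptDesignated applies the "same IP address" model: use the encrypted resolver only if it
// offers DoH (ALPN h2 or h3) and one of its address hints equals the unencrypted resolver already
// in use. Certificate validation for Target still happens in the HTTPS client, outside this example.
func AcceptDesignated(d *Designated, unencryptedResolver net.IP) bool {
	doh := false
	for _, a := range d.ALPN {
		doh = doh || a == "h2" || a == "h3"
	}
	for _, ip := range d.IPv4Hints {
		if doh && ip.Equal(unencryptedResolver) {
			return true
		}
	}
	return false
}

// SampleRDATA is a constructed SVCB answer: doh.example.net, DoH over h2, hint 192.0.2.53, standard DoH path.
func SampleRDATA() []byte {
	r := []byte{0x00, 0x01} // priority 1 (ServiceMode)
	r = append(r, 3, 'd', 'o', 'h', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0)
	r = append(r, 0, keyALPN, 0, 3, 2, 'h', '2', 0, keyIPv4Hint, 0, 4, 192, 0, 2, 53)
	r = append(r, 0, keyDoHPath, 0, 16) // dohpath with a 16-byte value
	return append(r, "/dns-query{?dns}"...)
}
```

The strict key-order check matters for security as well as correctness: SVCB forbids repeated keys, so a parser that accepted a second ipv4hint could be steered to an address the first, legitimate hint did not name. With the same-IP model, a response that passes AcceptDesignated only moves existing queries onto an encrypted channel to the same resolver the client was already trusting over port 53.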

Figure 3: Discovering DNS over HTTPS with DDR

DDR resolves both visibility and scalability concerns, avoiding guesswork by developers. The infrastructure can be exercised so that a large and thriving resolver ecosystem can continue to flourish, with queries and responses encrypted, and reduce the risk of concentration of resolver services. DDR also has the potential to reduce individual device configuration complexity that is handled today by mobile device managers. What is needed are a few new records in resolvers and appropriate certificates on the resolvers.

DDR still has several issues to resolve, such as how to handle scaling to large numbers of resolvers. It sometimes requires validation of IP addresses in certificates, a mechanism with which we currently have limited experience at scale, and it often relies on unauthenticated processes to discover the IP addresses of the resolvers that need to be in those certificates. How to securely identify resolvers on devices outside an enterprise environment also needs a bit more consideration.

Moving Forward and What Cisco Customers Should Do Now


As currently envisioned, DDR is the best secure resolver discovery proposal to date, but we expect this entire solution space to continue to evolve. A list of DNS resolvers is just one critical element of network configuration that needs to be securely learned. There are many others. The key is to establish trust between the end device and the network infrastructure and then rely on that trust to receive configuration information.

How do we bootstrap that trust? That is another area that the industry needs to devote more time and resources to establish.

For our enterprise, industrial, and small business customers, Cisco’s recommendation is that administrators deploy a secure and reliable resolver service that provides a layered defense against exfiltration and botnets—for all devices at all times, whether at home, work, or elsewhere. Combined with DNSCrypt or DoH, Cisco Umbrella offers a needed level of protection for safety, security, scalability, and stability.

Because the stability and security of the Internet is an important topic, you may also wish to participate in this discussion hosted by the IETF. DDR will be discussed over the coming months and then submitted for approval. Participation in IETF activities is open to all and there is no cost to join the mailing list discussions.

Source: cisco.com

Saturday 20 March 2021

New Catalyst Products Bring 5G and Accelerated SASE to the WAN Edge

Cisco Preparation, Cisco Learning, Cisco Exam Prep, Cisco Guides, Cisco Certification, Cisco Prep

Cisco is expanding its Catalyst 8000 Edge Platforms Family and Catalyst Cellular Gateways to help customers build a resilient, reliable digital footprint that spans data center, cloud and branch deployments. The new announcements extend both the Catalyst 8000 Edge Platforms Family and Cellular Gateways to include a new 5G Cellular Gateway, a new virtual CPE edge device that can host Cisco or third-party VNFs, and extensions to the Catalyst 8500 aggregation and Catalyst 8300 branch portfolio.

Whether you’re streaming video, hosting a conference call, checking emails or accessing other critical business applications, you need secure, seamless connectivity no matter where these applications are hosted. These new Cisco Catalyst Edge Platforms accelerate multicloud journeys with choices that include on-premises and cloud-delivered security. All Cisco Catalyst 8000 Edge Platforms contain the latest Cisco Trust Anchor technology, a secure core providing a hardware-embedded root of trust for enhanced device authenticity and data privacy.

Cisco Catalyst 8500L: 1/10G optimized WAN Edge Aggregation

The Cisco Catalyst 8500L is a new model within the 8500 series targeted to meet entry-level 1G/10G aggregation use cases. It’s powered by twelve x86 cores and up to 64GB memory to support secure connectivity for thousands of remote sites and millions of stateful NAT and Firewall sessions. The Catalyst 8500L provides ultra-fast IPsec crypto performance and advanced flow-based forwarding to keep up with the demands of today’s high-speed, secure connectivity.

Like the multicloud journey in prior years, the emerging need to support remote workers is creating further architecture shifts in customer deployments. Today, businesses find that establishing aggregation sites at either core locations or colocations helps them own the first mile on their branch and remote worker journeys to the internet and other software defined cloud interconnects (SDCI). The Catalyst 8500L comes in a slim 1RU form factor that can be easily racked and stacked in a colocation or core site to support more distributed architectures.

Cisco Catalyst 8200: Expanding the WAN Edge Branch Portfolio


The Catalyst 8200 Series Edge Platforms complement the Catalyst 8300 launched in October to address diverse connectivity needs for branch deployments. The Cisco Catalyst 8200 supports 8 CPU cores for high-performance packet forwarding, 8 GB of default RAM to run the latest security services, and Intel® QuickAssist Technology (QAT) for hardware-accelerated performance. The Catalyst 8200 Series gives up to 1Gbps of aggregate forwarding throughput, which is double the performance of its ISR 4300 predecessor.

The Catalyst 8200 platform offers modular access with a diverse set of WAN connectivity choices via shared NIM/PIM interfaces with the Catalyst 8300 and ISR 4000 series. On-premises integrated security or cloud-delivered security solutions are critical for businesses looking to connect and secure their WAN edge and remote traffic. Yet, many businesses seeking greater simplicity and automation in their IT setup have limited IT staff.

Catalyst 8000 Edge Platforms feature a user-centric design that makes device setup simple: RFID tags on each device cut inventory management time, rounded corners ease handling and installation, and centralized cloud-based orchestration simplifies bring-up. Improved airflow via a circular hex pattern reduces the need for external cooling, while support for HVDC power reduces energy costs even further. The Catalyst 8200 comes in a modest form factor with a physical depth of less than 12”, suited to most remote and mobile environments, allowing you to extend SD-WAN into the farthest reaches of your network.

Cisco Catalyst 8200 uCPE: Software-Defined Small and Lean Branches


For service providers and businesses seeking maximum flexibility with network functions virtualization (NFV), the Cisco Catalyst 8200 Series Edge uCPE is the latest addition to our SD-Branch portfolio. The platform is purpose-built for customers and service providers who need to offer performance alongside shifting technology needs and flexibility. Its 8 CPU cores support up to 500 Mbps aggregate IPsec performance and still have cores left to support additional Cisco or third-party virtual network functions (VNFs).

The compact 1RU footprint, shallow depth, and the ability to add PIM/NIM interfaces (shared with the ISR 4000 and the Catalyst 8000 family) for cellular and WAN connectivity give customers the utmost flexibility versus a white-box solution. The Catalyst 8200 uCPE can be deployed in SD-WAN mode with vManage serving as the common orchestrator for configuring both the overlay and the underlay.

Cisco Catalyst Cellular Gateway 5G (Sub-6 GHz)


5G brings faster downloads, lower latency and increased capacity to the Wide Area Network. This, combined with SD-WAN, gives customers high speed bandwidth capacity at lower costs which helps them meet the growing throughput demands of an ever-expanding branch.

The latest Cisco Catalyst Cellular Gateway brings Sub-6 GHz 5G connectivity to businesses for ultra-fast wireless WAN and wireless SD-WAN links. Catalyst Cellular Gateways are simple to set up and can be plugged into your router or edge platform via Power over Ethernet (PoE). Whether your edge device sits in the most remote closet or the deepest basement matters little: simply run the Catalyst Cellular Gateway to the nearest reception point and power your network with the latest in 5G.

Broadband connectivity may not be available or reliable in certain locations, yet businesses there can still carry on with their digital transformation thanks to 5G cellular technology which is expanding rapidly in its roll-out. Set up and management are further simplified using Cisco vManage.

Simplified Tiered Licensing


The software capabilities available in feature-rich IOS XE and vManage can be easily consumed through a simplified, three-tiered DNA licensing model.

The first tier of Cisco DNA Software for SD-WAN and Routing is Cisco DNA Essentials. It encompasses core SD-WAN capabilities such as circuit load balancing, direct internet access (DIA), centralized management and orchestration, and traffic path steering. It enables a robust blend of the latest routing capabilities (NAT, BGP, DNS, etc.) and base security capabilities (MACsec, ACLs, Snort IPS, Enterprise Firewall, etc.).

Moving up to Cisco DNA Advantage, subscribers receive everything in Cisco DNA Essentials plus more advanced routing capabilities (MPLS BGP Support, IGMPv3, etc.), more advanced security functionality (Advanced Malware Protection, SSL proxy, etc.), expanded SD-WAN capabilities, vAnalytics, plus access to Cisco’s Cloud OnRamp for SaaS, for IaaS, and for Colocation.

The most advanced Cisco DNA Premier subscription delivers Cisco’s complete SASE portfolio with a single license! The integration of Cisco Umbrella SIG Essentials into Cisco DNA Premier enables customers to centrally manage the security posture for all remote and branch locations and implement effective cloud security throughout the Cisco SD-WAN fabric.

Designed for an intent-based network, the Catalyst 8000 Series Edge Platforms are the gateway to hybrid and multicloud applications across your cloud, data center and edge locations. The new portfolio announcements augment the Catalyst 8300, 8500, and Cellular Gateway launched last October. These new edge devices offer the resiliency, performance and security needed for today’s multicloud world.

Source: cisco.com

Friday 19 March 2021

Latest Cisco CCNP Data Center 350-601 Certification Exam Sample Questions and Answers

Cisco CCNP Data Center DCCOR Exam Description:

This exam tests a candidate's knowledge of implementing core data center technologies including network, compute, storage network, automation, and security. The course, Implementing Cisco Data Center Core Technologies, helps candidates to prepare for this exam.

Cisco 350-601 Exam Overview:

The Whole Shebang with the Cisco Catalyst 9105 Access Point

Cisco Career, Cisco Learning, Cisco Guides, Cisco Study Material, Cisco Exam Prep, Cisco Preparation

If you’re reading this blog, I’m betting you’re a technology enthusiast and that you’ve heard of all the hottest innovations in wireless today. Whether it be the gargantuan increase in throughput-efficiency with Wi-Fi 6, the exciting new possibilities enabled by the Internet-of-Things (IoT), or the powerful yet easy-to-setup wireless home office solutions, they’ve all become a reality and are deployment-ready today!

This begs the question, what is the right wireless platform that will benefit us from these innovations?

Assuming you’ve caught up on the news, you’ve probably heard the commotion from the different wireless companies boasting about their flagship access points (APs), lined up with insane hardware specifications. Something along the lines of having 8×8 radios to support the densest of client environments, being armed with a state-of-the-art chip that gives users full visibility into the RF, and integration with an ultra-modern software application for complete network control. You might be thinking that soon enough we’ll even see built-in AI software that predicts your future!

Jokes aside, what a time to be alive; all this incredible innovation, and it’s just a matter of time before they’re adopted by enterprises all over the world. However, are these flagship APs right for everyday people like us in our current situation?

It’s not news that most of us are working from home, so even if your company adopts these new APs, we won’t get to experience them for some time. On top of the high price point, with standard smartphones and most laptops maxing out at just 2×2 radios, all those fancy hardware specifications are, unfortunately, overkill for a simple household anyway.

So, what platform should we use to support our remote working situation?

Introducing the Catalyst 9105


Well, I’m proud to present to you our newest and cutest AP in Cisco’s Wi-Fi 6 portfolio: the Catalyst 9105AXI (Infra model) and 9105AXW (Wall Plate model). With robust 2×2 radios capable of Wi-Fi 6, state-of-the-art software supporting Cisco’s IoT solution, and efficiently designed internal hardware enabling its small form factor, the Catalyst 9105 is not only the perfect AP for small to mid-size offices but also for your home.

Figure 1. Catalyst 9105AXW (left) and 9105AXI (right)

With dimensions of just 5.9″ x 5.9″ x 1.2″ and 6.3″ x 3.5″ x 1.3″ respectively, the Catalyst 9105AXI and 9105AXW are by far the smallest members of the Catalyst 9100 family. When we hear the word small, we automatically assume less powerful, but let me assure you, this platform is far from weak. So let’s speak a language that dispels any skepticism: let’s talk numbers.

Wi-Fi 6 with 2×2 Radios


Before we get into the specific features of Wi-Fi 6, I’d like to set the stage by presenting the raw speeds the Catalyst 9105 can deliver with a single 2×2 Wi-Fi 6 endpoint associated on its 80 MHz channel. From the tables below, you can see that regardless of the endpoint’s model, each can achieve between 700 and 800 Mbps downstream and 500 to 700 Mbps upstream. For an access point smaller than an average book, these numbers are incredible.

Figure 2. Cisco internal Catalyst 9105 throughput test results

To bring it up a notch, let me ask you this. What is the first thing we think of when the topic of Wi-Fi 6 comes up? Faster speeds? Lower latency? Higher security? Less interference? How about all of the above, enabled by Wi-Fi 6 specific features such as OFDMA, BSS Coloring, Target Wake Time, WPA3, and 1024 QAM. Quite the list of innovations, and while both Catalyst 9105 models support each of these features, let’s focus on the most exciting one, OFDMA!

To my experienced wireless readers, it comes as no surprise that OFDMA is under a constant spotlight. For those who are new to wireless, OFDMA stands for Orthogonal Frequency-Division Multiple Access and, when enabled, significantly improves the wireless network’s efficiency in serving multiple clients at a time. Before OFDMA, we had OFDM, where a single wireless frame would take up the entire channel width for a certain period, essentially forcing every packet, regardless of size, to wait in a queue. With the introduction of OFDMA, the channel can be shared by multiple packets simultaneously, enhancing the network’s ability to serve multiple endpoints in parallel.

Figure 3. OFDM vs Wi-Fi 6’s OFDMA

For a more technical explanation, let’s take a 20 MHz channel as an example. When using OFDM, a 20 MHz channel has only a single subcarrier (consisting of 242 resource units). As an analogy, this can be interpreted as a one-lane highway, only capable of carrying a single packet at a time. With OFDMA, the same 20 MHz channel can be divided into a maximum of 9 subcarriers (each consisting of just 26 resource units). The highway’s overall width remains the same, but it can now be divided into multiple narrower lanes, sized to the incoming packets. This means that an AP supporting the full capability of OFDMA can serve nine endpoints at the same time. Since the Catalyst 9105 is intended for less dense environments, it’s designed to support four endpoints in parallel, which is not only incredible, it’s revolutionary for an AP of this size.

Figure 4. A 20 MHz channel divided into resource units with OFDMA
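To make the lane analogy concrete, here is a small Python model (added as an illustration; it is not code from the post or from Cisco) that schedules a constructed queue of frames on a 20 MHz channel first as OFDM, where every frame occupies the whole channel, and then as OFDMA, where frames are packed side by side into resource units. The 242-tone channel, the 26-tone minimum unit and the nine-unit ceiling come from the post; the intermediate 52- and 106-tone unit sizes, the bytes-per-tone capacity, and the rule that a client holds at most one unit per transmit opportunity are modelling assumptions. The `max_parallel` knob lets you compare the full nine-client case against the Catalyst 9105’s four-client design point.

```python
"""Toy scheduler contrasting OFDM (one frame per channel) with Wi-Fi 6 OFDMA
(several clients share the channel via resource units). Added illustration,
not Cisco code; RU catalogue beyond 26/242 and the capacity model are assumed."""
from dataclasses import dataclass

CHANNEL_TONES = 242            # a 20 MHz channel, as in the post
RU_SIZES = (26, 52, 106, 242)  # assumed 802.11ax RU sizes that fit in 20 MHz
MAX_RU_PER_CHANNEL = 9         # nine 26-tone RUs, the post's upper bound
BYTES_PER_TONE = 10            # constructed capacity per tone per TXOP


@dataclass(frozen=True)
class Packet:
    client: str
    size_bytes: int


def ru_for_packet(size_bytes: int) -> int:
    """Smallest RU whose toy capacity covers the packet; big frames get the whole channel."""
    for ru in RU_SIZES:
        if ru * BYTES_PER_TONE >= size_bytes:
            return ru
    return CHANNEL_TONES


def schedule_ofdm(packets):
    """OFDM: each frame occupies the full channel, so frames queue one per TXOP."""
    return [[p] for p in packets]


def schedule_ofdma(packets, max_parallel=MAX_RU_PER_CHANNEL):
    """OFDMA: greedily pack queued frames into one TXOP while tones remain,
    the per-TXOP client cap is not reached, and each client holds one RU."""
    txops, queue = [], list(packets)
    while queue:
        tones_left, batch, deferred = CHANNEL_TONES, [], []
        for p in queue:
            ru = ru_for_packet(p.size_bytes)
            clients_in_batch = {b.client for b in batch}
            if (len(batch) < max_parallel and ru <= tones_left
                    and p.client not in clients_in_batch):
                batch.append(p)
                tones_left -= ru
            else:
                deferred.append(p)
        txops.append(batch)
        queue = deferred
    return txops


# Constructed traffic: eight small frames from eight clients plus one large frame.
SAMPLE = [Packet(f"sta{i}", 200) for i in range(8)] + [Packet("sta8", 2000)]


def txop_counts(packets, ofdma_parallel=MAX_RU_PER_CHANNEL):
    """Return (ofdm_txops, ofdma_txops) needed to drain the same traffic."""
    return len(schedule_ofdm(packets)), len(schedule_ofdma(packets, ofdma_parallel))


if __name__ == "__main__":
    print("full OFDMA (9 RUs):", txop_counts(SAMPLE))            # (9, 2)
    print("Catalyst 9105 (4 clients):", txop_counts(SAMPLE, 4))  # (9, 3)
```

With the constructed queue, OFDM needs nine transmit opportunities, one per frame, while full OFDMA drains the eight small frames in a single TXOP and the large frame in a second; capping parallelism at four, as the post describes for the 9105, costs one more TXOP but still beats OFDM threefold. The point the numbers make is that the gain comes from packing many small frames, not from making any single frame faster.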

To prove that what I said is not just colorful marketing, let’s talk numbers. We had Miercom, the well-known third-party network testing firm, run performance tests with Cisco’s 9105, Aruba’s AP505, and Ruckus’s R550 with OFDMA enabled. During the test, the APs were first loaded with ten endpoints, gradually increasing to eighty endpoints passing traffic in parallel. From the graph below, you’ll observe that Cisco’s 9105 maintained a significantly superior throughput lead over the other two vendors’ APs. In fact, even with 80 endpoints associated, Cisco’s 9105 provides almost the same throughput experience as the other vendors’ APs with just ten endpoints associated. The takeaway is obvious: while the Catalyst 9105 is small in size, it is mighty!

Figure 5. Miercom’s scaled multi-vendor OFDMA TCP performance test

Innovation within the Internet of things


But apart from its raw ability to execute Wi-Fi exceptionally, the Catalyst 9105 will also fit seamlessly into any business’s IoT solution. For readers unfamiliar with the Internet of Things, it’s the ability to leverage a wireless network to monitor and transfer data through smart devices, allowing the user to accomplish tasks in an efficient and often automated manner. Many of you probably have IoT devices in your home right now, such as a Google Home, Amazon Alexa, or a Nest thermostat. These devices, being both user-friendly and practical, have naturally become an integral part of our day-to-day lives. This seamless enhancement is precisely what the Catalyst 9105 can accomplish, but on an enterprise level, creating powerful yet fiscally efficient IoT solutions.

So, why do we need this? What problem are we solving?

As you can imagine, for an IoT solution to operate on an enterprise level, it requires an intricate control network that provides full visibility into every corner of the solution to ensure security. However, given that all enterprises will already have a pre-existing network, building a separate one for dedicated IoT usage is costly, complicated, and redundant.

This is where Cisco’s Application Hosting on the Catalyst Access Point feature solves these problems. Customers can now acquire custom Dockerized IoT applications from Cisco’s Solution Partner Marketplace, load them into the built-in containers on the Catalyst 9105 through Cisco DNA Center, and use them as IoT gateways to begin communicating with surrounding IoT devices.

Figure 6. The Catalyst 9105AXW integrated with Cisco’s Application Hosting IoT Solution

Allowing users to utilize their existing low-cost Catalyst 9105 network for IoT eliminates the looming pain of building a second network for IoT management. By integrating this solution with Cisco DNA Center, users get an application life cycle manager that provides full visibility into the deployment status of each IoT application. In fact, Cisco DNA Center allows users to deploy different applications to different areas of their Catalyst 9105 network, providing the ability to support multiple IoT solutions on a single network!

When it comes to real-life IoT use cases, the possibilities are endless. They can range from retail optimization with electronic shelf labels to motion sensors or cameras for building management systems and even medical wearables for health care solutions. The best part of all this is that it can be automated, creating a genuinely self-sufficient IoT solution.

Wireless Home Office Solution


Up to this point, we’ve reviewed the Catalyst 9105’s Wi-Fi 6 and IoT capabilities; however, the caveat is that most of us are still working remotely, so how can we benefit from these innovations?

As hinted earlier, the Catalyst 9105 can be deployed directly in your home. With Cisco’s remote worker solution, simply connect your Catalyst 9105 to your home network, and it will automatically associate with your company’s corporate Wireless LAN Controller (WLC) and begin broadcasting your corporate SSID over Wi-Fi 6.

Can it really be this easy?

Absolutely, and the solution is simple: we use Cisco’s day-0 provisioning solution, Plug-n-Play (PnP). Before shipping the AP to the end user, the network administrator managing this solution simply creates a profile for the AP on Cisco’s PnP Connect cloud portal and points it to the IP address of the company’s WLC. When the AP receives an IP address, its built-in PnP agent automatically reaches out to Cisco’s PnP Connect server, is redirected to the WLC, and joins it. Only step one in the diagram below is executed by the end user; the remaining steps are completely black-boxed, making the workflow incredibly simple.

Figure 7. Remote worker solution’s three-step onboarding process

It’s no doubt convenient, but is it secure?

It’s a resounding yes, and to explain, let’s refer to the architectural diagram below. The left side of the diagram depicts a user’s home network, and you’ll observe that the deployed Catalyst 9105 associates with the corporate office’s WLC (sitting in a public DMZ) through NAT. This connection is not only secured by Cisco Umbrella but also DTLS encrypted, meaning it has the highest level of security segmentation possible.

After the Catalyst 9105 joins the WLC, it can utilize all of the WLC’s back-end infrastructure, such as the RADIUS server for corporate 802.1X network access, and even Cisco DNA Center. With Cisco DNA Center, the network administrator managing the remote worker networks can leverage features such as Network Assurance and Intelligent Capture to monitor and troubleshoot any issues should they occur, ensuring a phenomenal end-user wireless experience.

Figure 8. Remote worker solution architecture

By combining this wireless trifecta of Wi-Fi 6, Internet of Things, and the remote worker solution, the Catalyst 9105 is not only a powerful and versatile small form-factor AP but a multipurpose networking hub, and indeed a force to be reckoned with.