Why Manufacturers duplicate IPv4 addresses and how IE switches help solve the issues

If this topic piqued your interest, you’re probably impacted by or at least curious about duplicate IP Addresses in your industrial network. You are not alone. It can be a little bewildering. There doesn’t seem to be any reason in this day and age to have duplicate IP Addresses, let alone do it on purpose. Let’s unravel the mystery.

Companies that build sophisticated machines have made the transition to Internet Protocol as the communication protocol within their machines. IPv4 is the easiest protocol to use. There are lots of software libraries in the ether based on IPv4. These companies’ core competency is the electrical and mechanical aspect of their machines, not the software that runs the machine and therefore they do not have sophisticated software teams. When you’re writing communication software and software is not your core competency, what is the easiest and least problematic way to identify the components within your machine? Answer: Static IP Addresses. The alternative to static IP Addresses is a more complicated process involving dynamic IP Address assignment, along with a complex task of identifying which IP Address the individual components received.

The IP Addresses were duplicated on purpose. The software in the machine uses static IP Addresses to identify individual machine components because it’s easier for the machine builders. Each machine they build has the same software (SW). Therefore, they use the same static IP Addresses. If you have purchased two or more of their machines, then you have duplicate IP Addresses. To be fair, it would be much harder and cost prohibitive to give each component of each machine a unique IP Address.

Figure 1: Robots represent multiple machines with identical components and software

The robots in the picture above are an example of a sophisticated machine. Each robot has the same components and the same software. Each component has its own statically assigned IP Address. This practice is not restricted to robots. Bottling machines and diaper making machines are manufactured in the same way.

Why is this a problem?

As long as you can contain the broadcasts of IPv4 Addresses of the components to stay within the machine, you should be OK. There’s always one publicly unique IPv4 address on the machine which represents the entire machine to the outside world. Again, as long as you only use this one IPv4 address to communicate with the machine, it should not present any problems. Most of the time this is how it’s done and everyone is happy.

Along comes the need to increase productivity. To increase productivity, you need more data. And where is this data? One place is inside the machine. Now you need to communicate with the components inside the machine. Once you have more than one machine, how should you communicate with the internal components that have the same IPv4 address? This is the problem.

Solutions

Before describing solutions, I’d like to uplevel the discussion to talk about Network Address Translation (NAT) in general.

Everybody should know about NAT. We use NAT every day whether we know it or not. The IPv4 router in our homes uses NAT. The IP Address assigned to your home devices (including your laptop and smartphone) is a private IP Address. This private IP Address is not routable on the Internet. Our neighbors all have in home devices with the same IPv4 addresses. It’s not a problem because our home routers use Network Address Translation (NAT) to convert private IP Addresses to a publicly routable IP Address so we can communicate with devices on the Internet. The Internet service providers use private IP Addresses for in home use because it’s easier for them. There are not enough IPv4 addresses in the world for every IP capable device to have a unique IPv4 address. And let’s face it, we have not converted to IPv6.

Your home is not the only place NAT is used. Industrial networks also need to use NAT because sophisticated machines have the same IPv4 addresses.

There are really only two ways to solve duplicate addressing problems for industrial networks. The most obvious way is to insert an additional Layer 3 device such as a firewall or router between the machine and the rest of the network—just to translate Private IP Addresses. This is similar to what you have at home. This solution requires a special network device for the purpose to convert private IPv4 addresses to publicly unique IPv4 addresses. The drawback is, that it’s an additional device to purchase and manage and, configuration and management of this Layer 3 network device can be complex, requiring someone with IT skills to setup and maintain them.

The less obvious way is to use a Cisco Industrial Ethernet (IE) switch to do the IPv4 translation. When the IE switch solves the duplicate IP addressing problem, it’s using Layer 2 NAT. Plus, in my biased opinion, configuring Layer 2 NAT on a Cisco IE switch is easier than configuring NAT on router or firewall. There’s probably an Industrial Ethernet switch in your network already connecting all the machines together. Why introduce an additional network device? Keep the same simple network architecture you have with a Cisco IE switch and solve your duplicate IPv4 addressing issues, too.

Figure 2: IE-4010 connecting multiple complex machines

In figure 2 above, each robot has the same IP Addresses for its internal components. The Cisco IE switch will translate the duplicated private IP addresses of the components of each robot (ie: complex machine) into publicly unique IP Addresses as it receives the Ethernet frames from the robots.

Sample IOS CLI configuration for the Cisco Industrial Ethernet

This is how you would configure a Cisco Industrial Ethernet switch to provide L2NAT for the first two robots on the left in Figure 2. The remaining three robots would be very similar to the first two.

You start by defining which IPv4 Addresses to translate. The Cisco IE does not know which publicly or private IP addresses you want to use. You have to tell it. You define the complete translation.

Define a translation instance for each robot. The ‘leftmost’ robot would have this translation instance for 3 of its internal components. The ‘nextleftmost’ robot would have the same private IP Addresses but unique public IP addresses.

Note: The IP Addresses for the inside hosts are the same in each of the two translation instances, and the translated public IP Addresses are unique. They have to be unique if they are to be used in the upstream network to uniquely identify the robot components.

The next step in the configuration process is to apply the translation instances to the correct interface. The ‘leftmost’ robot is connected to port Gi1/2, and the robot next to it is connected to Gi1/4.

Disclaimer: This configuration, while valid, is just an example.

When it comes to configuring anything in the IOS CLI, the example above shows how simple it can be. For those of you who do not like using the IOS CLI, the same configuration can be done using the IE’sweb based GUI.

Source: cisco.com

Continue reading

Enhancing Government Outcomes with Integrated Private 5G

Enhancing Government Outcomes with Integrated Private 5G

Private 5G is now ready to be part of your enterprise wireless communications transformation strategy. While there has been extensive focus on ultra-wideband gigabit speeds from public Mobile Network Operators, there are even greater government expectations for 5G capabilities to assure the quality of service and empower new mission-critical use cases. 3GPP standards are enabling delivery of capabilities in three strategic 5G areas: enhanced Mobile Broadband (eMBB), Ultra-Reliable and Low Latency Communications (URLLC), and massive Machine Type Communications (mMTC). Private 5G is uniquely capable of addressing critical communications requiring interference-free spectrum, high throughput and/or low latency deterministic data delivery, and the ability to transfer terabytes of data without a metered service plan. The result will be a wide range of advanced public and private network wireless capabilities for high-definition video, advanced command and control, autonomous vehicles, and addressing previously overwhelming quantities of sensor data.

Private 5G Fundamentals

Cisco’s Private 5G solution is built on service provider class technology, tailored and optimized for enterprise consumption. For decades, Cisco has powered cellular networks around the world through advanced IP transport and 3GPP standards-based components, including our industry-leading Mobile Packet Core. Our new Private 5G solution delivers Wi-Fi-like simplicity through a cloud-native platform built on a services-based architecture and micro-services infrastructure. The solution offers a zero-touch delivery approach to on-premises elements that provide wireless connectivity between user devices and applications, while ensuring organizational and local data sovereignty. Cisco’s proven IoT platform manages the on-premises elements allowing for rapid turn-up and delivery of services, reducing government 5G learning curves and on-boarding burdens.

Better Together – An Enterprise Wireless Approach

An integrated private wireless strategy for Private 5G and Wi-Fi6 working together can deliver near-term transformative innovation as well as optimal user experiences and new mission-critical capabilities for the next generation of government mobility.

Bringing Private 5G enterprise mobility together with Enterprise IT and existing wireless infrastructures will ensure optimal quality of service, ubiquity of access, and enhanced security for mobile users. This integrated enterprise wireless approach, as depicted in the above picture, also enables the alignment and delivery of enterprise operational and security policies across your entire communications ecosystem. This “better together” story makes even more sense when you consider the vast majority of current 5G connections for voice and data access occur indoors, often where an existing Wi-Fi environment can be leveraged.

Better Together Outcomes – Optimized Experience / Minimized Costs

“Better Together” is a commonsense approach for government organizations that are bringing 5G into existing communications environments and complements the significant wireless investments that most government organizations have already made. And what could be more important in this age of hybrid work? A recent example: working in partnership with Dish Wireless, Cisco has teamed with Internet2 and Duke University to integrate Duke’s campus wireless network with Internet2’s upgraded fifth-generation national research and education network. “Rather than providing two separate infrastructures throughout campuses for cellular and Wi-Fi, the holy grail has always been for a single, common network delivering both cellular and high-speed private Wi-Fi,” said Tracy Futhey, VP and CIO at Duke University.”

This ability to deliver the right wireless technology to optimize overall experience and performance and to ensure enhanced and cost-effective mission and business outcomes are essential for government enterprises focused on user experience and security (and also meeting multiple Executive Orders and President’s Management Agenda requirement mandates).

Key Zero Trust and Security Considerations

Comprehensive, real-time visibility is needed across the wireless enterprise for optimal automation, orchestration, and performance and more importantly, delivering zero trust security. The “better together” approach fully supports Zero Trust mandates to continuously verify trust as called out in both federal mandates and the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. This integrated Private 5G and Wi-Fi 6 approach:

◉ Enables optimal Visibility & Analytics and Automation & Orchestration to better protect workloads, applications, and data;

◉ Ensures access control is as granular as possible to isolate user environments, applications, and data;

◉ Provides richer data for more effective anomalous activity mitigation.

Source: cisco.com

Continue reading

Security Resilience in APJC

As the world continues to face formidable challenges, one of the many things impacted is cybersecurity. While recent challenges have been varied, they have all contributed to great uncertainty. How can organizations stay strong and protect their environments amidst so much volatility?

Lately we’ve been talking a lot about security resilience, and how companies can embrace it to stay the course no matter what happens. By building a resilient security strategy, organizations can more effectively address unexpected disruptions and emerge stronger.

Through our Security Outcomes Study, Volume 2, we were able to benchmark how companies around the world are doing when it comes to cyber resilience. Recent blog posts have taken a look at security resilience in the EMEA and Americas regions, and this post assesses resilience in Asia Pacific, Japan and China (APJC).

While the Security Outcomes Study focuses on a dozen outcomes that contribute to overall security program success, for this analysis, we focused on four specific outcomes that are most critical for security resilience. These include: keeping up with the demands of the business, avoiding major cyber incidents, maintaining business continuity, and retaining talented personnel.

Security performance across the region

The following chart shows the proportion of organizations in each market within APJC that reported “excelling” in these four outcomes:

Market-level comparison of reported success levels for security resilience outcomes

There is a lot of movement in this chart, but if you take a closer look, you will see that many of the percentage differences between markets are quite small. For example, 44.9% of organizations in the Philippines reported that they are proficient at keeping up with the business, with Mainland China closely following at 44.4%.

The biggest difference we see between the top spot and the bottom spot is around retaining security talent—42.4% of organizations in Australia reported that they were successful in that area, while only 18.3% of organizations in Hong Kong reported the same.

Next, we looked at the mean resilience score for each market in the region:

Market-level comparison of mean security resilience score

When we look at this, we can see the differences between the top six and bottom seven markets a bit more clearly. However, as the previous chart also showed, the differences are very slight. (When we take into account the gray error bars, they become even more slight.)

There are many factors that could contribute to these small differences when it comes to security resilience. But the most important thing to be gleaned from this data is how each market can improve its respective resilience level.

Improving resilience in APJC

The Security Outcomes Study revealed the top five practices—what we refer to as “The Fab Five”—that make the most impact when it comes to enhancing security. The following chart outlines the Fab Five, and demonstrates how each market in the APJC region ranked its own strength across these practices.

Market-level comparison of reported success levels for Fab Five security practices

If we look at Thailand, for example, 69.1% of organizations say they are adept at accurate threat detection, while only 28% of organizations in Taiwan say the same. Like in the previous charts, there is a lot of movement between how various markets reported their performance against these practices. However, it’s interesting to note that Taiwan remained consistent.

So does implementing the Fab Five improve resilience across organizations in APJC? Looking at the chart below, it’s safe to say that, yes, implementing the Fab Five does improve resilience. Organizations in APJC that did not implement any of the Fab Five practices ranked in the bottom 30% for resilience, whereas those that reported strength in all five rose to the top 30%.

Effect of implementing five leading security practices on overall resilience score

Boost your organization’s cyber resilience

While building resilience can sometimes seem like an elusive concept, we hope this data provides some concrete benchmarks to strive for in today’s security programs.

Source: cisco.com

Continue reading

6 Steps to Unlocking ThousandEyes for Catalyst 9000

Modern businesses rely on network connectivity, including across the Internet and public cloud. The more secure, stable, and reliable these networks are, the better the user experience is likely to be. Understanding WAN performance, including Internet transit networking and how it affects application delivery, is key to optimizing your network architecture and solving business-impacting issues.

Troubleshooting any technical issue in environments so distributed and fast-changing can be a difficult and tedious process. First, there is the scope of what the problem could be. Is it a configuration error? An application issue? Did someone forget to change a DNS entry? Without knowing what domain the problem resides in, it is hard to approach troubleshooting effectively.

To help enterprises meet the needs and requirements of their expanded enterprise networks, new and existing Catalyst 9300 and 9400 switches customers have a powerful entitlement in their toolkit: ThousandEyes Enterprise Agents. ThousandEyes runs on many platforms, but there are several advantages to running ThousandEyes tests from Catalyst 9000 switches.

Installing it is easy, and you can use your existing resources to monitor connectivity and digital experience as close to the end-user as possible.

Not to mention it is cost-effective. There is no extra hardware, software, or license required to leverage ThousandEyes with this entitlement.

How does this entitlement work?

The ThousandEyes entitlement is based on units. And there is a certain number of units required for each ThousandEyes test, depending on many factors like the type of agent, type of test, and frequency of the test.

Each active Advantage license from Catalyst 9300 or 9400 switch translates into an equivalent of 22 ThousandEyes units each month. These units are enough to run one test every 5 minutes and can also be pooled to run more tests and/or an increased frequency of tests. (Please note: this entitlement only corresponds to Enterprise Agents.)

These units are automatically provisioned for new switches but are also available on request for existing Catalyst 9300 or 9400 customers.

A Step-by-Step Guide on Activation

When you are ready to begin, you will need the following:

1. A Cisco Smart Software Manager (CSSM) account

2. The email address configured on your Smart Account or Virtual Account

Step 1 – Log in to Cisco Smart Software Manager (CSSM)

Navigate to Cisco.com –> Smart Software Licensing –> Manage Licenses

Navigate to Inventory –> Licenses

Step 2 – Select Licenses to upgrade

These entitlements are automatically deposited and have an expiration matching your existing DNA licenses.

Locate “ThousandEyes Enterprise Agent Tests” entry.

Note that the legend above indicates “+7 pending” licenses, representing the number of switches in your environment with unused ThousandEyes credits. This snapshot was taken in an environment with seven Catalyst 9300 switches.

Navigate to Actions –> Complete Upgrade

Step 3 – Select Licenses to upgrade

In this step, we need to select the quantity of DNA licenses we want to leverage for ThousandEyes activation. The most common use case is to select the whole quantity available.

Step 4 – Review & Submit

Click Submit

The submission automatically triggers the provisioning call to ThousandEyes. Afterward, you will be able to see the DNA licenses in your account that are used for the ThousandEyes entitlement.

Step 5 – Confirm Your Account

Your ThousandEyes Account is created, and the units are now in your account.

To get access to the ThousandEyes dashboard, you must confirm your account via the customer welcome email. To ensure you receive this confirmation email, be sure to have access to the email address configured on your Smart Account or Virtual Account.

Step 6 – Install Agent and Begin Running Tests

You are ready to install the ThousandEyes Enterprise Agent in your switch using CLI or DNA Center and start reaping the benefits of end-to-end visibility from your campus all the way to the private, cloud, and SaaS networks.

Source: cisco.com

Continue reading

Networking Demystified: Protecting Endpoints is Job #1

Enterprise networking is a constantly evolving set of technology solutions. From an engineering perspective, it presents an endless series of fascinating problems to solve as we strive to connect more people, devices, and applications around the world. Cisco customers also have a seemingly endless list of use cases that they need our help in solving as they progress through their own digital transformations. We are starting this “Networking Demystified” blog post series to explore different aspects of networking technology that impact everyone today. This first deep dive is into the “mystery” of protecting endpoints like your laptop, phone, sensors, cameras, and the other thousands of types of devices that are so critical to running our modern world. Join us on this journey and maybe you too will be the next engineer to solve the hard problems of enterprise networking.

So, what is an endpoint? In simple terms, it is a device that connects to a network to serve a purpose: from something as simple as delivering IoT sensor data, to connecting people socially or professionally, accessing SaaS and cloud applications, or performing machine to machine exchanges of information to solve complex problems. Endpoints are everywhere. In our homes, office spaces, manufacturing floors, hospitals, and retail shops—literally everywhere, serving a multitude of purposes.

The Good, the Bad, and the Ugly

In an ideal world we expect all endpoints will behave the way they are supposed to and do no harm, just like the people interacting with the endpoints. But in the real world this is not actually the case. As a result, we need to categorize endpoint behavior into The Good, The Bad, and The Ugly.

◉ Good endpoints follow all the rules for network onboarding, use secure protocols for access, have up-to-date secure software installed, and do only what they are supposed to do.

◉ Bad endpoints are those outliers that still do what they are supposed to do but have loopholes which can be exploited to create security and performance problems.

◉ Ugly endpoint behavior can be categorized as being actively exploited and creating problems from local to global scale.

So, what do we do? We reward good behavior by providing the right level of access to permitted network resources. We punish bad and ugly behavior by restricting access or completely isolating an endpoint from the network based on how it is behaving.

But wait, how do we decide on the levels of access? We need to know what the endpoint is, before giving it the required access because we cannot protect what we don’t know. A printer does not need access to financial servers. Similarly, a CT scanner in hospital does not need access to patients’ medical records. But if we do not know whether the endpoint is a printer or a CT scan machine, how can we manage their behavior? We can assign a generic access policy to endpoints so that they can do their job, but that opens up a host of security problems. So how to identify and tag endpoints to determine the right access? Follow the breadcrumbs—the trail endpoints leave on the network as they communicate with other endpoints.

Great, that seems easy! So now our endpoints and network are secured. Unfortunately, not yet. Will endpoints behave in the same way all the time? They may not! If we want to secure all endpoints, we need to continuously monitor them to identify any change in behavior so that the network can act on the next steps, which could be a warning to the endpoint owner, a restriction on access via segmentation, or a more severe punishment—such as completely cutting off network access—until the behavior is fixed.

So, we need technology that focuses on how to identify endpoints effectively to assign the right level of network access, plus continuously monitoring endpoint behavior to determine when endpoints are acting abnormally. At Cisco, we think about this a lot. At a global scale there will soon be 30 billion+ endpoints connected by various private and public networks as well as the internet. Around 30-40% of endpoints may be of an unknown type when they first connect. This creates an incredibly large threat surface available for the bad guys to compromise endpoints and networks. To defend the enormous range of endpoints requires innovative networking access protection technologies. With the biggest market share in endpoint connectivity, Cisco understands the problem of secure access to defend networks and assets.

Breadcrumbs, Surgical Procedures, and Analytics

Let’s talk about the methods that Cisco uses to identify endpoints and defend the network before diving into some of the technical details.

Each type of endpoint coming on the network uses different protocols throughout its lifetime. For some of the protocols, these details are readily available in the network and can be used to understand the endpoint type. That is one of the simplest approaches. For some protocols, the information about endpoint identity is hidden deep inside the packets and we need a surgical procedure called Deep Packet Inspection (DPI) to reveal their secrets. Like any surgical procedure when surgeons open the human body to diagnose or fix the problem, DPI opens up and examines protocol packets until enough information is extracted to enable an endpoint to be identified. Since no two protocols work in same exact way (no two operations are same, right?), the challenge is to catalog each protocol and then methodically plan protocol operations (analytics) to identify endpoints.

With this in mind, you might think that endpoint classification using DPI must require special separate hardware in the network. Fortunately, with Cisco’s innovative application recognition technology embedded in Cisco Catalyst switches, you don’t need any new hardware. All processing of endpoint types occurs within the IOS XE switching software. How cool is that? The capability adds up to a lot of CapEx savings.

With Cisco’s Deep Packet Inspection technology, we can reduce the unknown endpoint count significantly. But is that enough? Not really, because the number of endpoints connecting to a network is going to increase exponentially, with manufacturers creating new types of endpoints that use different types of protocols to communicate. Just trying to keep pace with the changing types of endpoints is going to be a huge challenge. Does it mean we leave these newer endpoints on network operating without supervision—remember, you can’t protect what you don’t know.

Bring on Cisco AI/ML Analytics, the solution to reduce the number of unknown endpoints. AI/ML Analytics identifies endpoints and groups them according to similar operating and protocol characteristics and show them in context to IT. As AI/ML Analytics learns more about millions of endpoints across enterprise networks, its understanding improves significantly to assign endpoint identities with increasing accuracy. The result is that hundreds of thousands of endpoint identities can be categorized with minimal effort from IT.

The Next Level of Access Security

The above technologies help identify endpoint types and assist in applying the right access policy for an endpoint to do its job. But the story doesn’t end there. Using continuous, anomaly-focused monitoring, any change in endpoint behavior can be detected, enabling access decisions to be automatically updated. A simple example could be an IoT sensor device that usually delivers telemetry to a controller, but is suddenly communicating with other endpoints, indicating the device may be compromised. AI/ML Analytics detects that it is not behaving as per its normal traffic pattern and raises an alert for IT to examine or quarantine the device as needed to secure the network.

So, what is Cisco doing to expand this technology? The solution offering that combines these multiple technologies is called Cisco AI Endpoint Analytics, which is destined to be the single pane of glass for understanding endpoint identity and trust. It is currently being offered as an application on Cisco DNA Center. We are also extending the technology to other Cisco solutions, such as Cisco Identity Services Engine (ISE), to enhance and automate endpoint profiling.

Figure 1. Cisco AI Endpoint Analytics on Cisco DNA Center

Join Cisco in Making IT More Secure

So how can you help? What we discussed here is just the beginning of development activities for reliably determining endpoint identity and behavioral monitoring. It is an evolving area that needs a lot of attention and exploration to continuously improve the techniques employed. In fact, many of us consider endpoint protection as Job #1. It’s an exciting area to work in, knowing the impact you can have on helping to secure our ever-more interconnected world.

If you were to join Cisco, what is there to do to make your mark in this space? A lot! We are working on four key areas in AI Endpoint Analytics: Endpoint Identity, Endpoint Behavior, Enforcement, and Endpoint Data Analytics.

So, would you like to be part of the Cisco AI Endpoint Analytics journey and proudly tell others that you help protect endpoints everywhere? Because without secure, defended endpoints, there is no network!

Source: cisco.com

Continue reading

Deliver Industrial Wireless to Enable Digital Transformation

As industrial plants look to digital transformation to take their operations to the next level, industrial wireless becomes a key enabler. It’s hard to imagine a smart, digitalized facility not leveraging wireless technology because the cost of laying cables can be enormous.

A key consideration is that wireless designed for enterprise environments doesn’t necessarily have the capabilities required to run reliably in an industrial environment. Industrial environments face unique challenges and conditions, including dense infrastructure and hazardous environments. Overcoming these challenges requires a different approach.

This is where the collaboration between market leaders Cisco in IT solutions for enterprise networking and Emerson in OT solutions comes in. Together, we create wireless access solutions designed for the toughest industrial environments, helping customers improve productivity, safety, and security.

Our newest joint solution combines the Emerson Wireless 1410S Gateway with the Cisco Catalyst IW6300 Heavy Duty Series Wi-Fi Access Point, enabling facilities to create a robust, secure wireless infrastructure from the two leading IT and OT providers.

Oil and gas customer example

As an example, an oil and gas customer realized they needed to understand the correlations among people, processes, and asset data. Understanding those correlations required the installation of wireless infrastructure–such as Wi-Fi and WirelessHART–across the refinery. These technologies are often deployed in industrial environments to connect mobile devices, access points, and sensors on plant floors and in control rooms.

More specifically, this refinery needed to address several IOT use cases–for example, deploying wireless sensors for digital transformation applications such as:

◉ Corrosion monitoring

◉ Vibration monitoring of rotating equipment

◉ Acoustic monitoring of steam traps and pressure relief valves (PRVs)

◉ Performance monitoring of heat exchangers and cooling towers

In addition, the customer deployed wireless technology to:

◉ Support plant employees and operators while performing their physical rounds and duties

◉ Collect and analyze data to improve operational performance

◉ Backhaul reliability and monitoring data independent of the control system

As result, the installed Cisco and Emerson joint solution provides:

◉ Wireless connectivity across the plant, eliminating the need to collect information manually

◉ Instant visibility into data from devices monitoring the most critical assets for operators on the plant floor

◉ The ability to quickly assess the health of those critical assets, greatly improving operator productivity

Operators and control room engineers now focus more on value-added tasks because they need less time to:

◉ Communicate with the control room to deal with antiquated processes

◉ Collect and analyze data to improve operational performance

Integrating security

Security is obviously a pressing topic for all IT and OT professionals. To help improve the security posture of the joint Cisco and Emerson solutions, Emerson is integrating with Cisco SecureX. This integrates the Cisco Secure portfolio with the Cisco and Emerson infrastructure, speeding detection, response, and recovery.

If you’d like to improve worker productivity, security and operational excellence around your industrial set of use cases, consider leveraging the investment Cisco and Emerson have made to help you digitally transform your industrial environment, improve worker productivity, and build operational excellence.

Source: cisco.com

Continue reading

What IT loves about Webex Control Hub

We work from just about anywhere. Coffee shops, airplanes, kitchen tables. The nature of our work is hybrid and when we aren’t in shared spaces with our colleagues, we rely on our collaboration suite to keep us connected. As the collaboration leader for video endpoints across Cisco, my day revolves quite heavily around Webex and delivering consistent collaboration experiences to Webex users.

As we work across the world using collaboration tools both internally and externally, managing that experience is becoming more complex. With earlier tools, learning when, where, and why our collaboration services, devices, or applications faltered was like trying to find a rogue brace in 100,000 lines of code. Shortly after we migrated to our Cisco Collaboration Meeting Rooms Cloud solution, we began working on Webex Control Hub. Ever since, we’ve become smarter about pinpointing those rogue braces.

Control Hub is a centralized collaboration management portal that offers troubleshooting, analytics and compliance capabilities for our collaboration portfolio. We have multiple services, like Webex Meetings, Webex App, Webex Devices, Webex Calling, and with Control Hub, we get to see what’s happening across the board in our environment. In a word, it’s amazing.

Diving into Webex data to troubleshoot

In the past, let’s say Fernando called to escalate a connection issue he had with Webex Meetings. We’d have to wait on Cisco Technical Assistance Center (TAC) to get backend Webex data and send it our way. Then, we’d go down a rabbit hole trying to pinpoint the issue, pulling information from different sources while trying to piece together a picture of what went wrong. Meanwhile Fernando is frustrated he can’t join calls. It’s affecting his work productivity. It’s not great for business.

Today, when Fernando says he has a problem, we find it quickly. Control Hub populates a single dashboard with data from our entire environment, from aspects like users, devices, places, and services. Control Hub visually organizes that data to show me where Fernando is having issues, whether it’s a network issue, or a loose cable on his Cisco Webex Desktop Pro device. It’s a user-friendly interface, and in an instant, I spot when Fernando’s call is disrupted, for how long, what his bandwidth was, his latency – I get the entire picture, not pieces.

An administrator’s view of Webex Control Hub

If Fernando was on a conference call at the time of his connection issue, Control Hub offers up meeting information in a single view. All the participants, the types of endpoint clients they’re using, the meeting type, how long it takes to join the meeting, and network statistics of the call are visible. As an admin, joining the call to evaluate it in real time and troubleshoot live is an option.

In Control Hub, we pull logs from a device, whether it’s on the network or not. We comply with data privacy in every region, and while we can’t see everything, alerts and some diagnostics pop up, which is always better than nothing. We get way more troubleshooting capabilities for devices that aren’t on the network.

When viewing the logs, the simple dashboard reports when changes happen, and this information is collected. It narrows down the field of what is going on when a user says, ‘my device isn’t working’.

I’ve helped Fernando within a few minutes instead of a few hours. With analytics, I’ve identified if this is a particular pattern other users may be having and proactively monitor or alert them before it becomes an issue. Control Hub enables us to be more efficient, more resilient, and more focused on providing an exceptional collaboration experience.

Winning with user and device management

Managing thousands of devices and users comes with its own nuances, not to mention security protection challenges. Control Hub simplifies provisioning, authentication, and authorizing users on our Webex platform. We ensure that only successfully authenticated users are accessing spaces and services they’re meant to, using Key Management Service (KMS) – meaning unauthorized users will not be able to join your calls or spaces.

Once users are added, we manage their services and settings from Control Hub. This makes onboarding so much more straightforward. When new hires join Cisco, they turn their laptops on, sign in, and get straight to work meeting their new colleagues. When employees refresh their laptops or buy a new device, they don’t need to go through a long migration or setup. They log in, authenticate with Single Sign-On and Duo, and it works. We download device logs and push configuration changes to devices as well. It helps us make the collaboration experience better for everyone.

We also run proactive scripts that help us monitor devices regularly. These scripts perform audits on the devices for status, and if something pops up a couple of times, we open a case. The reason we do this is to make sure that the devices in our demo centers and offices are working to specification. Meaning, if Sam walks into a conference room in San Jose one week and into Bangalore another, her experience of the devices is consistent, no matter where she is in the world.

Simplified support and APIs

A lot of internal development went into simplifying the bot creation process with BotLite, a bot-making platform powered by MindMeld and Webex Teams. Using bots transforms so much of our work in terms of how we’re able to better support our user base and how our user base becomes more comfortable with self-service.

German Cheung, a Cisco technical systems engineer, has developed diverse tools via Webex Bots that add a lot of value to our services. The BVE Support bot, for example, provides various tools to our multi-tiers support teams based on their roles without breaking apart the role-based access permission in Control Hub. With the intelligent workflows and automations built into the bot, our support teams can interact with the bot to check, diagnose, pinpoint, and fix the issues in a few clicks. The bot helps to standardize the procedures of diagnosis, troubleshooting, validation and fixing. It also helps to reduce human intervention and the misconfiguration caused by human errors. MTTR (Mean Time to Repair) has decreased significantly. The bot remediates issues caused by access permissions, case escalations, and repeated steps. For example, one bot tool, UCM Calling Enablement in Webex, completes all checks across multiple infrastructures and services, and fixes issues automatically in about 15 seconds. Manually, that task usually takes anywhere from several minutes to several hours. The bot resolves cases quickly and more importantly, the user experience is that much better.

A great deal of information comes from various contributing platforms that help us make calls, launch applications, and develop bots. When we think of Webex, it’s not only about video endpoints and Webex meetings. We also have Webex apps that encourage engagement or streamline our workspaces too, like Miro, Slido, and M365. We manage those configurations within Control Hub.

Cisco IT has a culture of developing creative solutions. Webex has an open architecture; it allows you to develop your own solution. If we don’t offer it, it means the APIs are there if you need to develop something, just for your company and your users.

Needles in haystacks are painful and unnecessary

Is there a way to avoid twenty-questions when a senior leader says, ‘my device isn’t working’? Yes. What about when a user encounters dropped calls in Webex? Sure. Data is a beautiful thing when it’s used insightfully. While it’s still a work in progress, Control Hub gives us more time to make a great collaboration experiences even better – and with exceptional support.

Source: cisco.com

Continue reading