ESHARP.NET

Technology and life with Eyvonne Sharp

Why Every Great Network Engineer is also a Good Project Manager

By Leave a Comment

Much to the dismay of  network engineers, our projects do not exist in a vacuum.  In an organization of any size, IT silos separate technology ownership into groups of subject matter experts who are responsible for a small piece of the technology pie.

Any time we undertake a sizable network project, we will need the cooperation of other teams.  We will need to clearly explain the purpose of our project, enumerate the tasks that need to be completed, and assign owners and timelines to each task. Once tasks are created, followup is required.  You’ll need to know if your colleagues are on track, if they’ve run into issues, and how any delays will impact the project as a whole.

In short, you cannot implement a successful network project without a clear understanding of all the work required to make the total implementation a success.

Even a project that is straightforward from a technical perspective, for example creating a new wireless SSID, may require significant coordination.  Has the new SSID been tested on the various clients that will connect to it?  How will the SSID be distributed to clients?  Will users be notified of the change and if so how, when, and by whom?  Who will users contact for help?  What are the boundary use cases?

You may see all of these questions and respond with, “But I’m just the network engineer.”  Or, “Don’t we have project managers for that?”

I understand the sentiment.  But in the reality of IT project implementation, no one understands the intricacies of the work to be accomplished more than the technologists doing the work.  While your PM may be familiar with organizational structures, paperwork requirements, and communication channels, they likely will not know the tasks that need to be performed or the duration or potential impact of those tasks.  Project managers can contribute to the success of the project by following up, managing communication, and keeping an up to date task list.  But as a network engineer on a network project, you must take the lead to keep all moving parts of your project well-oiled and in sync.

I’m not suggesting you pursue project management certifications or spend hours learning project management tools. Simple tools you use every day, like spreadsheets, Evernote, documents, and text files, can provide a simple framework to keep track everything you need to be successful. Most importantly, you must own your role in the project.

Ultimately, when a network engineer is the technical lead on a project, the network team will receive either kudos or chastisement based on the overall success of the project — regardless of how or where problems occur.  You cannot argue that all of your configurations were correct and your implementation was flawless from a network perspective when the user experience was poor. Leadership simply doesn’t care.   It is therefore in your best interest, and the best interest of your organization, that you learn to manage your projects effectively enough to ensure their success.

Identity Matters, ISE and the Future of Networking

By 5 Comments

The more I work with Cisco ISE (Identity Services Engine), the more possibilities I see. In my opinion, it is the most exciting Cisco product since UCS. It’s the only product I’ve seen that provides such a high level of flexibility, control, and centralized configuration for network edge access.

With ISE, you can authenticate, profile, and posture any wired or wireless device that connects to your network. Policy is configured in a centralized controller and pushed to clients when they connect to the network. Based on a myriad of identity and profiling criteria, you can apply a vlan, push a DACL, or inject a Security Group Tag for each client. Today, all of that information is used only for security purposes, but think about the possibilities!

What if every packet on your network is tagged with an identifier based on an amalgam of criteria including: user identity, device type, AD group, application flow, etc? Consider the opportunities if each packet is proactively encoded with a handle that distinguishes it based on complex criteria. What if this criteria is centrally managed and abstracted into a structure that allows you to make quick decisions in hardware? It’s reasonable to conclude that not only security decisions, but routing, QOS, and optimization could be configured based on this identity tag in the packet. And, all of this policy can be pushed from a centralized controller into a data plane of your network.

Granted, ISE doesn’t do this today. It provides authentication, authorization, profiling, and posture services and is solely a security tool. However, the potential power of the platform is limitless.

Of course, ISE is a proprietary Cisco solution that only works well in an all Cisco environment. Aside from standard radius authentication, all of the great ISE features are Cisco only. However, if the solution were more open and interoperable with other networking vendors, it could become a huge platform to improve the entire networking industry.

For Cisco, ISE should be a huge component to their long-term strategy for centralized network control, automation, and security. For a vendor that receives a lot of flack that they’re not a software company, ISE is a great software product.

Configuring Cisco FlexConnect AP to Support Dynamic VLAN Assignment with ISE

By 4 Comments

I am in the middle of an ISE proof of concept and have been running the product through its paces. Since nearly all of my access points are in FlexConnect mode (formerly known as H-REAP), they require additional configuration to allow dynamic VLAN assignment with ISE. FlexConnect supports local switching which allows you to map a local VLAN ID from the AP’s switch to an SSID instead of tunneling all traffic back to the Wireless LAN Controller to be switched centrally.

In order to dynamically assign a VLAN ID with an ISE authorization profile, the VLAN must exist on the access point. FlexConnect Groups accomplish this task.

From the Wireless menu, select FlexConnect Groups and click the New button. Once you create the group, click the group name to open the edit menu (seen below). On the General tab, add the access points to the FlexConnect group. To add the VLAN ID, select the ACL Mapping tab and then the “AAA VLAN-ACL mapping” tab. Enter the VLAN ID and select the ingress and egress ACLs. In my case, I selected “none”. Click Add and then Apply.

Your VLAN ID’s have been added to your access point and can be assigned with an ISE authorization policy.

For more information see Cisco documentation

ise_wireless_flexconnect_vlan

Screen shot from Cisco 5508 Wireless Lan Controller version 7.4.100.0

Thoughts on moving from SMB to the Enterprise

By

After working in small business IT for over a decade, I made the leap to a large healthcare enterprise. Although I had been very successful in providing solutions in the SMB space, I didn’t know how well my skill set would transfer into a larger environment. Three years into my experience in the enterprise, I’ve learned there are several similarities and a few differences between SMB and enterprise IT.

Read more on my post at Packet Pushers, or listen to Lauren Malhoit and me discuss over at Adapting IT.