ESHARP.NET

Technology and life with Eyvonne Sharp


Can Cisco Restore Confidence with SD-Access?

July 3, 2017 By Eyvonne Leave a Comment

At Cisco Live 2017, the world’s leading networking vendor shone a spotlight on their new line of campus switches and their emerging software platform coined SD-Access. Some of the buzz was familiar like a new programmable ASIC with more power to process packets. We heard the expected refrain of speeds and feeds, port density, redundancy, and PoE. But we heard new things as well.

After years of industry buzz surrounding Software Defined Networking, Cisco announced their first serious foray into the software-defined space. Software-Defined Access combines a suite of Cisco software products to improve usability, build automation, and aid in troubleshooting. Combining ISE and two new software tools, DNA Center and Network Data Platform, Cisco promises a fully automated, secure campus fabric. On its face, it’s difficult not to get excited about SD-Access. Many of us have been begging for more robust, software-driven solutions from Cisco. In many ways, SD-Access is the first coherent, unified strategy in that direction.

But…

Those of us who’ve been around networking for any length of time have history. We remember the Cisco Live where OnePK was all the rage. Sessions were packed to the gills with eager networkers learning a new API that was going to be integrated into every Cisco platform. OnePK didn’t survive a year. We remember hyped, but incomplete, products that never delivered on their promises. Beyond the failed promises, we’ve given countless sleep-hours to unexpected production outages caused by software bugs. Many of us can’t remember the last TAC case we opened whose root cause wasn’t a software bug.

At the same time, we freely acknowledge that we’ve built our careers around Cisco solutions and products. We want to believe that Cisco is entering a new era, that the leadership of Chuck Robbins is bringing about transformation inside of an organization that’s grown bloated with success.

With all that in mind, what can Cisco do to restore our confidence in the next era of software-defined solutions?

  1. Ship working products. More than anything, we must be able to trust that the products we buy will work as promised.
  2. Stay focused on delivering real solutions to real problems. Stop creating solutions that look for a problem. We have plenty of problems to solve.
  3. Integrate. Cisco’s integration of newly acquired Viptela will speak volumes.
  4. Unify the organization. Customers have grown weary of inter-BU competition and inconsistent product messaging. We expect all of Cisco to be on one team.

Even with my cautious optimism following Cisco Live, it will take a few years of successful product deployments to renew my confidence. As a follower of SD-WAN in general, and a fan of Viptela in particular, I cannot overstate the importance of the successful integration of Viptela’s full SD-WAN platform.

By next Cisco Live we should know if SD-Access is just another marketing campaign or if it’s becoming a new way of life for Cisco. We will know if SD-Access works. We will see how Cisco rolls Viptela into the fold and if they make the difficult decisions required to do so.

Until then, many of us will continue to watch and wait.

Filed Under: Industry Musings Tagged With: Cisco, ISE, SD-Access, SD-WAN

Identity Matters, ISE and the Future of Networking

September 6, 2013 By Eyvonne 5 Comments

The more I work with Cisco ISE (Identity Services Engine), the more possibilities I see. In my opinion, it is the most exciting Cisco product since UCS. It’s the only product I’ve seen that provides such a high level of flexibility, control, and centralized configuration for network edge access.

With ISE, you can authenticate, profile, and posture any wired or wireless device that connects to your network. Policy is configured in a centralized controller and pushed to clients when they connect to the network. Based on a myriad of identity and profiling criteria, you can apply a VLAN, push a DACL, or inject a Security Group Tag for each client. Today, all of that information is used only for security purposes, but think about the possibilities!

What if every packet on your network is tagged with an identifier based on an amalgam of criteria including user identity, device type, AD group, application flow, etc.? Consider the opportunities if each packet is proactively encoded with a handle that distinguishes it based on complex criteria. What if these criteria are centrally managed and abstracted into a structure that allows you to make quick decisions in hardware? It’s reasonable to conclude that not only security decisions, but routing, QoS, and optimization could be configured based on this identity tag in the packet. And all of this policy can be pushed from a centralized controller into the data plane of your network.

Granted, ISE doesn’t do this today. It provides authentication, authorization, profiling, and posture services and is solely a security tool. However, the potential power of the platform is limitless.

Of course, ISE is a proprietary Cisco solution that only works well in an all-Cisco environment. Aside from standard RADIUS authentication, all of the great ISE features are Cisco only. However, if the solution were more open and interoperable with other networking vendors, it could become a huge platform to improve the entire networking industry.

For Cisco, ISE should be a huge component of their long-term strategy for centralized network control, automation, and security. For a vendor that receives a lot of flak for not being a software company, ISE is a great software product.

Filed Under: Industry Musings Tagged With: Cisco, ISE, Security, Strategy

Configuring Cisco FlexConnect AP to Support Dynamic VLAN Assignment with ISE

August 17, 2013 By Eyvonne 4 Comments

I am in the middle of an ISE proof of concept and have been running the product through its paces. Since nearly all of my access points are in FlexConnect mode (formerly known as H-REAP), they require additional configuration to allow dynamic VLAN assignment with ISE. FlexConnect supports local switching which allows you to map a local VLAN ID from the AP’s switch to an SSID instead of tunneling all traffic back to the Wireless LAN Controller to be switched centrally.

In order to dynamically assign a VLAN ID with an ISE authorization profile, the VLAN must exist on the access point. FlexConnect Groups accomplish this task.

From the Wireless menu, select FlexConnect Groups and click the New button. Once you create the group, click the group name to open the edit menu (seen below). On the General tab, add the access points to the FlexConnect group. To add the VLAN ID, select the ACL Mapping tab and then the “AAA VLAN-ACL mapping” tab. Enter the VLAN ID and select the ingress and egress ACLs. In my case, I selected “none”. Click Add and then Apply.

Your VLAN IDs have been added to your access point and can be assigned with an ISE authorization policy.
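The check behind that requirement, as an added example (not the post’s or Cisco’s own code): the VLAN an ISE authorization profile returns in the RADIUS Access-Accept (carried in the RFC 3580 tunnel attributes) must appear in the AAA VLAN-ACL mapping of the FlexConnect group each AP belongs to, or the locally switching AP has nowhere to place the client. Profile, AP and group names are constructed for illustration.

```python
# Added example (not the post's own code): pre-flight check that every VLAN an ISE
# authorization profile can assign is mapped in the FlexConnect group of each AP.
# Profile, AP and group names below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

TUNNEL_TYPE_VLAN = 13  # RFC 3580: Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_802 = 6  # RFC 3580: Tunnel-Medium-Type (65) = IEEE-802

@dataclass
class AuthzProfile:
    """ISE authorization profile that assigns a VLAN to the client."""
    name: str
    vlan_id: int

    def radius_attributes(self) -> Dict[str, object]:
        """Attributes the resulting RADIUS Access-Accept carries to the WLC."""
        return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                "Tunnel-Private-Group-ID": str(self.vlan_id)}

@dataclass
class FlexConnectGroup:
    """WLC FlexConnect group: member APs plus its AAA VLAN-ACL mapping."""
    name: str
    access_points: Set[str] = field(default_factory=set)
    vlan_acl_mapping: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # vlan -> (ingress, egress ACL)

def vlan_from_attributes(attrs: Dict[str, object]) -> Optional[int]:
    """Recover the VLAN ID from Access-Accept attributes; None if it is not a VLAN assignment."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    gid = str(attrs.get("Tunnel-Private-Group-ID", ""))
    return int(gid) if gid.isdigit() else None

def unmapped_aps(profile: AuthzProfile, groups, ap_names) -> Dict[str, Optional[int]]:
    """Map each AP whose group lacks the profile's VLAN (or that is in no group) to that VLAN.
    A locally switching AP in that state has no local VLAN to switch the client onto."""
    vlan = vlan_from_attributes(profile.radius_attributes())
    ap_to_group = {ap: g for g in groups for ap in g.access_points}
    return {ap: vlan for ap in ap_names
            if ap not in ap_to_group or vlan not in ap_to_group[ap].vlan_acl_mapping}

# Constructed sample: HQ group maps VLANs 10 and 20 with ACL "none" (as in the post); branch maps only 10.
GROUPS = [FlexConnectGroup("FLEX-HQ", {"ap-hq-1", "ap-hq-2"}, {10: ("none", "none"), 20: ("none", "none")}),
          FlexConnectGroup("FLEX-BRANCH", {"ap-br-1"}, {10: ("none", "none")})]
EMPLOYEE = AuthzProfile("Employee_VLAN20", 20)

if __name__ == "__main__":
    print(unmapped_aps(EMPLOYEE, GROUPS, ["ap-hq-1", "ap-br-1", "ap-orphan"]))
```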

For more information, see the Cisco documentation.

[Screenshot: ise_wireless_flexconnect_vlan. Screen shot from Cisco 5508 Wireless LAN Controller version 7.4.100.0]

Filed Under: Technical Notes Tagged With: FlexConnect, How-To, ISE, Wireless

About Eyvonne
Eyvonne Sharp leads an incredible team of cloud infrastructure customer engineers as the Head of North American Customer Engineering for Infrastructure Modernization at Google Cloud. In her spare time, she reads, writes, and enjoys time with her husband and 4 kiddos. She's an occasional flutist and wannabe philosopher.
