#WirelessFriday – September 2017 – Questions & Responses

Thank you very much for your interest in the Cisco #WirelessFriday event! This article is a quick recap of the September 2017 event with the associated questions and panel responses. I would like to make a public thanks to Cisco Product Manager Ivor Diedricks for a great Software Defined Wireless overview and to Technical Marketing Engineer Kanu Gupta for her awesome demonstration of DNA Center.

I would also like to thank my panelists Ben Edwards, Brad Kincaid, Rush Johnson, and Mark Dellavalle.

If you’d like to hear the recording, you can access it here.

To learn more about Software Defined Access go to www.cisco.com/go/sda or chat with your Cisco or reseller account teams.

Q. Does it mean VLANs are only required to separate locations… i.e. floors, to minimize the amount of broadcast traffic and not required at all to segment from a security perspective?
R. With SD-Wireless (Fabric Enabled), yes! Of course, this isn’t for ALL deployments. The more devices and APs you have, the more it makes sense.

Q. So, how does this apply to a network of 100 branches separated by MPLS?
R. Today, SD-Access is best suited to the campus network. The Assurance functionality of DNA Center can be extremely valuable for the branch and can be used independent of the fabric. We’ll do another session on Assurance soon!

Q. Will this kill Flex?
R. Consider Fabric Enabled Wireless as another deployment capability that is well suited to very large campuses. For the foreseeable future, we will see needs for Connected (local) mode, FlexConnect mode, cloud managed, and Fabric.

  • Mobility Express (FlexConnect): Well suited for small, autonomous offices
  • FlexConnect Mode: Well suited for branch offices with centralized or regional control, distributed data plane
  • Connected (Local) Mode: Well suited for large campus with centralized control and data planes
  • Meraki Cloud Managed: Well suited for campus or branch deployments with a public cloud control plane, distributed data plane
  • Fabric Enabled Wireless (SD-Wireless): Well suited for very large campus with centralized control plane, distributed data plane. L2 flexibility, wired or wireless.

Q. In fact, VLAN’s role becomes purely ‘limit the amount of broadcast’ because once user/endpoint is identified upon connection an appropriate policy will be assigned…
R. You are mostly correct. Another benefit of LISP with VXLAN and SGT is the separation of users and devices individually, further decreasing the broadcast burden.

Q. How are advanced WLAN settings configured now, such as 802.11k, 802.11v, 802.11r, band steering… everything that is available through the Advanced tab on the WLC?
R. DNA Center will automatically turn on Cisco best practices for wireless, but you can always go into the controller and tune it as your situation requires.

Q. Previously, APs were automatically rebooted once added to an AP group; has this been improved?
R. An AP will reboot when added to an AP Group.

Q. Yeah… what’s the future of Prime Infrastructure now? 🙂
R. Great question! To be clear, PI and DNA-C are designed to do different things:

  • DNA-C: Automation and assurance. Automation is the simplification and abstraction of several networking activities or tasks
  • Prime Infrastructure: Network management. Network management is about up / down and managing the life cycle of network hardware

Q. If traffic doesn’t go through the controller, how does AVC work? The FlexConnect AVC is so out of date that I hope it isn’t that.
R. AVC is a distributed process in our Wave 2 APs. Within a Fabric Enabled environment, AVC would be done at the switch. The Assurance capabilities coming in DNA-C capture analytics from several vectors such as AVC, DNS, DHCP, NetFlow, and others to provide health monitoring down to the application level.

Q. What does centralized mode mean? Is this referring to Converged Access “centralized mode”, or is this the local mode that we know, now renamed, or Flex central switching?
R. Centralized mode is Local Mode. All the control plane and data plane traffic is handled by the WLC.

Q. Please provide a validated design document we can refer to. This is an exciting approach and will need to digest it thoroughly.
R. You can have users coming in on a single SSID and, based on user role, have different policies applied based on SGT tag. You can also have multiple SSIDs configured for different auth types, like guest for webauth or a corporate SSID for 802.1X. Check out the Software Defined Access Design Guide.

Q. I have Brocade switches throughout my company… does Fabric support third-party switches?
R. Not at this time.

Q. What is a “stretched subnet”?
R. A textbook LAN design has VLANs unique to a physical location (floor 1, floor 2, etc). A stretched VLAN would be one you create for wireless users or for security cameras that lands on multiple access switches.

Q. I understand the complexity of the 5 Tuple, but I also know it has been a mainstay for a long time. Could this turn into a case of “If it ain’t broke, don’t fix it”?
R. Great question! The short answer is yes. The trouble is mobile and IoT devices are causing us to stretch our network so VLANs are no longer tied to a physical location. This means our traffic engineering (routing), QoS, and security policies get real complicated, really quick. Very large campus environments often include the need for ACLs that are hundreds or thousands of lines long. These would be well suited for Software Defined Access with a Fabric Enabled infrastructure.

Q. When roaming from fabric AP to Fabric AP, have we introduced additional overhead that may increase roaming latencies?
R. Nothing noteworthy. All handled by Control Plane LISP Server during Fast Secure Roams. Within Fabric/Campus where LISP and WLC still must reside this is all still well within latency tolerances.

Q. What are the minimum hardware requirements to support DNA functionality?
R. DNA-Center will initially be offered as an appliance. No need to plan a hardware budget for virtual appliances.

Q. Is ISE a requirement?
R. ISE is a requirement if you are doing Security Group Tag (SGT) based policy enforcement. DNA-C will connect to any RADIUS if SGT is not necessary.

Q. If you have a design case where WLCs connect to a remote branch to a non-Cisco router, Cisco access switches, and Cisco APs, can Fabric be implemented?
R. Fabric Enabled Wireless is well suited for a large campus and may not provide benefit for a branch office. The Software Defined Access Design Guide provides details of how to design.

Q. How does this solution address segmentation for IoT devices that only support PSK authentication and don’t have an AD account associated with them? Is there an assumption that all IoT devices share a single SGT?
R. This scenario may be well suited to Identity PSK. Find detail here.

Q. Not all Cisco switches understand VRF; what model of switch is going to be required for this?
R. Catalyst 3850, 3650, 4k and the 9k series can be used to form an SD-Access fabric.

Q. Is Guest Anchoring still supported under this?
R. Guest anchor is supported in Fabric Enabled Wireless “Over the Top” (OTT) deployment, where the underlying infrastructure does not support SD-Access. With full SDA wireless integration, you don’t need a dedicated anchor WLC anymore since the infrastructure will provide VXLAN encapsulation, end-to-end.

Q. I run into issues with Flex local switching in branches because of the L2 subnet limitation; roaming across L3 does not work well. Converged Access fixed it, but that’s dead. What’s the plan for the branch? Meraki :)
R. As mentioned earlier, there are a number of deployment options, and oftentimes a mix of options makes the most sense. Yes, the Converged Access controller is EOL. We have a number of customers who agree that a mix is best: an on-premises Aironet deployment for the campus and Meraki for the branch. Depending on the L2 limitation you’re dealing with, you may have the same issue with a Meraki deployment, though.

Q. Any plans to have the WLC be part of the fabric, physically connected inside the fabric like an AP?
R. Not at this time.

Q. With DNA-C, can I configure advanced WLAN parameters, for example session timeout, max clients per AP, etc?
R. Not at this time. All best practices are enabled on DNA-C when creating an SSID.

Q. Can we co-mingle this with traditional networks for things like devices that do not log in or how do you approach that?
R. In cases where you cannot dedicate WLCs and APs in a seamless roaming area to participate in fabric, a traditional CUWN design model, also known as a local-mode model, is an option. SD-Access is compatible with CUWN “over the top” as a non-native service option, without the benefits of fabric integration and DNA Center automation. This Non-Fabric, Centralized Wireless option is described in the Software Defined Access Design Guide.

Depending on the situation, Identity PSK may be an option.  Find detail here.

Q. There has been a graphic on a few of the slides now with “single SSID.” I’m intrigued, as typically corporate and guest have different authentication types; I am assuming you will get there?
R. You can apply different policies based on who it is for a given SSID, but if you want to encrypt your corporate via 802.1X and not your guest, you still need 2 SSIDs.

Q. So what does DNA-C do to ISE?
R. Direct integration with ISE.

My own (PreShared) Key

Multi-tenant and IoT deployments have a unique problem. Often there are devices that need to talk to each other, like neighbors in a neighborhood, but not be allowed to talk between neighborhoods.  It’s a problem that’s been around for a long time, and it’s getting bigger as we do more with “headless” devices.

Check out this video on Cisco Identity PSK.  Let me know what you think.
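To make the “neighbourhood” idea above concrete, and the earlier panel point that one SSID can carry several policies based on an identity-derived tag, here is an added, constructed model (not Cisco code and not the ISE or WLC API): every device gets its own pre-shared key and a group tag, looked up by MAC the way a RADIUS server would hold it, and traffic is then permitted or denied between groups rather than between subnets. The MAC addresses, keys, group names and policy pairs are all constructed sample values.

```python
"""Toy model of Identity PSK plus group-based policy (constructed example).

Identity PSK lets devices on a single SSID use their own pre-shared key;
the key and a group tag are looked up per client identity (by MAC address)
instead of one PSK being shared by everyone on the SSID. In a real
deployment the key is shared per device or per family of devices and is
proven during the WPA2 4-way handshake; this model keys per device and uses
a constant-time compare to stand in for the handshake.
"""
import hmac
from typing import Optional

# Per-device identity store, as a RADIUS server might hold it.
# mac -> (pre-shared key, group tag). Constructed sample values.
IDENTITY_STORE = {
    "aa:bb:cc:00:00:01": ("camera-key-1", "cameras"),
    "aa:bb:cc:00:00:02": ("camera-key-2", "cameras"),
    "aa:bb:cc:00:00:10": ("sensor-key-1", "hvac"),
    "aa:bb:cc:00:00:20": ("nvr-key-1", "video-recorders"),
}

# Group-to-group policy in the spirit of an SGT matrix: the set of permitted
# (source group, destination group) pairs. Anything not listed is denied.
POLICY = {
    ("cameras", "video-recorders"),  # cameras may push video to recorders
    ("video-recorders", "cameras"),  # recorders may pull from cameras
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so lookups ignore separator style."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authenticate(mac: str, offered_key: str) -> Optional[str]:
    """Return the client's group tag on success, None on any failure.

    Failure modes handled: malformed MAC, MAC with no identity entry, and a
    key that does not match the entry for this MAC (a key issued to a
    different device is not accepted).
    """
    try:
        entry = IDENTITY_STORE.get(normalize_mac(mac))
    except ValueError:
        return None
    if entry is None:
        return None  # unknown device: no per-device key, no access
    expected_key, group = entry
    if not hmac.compare_digest(expected_key.encode(), offered_key.encode()):
        return None  # wrong key for this identity
    return group


def permitted(src_group: Optional[str], dst_group: Optional[str]) -> bool:
    """Policy decision between two groups.

    Neighbours (same group) talk freely; cross-group traffic needs an
    explicit POLICY entry; an unauthenticated (None) endpoint is always denied.
    """
    if src_group is None or dst_group is None:
        return False
    if src_group == dst_group:
        return True
    return (src_group, dst_group) in POLICY


def can_talk(src_mac: str, src_key: str, dst_mac: str, dst_key: str) -> bool:
    """End-to-end check: authenticate both endpoints, then consult policy."""
    return permitted(authenticate(src_mac, src_key), authenticate(dst_mac, dst_key))


if __name__ == "__main__":
    # Two cameras (same neighbourhood) may talk; a camera and an HVAC sensor may not.
    print(can_talk("aa:bb:cc:00:00:01", "camera-key-1", "aa:bb:cc:00:00:02", "camera-key-2"))
    print(can_talk("aa:bb:cc:00:00:01", "camera-key-1", "aa:bb:cc:00:00:10", "sensor-key-1"))
```

The point of the model is where the decision lives: a device that fails its own key, or has no identity entry, never gets a group and is therefore denied everywhere, and adding a new device type means adding one identity entry and one policy pair rather than editing a long 5-tuple ACL.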

Cisco ISE is Hardening Up; The Secure Access Wizard

The term “wizard” isn’t my favorite one.  It feels like I’m installing Windows for Workgroups 3.11 again or my Linksys WRT54G.  My own preference aside though, Cisco ISE 2.2 is an important release for Cisco and introduces some much needed simplification and adds some great new functionality.  This series of 7 videos took me just under 90 minutes to finish and now I’ve got a number of new things to talk about with enterprises that are looking ahead to software-defined networking.  Identity services will be an important component of that.

Many thanks to Jason Kunst (LinkedIn, Twitter), a Technical Marketing Engineer on the ISE team at Cisco! The videos provide a walk-through of how to deploy a few important features in about 5 minutes each:

  • Secure access and DOT1X network access
  • Guest access (hot-spot, self-registered, and employee-sponsored)
  • Bring Your Own Device using Dual and Single SSID deployment styles

Here’s the video playlist:
Here’s the breakdown of videos:

  1. ISE Secure Access Wizard Intro: If you saw early versions of this you may have seen it as Easy Wireless.  This tool greatly simplifies deployment of ISE services for wired and wireless access for employees, employee BYOD, and guest access.
  2. ISE Secure Access Wizard: Hotspot Guest Access in 5 minutes.
  3. ISE Secure Access Wizard: BYOD (Single SSID Style) in 5 minutes.
  4. ISE Secure Access Wizard: DOT1X deployed in 5 minutes.
  5. ISE Secure Access Wizard: Guest Self Registration deployment in 5 minutes.
  6. ISE Secure Access Wizard: BYOD (Dual SSID Style) deployment in 5 minutes.
  7. ISE Secure Access Wizard: Sponsored Guest Portal deployment in 5 minutes.

New Career Opportunities and Giving Back

It’s been a long time since I’ve been between positions and I’m finding it a VERY busy time. Although much of my time is consumed with phone calls, interviews, and just plain HUSTLIN’, I have still found time to give back a little. Here’s a pic of the new Gaga Ball pits installed at Seattle Hill Elementary.

For those of you no longer in elementary school, Gaga Ball is a cross between dodgeball and handball played in an octagon. Each of these pits start with 25 kids, but could easily hold 40.

As you may already know, the technology I supported as a specialist at Cisco has been absorbed into the mainstream and I am now seeking my next opportunity. If we haven’t spoken in a while, I’d love to hear from you! Hit me up at jason@shutostrike.com or on LinkedIn.

The End of an Era, The Beginning of…

To my important CiscoFullBars.com, LinkedIn, and Twitter Community,

As you may know I have spent the last 16½ years working in sales at Cisco as a subject matter expert.  In my role, I begin each fiscal year creating a plan that will exceed growth and sales expectations. I was an overlay and because of that I include a component in each business plan that essentially eliminates my current position. That may seem weird but nearly every year I’ve been successful at it. Each year the role I take or the territories I cover change, sometimes dramatically, because we took a new, complex technology and made it mainstream. That’s why I’ve been so passionate about what I do! I get a different job just about every year, even though I’ve kept the same title.

Success has struck once again. In our US commercial business here at Cisco, the enterprise networking technologies have been absorbed into the mainstream. A dedicated overlay team is no longer required to win complex deals, build demand, or provide enablement to our internal and partner sales teams. My work is finished.

I would like to take this moment to thank my community here on CiscoFullBars.com, LinkedIn, and Twitter.  Thank you my friends for your support, guidance, banter, and camaraderie.

Today I look ahead as I determine what is next and I am excited for a bright future.  I don’t know yet what that future looks like but in the words of Sir Isaac Newton, “If I have seen further, it is by standing on the shoulders of giants.”

Thanks for the memories. I look forward to making more with you all.

Your humble servant,
Jason Grant

@shutostrike, jason@shutostrike.com, linkedin.com/in/jasonjgrant