EoS and EoL roll-up for Cisco AirOS Wireless, ASA, and Switching

End of Sale and End of Life dates for AireOS Cisco Wireless LAN Controllers – AIR-CT-3504AIR-CT-5520AIR-CT8540AIR-CTVM 


End of Sale and End of Life dates for ASA 5506, 5512 & 5515, 5508 & 5516, 5525, 5545 & 5555, 5585-X, 5585-X FP

End of Sale and End of Life dates for Cisco Catalyst – 2960X/XR2960L/P3650SUP9E

Mike

Evolving Smart Licensing, what’s coming and when?

Does anyone else feel like they need a Ph.D. in Cisco licensing?! Good news is that there are some changes coming to help make our lives easier.

Most of you are likely familiar with Smart Licensing. However, you can go here if you need more information. During Cisco’s transition to subscription-based licenses, Smart Licensing (SL) was introduced. Cisco believed Smart Licensing would streamline the way customers activate and manage Cisco licenses across the organization. Transitioning from the traditional PAK based licensing method to SL wasn’t the only goal for Cisco. Amongst others, it served as a way to combat the grey market gear. The thought was that upon purchasing a product from Cisco, a Smart Account would be associated with the order, which in return would entitle the organization to their licenses, products, and services.

A Smart Account is hierarchical and serves as the top-level domain for the organization. You can further organize your Smart Account into sub-accounts, known as “Virtual Accounts.” It is very much structured, like a domain. A “DEFAULT” Virtual Account serves as your catch-all bucket and is persistent and can’t change.

After Cisco launched the new licensing model, they found that the customers purchasing processes became complicated, increased their operational overhead, and challenged their security practices. Therefore, Cisco took this feedback and decided they needed to evolve SL to be less detrimental. 

You can find the current list of Smart License enabled products here

Introducing Smart Licensing Using Policy

Starting with IOS-XE 17.3.2/17.4.1 all products running these versions of the software will only support Smart Licensing Using Policy. These currently include. 

  • Cisco Catalyst 9000 series switches. 
  • The routing platforms such as the ASR1K, ISR1K, ISR4K. 
  • The Next Generation virtual routers starting with Polaris IOS-XE release 17.4.1 
  • Cisco Catalyst 9800 Series Wireless Controllers and APs. 
  • Internet of Things (IoT) Next Generation platforms such as Industrial Router IR 1101, Industrial Ethernet IE
  • 3200/3300/3400 and any Next Gen IoT products will also adopt Smart Licensing Using Policy. 
  • Collaboration products; CUBE, SRST, and CME with their November release.

With Smart Licensing Using Policy you can expect: 

  1. The product will not boot in evaluation-mode (see screen shots below)
  2. per product software registration is not required
  3. And on-going communication every 30 days with Cisco isn’t needed.

Registering a device before use and on-going communication is going away. However, reporting to Cisco may still be a pain point. The good news? Reporting is only required if there is a change in software level for Perpetual or Subscription. Changing software levels doesn’t happen too frequently, so it may not be too big of an issue. 

For example, if you purchase a Catalyst 9120 access point with DNA Essentials from the factory and 30 days later, you realize you need EasyQoS. You’d have to change to DNA Advantage, which means you now need to report this change to Cisco. 

This change would need to be reported within 90 days to Cisco. 

What happens if you don’t? Most of the products will turn into a nag box, sending out syslog/alarm notifications. However, you should review the enforcement rules specific to the particular device to avoid potential interruptions.

You can find the enforcement rules per product here

Reporting

You can report to Cisco in a couple of different ways. 

1. New reporting utility called Cisco Smart Licensing Utility (CSLU): which is a small Windows application that can be configured to send the data to Cisco in with a push or pull operation. 

2. Cisco DNA Center controller with Cisco Smart Licensing Utility (CSLU): Cisco DNA Center has connectivity to Cisco Smart Software Manager (CSSM). Periodically, exchange information with Cisco to keep in sync with CSSM. 

3. Offline: where the data is taken off the device onto a storage and then uploaded into CSSM.

In the end, not having to register a product before makes sense but reporting may be still be cumbersome. I’m thinking theres a way you could script this with Python.

Here’s a screen shot of pre IOS-XE 17.3.2 and post IOS-XE 17.3.2.

Mike

Smart Software Licensing Overview. (2020, November 26). Retrieved from https://www.cisco.com/c/en/us/products/software/smart-accounts/software-licensing.html

Cisco DNA Software Subscription Matrix for Wireless. (2020, November 17). Retrieved from https://www.cisco.com/c/m/en_us/products/software/dna-subscription-wireless/en-sw-sub-matrix-wireless.html?oid=porew018984

(n.d.). Retrieved from https://www.cisco.com/c/dam/en/us/products/collateral/software/smart-accounts/smart-licensing-feature-roadmap-by-pf-external-v20201102.xlsx

(n.d.). Retrieved from https://software.cisco.com/download/home/286285506/type/286327971/release/1.0.0-2

Networking Hype, Cisco’s SDWAN Catalyst 8000 Edge Platform

Cisco announced the Catalyst 8000 Edge Platforms designed to accelerate the next generation of WAN, 5G, and enable connectivity to hybrid and multi-cloud applications. The Catalyst 8000 Edge Platform includes the 8500 Series for aggregation, Catalyst 8300 Serries for access, and Catalyst 8000V Edge software for virtual/cloud deployments.

The Catalyst 8000V will be available with Cisco SD-WAN 17.4, so you will have to wait just a bit longer.  

 It’s an “edge platform.” Not a router. 

Typically the Catalyst family line is analogous to Cisco switching; however, the branding and messaging align with Cisco’s intent-based networking (IBN) portfolio. The “Catalyst” name now unifies the LAN and the WAN.

With distributed locations, flexible deployment models, and hosting containerized services, the term “router” has evolved to be more of a WAN edge device. Calling these devices “edge platforms” versus “routers” seems to be more appropriate. 

The platform fits nicely into the Cisco SD-WAN portfolio as it addresses security, on-box, and support for Umbrella’s cloud base FWaaS. Cloud-native agility provided by Cloud OnRamp for IaaS and SaaS for distributed applications. (If you haven’t seen this in action, it’s eye-opening!) 

Expect other vendors to begin adopting these features into one solution as Gartner has already coined the term “SASE” (Secure Access Service Edge) pronounced “sassy” to describe the solution. 

In addition to the above, the edge platform functions as an edge router like you’d expect with some new beefiness to it. 

Catalyst 8300 Series, compared to the ISR 4400 Series offers:

  • Up to five times faster data plane performance 
  • Up to 12 Core CPU 
  • Native support for 10GE 

Catalyst 8500 Series, compared to ASR1001-HX and ASR1002-HX offers:

  • Improved data plane with Cisco’s custome 3rd gen ASIC Quantum Flow Processor (QFP)
  • Inline Cyrpto
  • Native support for 100GE and 40GE

Catalyst 8000v Series, compared to CSR1000V offers:

  • Support for up to 16vCPUs
  • 25Gbps Interfaces

and Many more

Lastly, there is no End-of-Life announcement for the previous platforms that the Catalyst 8000 line intends to replace, as of 10/20/20. I’d be willing to bet that these platforms adopt ThousandEyes at some point, which is an absolute game-changer.

Mike

Valente, Jean-Luc “Introducing the Catalyst 8000 Edge Family, Cisco’s New SD-WAN Platform” Oct. 20, 2020, Retrieved From https://blogs.cisco.com/networking/catalyst-8000-edge-platforms

Cisco “Cisco Catalyst 8000 Edge Platforms Family” Oct. 20, 2020, Retrieved From
https://www.cisco.com/c/en/us/products/routers/cloud-edge/index.html?ccid=cc001903

Lener, Andrew “Say Hello to SASE (Secure Access Service Edge)” Dec. 23, 2019, Retrieved From
https://blogs.gartner.com/andrew-lerner/2019/12/23/say-hello-sase-secure-access-service-edge/

AWS Well-Architected Framework

Businesses require more computing and networking resources to meet their current market and future growth trends than they may have anticipated only a few months ago. The lack of leasable space or the desire to build out existing data centers drive many to adopt a cloud or hybrid cloud deployment model. In fact, According to Amazon, one of the “Six Advantages of Cloud Computing” is to stop spending money running and maintaining data centers and focus on projects that differentiate your business (Sajee Mathew, 2014).

Unfortunately, overestimated cost-savings often overlook the value of cloud-accredited guidance. An enterprise must understand the associated trade-offs when architecting in the cloud. To assist in navigating these trade-offs, AWS has a Well-Architected Framework. 

Similar to Cisco Validated Design (CVD), AWS Well-Architected Framework is a set of best practices and strategies for architecting systems in the cloud. It emerged from AWS principal engineers working with customers during customer cloud architect reviews and defining best practices from those sessions. The Framework allows CTOs, architects, and developers to understand the trade-offs and risks when architecting in the cloud.

The Framework identifies a set of general design principles known as “pillars” and best practices to facilitate excellent design.   

The five pillars

  • Operational Excellence
  • Security
  • Reliability
  • Performance
  • Cost Optimization

Each pillar has an associated white-paper that you can review in much more detail. I have mind mapped the AWS Well-Architected Framework and have made it available for your reference. 

If you need to understand how to align your engineering efforts with your business need or require a foundation of AWS best practices, I suggest starting with the Framework.

Amazon “AWS Architecture Center” (n.d), Retrieved From   https://aws.amazon.com/architecture/?nc1=f_cc

Sajee Mathew “Overview of Amazon Web Services” January 1, 2014, Retrieved From https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html

Mike

Remote working for a secure and collaborative future: Meraki MR Teleworker

The interruption of our daily work life that COVID has caused will not go forgotten. Increased pressure from employees, stakeholders, and investors will change the industry’s perception of what productive and innovative work environments can be. With the realization that the more we work from home, the more likely we will continue to work from home beginning to set in. Organizations are looking for solutions. 

There are numerous solutions to provide a productive remote working environment. Traditional client and client-less VPNs, VDI solutions like Citrix XenApp/Desktop come to mind. These solutions have worked for years, and most certainly still do. Often this requires some infrastructure to support it. 

If you were an organization fortunate enough to have the infrastructure in place pre-COVID, transitioning to remote work was probably a pure uplift for you. You may have needed to scramble to get more VPN licenses or lease more bandwidth to meet capacity.

Unfortunately, some organizations don’t have a work from home policy or even a contingency plan, let alone the infrastructure to support remote workers.

The MR Teleworker VPN is a solution that extends the corporate LAN to employees at remote sites with Meraki AP’s. It may be the path of least resistance for those organizations that have temporarily or permanently shifted to remote working.

A Meraki AP at a remote site or your home establishes a layer two connection using an IPSec-encrypted UDP tunnel back to the corporate LAN. The L2 tunnels are built on a per SSID basis and terminate at a headquarters on a Meraki MX security appliance.  

An access point would typically require a switch with PoE capabilities to power the Meraki AP, but that’s not usually something an average worker has. So for my setup, I’m using a PoE injector with a Meraki Wifi6 MR36 access point plugged into a LAN port on my router.  

Optionally we could take this one step further and provide split tunneling. Let’s say you wanted to offer a personal SSID for your remote workers. You could enable split tunneling, which would prevent the traffic from hairpinning to the headquarters before egressing to the internet. 

Again, the VPN tunnels are built on a per SSID basis, so you would create a new SSID for personal use and change the VPN tunnel type. Three VPN rules will be enabled by default. You might add more specific rules above the last statement, the default rule, if you required them. 

Agility will be a new competitive advantage in a post COVID world. It will require companies to reimagine where their applications live, where their workers work, and how to secure all of it while meeting their customer’s needs. The MR teleworker VPN is only one example of many that will meet the requirements for remote workers.

Mike

Protecting the WFH workforce – Defending against COVID-19 malicious domains

Many organizations have implemented work from home (WFH) strategies due to COVID-19. This measure, although enabling business continuity for many, introduces increased risk to cyber threats and attacks.

Cisco Talos has been proactively hunting COVID related outbreaks, educating the public, and pushing these discoveries to all Cisco Security tools for blocking. I encourage you to read the Talos blog, “Threat Actors attempt to capitalize on coronavirus outbreak” and “Threat Update: COVID-19“.

Talos goes as far as to list ways that you can defend against COVID related attacks. Cisco Umbrella, in particular, can leverage threat intelligence from Cisco Talos, to uncover and block these malicious domains, IPs, URLs, and files that are used in attacks. It’s not just Talos intelligence that Umbrella can leverage, however. You can take advantage of 3rd party threat intelligence platforms (TIP) that you may have and create a completely robust, kickass defense for your work from home workforce.

Here’s how –

Turn on – Newly Seen DomainsAs part of Cisco Umbrella intelligence, some domains may be blocked as Newly Seen Domains (NSD). Newly created domains related to COVID-19 will also be flagged as NSD as long as they fit the criteria.

Third Party Integration: Umbrella support integrations with SIEM, threat intelligence platforms, or homegrown systems. This feature utilizes the ‘Enforcement API‘ in Umbrella.

Here are the default integrations.

In this case, I want to show you how to leverage a homegrown system. We’ll call it “COVID-19-BLOCK”

When you add a new integration, an API key is generated. This API key can be used to make requests to and from Umbrella.

Our homegrown system is nothing more than a simple python script that makes POST requests to Umbrella.

# Custom integration - ADD EVENT URL
import requests

url = "https://s-platform.api.opendns.com/1.0/events?customerKey=c988727a-XXX-XXXX-XXXX-XXXXXXXXX";

payload = "{\n    \"alertTime\": \"2013-02-08T11:14:26.0Z\",\n    \"deviceId\": \"ba6a59f4-e692-4724-ba36-c28132c761de\",\n    \"deviceVersion\": \"13.7a\",\n    \"dstDomain\": \"coronadiseasenews.com\",\n    \"dstUrl\": \"http://coronadiseasenews.com/a-bad-url\",\n    \"eventTime\": \"2020-03-31T09:30:26.0Z\",\n    \"protocolVersion\": \"1.0a\",\n    \"providerName\": \"Security Platform\"\n}"
headers = {
  'Content-Type': 'application/json'
}
response = requests.request("POST", url, headers=headers, data = payload)

print(response.text.encode('utf8'))

After running the script, we can confirm that our request to block the COVID-19 malicious domain was successful.

As you can see, we were successful in adding this malicious domain to our block list.

Now, take a moment to expand on this custom integration that we just made. There are roughly 70,000 COVID-19 malicious domains and growing daily. What if we were able to take all of the published COVID-19 molicous domains and add them to an Umbrella block policy like we did above?

I think that would make any CSO smile.

Mike