Cisco acquired Valtix: What is Valtix?

Valtix is a cloud-native network security company that provides next-generation firewall and web application firewall (WAF) solutions for businesses looking to protect their cloud-based infrastructure. The company was founded in 2018 by seasoned technology executives who recognized the need for a modern approach to network security in the cloud.

Valtix’s cloud-based approach to network security is designed to be both scalable and flexible, allowing businesses to secure their cloud-based infrastructure without having to worry about the complexities of managing hardware or software. By leveraging cloud-native security technologies, Valtix enables businesses to deploy security policies that can be enforced consistently across their entire infrastructure, regardless of the cloud provider or network topology.

One of the key benefits of Valtix’s approach to network security is its ability to provide real-time threat detection and response capabilities. Using advanced machine learning algorithms, Valtix can analyze network traffic in real-time, identifying potential threats and responding quickly to mitigate any risks. This helps businesses stay ahead of the constantly evolving threat landscape and ensure their infrastructure remains secure.

In addition to its advanced threat detection and response capabilities, Valtix also provides businesses with granular control over their network security policies. This allows businesses to tailor their security policies to their specific needs, ensuring that their infrastructure is protected in the most effective way possible. With Valtix, businesses can easily manage their security policies from a centralized dashboard, making it easy to enforce policies consistently across their entire infrastructure.

Valtix’s cloud-based approach also makes it easy for businesses to scale their network security as their needs evolve. Whether they need to protect a small cloud environment or a large, complex infrastructure, Valtix can provide the necessary security solutions to meet their needs. This flexibility allows businesses to focus on growing their business, rather than worrying about managing their network security.

Finally, Valtix’s cloud-native approach to network security is designed to be highly automated, which helps businesses reduce the burden of managing their network security. By automating many of the routine tasks associated with network security, Valtix enables businesses to free up their IT resources to focus on more strategic initiatives.

In conclusion, Valtix is a cloud-native network security company, recently acquired by Cisco, that provides businesses with advanced threat detection and response capabilities, granular control over their security policies, and the flexibility to scale their security solutions as their needs evolve. With its cloud-based approach and automated processes, Valtix helps businesses stay ahead of the constantly evolving threat landscape while reducing the burden of managing their network security.

https://valtix.com/blog/ciscos-intent-to-acquire-our-journey-and-why-it-matters/

Mike

Upgrade to ISE 3.1 on AWS

Below is the prep work for migrating from ISE 2.4 to ISE 3.1+ for AWS. The migration steps are here, but I have summarized them below.

Cisco ISE is available as an infrastructure-as-code solution leveraging AWS CloudFormation making the deployment of ISE a very light lift. I’ll be walking you through how to deploy ISE on AWS in a later post.

Step 1 – Base, Plus, Apex, and Device Admin licenses need to be migrated to Smart Licenses
Step 2 – VM licenses need to be converted
Step 3 – Migration can occur. Once licenses are prepped and converted, you go to the AWS Marketplace ISE BYOL listing and choose your deployment size. 

ISE Licensing

  1. AWS ISE requires ISE 3.1+
    1. If upgrading to 3.1 from an existing 2.X release, the customer must migrate their existing licenses to the new licenses and then upgrade to the 3.0 release. That is, the Base, Plus, and Apex licenses need to be upgraded. Device Admin licenses are grandfathered and need to be upgraded to a Smart License as well.
  2. This requires a Cisco Smart License Account. 
  3. Please refer to the Migration Guide for instructions.

ISE VM – You need to register the VM Common license for ISE 3.1 and later.

  1. Customers need to migrate their ISE License to the new “Common License.”
    1. To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade Product ID (PID), “L-ISE-VMC-UPG=,” from Cisco. This is the same PID regardless of the size of VM license you have today.
    2. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html

  2. To obtain a VM Common License for a net new deployment, you’ll need the new VM PID, “R-ISE-VMC-K9=”. Refer to the table below for a 1:1 mapping.

These VM licenses are valid in Cisco ISE 3.0 and earlier releases. Again, when you upgrade your Cisco ISE to Release 3.1, you will need to have a VM Common license.

| Upgrade From | Upgrade To | Ratio |
|---|---|---|
| R-ISE-VML-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMM-K9= | R-ISE-VMC-K9= | 1:1 |
| R-ISE-VMS-K9= | R-ISE-VMC-K9= | 1:1 |

How to migrate license

To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade PID, “L-ISE-VMC-UPG=,” in CCW. See ISE Licensing Migration Guide for the detailed process.

Support for VM and License

Q. What support do customers receive with the new ISE licenses?

A. The same as with current subscription licenses. With the new ISE software licenses, customers receive embedded SWSS—which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software updates. However, now Essentials will also have this support.

More Questions and Answers here

Support associated with the legacy VM licenses

When customers upgrade the version of their legacy VM to VM Common license, they can continue to receive support based on the support contract purchased on legacy VM license PID. They can renew the support until the legacy VM license PID is EOL and reaches the last service renewal date per the EOL bulletin. There is no support for migration. For seamless support, the customer should request the legacy VM PID to be replaced with the desired VM PID in order to renew and receive support.

Mike

EoS and EoL roll-up for Cisco AireOS Wireless, ASA, and Switching

End of Sale and End of Life dates for AireOS Cisco Wireless LAN Controllers – AIR-CT-3504, AIR-CT-5520, AIR-CT8540, AIR-CTVM


End of Sale and End of Life dates for ASA 5506, 5512 & 5515, 5508 & 5516, 5525, 5545 & 5555, 5585-X, 5585-X FP

End of Sale and End of Life dates for Cisco Catalyst – 2960X/XR, 2960L/P, 3650, SUP9E

Mike

Evolving Smart Licensing, what’s coming and when?

Does anyone else feel like they need a Ph.D. in Cisco licensing?! Good news is that there are some changes coming to help make our lives easier.

Most of you are likely familiar with Smart Licensing. However, you can go here if you need more information. During Cisco’s transition to subscription-based licenses, Smart Licensing (SL) was introduced. Cisco believed Smart Licensing would streamline the way customers activate and manage Cisco licenses across the organization. Transitioning from the traditional PAK-based licensing method to SL wasn’t the only goal for Cisco. Among other things, it served as a way to combat grey-market gear. The thought was that upon purchasing a product from Cisco, a Smart Account would be associated with the order, which in return would entitle the organization to their licenses, products, and services.

A Smart Account is hierarchical and serves as the top-level domain for the organization. You can further organize your Smart Account into sub-accounts, known as “Virtual Accounts.” It is structured very much like a domain. A “DEFAULT” Virtual Account serves as your catch-all bucket and is persistent and can’t change.

After Cisco launched the new licensing model, they found that customers’ purchasing processes became complicated, their operational overhead increased, and their security practices were challenged. Therefore, Cisco took this feedback and decided they needed to evolve SL to be less detrimental.

You can find the current list of Smart License enabled products here

Introducing Smart Licensing Using Policy

Starting with IOS-XE 17.3.2/17.4.1, all products running these versions of the software will only support Smart Licensing Using Policy. These currently include:

  • Cisco Catalyst 9000 series switches. 
  • The routing platforms such as the ASR1K, ISR1K, ISR4K. 
  • The Next Generation virtual routers starting with Polaris IOS-XE release 17.4.1 
  • Cisco Catalyst 9800 Series Wireless Controllers and APs. 
  • Internet of Things (IoT) Next Generation platforms such as Industrial Router IR 1101, Industrial Ethernet IE 3200/3300/3400 and any Next Gen IoT products will also adopt Smart Licensing Using Policy. 
  • Collaboration products; CUBE, SRST, and CME with their November release.

With Smart Licensing Using Policy you can expect: 

  1. The product will not boot in evaluation mode (see screen shots below).
  2. Per-product software registration is not required.
  3. Ongoing communication every 30 days with Cisco isn’t needed.

Registering a device before use and ongoing communication are going away. However, reporting to Cisco may still be a pain point. The good news? Reporting is only required if there is a change in software level for Perpetual or Subscription. Changing software levels doesn’t happen too frequently, so it may not be too big of an issue. 

For example, if you purchase a Catalyst 9120 access point with DNA Essentials from the factory and 30 days later you realize you need EasyQoS, you’d have to change to DNA Advantage, which means you now need to report this change to Cisco. 

This change would need to be reported within 90 days to Cisco. 

What happens if you don’t? Most of the products will turn into a nag box, sending out syslog/alarm notifications. However, you should review the enforcement rules specific to the particular device to avoid potential interruptions.

You can find the enforcement rules per product here

Reporting

You can report to Cisco in a couple of different ways. 

1. New reporting utility called Cisco Smart Licensing Utility (CSLU): a small Windows application that can be configured to send the data to Cisco with a push or pull operation. 

2. Cisco DNA Center controller with Cisco Smart Licensing Utility (CSLU): Cisco DNA Center has connectivity to Cisco Smart Software Manager (CSSM). It periodically exchanges information with Cisco to keep in sync with CSSM. 

3. Offline: the data is taken off the device onto storage and then uploaded into CSSM.

In the end, not having to register a product before use makes sense, but reporting may still be cumbersome. I’m thinking there’s a way you could script this with Python.

Here’s a screen shot of pre IOS-XE 17.3.2 and post IOS-XE 17.3.2.

Mike
