June 10, 2019 Leave a Comment
Avatar
Inside Cisco IT

IoT—Now on the Campus Fabric: Report from the Front Lines

This blog explains why and how we’re extending our campus fabric to the Internet of Things (IoT). Just interested in the engineering? Scroll down to “Start here if you just came for the engineering.”

Our network infrastructure team has been building networks with Catalyst switches since before I started—and I still remember when a few boxes still ran CatOS. We recently put our collective experience to work on a new challenge: extending our enterprise fabric pilot to support Internet of Things (IoT) devices in a parking structure, starting with security cameras and wireless access points.

Our first reaction was, “Excellent, this is what fabric is for—to make growth painless.” But we soon learned that extending the campus fabric to a “non-carpeted” area added some new challenges.

 

Motivation: if data is gold, IoT is the shovel

Cisco IT is becoming ever more digital—with automation, APIs, playbooks, etc. We’re always looking for new ways to connect data to decisions and use it to improve the user experience. It’s now easier to collect IoT data  because 5G and WiFi 6 support increased density, scale, and efficiency.

This means our IoT device count will only grow. To get the most value from it we need to treat all data as… data. No more silos for who owns or consumes data. Scaling has to be efficient and secure, with visibility into consumption.

 

Why now?

As an IT manager, I’d argue that the main reason to integrate the custom infrastructure in non-carpeted spaces into our common campus fabric is supply and demand:

  • Our business wants to base decisions on data, so we want to enable access to IoT data (while maintaining privacy and security).
  • In Cisco DNA Center, we now have a tool that enables us to scale policy and operations without significant added costs. Reasons include zero-touch provisioning, defining security policy once and deploying it to all devices, and aligning intent with policy. To read about our early results from intent-based networking, click here.

 

Start here if you just came for the engineering

Our team is very experienced with campus networks and fabrics built on Catalyst switches, but the IE (Industrial Ethernet) switching line was new for us. We started by spec-ing and deploying an IE-4010 in the parking structure’s equipment room. IE switches now support Extended Enterprise Fabric integration and are physically designed to run in rougher spaces—for example, without environmental controls.

 

Lessons learned as customer zero

As customer zero for the IE-4010, we learned some things the expensive way. I’ll share them here so you can learn from our experience:

  • The IE-4010 works in our standard racks. But when ordered with PWR-RGD-AC-DC-250, it requires a lug terminated power cable instead of the typical (NEMA5/C13) power cord
  • Do a multi-factor space walkthrough. Many facility items that are standard and taken for granted on campus—think flexible hardware mounting options and accessible power—don’t come for free in non-carpeted spaces.
  • Cable runways are not as controlled or secure as the ones inside carpeted workspaces. As part of our security audit we encased our parking structure runs in rigid conduit to prevent easy cable access because the surround space itself isn’t access-restricted. Figure 1 shows our cable route plan.
  • Our IE-4010 with 250W PSU supports POE+. Maximum cabling length (100M) can be challenge in large spaces without an aggregation switch.
  • To bootstrap and prepare for the Cisco DNA Center Fabric join we had to manually upgrade to 2.6E2a. (The business unit is implementing our suggestion to handle this at order time.)

Joining the IE-4010 to our existing Cisco DNA Center 1.2.8 was straightforward—a matter of a few clicks. We discovered a bug: after “Fabric join as extended node,” the management channel failed randomly. The business unit resolved the issue in the 1.3 release, helping us earn our customer zero merit badge.

 

Connecting the IoT devices

I asked our deployment engineer, Raghdah Al-Shaikhli, to walk me through the next phase of the deployment. Her response: “After deploying the IE switch and ensuring that it was part of the fabric, we connected the wireless access point and IP camera. Then we assigned the ports on the extended nodes to let Cisco DNA Center know what type of devices we were adding. Cisco DNA Center started the plug-and-play process and pushed all the necessary configuration into the devices.”

Figure 2 shows the campus fabric, with a box around the extended fabric. It’s simple—and we expect to save significant time as we scale.

Configuring policies

We had anticipated simply translating existing policies (ACLs, maps, etc.) directly into Cisco DNA Center. But it quickly became clear that this approach was clumsy and inadequate. We are currently working with our Safety and Security team and other partners to design dynamic group and intent-based policies. Compared to the IP address based policy we use today, the new policies will improve scale and efficiency and create a more robust trust perimeter.

 

Payoff: assurance for hundreds or thousands of wireless edge devices

One of the best parts of being customer zero is building proof-of-value sites. This is just the first step in our progressive deployment, and already we’ve achieved all of this:

  • Identified what needs to change in our standard deployment workflows to minimize the cost to scale
  • Established an early operational runbook for extending the enterprise fabric with IE switches. So far we’ve documented service bring up, virtual networks, and unified policy. We’ll continue to add on.
  • Took advantage of investments in our campus network for non-carpeted spaces. Cisco DNA Center provides Assurance, Client 360, and Device 360—all in one place.

 

Next steps

Now we’re looking forward to proving how simple it is to grow the fabric extension. We’ll enable new digital workflows with Cisco DNA Center, like software image management (SWIM). And we’ll create policies that use IoT data (from video, sensors, etc.) to make ever better business decisions.

To learn more, listen to this podcast:  Extending Intent-Based Networking to the IoT Edge. You can also check out the Cisco Validated Design for Extended Enterprise Fabric and Intent Based Networking for IoT.

Questions? What are your ideas for extending the campus fabric to IoT devices at the edge? Please share in the comment box.