FY23H2 - PVT - DAY 1 - Catalyst Cloud Strategy

The Catalyst Cloud Strategy
Leonardo Ferreira, TSA EN Brasil
June 2023
Recap: Cisco Live US 2022
Your IT Operation Model, Your Way

[Figure: a spectrum from On-Premises Management (Do-it-Yourself, Operational Flexibility, High-Touch) through Cloud Monitoring to Cloud Management (Cloud first IT Transformation, Operational Simplicity, Low-Touch); Cisco DNA Center is offered as a Physical Appliance and as a Virtual Appliance.]

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Adoption Placeholder

Feedback from the market and the field
Positive:
• Excited to see us bringing Catalyst and Meraki together
• Common hardware is valuable
Constructive:
• Perception of an ‘all or nothing’ value proposition
• Still a choice between Catalyst features and Meraki cloud operations
• Go faster!

Evolving the strategy

[Figure: Cloud Monitoring, Common Architecture, Unified Experience and Lean IT Management, with Architectural Experience, Unified Experience and Experience Migration labelled as the steps between them.]

Benefits of a unified architecture
• Consistent Behavior
• Feature Velocity
• Quality and Security

Cloud Monitoring Roadmap (roadmap subject to change)

H1CY23
• New features
  • Alerts (via email & webhooks) ✜
  • Configuration console (switching)
  • Packet capture
  • Event Logging
  • Troubleshooting console (‘show’)
  • App-less onboarding (switching)
• New platform support
  • 9200CX ✜ and 9300LM ✜
  • 9500X
• TACACS device support

H2CY23
• IOS-XE image upgrades (switching)
• Config backup (switching)

H1CY24 ^
• Catalyst Wireless monitoring
  • 9800 controllers
  • 9100/x800 APs
  • App-less onboarding

H2CY24 ^
• Wireless enhancements
• Image upgrades
• Config backup

Pending Prioritization ^ (Availability TBD)
• 9400 & 9600 support (switching)
• DNA Center co-existence
• Feature enhancements (alerts, pcap, image upgrades…)
• Layer 3 monitoring (switching)
• Wireless enhancements
  • WLC web UI from dashboard
  • RF and RRM performance and troubleshooting

✜ Available now
^ Higher minimum IOS-XE version may be required

Cloud Monitoring for Wireless

Cloud Monitoring for Wireless – GA Scope

Supported Models
• C9100 series APs
• CW9100 series APs
• 2800 series APs
• 3800 series APs
• 4800 series APs
• 9800 series WLCs

Capabilities
• WLC status
• WLC <-> AP mappings
• AP status
• Client and traffic visibility
• Topology
• Subset of live tools
• Subset of health features

Architecture
• Physical WLCs only
• Standalone WLC supported
• Active/Standby HA supported

Positioning the Cisco Catalyst Cloud Strategy

Lean into the synergies between Meraki Dashboard and Catalyst (Hardware and Features): 1+1 = 3
Sell into your customers’ outcomes – position the right solution set:
• Cloud First
• Cloud Hybrid
• Cloud Averse

The Catalyst Cloud Strategy enables customers with:
• The flexibility to Bring Your Own Config (BYOC) and use IOS-XE features
• Catalyst telemetry sent to the Meraki Dashboard, enabling customers to leverage the Meraki Health/Assurance capabilities

Winning with the Cisco Catalyst Cloud Strategy

The competition attacks us on the gray areas between our platforms
“We can’t win with Meraki because it doesn’t have advanced features”

Don’t lose alone
• Don’t silo your strategy in a “one or the other” domain
• Leverage Cisco’s entire portfolio

Change the narrative
• Focus on better together for our platforms

Key Takeaways
• Understand our evolved cloud management and monitoring strategy for Catalyst platforms
• Explain the Cloud Monitoring direction to your customers
• Help your customers understand what will be included in Cloud Monitoring for Wireless at launch and when that will be delivered

Call to Action
• Educate and engage your customers on this strategy
• Onboard your hybrid customers to cloud monitoring
• Use the full Cisco Networking portfolio to serve our customers

References
• Updated Cloud Monitoring roadmap will be posted in the Webex space and on SalesConnect
• Join the Switching and Wireless sessions during this week's VT event to learn more about the management strategy for those product lines

internal: Ask Cloud Management; Monitoring for Catalyst
external: Cloud Monitoring for Catalyst Overview

Cloud Monitoring Today

[Figure: the Dashboard (Unified monitoring and Management, API) reaches Catalyst devices over the Internet through the Catalyst Adaptation layer and a TLS Tunnel (with an Onboarding step), and reaches Meraki MS devices through Nextunnel.]

Tunnel
• Provides connectivity from device to cloud
• A secure channel for
  • management/control and
  • monitoring/visibility
• Used to determine device connectivity

TLS tunnel – The now

[Figure: the Dashboard (API, Catalyst Adaptation) sits behind several TLS gateways (TLS GW) fronted by a TLS NLB; the TLS Client on the Catalyst device (with Onboarding) connects over the Internet.]
• Used for Cloud Monitoring
• Client on the device and server in the cloud
• Deployed as a horizontal scaling Kubernetes service

TLS tunnel – The now

[Figure: the Onboarding application on the Catalyst device downloads its tunnel configuration from the Dashboard (API, Catalyst Adaptation); the TLS Client then connects to the TLS GW over mTLS across the Internet.]
• Onboarding application
  • Provisioning of tunnel configuration
  • Standalone application

TLS tunnel – The now

[Figure: the TLS Client on the Catalyst device presents its SUDI certificate to the TLS GW over mTLS; on the Meraki side the Catalyst Adaptation layer holds the list of Allowed Serials.]
• mTLS connection
• Authentication via SUDI cert
• Authorization via serial number

TLS tunnel – The now

show crypto tls-tunnel sessions
TLS-Tunnel Session Details
============================
Server : us.tlsgw.meraki.com[52.27.46.18]
Config : MERAKI-PRIMARY
Session Create Time : 18:01:02.953 UTC Tue Apr 18 2023
Session Up Time : 1d13h
Time To Rekey : 00:58:08
Timeouts:
DPD : 10
Rekey : 4166
Retry : 20
Tunnel Established: True
Virtual I/F: TLS-VIF0
Datapath State: Up
Remote Prefix: 18.232.244.158/32
Local Prefix: 20.0.136.80
Idb in use: Vlan68

Last session Down Reasons :

- 20:14:22.693 UTC Tue Apr 18 2023 Peer TCP Closed
- 01:53:34.077 UTC Wed Apr 19 2023 Peer TCP Closed

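The session output above is what an operator polls to confirm the tunnel is established and to notice a tunnel that keeps dropping before it becomes an outage. The parser and health check below are an added example written for this page, not Cisco code: they take the text of show crypto tls-tunnel sessions (the output shown above is embedded as the sample input), return the parsed fields and the list of session-down events, and report findings such as a tunnel that is not established or repeated "Peer TCP Closed" drops inside a short window. Field names and the timestamp layout come from the output as shown; the thresholds (rekey warning, flap window and count) are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Sample input: the "show crypto tls-tunnel sessions" output from the slide
# above, with the diagram labels that the extraction interleaved removed.
SAMPLE_OUTPUT = """\
show crypto tls-tunnel sessions
TLS-Tunnel Session Details
============================
Server : us.tlsgw.meraki.com[52.27.46.18]
Config : MERAKI-PRIMARY
Session Create Time : 18:01:02.953 UTC Tue Apr 18 2023
Session Up Time : 1d13h
Time To Rekey : 00:58:08
Timeouts:
DPD : 10
Rekey : 4166
Retry : 20
Tunnel Established: True
Virtual I/F: TLS-VIF0
Datapath State: Up
Remote Prefix: 18.232.244.158/32
Local Prefix: 20.0.136.80
Idb in use: Vlan68

Last session Down Reasons :

- 20:14:22.693 UTC Tue Apr 18 2023 Peer TCP Closed
- 01:53:34.077 UTC Wed Apr 19 2023 Peer TCP Closed
"""

# "Key : value" / "Key: value" lines; keys are letters, spaces and "/" (Virtual I/F).
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*:\s*(.*?)\s*$")
# "- <timestamp> <reason>" lines under "Last session Down Reasons".
DOWN_RE = re.compile(r"^- (\d\d:\d\d:\d\d\.\d+ UTC \w{3} \w{3} \d{1,2} \d{4}) (.+)$")
TS_FMT = "%H:%M:%S.%f UTC %a %b %d %Y"  # timestamp layout used by the output


def parse_tls_tunnel_sessions(text):
    """Return {"fields": {key: value}, "down_events": [(datetime, reason), ...]}."""
    fields = {}
    down_events = []
    for line in text.splitlines():
        m = DOWN_RE.match(line.strip())
        if m:
            down_events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
            continue
        m = KV_RE.match(line)
        if m and m.group(2):  # skip bare section headers such as "Timeouts:"
            fields[m.group(1).strip()] = m.group(2)
    return {"fields": fields, "down_events": down_events}


def parse_hms(value):
    """'00:58:08' -> timedelta."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def assess_session(session, rekey_warn=timedelta(minutes=5),
                   flap_window=timedelta(hours=24), flap_limit=2):
    """Health findings for one session; an empty list means nothing to act on.
    The thresholds are assumptions for this example, not Cisco defaults."""
    fields = session["fields"]
    findings = []
    if fields.get("Tunnel Established") != "True":
        findings.append("tunnel not established")
    if fields.get("Datapath State") != "Up":
        findings.append("datapath not up")
    time_to_rekey = fields.get("Time To Rekey")
    if time_to_rekey and parse_hms(time_to_rekey) <= rekey_warn:
        findings.append("rekey due within %s" % rekey_warn)
    # Several "Peer TCP Closed" events inside a short window point at something
    # on the path resetting the TCP session rather than a one-off blip.
    events = session["down_events"]
    if len(events) >= flap_limit:
        span = events[-1][0] - events[0][0]
        if span <= flap_window:
            findings.append("%d drops in %s (last reason: %s)"
                            % (len(events), span, events[-1][1]))
    return findings


if __name__ == "__main__":
    parsed = parse_tls_tunnel_sessions(SAMPLE_OUTPUT)
    print(parsed["fields"]["Server"], parsed["fields"]["Tunnel Established"])
    for finding in assess_session(parsed):
        print("WARN:", finding)
```

Run against the sample, the parser reports the tunnel as established with the datapath up, and the only finding is the two drops roughly five and a half hours apart; feeding it output in which Tunnel Established is False produces a "tunnel not established" finding, which is the condition worth alerting on.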
Nextunnel – The future

[Figure: the Dashboard (Unified monitoring and Management) reaches both Catalyst and Meraki MS devices over the Internet through Nextunnel.]
• Catalyst moving to Nextunnel
• Consistent implementation
• Reduction in engineering effort
• Less cost to maintain
• No onboarding application

All About Nextunnel

Learning goals
• What is Nextunnel?
• Why do we need it?
• How does it work?
• How is it different from Meraki's older tunnel, Mtunnel?

Meraki system overview

[Figure: dashboard "shards" n1, n2, n3 ... n7 (n1.meraki.com, n2.meraki.com, n3.meraki.com, ..., n7.meraki.com) alongside config.meraki.com and account.meraki.com; devices reach them on ports 443 and 7734.]

Why we need a tunnel

[Figure: config fetch from the device to the shard, and a tunneled connection from the device carrying tunnel traffic in the other direction.]
• Poke device to fetch a new config
• Authorize a client on device
• Ask device to reboot

Mtunnel: the original Meraki tunnel

[Figure: message exchange between the device and its shard (n7) over UDP port 7351]
HELLO
HELLO ACK
DATA AES+HMAC(SYN)
DATA AES+HMAC(SYN ACK)
...
HELLO
HELLO ACK (every 25s)

Mtunnel high availability

[Figure: mtunnel.meraki.com fronts the shard n7 and its standby n7-spare; mtunnel-over-http, gossip and overlay routing connect them, and support-jump reaches devices through mtunnel.]

Mtunnel pros and cons
Pros
• Simple: runs on shard, only needs to scale to 1 shard's worth of devices
• Secure: standard, strong crypto primitives: AES256 + HMAC
Cons
• Many customers must modify their firewall rules to allow UDP port 7351
• Non-standard protocol is a sales drag, especially with security teams
• Running on shard makes it hard to provide defense in depth

Nextunnel design goals
• Make the firewall conversation easy: TCP port 443
  • Also switch config fetch from port 7734 to port 443, one port to rule them all
• Make the security conversation easy: mutual TLS 1.2 using TAM identity
  • Take advantage of Cisco's excellent SUDI architecture
  • Exact crypto algorithm is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• Add defense in depth by enforcing ACL off-shard
  • Shards can only talk to their own devices, even if compromised
  • Add an audit trail for access via support-jump
• Improve scalability
  • Horizontally scalable system running in AWS EKS (Kubernetes) behind NLBs

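The TLS tunnel slides earlier separate authentication (the device proves who it is with its SUDI certificate) from authorization (the dashboard checks that the serial is on its allowed list), and the design goals above add a third check: an ACL enforced outside the shard, so that a shard can only reach the devices it owns even if the shard itself is compromised. The Python below is an added example illustrating that decision logic for both slides; it is not Meraki or Cisco code. It assumes the client certificate is handed over in the dict shape that ssl.SSLSocket.getpeercert() returns, and that the SUDI subject carries the chassis serial in its serialNumber attribute in the form "PID:... SN:..."; the certificate contents, serial values, shard names and ACL entries are constructed sample data, and the CA name is a placeholder.

```python
import re

# Shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a
# tuple of (attribute, value) pairs.  The contents are a constructed sample; the
# assumption is that the SUDI subject carries the chassis serial as
# "PID:<product id> SN:<serial>" in its serialNumber attribute.
SUDI_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Cisco"),),
        (("serialNumber", "PID:C9300-48P SN:FOC0000X0AA"),),  # constructed
        (("commonName", "C9300-48P-FOC0000X0AA"),),            # constructed
    ),
    "issuer": ((("commonName", "EXAMPLE-SUDI-CA"),),),          # placeholder name
}

SN_RE = re.compile(r"\bSN:([A-Z0-9]+)\b")


def subject_attr(peercert, name):
    """First value of an X.509 subject attribute, or None."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def extract_sudi_serial(peercert):
    """Chassis serial from the subject's serialNumber attribute.
    This is the X.509 subject attribute, not the certificate's own serial
    number; the two are easy to confuse when writing allow lists."""
    field = subject_attr(peercert, "serialNumber")
    if not field:
        return None
    m = SN_RE.search(field.upper())
    return m.group(1) if m else None


class AllowedSerials:
    """Dashboard-side allow list: which shard each claimed device belongs to."""

    def __init__(self, serials_by_shard):
        self._owner = {}
        for shard, serials in serials_by_shard.items():
            for serial in serials:
                self._owner[serial.upper()] = shard

    def owner_shard(self, serial):
        return self._owner.get(serial.upper())


def admit_device(peercert, chain_verified, acl):
    """Gateway decision when a device opens its mTLS tunnel.
    Authentication (chain_verified: the TLS handshake validated the client
    certificate against the SUDI CA) and authorization (the serial is on the
    allow list) are separate steps, and every failure path denies."""
    if not chain_verified:
        return False, "authentication failed: client certificate not verified"
    serial = extract_sudi_serial(peercert)
    if serial is None:
        return False, "authorization failed: no SUDI serial in subject"
    if acl.owner_shard(serial) is None:
        return False, "authorization failed: serial %s not claimed" % serial
    return True, "serial %s admitted" % serial


def shard_may_reach(shard, serial, acl):
    """Off-shard ACL: a shard may only reach devices it owns, so a compromised
    shard cannot pivot to another shard's devices through the tunnel service."""
    owner = acl.owner_shard(serial)
    if owner is None:
        return False, "unknown serial %s" % serial
    if owner != shard:
        return False, "shard %s may not reach %s (owned by %s)" % (shard, serial, owner)
    return True, "shard %s may reach %s" % (shard, serial)


if __name__ == "__main__":
    acl = AllowedSerials({"n7": ["FOC0000X0AA"], "n1": ["FOC0000X0BB"]})  # constructed
    print(admit_device(SUDI_PEERCERT, True, acl))
    print(shard_may_reach("n7", "FOC0000X0AA", acl))
    print(shard_may_reach("n1", "FOC0000X0AA", acl))
```

The point of keeping admit_device and shard_may_reach apart is that they run in different trust domains: the first protects the cloud from unknown devices, the second protects devices from a shard that should never be talking to them, which is exactly the defense-in-depth the slide says Mtunnel could not provide while it ran on the shard itself.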
Nextunnel system architecture

[Figure: shards (n1 ... n7) and support-jump connect through a Load Balancer to Nextunnel Servers running in AWS EKS (Kubernetes), where the Access Control Lists are enforced; devices connect through a second Load Balancer to the same Servers over mTLS 1.2, port 443.]

Nextunnel scale

[Figure: scale chart; only the values 4M and 9M survive the extraction.]

Nextunnel limitations
• No HTTP proxy support (yet)
  • Need firmware modifications, development already underway
  • Particularly prevalent with manufacturing companies in Japan
• Some middle boxes mess with TCP, especially on port 443
  • "TLS inspection" and "secure web proxies" try to man-in-the-middle the connection
  • A minority of satellite uplinks' WAN accelerators break the TLS handshake

NexTunnel on IOS-XE

Current Architecture
[Figure: the Dashboard (Unified monitoring and Management, API) reaches Catalyst through Catalyst Adaptation and the TLS Tunnel, and Meraki MS through Nextunnel.]

Next Gen Architecture
[Figure: the Dashboard (Unified monitoring and Management) reaches both Catalyst and Meraki MS through Nextunnel.]
NexTunnel - What's new on IOS-XE
• Build nextunnel-client as part of Catalyst image
  • nextunnel-client runs as an IOS-XE process, no container required
• New IOS-XE process meraki_mgrd to manage tunnel config and state
  • meraki_mgrd will fetch nextunnel config and start nextunnel-client
• Simplified workflow - "service meraki connect"

[Figure: Nextunnel onboarding flow on Catalyst]
Dashboard (AWS/Shard): Registration Server, Tunnel Config Server, Nextunnel Server
Catalyst device: Meraki Mgrd, Nextunnel Client, CMAN, TAMS/ACT2, and the IOS Subsystem (Netconf, TDL/GREEN, IOS Console, SNMP, SSH)
Numbered steps as labelled in the figure:
1. Config CLI: service meraki connect
2. Registration (mTLS), one-time
3. CMAN with TAMS/ACT2
4. TunnelConfig Fetch (mTLS), periodic
5. Nextunnel Client
6, 7. Meraki Mgrd and the IOS Subsystem (Netconf, TDL/GREEN, IOS Console); Nextunnel (grpc/mTLS) to the Nextunnel Server

Catalyst Onboarding Demo

