Bad dream for an IT engineer? Try this: an executive working from home gets booted off an all-hands video meeting. Then it happens again. And again.
That happened to me a couple of months ago. Fortunately, when I received the call, I could see immediately that the problem lay with the executive’s ISP, not our network. As a result, my team quickly resolved the problem and saved hours of troubleshooting time. And I slept better.
Better visibility is one of several ways our Customer Zero team is improving the telework experience at Cisco. And by combining cloud managed SD-WAN technologies with cloud-based security technology, we are on the road to a full Secure Access Service Edge (SASE) implementation that provides consistently secure access wherever Cisco employees choose to work. As Customer Zero, we try out new Cisco technologies in a real-world setting so we can share our experiences with customers. Here are five ways we’re improving telework.
We’ve always had a robust telework program. Most people who work remotely use Cisco AnyConnect Secure Mobility Client on laptops and mobile devices, and some teleworkers use the Cisco Virtual Office (CVO), which includes a hardware-based VPN service. AnyConnect and CVO are both what’s known as “full tunnel” solutions: all traffic from the laptop goes through a VPN tunnel to a Cisco data center, and from there, cloud traffic takes another hop to its final destination.
But if I want to work on an Excel file, it doesn’t make a lot of sense for my request to go through the Cisco data center on its way to the Office 365 cloud. The detour adds latency and unnecessarily uses data center network bandwidth. It’s smarter to “split” the tunnel, providing separate routes for data center traffic and cloud traffic.
We’ve split the tunnel using our Cisco remote worker SD-WAN solution. On the Cisco vManage console, we’ve created a rule that sends traffic destined for designated trusted SaaS providers (Webex, Cisco TV, Office 365, Box, etc.) directly to the cloud.
Our InfoSec team is strict about what they consider a trusted cloud. Other cloud traffic, like iCloud, also bypasses our data center. But rather than heading directly to its destination, it goes first to Cisco Umbrella, as part of our SASE architecture, which blocks malicious domains and cloud applications.
The fastest path to a cloud service provider might be different at 8:30 a.m. than it is at 8:32 a.m., depending on network conditions. To deliver a consistently good experience with Office 365, we’re using an SD-WAN feature called Cloud On-Ramp for SaaS. It probes the various paths to the cloud to identify the best quality of experience at the moment and then directs the traffic over that path.
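To make the three-way steering above (trusted SaaS direct, other cloud via Umbrella, everything else in the tunnel) and the On-Ramp path choice concrete, here is a small Python model written for this post. It is not vManage policy syntax or Cisco code; the domain lists, the 10.0.0.0/8 corporate range and the probe numbers are constructed placeholders.

```python
"""Constructed model of split-tunnel steering plus a Cloud On-Ramp style path choice.
Illustration only: not vManage policy syntax and not Cisco's implementation."""
from enum import Enum
import ipaddress

class Path(Enum):
    DIRECT = "direct-to-saas"        # trusted SaaS: bypasses the data center entirely
    UMBRELLA = "via-umbrella"        # other cloud traffic: filtered by Umbrella first
    TUNNEL = "vpn-to-datacenter"     # everything else: full tunnel, as before

# Placeholder lists for illustration; the post names the services, not the domains.
TRUSTED_SAAS = ("webex.com", "office365.com", "box.com")
INTERNAL_DOMAINS = ("corp.example",)
CORPORATE_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

def matches_suffix(host: str, suffix: str) -> bool:
    """Label-anchored match: 'mail.box.com' matches 'box.com', but
    'box.com.example.net' does not. A plain substring test would let an
    unrelated host inherit the direct-to-cloud exemption."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def steer(destination: str) -> Path:
    """Decide which path a flow takes. Anything not explicitly trusted defaults
    to the inspected Umbrella path, so a gap in the allow-list fails closed."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in CORPORATE_NETS):
            return Path.TUNNEL
        return Path.UMBRELLA          # bare public IP: no name to trust, inspect it
    if any(matches_suffix(destination, d) for d in INTERNAL_DOMAINS):
        return Path.TUNNEL            # internal names never leave the tunnel
    if any(matches_suffix(destination, d) for d in TRUSTED_SAAS):
        return Path.DIRECT
    return Path.UMBRELLA

def best_onramp_path(probes: dict) -> str:
    """On-Ramp style choice: probes maps path name -> (loss_pct, latency_ms).
    Rank by packet loss first, then latency, since loss hurts SaaS sessions most."""
    return min(probes, key=lambda p: (probes[p][0], probes[p][1]))

if __name__ == "__main__":
    for dst in ("teams.office365.com", "box.com.example.net", "10.1.2.3", "icloud.com"):
        print(f"{dst:24} -> {steer(dst).value}")
    print(best_onramp_path({"isp-a": (0.5, 40.0), "isp-b": (0.0, 65.0)}))
```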
Many of us share a home internet connection. If your three kids are all in Zoom school, your Webex video might freeze. On the Customer Zero team, we’re using the QoS feature on our home ISR 1100 routers to prioritize Webex and other latency-sensitive applications. Whenever available home internet bandwidth dips below a certain threshold, the bandwidth allocated to Webex and other high-priority applications is automatically adjusted.
I’ve noticed that if an application is slow or the connection drops, a teleworker’s first instinct is to blame the equipment. I can’t count the times I’ve spent hours troubleshooting a case only to discover the source was an ISP issue. One of our favorite management tools is ThousandEyes, a software agent installed on the Customer Zero team’s laptops. ThousandEyes constantly collects user experience data—for example, the time it takes for a page to load, internet service provider issues, features used, laptop CPU utilization, runtime issues, etc. If a user opens a case but the issue disappears before we can look at it, we can go back in time to find the cause. Just last week someone reported a Webex issue, and ThousandEyes showed that at the time of the issue, laptop CPU utilization was 100%. That visibility saved us a fruitless investigation. We just explained to the user how to use a bot on Cisco Webex Teams if the issue ever happened again.
Cisco is moving toward a zero-trust model. The basic idea is that no matter where a user is (Cisco office, home office, park), we’ll verify the user’s identity and device security before granting access to an application. We’re starting to move certain applications off the VPN. Teleworkers will access them directly over the internet through Cisco Duo Network Gateway.
I welcome your questions or comments about making telework better with SD-WAN.