
The Internet of Things (IoT) presents a number of challenges for network engineers. In my previous post, I explained how Cisco is helping to address the biggest IoT challenge by far: security. In this post, we’ll cover the next challenge: scalability.

As shown in the figure below, tens of billions of devices are coming online within the next few years, which presents tremendous IoT scalability concerns.

How can organizations possibly scale security and network policies to address all of these devices? If we have to configure IoT devices the way we’ve configured network devices for the last couple of decades, then we won’t be able to meet the scalability requirements that IoT is driving. The “traditional” way – manual, box-by-box configuration – is slow and prone to errors, and every error in an access list is a potential hole in the segmentation it was meant to provide.

The answer? Automation. Deploying policies at scale using automation speeds up provisioning and makes software management far easier. This can be achieved with software-defined access.

Under the hood: Scaling IoT in Cisco DNA Center

Allow me to explain. Let’s say you want to apply a network policy to your IoT devices: all of the IoT devices must be on their own VLAN (in SD-Access terms, their own virtual network), separated from the rest of the devices on the network. The objective is to prevent an attacker who compromises an IoT device from using it as a toehold into the rest of the enterprise network.

With Cisco DNA Center, adding a new virtual network is as simple as naming the network and selecting which groups of users, devices, and/or applications should be on it. These are represented as Scalable Groups. The network operator selects each of the groups that belong on the new virtual network by dragging and dropping the appropriate icons from the left to the right side of the screen and clicking save. With just a few clicks, IoT devices are segmented so that they can only communicate with the other devices specified in the virtual network. There’s no need to assign VLANs and DHCP scopes, program ACLs, etc. – as a network operator, you don’t have to speak the language of networking policies and access control lists to create your network almost instantly.

The Scalable Group Tag (SGT) is what makes this process so easy. A Scalable Group is a logical policy object that “groups” users and/or devices. The SGT identifies anything that you want to apply a policy to: endpoints, users, or applications. SGTs are used to manage IP address-independent “Group Based Policies.” That means policies are applied to the Scalable Group, instead of to individual IP addresses. In the past, network operators would often apply policies to device IP addresses because addresses are ubiquitous, end-to-end and consistent, but that approach gets messy: the policy becomes welded to the addressing plan, so every new subnet, readdressing or device move means editing ACLs on every enforcement point, and the ACLs grow with the number of source and destination subnets rather than with the number of groups. By applying policies primarily to the SGT, in addition to the segmentation of the virtual networks, you can be scalable, effective, and flexible in policy expressions on software-defined access networks for IoT. The policy is only as good as the classification, though: an endpoint placed in the wrong pool inherits the wrong group’s permissions, so the pool-to-group mappings deserve the same review the ACLs once did.

The process above is the same process used to manage devices on the enterprise network. IoT devices, however, typically lack the capabilities and compute resources of, say, switches in a data center. They’re usually lighter-weight devices with a smaller form factor, lower power draw, and more limited hardware.

In order to play in this software-defined world, we need to reconcile two requirements: providing segmentation and policy, and allowing the hardware to remain as lightweight as possible. This is where Cisco Software Defined Access Extended Nodes come in. The extended node itself only needs to do static VLAN and port assignment; classification and enforcement stay on the edge node. Here’s how they work:

  • Extended node connects to a single Edge node using an 802.1Q Trunk port (single or multiple VLANs) using static assignment
  • Switchports on the Extended node can then be statically assigned to an appropriate IP Pool in Cisco DNA Center
  • SGT mapping is accomplished by Pool to Group mapping in Cisco DNA Center on the connected Edge node
  • Traffic policy enforcement based on Scalable Group ACLs is performed at the Edge node

Scaling enterprise networks was hard enough when network operators had to manually configure individual boxes. With IoT it is nearly impossible. Fortunately, Cisco has solved this challenge in enterprise networks using software-defined access and automation, and those same solutions can now be applied to IoT. With Cisco as your partner, you can scale efficiently and effectively using the same management interface you use for the enterprise network.

Want to learn more? View our on-demand webinar, Cisco IoT: Drive Transformation in the Public Safety, Oil and Gas, and Manufacturing Sectors. And don’t forget to check back on the Cisco IoT blog for the other top challenges facing enterprise IoT, including security.

Authors

Tim Szigeti

Principal Engineer

IoT Technical Marketing