Q. What is Cisco® User Defined Network?
A. Cisco User Defined Network is a Cisco network solution that allows IT staff to give each user oversight of his or her own network partition. Users can remotely and securely register their devices on their own personal network. Perfect for university residence halls or extended health care stays, Cisco User Defined Network grants both device security and control, allowing users the choice of who can connect to their network. Using an intuitive mobile app, users are able to register their devices from home or anywhere else before they reach their designated location or connect to the shared network. Once the user arrives on campus, they connect their wireless devices to the regular network, and the devices are then placed into their personal network.
Q. How does the Cisco User Defined Network solution work?
A. Users are able to register their devices while at home or anywhere else through the User Defined Network app. This is done via an app download link provided by the institution. The registration is brought to the organization’s shared network, such as a university’s network, via the UDN Cloud. From there the data is transitioned to the university and, thanks to Cisco DNA Center, Cisco Identity Services Engine (ISE), and Cisco Catalyst® hardware, a separate partition is created for each user.
Q. Will the customer need to pay for cloud service?
A. UDN Cloud Service is part of the User Defined Network. There is no additional charge for this service.
Q. What are the key features and benefits of the User Defined Network?
● A homelike and personal network user experience in shared network environments.
● Secure onboarding of personal wireless devices.
● Ability to register wireless devices from a remote network.
● Ability to limit access to the user’s personal wireless devices.
● Ability for users to invite trusted users to their personal network.
● Works on all kinds of authentication mechanisms, including PSK, 802.1X, and more.
● Works on both existing and new deployments, meaning that a customer does not need to do significant work to enable the solution as long as they have all the components.
● Protocol agnostic: works for mDNS (Bonjour), Universal Plug and Play (UPnP), broadcast, Link Local Multicast (LLM), and similar traffic types, as well as unicast traffic.
Q. How is the Cisco User Defined Network unique?
● Ability to register a device from any location. The competition needs a physical presence in the network.
● Simplified day-one experience where users can access their registered devices. The competition has a complicated day-one experience during which users cannot access any devices.
● Mobile app provides flexibility for user notification. The competition’s solution works only with a web portal, with no user notification and forceful addition of users to the personal network.
● Ability to contain mDNS, broadcast, UPnP, Link Local Multicast (LLM), other types of LLM traffic, and even unicast traffic.
● Flexibility to enable a personal network on the location of choice.
● Cisco has Client 360 view and a UDN Assurance Dashboard that provides detailed information on the personal network. The competition’s administrator has no granular visibility into the personal network.
Q. What are some of the top use cases for the solution?
● Universities, specifically residential living
● Research teams or departments
● Nonacademic business departments
● Senior living facilities
● Hotels (long-term)
● Convention centers
● Multitenant environments
Q. What are some of the key challenges for users in the current shared network environment?
● Complex for IT to manage. Cisco User Defined Network makes it easy to manage the deployment of wireless devices onto the network with the User Defined Network mobile app.
● No secure onboarding. Without Cisco User Defined Network, users can’t limit access to their own devices, they can’t onboard devices securely, and overall they have a poor experience. With Cisco User Defined Network, the onboarding is secure, and users can limit who can join their network. Access is granted via the User Defined Network mobile app.
● Limited user control. Without Cisco User Defined Network, the user lacks the homelike experience, with no controlled visibility and no solution automation. With Cisco User Defined Network, even though the user isn’t at home, he or she will get a similar experience and familiarity to being on their home network.
● Difficult to onboard personal devices to a personal network. The app can be downloaded from Google Play or the Apple App Store, and users log in with the student ID/credentials they receive in an email from the network administrator.
● Devices limited to authorized residents only. With Cisco User Defined Network, authorized residents can add campus friends to their personal network and remove them.
Q. What are some of the key challenges for IT professionals in the shared network environment?
● Long queues filled with users who can’t deploy their devices to the network. With the Cisco User Defined Network mobile app, deployment is simple. This allows IT professionals to work on other, more critical projects.
● When an end user first appears on campus, they often have a hard time connecting their device to the shared network. They then take their issue to the IT department. While an individual request isn’t complicated, if many new people are trying to log onto the network and running into the same problems, the sheer volume of requests can be troublesome for the IT staff.
● Newcomers to campus often want their devices to connect to the network as soon as they step foot in their new living spaces. With User Defined Network app, the devices can be registered at home and can be used the minute the device connects to the new network.
Q. What is the current shared network device onboarding experience like for a user and a network administrator?
A. The experiences of IT Admins aren’t always the same from industry to industry. But there is a lot of overlap. The following example revolves around a University setting and can be extrapolated to other industries.
Mary Jane is a student at State U and wants to bring all of her devices to school. From her cell phone to her laptop to her Ring doorbell and more, she has to bring it all to the shared network on her hectic first day of school. Once on campus she finds that some of her devices connect easily and others don’t connect at all. This means that she has to file a ticket and go to the IT department so someone can take a look at her devices to make sure they can connect. Once at the IT office she’ll wait in line with other frustrated students. And she’ll wait. And wait. And wait. Due to a small staff and a large number of students with similar problems, Mary Jane will spend a considerable amount of time waiting to get her problem fixed.
Network administrator John is on the other side of this coin. He dislikes the first week of school because he knows it’s going to be chaos. Many of the students have trouble connecting their devices to the network, which means John is constantly working to fix tickets submitted from students like Mary Jane.
This goes on for a week or more. Once the deluge ends, John is still responsible for all of the work that piled up on his desk while he was fighting these fires.
Q. How will User Defined Network change how end-users connect to the network?
A. Once again, we turn to a University to review a typical scenario.
It begins in July when Mary Jane gets an email from IT with instructions on where to find the app. She downloads the app and then logs in with her university credentials. From there, she onboards all of her devices from her home. When she moves into school in September, all of her devices are onboarded and are waiting for her on the first day.
For John, a Network Administrator, it’s even easier. In July he sends out the how-to email to new and returning students. When September rolls around, he sees fewer IT tickets when students return. John is a conscientious employee, so while he may see fewer tickets, he still double-checks with Cisco DNA Assurance to make sure things are working smoothly. He can see a lot of additional historical per-device detail that he could not capture before Cisco DNA Assurance. It all looks pretty good, so he finishes up his other projects.
Q. Where can users find the User Defined Network app?
A. Apple users can find the User Defined Network app in the Apple App Store. Android users will be able to download the app from Google Play.
Q. What components are needed to deploy this solution?
A. In order to deploy the User Defined Network solution, it is recommended that the following hardware be installed: Cisco Catalyst 9800 Series Wireless Controllers and Cisco Catalyst 9100 Access Points (or Cisco Aironet® 802.11ac Wave 2 access points). All of this hardware should be updated to run Cisco IOS® software version 17.2 or above. In addition, Cisco DNA Center, Cisco ISE, Cisco UDN Cloud Service, and the Cisco User Defined Network app need to be running on the network. The UDN mobile app must also be integrated with the SSO gateway, either on-premises SD via SAML 2.0 or via Azure AD.
Q. What license type is needed to deploy this solution?
A. User Defined Network needs Cisco DNA Advantage with ISE plus licenses or comes with the Cisco DNA Premier licensing bundle.
Q. What happens when the licenses expire?
A. On expiration of licenses, the customer can use the license evaluation period to renew the licenses. If the licenses are not renewed during the evaluation period, the customer will lose access to the UDN Cloud Service and will not be able to administer it until the licenses are renewed. The solution will still continue to function.
Q. What scale is supported with User Defined Network?
A. User Defined Network scale is defined by the scale of the Cisco Catalyst 9800 Series controller; hence it supports up to 64,000 UDNs for the 9800-80 controller.
Q. Can I see the status of my User Private Networks from within the Cisco DNA Center dashboard?
A. Yes, you can. You can find the status in the Assurance tab, where a User Defined Network is called a “Room.” Each Room has a unique number, for example Room 72. When Client 360 View is opened, any client endpoint (such as an iPhone, Roku, or camera) that has been included in a User Defined Network will be indicated with its Room number. If Cisco DNA Assurance has flagged an issue with a specific device, one can easily see the Room number where that client endpoint is located. This makes it easy to contact the user of that specific client for any troubleshooting needed.
Q. Is inter controller roaming supported?
A. No. Inter controller roaming is not required.
Q. Are flex and fabric deployments supported?
A. No. This is supported on local mode APs only.
Q. How is the onboarding mobile app made available to users, and what customization is possible?
A. The User Defined Network client onboarding app will be available via the Apple App Store for Apple iOS devices and the Google Play store for Android devices. The logo for the app can be customized by the institution using the cloud portal.
Q. Does Cisco provide App SDK for integration to Customers existing app?
Q. What level of control does the network administrator have over the devices that users register?
A. Admins will have the ability to monitor the devices added by users via the Cisco DNA Center Assurance dashboard.
Q. Does User Defined Network require all devices to be on the same SSID?
A. No. Devices participating in User Defined Network can be on different types of SSID, such as PSK, 802.1x or even an open SSID. But they should all be on the same Wireless LAN controller.
Q. Will Cisco create a different SSID or password for all my devices via the onboarding app?
A. No. The User Defined Network app lets users securely register their devices’ MAC addresses via the app. Once registered, when a device with that MAC address joins a User Defined Network enabled SSID, the network can group all of the user’s devices into their own segment so that it can restrict mDNS and link-local multicast advertisements to those devices.
Q. Will registration via the app automatically connect my device to the Wi-Fi network?
A. No. The User Defined Network app only lets users securely register their devices’ MAC addresses. The device still needs to be connected to the Wi-Fi or wireless network through the existing mechanisms already in place.
Q. Will User Defined Network work if we have mDNS or UPnP gateways in the network?
A. Both mDNS and UPnP gateways are used to advertise and proxy mDNS or UPnP across multiple local broadcast domains (VLANs). User Defined Network functionality integrates with the mDNS gateway on the Cisco Catalyst 9800 Wireless Controller to provide the User Defined Network functionality. It does work with an external mDNS gateway. Catalyst 9800 Wireless Controllers do not support UPnP gateway functionality, but the solution works with UPnP devices in the same broadcast domain (VLAN).
Q. Should I disable peer-to-peer (P2P) blocking on the wireless SSID?
A. Yes. For the wireless devices to talk to each other, P2P blocking should be disabled. However, User Defined Network offers similar functionality that lets the administrator prevent wireless devices not belonging to the same user from talking to each other.
Q. How does UDN enable secure onboarding and allow for increased protection?
A. Visibility and Control: When an end user uses UDN to onboard her devices, the devices are now 100% visible to IT. Her devices are automatically assigned to a profiled group by Cisco DNA Center, and the existing access policy is applied and enforced by Cisco Identity Services Engine (ISE). Organizations are now able to improve user experience without increasing organizational risk or sacrificing protection. Not only is device onboarding streamlined, but provisioning of policy is also automated; all of the end users’ devices are now visible to the IT admin, who can control their access to university resources.
Limit the blast radius: UDN isolates a user’s group of devices into their own partition, effectively segmenting each user’s devices from others within the same domain. In the event of a security incident, this shrinks the attack surface, limits the lateral spread of ransomware, and enables rapid threat containment. Now, when an end user clicks on the wrong phishing email, malicious traffic is no longer spread throughout the entire dorm; it is contained within her single device or UDN.