Cisco User Defined Network Plus FAQ

A.  Cisco ^® User Defined Network Plus is a Cisco wireless solution that allows IT staff to give each user their very own network partition in an area or building with shared network resources. Users can remotely and securely register their devices on their own personal network. Perfect for university residence halls or extended healthcare stays, Cisco User Defined Network Plus provides the IT team with an easily deployed, managed, and monitored solution that reduces overall IT staff support for dorm connectivity, while simultaneously providing each user with their own personal, homelike network on shared WLAN resources.

Users can register their devices remotely through a Splash Access registration page. With a link provided by the institution, the user accesses the Splash Access device registration web portal using a personalized URL to register the MAC addresses of their devices. Splash Access communicates with Cisco’s Identity Services Engine (ISE) via pxGrid APIs and stores the MAC addresses in the ISE database. When the user’s device connects and authenticates on the organization’s Wi-Fi network with User Defined Network Plus enabled, that device is assigned to that specific user’s segmented User Defined Network.

A.  Some typical areas where User Defined Networking Plus would be beneficial include:

A.  To deploy the User Defined Network Plus solution, we recommend having the following hardware installed: Cisco Catalyst ^™ 9800 Series Wireless Controllers and Catalyst 9100 Access Points (or Cisco Aironet ^® 802.11ac Wave 2 access points). All hardware should be updated to Cisco IOS ^® software version 17.3.1 IOS XE or above. Cisco ISE and Splash Access licenses are needed for the User Defined Networking Plus solution. Cisco Catalyst Center is optional for User Defined Network Plus.

A.  Splash Access is an essential part of the User Defined Network Plus solution. Splash Access licenses are required and should be purchased. Request a demo account and a quote for Splash Access at https://www.splashaccess.com/udn-request/.

A.  Splash Access is an exclusive Cisco partner that also supplies the registration web portal for the equivalent Cisco Meraki ^™ solution, Meraki Wireless Personal Network (WPN). Cisco is simplifying and optimizing the on-premises User Defined Networking Plus solution to provide a common workflow regardless of our customers’ management preferences, by using Splash Access for both solutions.

A.  User Defined Network Plus requires Cisco DNA Advantage with ISE as well as licenses for Splash Access.

A.  On expiration of the Cisco DNA licenses, the customer can use the license evaluation period to renew the licenses. If the ISE licenses are active, User Defined Networking Plus will continue to function. If the ISE licenses are not renewed, or if the Splash Access licenses expire, the User Defined Networking Plus solution will not function, as these are critical components.

A.  User Defined Network Plus scale is defined by the scale of the Cisco Catalyst 9800 Series controller. Up to 64,000 UDNs are supported for the 9800 Series controller.

A.  No. Intercontroller roaming is not required.

A.  No. User Defined Network Plus is supported in Local mode access points only.

A.  Administrators can monitor the devices added by users via the Cisco Catalyst Center Assurance dashboard.

A.  No. Devices using User Defined Network Plus can be on different types of SSID, such as PSK, 802.1X, or even an open SSID if these SSIDs are serviced by the same wireless controller.

A.  No. Splash Access allows users to securely register their devices’ MAC addresses. Once registered, when the device with that MAC address joins the UDN-enabled SSID, the network can group all the user’s devices in their own segment so that their personal network or partition can restrict the mDNS and link-local multicast advertisements to those devices.

A.  No. Splash Access is the registration portal for a user’s devices. The device will need to connect to the Wi-Fi or the wireless network through the existing mechanisms already in place.

A.  Both mDNS and UPnP gateways are used to advertise and proxy for the mDNS or UPnP across multiple local broadcast domains (VLANs). The User Defined Network Plus solution integrates with the mDNS gateway on the Cisco Catalyst 9800 Series Wireless Controller to provide the User Defined Network Plus functionality. It will operate with an external mDNS gateway. Catalyst 9800 Series Wireless Controllers do not support the UPnP gateway functionality, but the solution works with the UPnP devices in the same broadcast domain VLAN.

A.  Yes. For the wireless devices to talk to each other, P2P blocking should be disabled. However, the User Defined Network Plus solution offers a similar functionality that lets the administrator disable wireless devices that do not belong to a user to prevent them from talking to each other.

A.  Security and visibility: User Defined Network Plus enables users to onboard their own devices to the network while giving IT visibility using the wireless controller. Devices are registered with Splash Access, and the existing access policy, enforced by Cisco ISE, is applied. This improves the user experience without compromising protection or increasing organizational risk. Device onboarding is streamlined, policy provisioning is automated, and IT staff can control access to network resources.

Limit the blast radius: User Defined Network Plus confines a user’s devices to their partition, separating each user’s devices within the same domain. This reduces the attack surface, curtails ransomware spread, and quickens threat containment during security incidents. So, if a user clicks a malicious phishing email, the harmful traffic is confined to their device or network segment, preventing the threat from spreading.