Securing Industrial IoT

It’s hard to ignore the ubiquity of the internet of things (IoT). Even if you’re one of those holdouts that doesn’t own consumer IoT devices such as a smart speaker, internet-connected thermostat, or a smart watch, industrial IoT (IIoT) devices—a subset of the IoT landscape—are already playing a part in your daily life. From the delivery of water and electricity, to manufacturing, to entertainment such as amusement park rides, IIoT devices are part of more industries than not, and have been for some time. Gartner recently estimated that there were 4.8 billion IIoT assets in the world at the end of 2019, and expects that number will grow by 21 percent in 2020.

The biggest issue faced in many operational technology (OT) environments, which host IIoT assets, isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation as long as 30 years. Many of these assets have been connected to the network over the years, making them susceptible to attacks. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.

The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT assets means taking them offline—something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large swath of exploits to attempt in the pursuit of compromising IIoT assets.

And the number of vulnerabilities discovered in IIoT devices is growing, as is evident in research carried out by Cisco Talos’ Security Research Team, whose mission is to discover vulnerabilities before the bad guys do. During their look back at 2019, Talos pointed out that they published 87 advisories about vulnerabilities in IoT and ICS devices—by far the largest category for the year. In fact, there were 23 percent more advisories published in this space than there were for desktop operating systems, the second largest category, and historical mainstay targeted by attackers.

This isn’t all that surprising in a field that’s growing this fast. But it’s worth considering how adding new assets into a network, as well as securely maintaining the OT network where assets reside, presents new challenges and naturally increases the attack surface.

So, if you’re using IIoT assets in your business, what sorts of threats do you need to look out for? And how do you protect your devices?

Getting in

The good news is that most IIoT assets aren’t directly exposed to the internet, meaning attackers must rely on other methods to get to them. In essence, the same techniques used in other attacks are used to get to IIoT assets.

The most common vector for compromise—email—certainly applies here. An attacker can attempt to gather information about engineers, plant managers, and developers that have access to IIoT systems and specifically target them with phishing emails. Compromising a computer owned by any of these users can be the most direct path to compromising IIoT assets.

Unpatched systems, simple or default device passwords, and relaxed remote access policies for maintenance contractors all offer attackers avenues of approach. Weaknesses in any of these can provide ways for an attacker to move laterally and gain access.

The reality is that IIoT-specific threats are not that common of an occurrence. There are threats that have attacked general IoT devices en mass, such as Mirai and VPNFilter. And there are threats like Stuxnet, which specifically targeted PLCs. Of course such highly targeted threats are cause for concern. But it’s far more likely that an IIoT device will be compromised and reconfigured by an attacker than be compromised by a trojan or a worm.

Scorching the earth

Let’s say an attacker sets their sights on bringing a particular business to its knees. He or she begins by crafting an enticing phishing email with a malicious PDF and sends it to HR in the guise of a job application. The employee responsible for monitoring job enquiries opens the PDF, effectively compromising the computer.

The attacker works his or her way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. Without multi-factor authentication enabled for access, they encounter few issues in doing so. The attacker eventually manages to compromise a domain controller, where they deploy malware using a Group Policy Object (GPO), successfully compromising the entire IT network.

Due to poor segmentation, the attacker manages to eventually work his or her way to the OT network. Once in, the attacker performs reconnaissance, flagging the IIoT assets present. The attacker identifies vulnerable services in the assets, exploits them, and knocks them offline.

Production grinds to a halt and the business is effectively shut down.

Defense with an arm behind your back

So how do you defend your IIoT assets and the OT network as a whole against attacks, especially for high-availability assets that can’t readily be brought down to patch?

Network monitoring is often the most effective step you can take. However, it’s important to passively monitor the traffic when it comes to IIoT assets. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing them to fail. In contrast, passive scanning listens to the traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment.

Keeping a current inventory of assets on the network is also very important in protecting the IT and OT networks. Passive monitoring can help to identify assets on the network, including errant and rogue devices. With a comprehensive list of devices, you can create policies for asset groups.

It’s also very important to segment your networks. Having a complete asset inventory and policies in place will help when figuring out how to segment your IIoT assets and the OT network. While this may not prevent a determined attacker from crossing the boundaries between different areas of the network, it can slow them down, providing more time to respond in the case of an attack. Explore implementing zones and conduits as discussed in ISA99 and IEC 62443 within your organization.

However, it’s worth noting that many IIoT assets leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having a complete inventory of assets on the network is important. Strong dataflow mapping is also helpful when it comes to knowing which assets are talking to each other and how they interact as a whole.

Patching IIoT assets as soon as possible after a vulnerability is discovered is highly recommended. But if it isn’t possible to take a device offline to patch, then visibility becomes critical. It’s important to know what assets you have and the network layout to identify what absolutely must be patched. It may also be worth exploring IIoT redundancy within your network, allowing you to take one device down while others pick up the load during maintenance cycles.

Being able to detect IIoT traffic anomalies is also very helpful. Look for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned firmware updates, unexpected configuration changes, or other anomalies.

Finally, threat hunting is a great way to look for and weed out threats within your OT environment. Proactively looking for bad actors doing bad things, building playbooks, and automating them will go a long way to improve your security posture.

Easing the burden

Protecting IIoT assets is arguably one of the more difficult tasks in security. There are a wide variety of devices, many of which operate in a very tailored manner and don’t respond well to disruption that could be caused by many security processes and procedures.

Fortunately, there are a number of Cisco Security products that can help.

◉ Cisco Cyber Vision gives OT teams and network managers full visibility into their industrial assets and application flows. Embedded in Cisco industrial network equipment, it decodes industrial protocols to map your OT network and detect process anomalies or unwanted asset modifications.

◉ Identity Services Engine leverages the asset inventory built by Cisco Cyber Vision to create dynamic security groups and automatically enforce segmentation using TrustSec.

◉ ISA3000 is a ruggedized industrial firewall appliance you can deploy in harsh environments to enforce zone segmentation, detect intrusions, and stop network threats.

◉ Stealthwatch is a security analytics solution that uses a combination of behavioral modeling, machine learning, and global threat intelligence to detect advanced threats. Integrated with Cisco Cyber Vision, this visibility extends deep within the IIoT infrastructure.

◉ AMP for Endpoints can be used to protect engineering workstations within the OT environment.

◉ Duo’s multi-factor authentication can be used to prevent an attacker from gaining access to systems on the network as a they attempt to move laterally.

◉ Cisco Email Security can detect targeted phishing emails aimed at IIoT operators and others, preventing malicious payloads from reaching their intended target.

Ultimately, a layered approach will provide the best security. For instance, Cisco Cyber Vision can automate visibility of industrial devices and secure operational processes. Integrated with Cisco’s security portfolio, it provides context for profiling of industrial devices in Stealthwatch, and maps communication patterns to define and enforce policy using granular segmentation via with ISE.

Continue reading

The Not-So-New Role of the Engineer in Complex Change: Master of Transitions

The Age of Intelligence is here, and Cisco is in the midst of a transition — again. This transition is driven primarily not by AI and machine learning, but by the voices of our customers and their need to consume technology in new ways and digitally transform their businesses. While Cisco established itself in 1984 in the midst of a technology revolution, the need to continue evolving hasn’t slowed one bit.

Challenges Everywhere

In the 1980s, Cisco’s key product was the AGS Multi-Protocol Router, and alone it could solve a host of customer challenges. Today, our efforts to solve those challenges and provide the type of experience they demand has given way to multi-vendor and cross-architectural (multi-domain) solutions. These solutions are comprised of dozens of products and architectures across an array of companies.

The cloud has not alleviated the situation, as was promised early on. In reality, cloud has created additional complexity. Most customers are not only growing their business on-premises but also contending with the requirements of a hybrid-cloud environment. Interoperability between technologies and vendors adds yet another layer of challenges to be solved.

Security is paramount as no part of a corporate infrastructure can be left unprotected. The proliferation of personal devices into corporate IT also presents a new set of challenges. The mobile nature of today’s workforce requires wireless/mobility services that not only connect seamlessly, but also demand the same speed and reliability of hardwired devices. As corporate infrastructures continue to expand, the ability to manage multiple converged technology stacks has created even more complexity in the data center. The collision between software developers and network administrators creates challenges on how each side can complement each other to provide the best possible business solution for a customer or employer.

Clearly these are busy times! The questions I often hear from customers, are “This is crazy! Who can I trust to work with and figure this out? Who will put my best interests first and help me start down a path leading to my ultimate success?”

To make it work, you need people who thrive on complexity, problem-solving and change: the engineer.

Your Trusted Advisor: Systems Engineer

There has never been a better time to be a systems engineer (SE). With continuous change, it’s a good thing engineers thrive on complexity, and are comfortable being uncomfortable. Also, it’s a great thing that engineers at Cisco and our partners think about change in the context of customers and their ultimate experience. In fact, we hear from our customers who consistently note the Cisco SE as the individual they have the highest level of trust in to help them navigate these challenging waters. When customers are surveyed, they reference phrases like “put their interests first,” “honest/forthcoming,” and “Trusted Advisor.” When I speak live with customers it’s much of the same.

At Cisco within the global SE community we use a slogan to describe who we are, which I think captures things perfectly: “Masters of Transition since 1984.” That transition is alive 35 years later, and our systems engineering community is applying its skills very much as it did in the 1980s.

Have You Met Your Field Engineer?

While much of helping customers harness technology, and how it applies to their business, falls to the SE ranks, another group is becoming as critical to Cisco as the success of our customers. Field engineers (FE) have the deepest level of knowledge within technology disciplines across multiple vendors, help customers extract the value of the technology they’ve purchased, and work directly with customers to help train their employees to incorporate technology into the fabric of their work. The FE is the truest practitioner of technology expertise that exists within our industry. In short, if the FE isn’t successful then neither is the customer, partner, or Cisco. When customers ask, “who will see this entire project through with me”? I have a simple reply, “have you met your field engineer?”

Ultimately responsible for ensuring the customer is able to not only fully extract the value of the technology purchased, the FE also assures that customers are comfortable integrating it into their existing or new business. The FE is truly where the rubber hits the road, so to speak in terms of customer receiving — and benefiting — from the technology they have acquired. With this responsibility it’s no wonder why Cisco is investing significantly in our reseller and partner FE community so that our customers are not just purchasing technology, they are activating, adopting and benefiting.

Driving Success Forward

Threats are everywhere. Outages can potentially cost millions of dollars. Change windows are harder to secure. Technology updates bombard organizations non-stop on a daily basis. Your engineering teams carry the full weight and burden of how business can (and should) realize the benefits of Cisco technology.

With complexity at its highest, pace of change at its quickest, and threats lurking around every corner, this is without a doubt a new Age of Intelligence, and engineers can lead the way forward.

Continue reading

2020 is Calling: Cisco UCM Cloud Momentum and Benefits

In a brand-new year where the market will continue to see calling as a linchpin of and strategic differentiator for enterprise digital transformation, Cisco is taking a unique approach. While other collaboration vendors are pushing their customers to the cloud without a viable migration path, Cisco is continuing to invest in our on-premise architecture while migrating our market–leading solutions to the cloud.

Read More: 210-250: Understanding Cisco Cybersecurity Fundamentals (SECFND)

The good news for Cisco on-premises customers is that traveling the path to the cloud (or to a hybrid state) does not have to take too long or be too treacherous. Cisco Unified Communications Manager Cloud (UCM Cloud) is the quickest, most natural migration path to cloud calling for customers who are looking to:

◉ Minimize disruptions with familiar user experiences

◉ Enjoy the latest UCM features

◉ Re-use existing Cisco endpoints and infrastructure

◉ Continue with existing PSTN service agreements and gateways

◉ Simplify procurement with a Cisco Collaboration Flex Plan

◉ Take advantage of generous trade-in incentives and migration programs

The UCM Cloud team is excited to communicate that we have expanded our global footprint, and our European data centers are now live, and we are actively working onboarding partners in the region. That is why our presence this year at Cisco Live Barcelona will focus on continuing to drive momentum as we expand globally.

Global Cloud Calling Momentum

Since the August Launch of UCM Cloud, we have seen tremendous global momentum with the expansion of the UCM Cloud service to Webex data centers in North America and Europe, with Asia Pacific scheduled to come online in Q1 of this calendar year. Our customers across the world can now buy their chosen service in their contract country with localization options that match our on-premises UC Manager product. These localized options include support for phone and gateway tones in 82 countries and a self–care portal in 50 languages and clients in more than 30 languages simplifying the cloud migration process.

The Benefits of Cisco UCM Cloud Calling

A recent Gartner Unified Communications forecast suggests that by 2023 there will be 167 million cloud calling and collaboration users on the planet, nearly twice as many as there are today.1

Moving enterprise calling workloads to the cloud can be a daunting prospect for organizations where daily business relies on highly customized collaboration workflows. Over the last several months, our customers have told us they need a migration path to the cloud without disrupting their business–critical day-to-day activities. These customers need the same features, functionality, third-party integrations, and customizations they have been using for years, and the desire to continue to use their existing voice and video endpoints to extend their return on investment for these assets. 

The need for a highly customizable cloud calling platform to maintain functionality is one of many factors that is driving Cisco enterprise customers to our UCM Cloud calling solution.  Our enterprise customers are not alone in this request. Recent research done by MZA shows that a majority of organizations with more than 1,000 seats are interested in a private instance cloud calling solution.

The Advantages of Cisco UCM Cloud

Addressing the needs of our customers looking for a highly customizable calling platform was one of the primary drivers behind the development of UCM Cloud. The service offers the same familiar, award-winning Cisco Unified Communications Manager (CUCM) features and user experience providing an ideal migration path to the cloud for enterprise customers with on-premise UC Manager  deployments.

 With UCM Cloud You Get: 

◉ A dedicated calling application instance hosted and operated by Cisco in Cisco Webex Data Centers

◉ A customizable calling platform with all of your favorite Cisco UC Manager capabilities along with an API strategy that enables deep third-party application integrations

◉ A large-scale, flexible architecture that can adapt quickly to new growth requirements

◉ A robust, secure platform, with a FedRAMP authorized version, cloud-enabled Cisco Unified Survivable Remote Site Telephony (SRST) features, e911 capabilities, and other key UC Manager enterprise security modalities embedded within the platform

◉ A familiar user experience that speeds migration to the cloud and bypasses the need for employee re-training

◉ A unified client for calling, messaging, meetings and team collaboration that is usable across all device types

◉ Compatibility with Cisco’s full portfolio of phones, gateways, and video devices

◉ Hybrid deployment capabilities as UCM Cloud represents the quickest path to the cloud for Cisco on-premise customers

How Cisco UCM Cloud and the Webex Single Platform Advantage Fit

UCM Cloud is a strategic component to the Webex Single Platform Advantage, helping provide Cisco customers with a cloud calling option that manages security and streamlines risk, improves scalability, and reduces costs—well–known challenges for today’s business and IT leaders. We have integrated UCM Cloud with the Webex Platform, connecting services and integrating experiences to deliver consistency regardless of which workload—calling, meetings, messaging, devices, or contact center—you use or where—desktop, mobile, or devices—you collaborate. Our single platform approach is grounded with a focus on enterprise–class security, IT control, and visibility, which helps our customers solve their digital transformation challenges.  

Continue reading

Modeling an inclusive digital future

We live in a digital world. Digital technologies are advancing at a rapid pace, connecting people around the world and creating new and exciting opportunities. More than any time in human history, people have greater access to knowledge, services and resources as a result of technological advancements. The impact of automation, artificial intelligence, and the Internet of Things (IoT) is felt almost everywhere, in all countries, industries, and everyday life. However, while the impact of digitization is widespread, the benefits it yields are distributed unevenly. It is important to understand a country’s digital readiness to help create a more inclusive future for all, which is the objective of Cisco’s 2019 Global Digital Readiness Index.

To uncover key insights and build our understanding on what it means for a country to be digitally ready, a holistic model was created that includes components beyond technology, such as basic needs, human capital development, and the business and start-up environment. Although having access to technology and the infrastructure to support digital technologies is critical, if individuals’ basic needs are not met (e.g. access to clean drinking water or lack of education or job opportunities), a country cannot fully take advantage of digital opportunities. This holistic model allows for an understanding of a country’s level of digital readiness and what interventions and investments could help countries advance in their readiness.

In this second iteration of the study, it was found that globally, countries’ scores vary on digital readiness with three stages emerging: Activate, Accelerate, and Amplify. No country scored perfectly. For countries in the lower stage of digital readiness (Activate), a focus on basic needs and human capital development is especially important. As technology is consistently advancing, there is a continuous need for developing skilled talent with the most current employable skills for the job market and creating new digital innovations. In addition to these foundational interventions, countries in the middle stage of digital readiness (Accelerate) would also benefit from investing in enhancing the ease of doing business. The study revealed that, no matter the stage of digital readiness, human capital development is essential to build a workforce capable of utilizing and creating technology on a continuous basis.

At Cisco, we believe it is important to contribute research to help the continuing dialogue on technology’s future impact. We hope to serve as a catalyst for driving an inclusive digital economy. To do so, we conduct research to gain a better understanding of what it means to be digitally ready and what would be the most beneficial to help individuals and countries thrive in the digital world. We use these insights to ensure the relevance of our key Corporate Social Responsibility (CSR) investments, such as our Cisco Networking Academy program, where over two million students worldwide gain foundational digital and entrepreneurial skills that improve their career prospects and help fill global demand for technology professionals.

To help take advantage of the opportunities technology can bring, we are working toward empowering global problem solvers – individuals who are innovators and entrepreneurs – who will be key to fueling an inclusive digital economy. Jobs of the future are not fully understood and will change constantly, but individuals who learn innovation and entrepreneurship skills using technology to solve problems will be prepared no matter what the future holds.

We can use research to design our programs and investments to develop and support global problem solvers who apply digital solutions to address social problems and foster economic development. We have a bold goal to positively impact 1 billion people by 2025 through digital solutions.

If we empower global problem solvers and prepare them with the right skills, we can help them participate in the global economy and create economic opportunity for all.

Continue reading

An Update on the Evolving Cisco and SAP Strategic Partnership

As Cisco’s SAP ambassador, I’m often asked, “Tell me about the Cisco and SAP partnership.” Many may not know, but in 2019 we celebrated twenty years of Cisco and SAP working strategically together—always with the objective of benefiting our mutual customers. Innovation has been an intense focus for the partnership, which is why, for example, Cisco became a founding sponsor of the SAP co-innovation lab in 2014.

Today, the Cisco and SAP partnership touches many business units at Cisco; what began with optimizing Cisco Data Center products to run SAP software has evolved to include other strategic areas such as Internet of Things (IoT), cloud computing, big data processing, AI/ML, and collaboration.

SAP Data Hub on Cisco Container Platform

As an example of software co-innovation, Cisco Container Platform (CCP) is certified for the SAP Data Hub and includes support for use cases such as hybrid cloud big data processing. Many SAP Data Hub customers want to run in hybrid cloud environments to leverage cloud-based services, while also keeping some data on premises to meet security and governance requirements.

SAP Data Hub is SAP’s first micro services container-based application, and it enables users to orchestrate, aggregate, visualize, and generate insights from across their entire data landscape. SAP Data Hub runs anywhere Kubernetes runs.

Unfortunately, running Kubernetes on premises has its challenges. For instance, IT must  answer questions about how to manage and support Kubernetes. In addition, it’s challenging to connect the private and public cloud environments and complicated to manage user access and authorizations across multiple environments.

The integration of SAP Data Hub with CCP addresses these challenges. CCP is a production-ready Kubernetes container management platform based on 100 percent upstream Kubernetes and delivered with Cisco enterprise-class Technical Assistance Center (TAC) support. It reduces the complexity of configuring, deploying, securing, scaling, and managing containers via automation. CCP works across on-premises and public cloud environments.

The Cisco and SAP teams are working closely to bring the next iteration  of SAP’s multicloud strategy for on-premises deployments—SAP Data Intelligence, which marries SAP Data Hub to AI/ML—to fruition.

AppDynamics monitors SAP environments

Cisco has enhanced AppDynamics, its application performance monitoring product, to monitor SAP environments. This engineering effort includes giving AppDynamics code- level visibility into SAP ABAP, which is the primary programming language for SAP applications.

This new capability provides direct hooks that enable AppDynamics to measure the business process performance of SAP applications. And though SAP has its own monitoring solution, AppDynamics enables SAP customers to monitor their business processes across SAP and non-SAP solutions.

Monitoring is of special importance to SAP customers because their systems often consist of SAP and non-SAP components. For example, at a minimum, an online retail e-commerce system likely consists of a web server connected to an SAP ERP system, and slow checkout can potentially drive customers away. Unfortunately, it is time-consuming and difficult for engineering teams to diagnose where in the stack a performance issue is occurring.

Cisco DNA spaces

Everyone is talking about IoT and digital transformation. However, a big challenge in deploying an IoT strategy is the need to put sensors everywhere, which represents a huge investment of capital, time and resources.

As a leading network provider, Cisco can help customers meet this challenge, because,  in many cases, a wireless network is already in place. A wireless access point not only acts as a transmission device, but it can also sense things if enabled with Cisco DNA Spaces. For instance, an access point can track how many mobile phones are connected, for how long, and where they are located at all points in time. By combining geo-location information with enterprise data, businesses get closer to achieving the IoT promise of utilizing data from things to ultimately make better decisions.

Consider this scenario: the owner/operator of a shopping mall wants to know not only quantity of traffic but also where visitors to the mall go. By combining this data with SAP ERP data such as lease fees and analyzing it, the owner/operator can decide upon fair lease prices for shops located in lower- versus higher-traffic areas.

Through Cisco and SAP co-engineering, the rich on-location people and things data provided by Cisco DNA Spaces is now integrated with SAP software, enabling our mutual customers to gain additional insights into what’s happening in their businesses.

Cisco Data Center solutions for SAP

Finally, Cisco UCS-based converged infrastructure solutions—which were launched over a decade ago—are at the heart of the infrastructure running many SAP workloads today. These solutions blend secure connectivity, programmable computing, multicloud orchestration, and cloud-based management with operational analytics for our customers’ SAP data centers.

We continue to innovate around these data center solutions to support evolving use cases such as providing support for machine learning applications. Cisco Data Center solutions, for example, have now integrated NVIDIA GPUs and are certified to support Intel® Optane, which enables persistent memory, larger memory pools, faster caching, and faster storage.

The next twenty years …

As Cisco’s SAP ambassador, I’ve seen over and over again how Cisco and SAP’s portfolios complement each other. For example, a key SAP mission is to help its customers become intelligent enterprises, which requires robust connectivity at all customer touchpoints. This mission, of course, meshes with Cisco’s core competency as the world’s leading network provider.

As we continue to innovate, Cisco and SAP will continue our laser focus on co-engineering innovations that deliver the value our mutual customers require in their evolving business environments.

Continue reading

Service Mesh for Network Engineers

Learning never ends, and that’s never been truer for the trusty network engineer. Of late Network Engineers have been moving up the stack, changing the way we deliver network services, becoming programmatic and using new tooling.

A not so scientific graph of what network engineers need to be aware of in 2020

The driving force behind these changes is the evolution of application architectures. In the era of modular development, applications are now collections of loosely coupled microservices, independently deployable, each potentially developed and managed by a separate small team. This enables rapid and frequent change, deploying services to where it makes most sense (e.g. Data Centre, public clouds or Edge). At the same time, Kubernetes (K8s) is quickly becoming the de facto platform upon which to deploy microservices.

What does this mean for the networker engineer? Well, routing, load balancing and security have been the staple of many over the years. It’s stuff engineers know very well and are very good at. But these capabilities are now appearing in some new abstractions within the application delivery stack.

For example, K8s implements its own networking model to meet the specific requirements of the k8s architecture. Included in this model are network policies, routing pod to pod, node to node, in and out of clusters, security and load balancing. Many of these networking functions can be delivered within K8s via a Container Network Interface (CNI) like Nuage or Flannel. Alternatively, you could leverage a lower level networking abstraction such as the Cisco Application Centric Infrastructure (ACI), benefitting from using one common network fabric for bare metal, virtual machines and containers.

As K8s is a container orchestrator, designed for creating clusters and hosting pods, its networking model meets exactly those needs. However, K8s is not designed to solve the complexity of microservices networking. Additional developer tooling for microservices such as failure recovery, circuit breakers and end to end visibility is often embedded in code to address those aspects, adding significant development overhead.

Enter stage left service mesh.

“The term service mesh is used to describe the network of microservices that make up such applications and the interactions between them. As a service mesh grows in size and complexity, it can become harder to understand and manage. Its requirements can include discovery, load balancing, failure recovery, metrics, and monitoring. A service mesh also often has more complex operational requirements, like A/B testing, canary rollouts, rate limiting, access control, and end-to-end authentication”

The above poses the question: is a service mesh a network layer? Well… Kind of. The service mesh ensures that communication between different services that live in containers is reliable and secure. It is implemented as its own infrastructure layer but, unlike K8s, it is aware of the application. Some of the capabilities it delivers to the application are recognisable network functions such as traffic management and load balancing, but these are executed at the microservices layer, and need that intimate knowledge of the application and its constituent services. Equally, the service mesh relies on lower level abstractions to deliver network functions as well.

Service mesh networking vs K8s networking

To compare the capabilities of k8s and service mesh let’s look at the example of a canary deployment. The idea behind a canary deployment is that you can introduce a new version of your code into production and send a proportion of users to the new version while the rest remain on the current version. So, let’s say we send 20% of users to our v2 canary deployment and leave the other 80% on v1.

You can achieve this with k8s but requires some hand cranking. It would require you to create your new canary deployment in proportion to what already exists. For example, if you have 5 pods and want 20% to go to the V2 canary, you need 4 pods running v1 and 1 pod running V2. The Ingress load balancing will distribute load evenly across all 5 pods and you achieve your 80/20 distribution.

Canary Deployments with K8s and Service Mesh

With service mesh this is much easier. Because the service mesh is working at the microservices network layer you simply create policies to distribute traffic across your available pods. As it is application-aware, it understands which pods are V1 and which pods the V2 canaries and will distribute traffic accordingly. If you only had two pods, V1 and V2, it would still distribute the traffic with the 80/20 policy.

In terms of comparing them, we can think of as K8s provides container tooling whereas service mesh provides microservices tooling. They are not competitive. They complement each other.

Looking at the overall stack, we can see that there are now four different layers that can deliver specific networking functions – and you might need all of them.

Abstractions and more abstractions

How Does a Service Mesh Work?

There are a number of service mesh options in the market right now. Istio from Google probably gets most the headlines but there are many other credible service meshes such as Linkerd, Envoy, and Conduit.

Istio Control Plane and Sidecar Proxies

Typically, a service mesh is implemented using sidecar proxies. These are just additional containers (yellow in the diagram above) that proxy all connections to the containers where our services live (blue in the diagram above). A control plane programs the sidecars with policy to determine exactly how the traffic is managed around the cluster, secures connections between containers and provides deep insights into application performance. (We will have some follow-up blog posts going under the service mesh covers in the coming weeks).

Ok. Great stuff. But what does this mean for the network engineer?

Many of the service mesh features will be familiar concepts as a network engineer. So, you can probably see why it’s important for network teams to have an understanding of what a service mesh is, and how, why and where these different capabilities are delivered in our stack. Chances are, you may know the team that is responsible for the service mesh, you may be in that team, or end up being the team that is responsible for the service mesh.

Delivering microservices works great in an ideal world of greenfields and unicorns, but the reality is that most don’t have that luxury, with microservices being deployed alongside or integrated to existing applications, data, infrastructure stacks and operational models. Even with a service mesh, delivering microservices in a hybrid fashion across your data centre and public cloud can get mighty complex. It’s imperative that network engineers understand this new service mesh abstraction, what it means to your day job, how it makes you relevant and part of the conversation, and perhaps it spells great opportunity.

If you want to learn more then there are a number of service mesh sessions at CiscoLive Barcelona.

Service Mesh for Network Engineers – DEVNET – 1697

Understanding Istio Service Mesh on Kubernetes – DEVNET-2022

DevNet Workshop: Let’s Play with Istio – DEVWKS-2814

But..why do I need a Service mesh? – BRKCLD-2429

Continue reading

Cisco 8000 Series Powering the Internet for the Future

On December 11th 2019, Cisco announced a set of new offerings – silicon, optics, software, and routing systems – specifically designed to power the Internet for the future. In my time at Cisco, I’ve had the privilege of launching a few notable routing systems – the ASR 9000, the NCS 6000, and the NCS 5500, but introducing the new Cisco 8000 Series is an exceptional moment, both for my team and me. It’s the result of a bold decision we made five years to totally rethink our approach and revisit every assumption we were taking for granted when designing new devices.

We are thrilled to add the Cisco 8000 Series to our routing portfolio. For our customers, it complements the NCS 5500 Series, resulting in a broader choice of 100G and 400G-optimized systems. And for those speculating about the future of the NCS 5500 Series, it is not going away; we continue to strengthen our investments in these platforms. Our customer’s technology and business needs vary, and a routing portfolio that includes both the Cisco 8000 Series and the NCS 5500 Series can best address those needs. This fact was recently confirmed with a TCO analysis from ACG Research, demonstrating that each of the platforms has an economic sweet spot.

This decision to build the new Cisco 8000 Series was indisputable when we looked at IP traffic projections. The Internet traffic carried by service providers’ networks is growing exponentially, at an annual rate of 20-30%. The growth is fueled by connections – more subscribers and devices connecting to the network, and by the type of interactions, as enterprises’ push to store more data in the cloud. Meanwhile, video, a particularly bandwidth-hungry service, continues its colossal growth rate. All this means that the massive scale at which service providers operate today will grow even larger in the years to come, and it’s the very near future when the current network economics start to break.

There was no time to wait. We needed to think differently and lay the groundwork for new routing economics and new routing systems that would bring not only a quantum leap in total capacity but also deliver unprecedented economics efficiency.

With a clean-sheet design, we had the latitude to innovate across multiple dimensions – down to the “molecular” level of routers, the silicon. The Cisco 8000 Series is the result of this approach; it redefines routing with unprecedented petabit scale, trustworthiness, and cloud-enhanced technology.

Designed to build the Internet for the future

We introduced fixed and modular form-factor systems, respectively the Cisco 8200 Series and the Cisco 8800 Series.

The Cisco 8200 Series uses the new Cisco Silicon One Q100 as a Router-on-Chip (RoC) to deliver full routing functionality with a single ASIC per router. The RoC architecture supports for large forwarding tables, deep buffers, more flexible packet operations, and enhanced programmability, which differentiates it from System-on-Chip (SoC) switches.

There are 2 fixed platforms – each of these platforms providing 10.8Tb/s of network bandwidth with very lower power consumption – 4 Watts/100G:

◉ The Cisco 8201 is a 1RU fixed configuration with 24x400GbE and 12x100GbE ports

◉ The Cisco 8202 is a 2RU fixed configuration with 12x400GbE and 60x100GbE ports

In one single rack unit, the Cisco 8201 router delivers the routing capacity that once required a full rack and 15 times the power only five years ago. This steep function in efficiency enables broader market possibilities for scenarios such as CDNs, 5G sites, and colocation as 10.8 Tb/s routers can be deployed in space and power footprints once reserved for only 100s of Gb/s.

The 8800 Series provides the highest bandwidth via modular chassis with a redundant control plane and switch fabric:

◉ The Cisco Router 8808 is an 8-slot, 16RU chassis initially delivering up to 115.2 Tb/s, equivalent to 288×400 GbE ports at full line-rate

◉ The Cisco Router 8812 is a 12-slot, 21RU chassis delivering up to 172.8 Tb/s, equivalent to 432×400 GbE ports at full line-rate

◉ The Cisco Router 8818 is an 18-slot, 33RU chassis delivering up to 259.2 Tb/s, equivalent to 648×400 GbE ports at full line-rate

All these systems come without oversubscription, with full fabric redundancy, and power efficiency of 11 Watts/100G.

Designed for handling future traffic growth

The platforms shipping today support 100GbE and 400GbE connectivity at mass scale, but that’s not the end of it. The Cisco 8800 systems are engineered to deliver the capacity service providers require for at least the next decade.

Unlike platforms that support 400GbE connectivity at the end of their lifecycle, the Cisco 8800 Series routers are delivering 400GbE at the very beginning of its lifecycle. The extra space required to cool advanced optics, highly efficient power supplies and fans, and electrical connectors have been anticipated for future expansion into higher densities using 800GbE, 1.6TbE, and beyond.

Designed for cloud-enhanced network operations

Service providers need network reporting and analytics services to complement their internal network optimization and automation infrastructure.

The design of the Cisco 8000 Series incorporates cloud-enhanced network operations and currently leverages the following SaaS offerings:

◉ Crosswork Network Insight to assess network routing health

◉ Crosswork Trust Insight to gather network evidence, and visualize/report on trustworthy infrastructure

◉ Crosswork Qualification Environment to automate qualification of new OS releases in a custom-fit environment

With cloud-based SaaS services, deployment can happen quickly with low operational costs. And these services provide continuous updates enabling service providers to always operate with the most up-to-date and critical features.

Designed for trustworthy critical infrastructure

Over the last decade, network attacks have become more sophisticated. Threats continue to manifest in software, but physical tampering with hardware infrastructure is also increasing.

The best security practices demand multiple layers of defense.  Trustworthy systems are no different.

◉ Trustworthy starts by building hardware with critical infrastructure outcomes in mind; this requires tamper-proof hardware that serves as the root of trust, what we call the Trust Anchor module, which can prevent tampering with chipsets and secure storage. Cisco Chip Protection, introduced in the new Cisco 8000 Series routers, enables ‘hardware fingerprints’ and detects any physical tampering with components, like the modification or replacement of a chip (CPU, ASICs, etc…) on the router

◉ The next layer involves booting hardware from a known authentic image and booting the OS from the root of trust. Cisco Chip Protection expands the measurement of hardware integrity as part of the Cisco Secure Boot process

◉ Finally, systems stay online for long durations of time, which requires run-time checks to verify against known good behaviors of running processes. With the Trust Anchor module and Cisco Chip Protection, irregularities can be rapidly identified and flagged

Embraced by Tier-1 service and cloud providers

Contrary to some of our competitors who “future” announce new platforms, the Cisco 8000 Series is available today.

We are very pleased to see that the Cisco 8000 Series is already gaining traction with some major service providers:

◉ STC, the leading telecom services provider in the Middle East, Northern Africa region, marks the first customer deploying the new technology
◉ On-going trials include Comcast and NTT Communications among others

Hyperscale cloud operators are also very interested in the Cisco 8000 Series. Microsoft has noted how important the support of SAI (Switch Abstraction Interface) is as it rapidly onboards new systems, using the advanced programmability and scale that Cisco Silicon One delivers:

“Cisco’s support for SAI on Cisco 8000 modular routing platforms is a major step forward enabling the SONiC community to combine the latest innovations in silicon and port speed with the density and power efficiencies delivered in chassis-based systems. This greatly contributes to the continuous scale up efforts of cloud infrastructure providers in the face of unceasing traffic growth.”Yousef Khalidi , CVP, Azure Networking, Microsoft Corp

Continue reading

The Future of Meetings in 2030

Meetings of the Future

What excites me about working on the bleeding edge of technology is not the technology itself, but what it enables. Everything we do in Cisco’s Collaboration organization is to build the best tech we can to bring people together. Our technology should never be at the forefront of the interaction. If we’re doing our job right, you shouldn’t even notice it’s there. What I find truly exciting is the experience we’re creating. The feeling of togetherness.

Humans have been communicating and working together since the beginning of time. We smile, gesture, use our eyes, hands, and posture to communicate meaning. We come to life when we meet face to face. We share. We bond. We dream. We explore. We create.

Closing the Gap Between Digital Data and the Physical World

How do we replicate that experience—not the exactness of it, but the essence of it—in a fully connected, ambient experience that draws on the best, fluid blend of physical and virtual elements?

Perhaps the best way I can share this is to describe what I want a typical meeting to be like in 2030:

It’s 9:28 am. My amorphous intelligent agent, Kodi, reminds me that I have a meeting in two minutes. I turn away from the blank wall I was just looking at that held a digital representation of my work area and face the couch and couple armchairs in my bright, sunlight home office. The wall behind me reverts to a lazy afternoon view of Venice from the viewpoint of an apartment window overlooking a quiet canal. My brain-computer interface detects my upbeat mood and changes the view to overlook the bustling Grand Canal. Sensors register my reactionary microexpressions and switch to an aerial backdrop of New York’s financial district and the brisk moving pedestrians in the rising sun of morning rush hour. I smile. Infrared sensors also detect my slightly elevated heartbeat and swap the dark roast in my espresso maker for decaf as it percolates a fresh cup.

At 9:30 am a pleasant bell tone sounds and my colleague, Cullen, materializes as a photorealistic hologram seated on the couch in front of me and we exchange hellos as another tone sounds and our mutual colleague, Jia, materializes standing next to the armchair to my right. I walk over to Jia’s outstretched hand and feel the sensory feedback of resistance and pressure as we haptically share a virtual handshake. Jia and Cullen’s holograms nod to each other in greeting and Jia’s hologram takes a seat in the armchair.

As we begin talking, Kodi captures key takeaways from the meeting and cycles 2 displays of information that continuously update and refresh as the conversation evolves. The first, visible to all three of us, is a constantly updating array of resources cycling across the surface of the coffee table between us showing past meeting notes, actions, and related research and news articles. The second array is visible to me only and floats at the periphery of my view with more personally attuned information—recent conversations I’ve had or notes I’ve taken, calendar updates, and my biometric readings as well as data aggregated from the three of us reflecting the tone and mood of the room. It also indicates that my coffee is ready, so I switch from full-form mode to face-only mode and Jia and Cullen can continue to see my facial expressions in real-time as my hologram remains seated facing them, but I physically get up to grab my coffee refill. As I sit back down in my armchair I toggle back to full-form mode as I shift positions in my chair and take a sip.

As we discuss an upcoming event, my calendar flicks to the foreground of my view showing the event details and surrounding events and locations before and after. I push this view into the middle of the room which enables Cullen and Jia to see my calendar view as well, but in moving from private to shared, the details of my appointments are masked. A moment later, the shared view updates to include Jia and Cullen’s schedules as they push their views into the shared space as well. Based on the context of our conversation, Kodi overlays major industry events over the top of our calendars. Jia points out a gap in activities about a week prior and suggests we target that date for our announcement. Kodi registers from the content that we will need a final review meeting and 3 potential meeting slots highlight on our shared calendar 3 days prior. We agree on the best one and our respective calendars are updated with the invite including key takeaways from today’s meeting and links to prior discussions on the same topic.

As we’re wrapping up, Cullen mentions he has an updated version of the prototype we are planning to announce. The object materializes in front of us as Cullen enables his share feature. On Cullen’s side, he is holding the physical object, but Jia and I see an identical virtual replica as Cullen points out the changes he’s made. He then shifts from physical share to virtual share and explodes the object out to the size of the room so we can see the updates at the internal component level. I get up and walk closer to Cullen, stepping inside the object, which I can then reach out and touch to manipulate, highlight, or edit. The changes look great and I turn and give Cullen a haptic high-five.

As our conversation wraps up, I see the actions and updates Kodi has added to my calendar and to-do list in my periphery. I wave goodbye to Jia and Cullen and they fade out of my room. It’s 10 am, and according to Kodi, it’s a good time for a morning break.

Combining AR in the Collaboration Space

Okay, some of this may still be out there on the time horizon, but some components are becoming a reality today. The above experience relies on a seamless mesh of natural language processing, adaptive algorithms, connected sensors, non-invasive biometrics, brain-computer interfaces, extended reality, and haptics. While some fields, like brain-computer interfaces and haptic feedback, are still in early stages, other areas like machine learning and natural language processing are becoming table stakes today.

Extended reality (augmented, virtual, mixed) is one area I’m particularly excited about. At Cisco, our Collaboration group has been fairly vocal about enabling augmented reality experiences with our Webex and Webex Teams APIs, specifically for a remote expert use case. Where we’ve been less vocal is what mixed reality can bring to the collaboration table, but we’ve been building something in stealth mode for the last couple of years which is truly exciting.

Proof of Concept for Three-Dimensional Collaboration in Real-Time

We’re not quite ready to share what we’ve been prototyping, but it’s been exciting challenging the current concept of what a meeting is and could be. We’re tapping into our internal knowledge of hardware, software, and networking, and we’ve been working behind closed doors with industry vendors at the top of their game—paradigm shifters who are opening up a whole new world of possibilities for creators, inventors, and dreamers everywhere.

I have the pleasure and privilege of leading initiatives for our innovation team where we are asking questions like: What if you could have real-life interactions that are better than what is currently possible in real life? What if conferencing didn’t have to be limited to a 2-dimensional plane? What happens when “real” and “virtual” are no longer distinct ideas?

There’s a lot to figure out and we’re not quite ready to tell the world what we’re building, but I can tell you, you’ve never experienced anything like this before because it’s never been done before! Stay tuned; you won’t want to miss it. These are exciting times to be a dreamer because, yes, dreams really do come true.

Continue reading

Artificial Intelligence Translational Services Use Cases in Cisco Contact Centers

Artificial Intelligence and Translational Services

The world is flattening; thus, with the business becoming increasingly global, the existing language barriers demand new solutions across vertical markets, especially when dealing with a company to a consumer.

Europe, with its 24 official different languages, is certainly posing some extra challenges to those companies delivering services across countries part of the union, and that’s nothing considering that there are more than 200 languages spoken on the continent.

The language barrier is undoubtedly and historically adding complexity to international business, and this is especially true when we consider Contact Centers and the high-quality customer experience they have to deliver in business-to-consumer services. While in business to business, there is a de facto international language, which is English. If there are consumers involved, that’s no longer an option —companies have to deal with the many languages spoken across countries.

Narrowing the Call Center Gap

With new generations of new consumers speaking their mother tongue language when calling a contact center, the translation problem will not disappear anytime soon. We should even expect the problem to become further challenging because of the increasing immigration of people. In 2017 2.4 million immigrants entered the EU from non-EU countries, and a total of 22.3 million people (4.4 %) of the 512.4 million people living in the EU on 1 January 2018 were non-EU citizens*

While these new immigrants will learn the local languages, they need to access services, especially public services, and this is quite a challenge, in particular for public administrations. In theory, a Contact Center could afford these challenges employing multilanguage agents or more agents. Still, it’s rather clear that this is far to be an optimal solution, and the associated costs are not negligible.

Apart from that, we are not talking about supporting two or three different languages, but rather a multitude of idioms; to depict the complexity of such a model, consider the challenges that this poses to a European contact center service in terms of WorkForce Management and Optimizations. When delivering a satisfied Customer Experience, it’s no longer just a matter of the number of agents we need each hour of the day, of the week, and the week of the month, but rather how many different languages they can speak — an authentic nightmare.

The Growing Need for Multilanguage Agents

It is also happening quite often that the multilanguage agents might be good at speaking two or three languages but not necessary at writing those. Therefore, the challenge is even higher for Digital Contact Centers.

Recent advances in speech technology and Natural Language Understanding (NLU) have the potential to transform today’s challenges into new opportunities. Artificial Intelligence, integrated into Cisco Cognitive Contact Centers, could deliver an excellent solution to business problems like those described above. For example, a digital Cisco Cognitive Contact Centers could leverage Google AI DialogFlow capabilities to provide a Chat Translation Assistance Service, literally able to remove the language complexity and costs from the “Contact Center Work Force Optimization equation.” Let’s see how in the following proof of concept example:

Watch the Video:

This is the logical architecture used in the video.

Another use case we may want to consider as a proof of concept is when traditional audio-only contact centers are located in a country abroad, where the cost of labor is cheaper. There are agents able to speak the required language even if they aren’t mother tongue. For example, this is the case for North African French-speaking contact centers, Est European Italian contact centers, and many more.

In cases like these, Cisco Cognitive Contact Centers powered by Artificial Intelligence could deliver an Audio Transcription and Translation Agent Assistance Service meant to assist the agent in dealing with foreign languages in a more natural, quicker, and more productive way. Let’s see how in the following proof of concept example:

Watch the video:

This is the logical architecture used in the video.

Transforming Customer Experience with Contact Center AI

The Contact Center business is going through a series of significant changes driven by the technology innovation, the raise of socials, and the new consumption models that are being evaluated by most of the companies.

From a technology angle, there is very little doubt that the advent of Artificial Intelligence is transforming traditional call centers into Cognitive Call Centers. This arrival is turning an IT cost into a business strategy tool to increase Customer Experience, achieving higher customer service levels and quality, increasing the productivity of agents, and even lifting their traditional role to the new one: customer ADVISORS and CONSULTANTS.

Cisco has a portfolio of on-premise, hybrid, and cloud contact center solutions. That covers the undergoing migration to Cloud and the demand for a versatile, open, consistent architecture across on-premises, hybrid, and cloud solutions able to grant a smooth transition to the broad base of existing customers and at the same time allowing a consistent innovation adding digital channels and artificial intelligence.

Continue reading

CLEUR Preview! Source of Truth Driven Network Automation

It’s a new year and a new decade, so it’s time for a NEW BLOG about network automation. I am getting ready for Cisco Live Europe 2020 and want to give everyone a preview of some of what I’ll be talking about in my session How DevNet Sandbox Built an Automated Data Center Network in Less than 6 Months – DEVNET-1488. If you’ll be in Barcelona, please register and join me for a look at how we approached this project with a goal to “innovate up to the point of panic” and brought in a lot of new NetDevOps and network automation processes.  But don’t worry if you’re reading this from far off in the future, or aren’t attending CLEUR, this blog will still be wildly entertaining and useful!

Today’s blog I want to build on those by showing where the details that provide the INPUT to the automation comes from – something often called the Source of Truth.

What is a Source of Truth?

If you’ve been kicking around the network automation space for awhile, you may have run across this term… or maybe you haven’t, so let me break it down for you.

Let’s say you are diving into a project to automate the interface configuration for your routers.  You’re going to need 2 things (well likely more than 2, but for this argument we’ll tackle 2).

First, you’ll need to develop the “code” that applies your desired standards for interface configuration.  This often includes building some configuration template and logic to apply that template to a device.  This code might be Python, Ansible, or some other tool/language.

Second, you need to know what interfaces need to be configured, and the specifics for each interface.  This often includes the interface name (ie Ethernet1/1), IP address info, descriptions, speed/duplex, switch port mode, and so on.  This information could be stored in a YAML file (a common case for Ansible), a CSV file, dictionaries and lists in Python, or somewhere else.

Then your code from the “first” will read in the details from the “second” to complete the project.

The “Source of Truth” is that second thing.  It is simply the details that are the desired state of the network.  Every project has a “Source of Truth”, even if you don’t think of it that way.  There are many different tools/formats that your source of truth might take.

Simple Sources of Truth include YAML and CSV files and are great for small projects and when you are first getting started with automation.  However, many engineers and organizations often find themselves reaching a point in their automation journey where these simple options are no longer meeting their needs.  It could be because of the sheer amount of data becomes unwieldy.  Or maybe it’s the relationships between different types of data.  Or it could be that the entire team just isn’t comfortable working in raw text for their information.

When text based options aren’t meeting the needs anymore, organizations might turn to more feature rich applications to act as their Source of Truth.  Applications like Data Center Infrastructure Management (DCIM) and IP Address Management (IPAM) can definitely fill the role of the Source of Truth.  But there is a key difference in using a DCIM/IPAM tool as an automation Source of Truth from how we’ve traditionally used them.

How a DCIM or IPAM becomes a Source of Truth

In the past (before automation), the data and information in these tools was often entered after a network was designed, built, and configured.  The DCIM and IPAM data was a “best effort” representation of the network typically done begrudgingly by engineers who were eager to move onto the next project.  And if we are honest with ourselves, we likely never trusted the data in there anyway.  The only real “Source of Truth” for how the network was configured was the actual network itself.  Want to know what the desired configuration for a particular switch was?  Well go log into it and look.

With Source of Truth driven network automation, we spin the old way on its head.  The first place details about the network are entered isn’t at the CLI for a router, but rather into the IPAM/DCIM tool.  Planning the IP addresses for each router interface – go update the Source of Truth.  Creating the list of VLANs for a particular site – go update the Source of Truth.  Adding a new network to an existing site – go update the Source of Truth.

The reason for the change is that the code you run to build the network configuration will read in the data for each specific device from the Source of Truth at execution time.  If the data isn’t in your DCIM/IPAM tool, then the automation can’t work.  Or if the data isn’t correct in the DCIM/IPAM tool, then the automation will generate incorrect configuration.

It’s also worth noting now that a Source of Truth can be used as part of network validation and health tests as well as for configuration.  Writing a network test case with pyATS and Genie to verify all your interfaces are configured correctly?  Well how do you know what is “correct”?  You’d read it from your Source of Truth.  I call that “Source of Truth driven Network Validation” and I’ll tackle it more specifically in a future blog post.

Source of Truth Driven Automation in Action!

Enough exposition, let’s see this in action.

The Source of Truth that we use in DevNet Sandbox for most information is Netbox.  Netbox is an open source DCIM/IPAM tool originally developed by the network automation team at Digital Ocean for their own needs, and has been popular with many engineers and enterprises looking for a tool of their own.

Let’s suppose we need to add a new network to our main internal admin environment in the Sandbox with the following basic information.

◉ The name of the network will be demo-sourceoftruth

◉ It will need an IP prefix assigned to it from the appropriate IP space

◉ Ethernet 1/3 on the switch sjcpp-leaf01-1 needs to be configured as an access port for this network

The automation to do the actual configuration of the VLAN, SVI, interface config, etc is already done, what I need to do is update the Source of Truth that will drive the automation. This involves the following steps:

1. Creating a new VLAN object

2. Allocating an available prefix and assigning to the new VLAN

3. Updating the details for port Ethernet 1/33 to be an access port on this VLAN

Note: You can click on the screen images that follow to enlarge for easier viewing.

Step 1: Creating a new VLAN object

I start in Netbox at the Tenant view for our Admin environment. From here I can easily view all the DCIM and IPAM details for this environment.

I click on VLANs to see the current list of VLANs.

The “Group” column represents the VLAN Group in Netbox – which is a way to organize VLANs that are part of the same switching domain where a particular VLAN id has significance.  This new network will be in the “Internal” group.  I click on “Internal” on any of the VLANs to quickly jump to that part of Netbox so I can find an available VLAN id to use.

I see that there are 4 VLANs available between 25 and 30, and I click on the green box to add a new on in that space.

I provide the new name for this network, and indicate it’s role will be for “Sandbox Systems”.  As this new network will be part of the Admin Tenant, I select the proper Group and Tenant from the drop downs.  Netbox supports creating custom fields for data that you need, and we’ve created a field called “Layer3 Enabled on Switched Fabric” to indicate whether SVIs should be setup for a network.  In this case that is True.  After providing the details, I click “Create” to create this new VLAN.

Step 2: Allocating an available prefix and assigning to the new VLAN

Netbox is a full featured IPAM, so let’s walkthrough allocating a prefix for the VLAN.

I start at the Supernet for admin networks at this site, 10.101.0.0/21 to find an available prefix.

I click on the Available range, to jump to the “Add a New Prefix” interface.

I start by updating the Prefix to be the proper size I want, picking the Role (this matches the VLAN role), providing a good description so folks know what this is for.  I then choose the new VLAN we just created to associate this prefix to using the drop downs and search options provided in the UI.  Lastly I pick the Admin tenant and click “Create”

Now if I go back and look at the VLANs associated with the Admin Tenant, I can see our new VLAN in the list with the Prefix allocated.

Step 3: Updating the details for port Ethernet 1/3 to be an access port on this VLAN

The final step in Netbox is to indicate the physical switch interfaces that will have devices connected to this new VLAN.

I navigate in Netbox to the device details page for the relevant switch.  At the bottom of the page are all the interfaces on the device.  I find interface Ethernet 1/3 and click the “Edit” button.

I update the interface configuration with an appropriate Description, set the 802.1Q Mode to Access, and select our new VLAN as the Untagged VLAN for the port.  Then click “Update” to save the changes.

Applying the New Network Configuration

With our Source of Truth now updated with the new network information, we simply need our network automation to read this data in and configure the network.  There are many ways this could be done, including a fully automated option where a webhook from Netbox kicks off the automation.  In our environment we are adopting network automation in stages as we build experience and confidence.  Our current status is that we execute the automation to process the data from the Source of Truth to update the network configuration manually.

When I run the automation to update the network configuration with the new Source of Truth info, here are the changes to the vlan-tenant configuration for our admin environment.

hapresto@nso1-preprod(config)# load merge nso_generated_configs/vlan-tenant_admin.xml

Loading.

1.78 KiB parsed in 0.00 sec (297.66 KiB/sec)

hapresto@nso1-preprod(config)# show configuration

vlan-tenant admin

  network demo-sourceoftruth

    vlanid 26

    network 10.101.1.0/28

    layer3-on-fabric true

    connections switch-pair sjcpp-leaf01

      interface 1/3

      description "Demonstration VLAN for Blog - Interface Config"

      mode access

Here you can see the new network being created, along with the VLAN id, prefix, and even the physical interface configurations.  All this detail was pulled directly from Netbox by our automation process.

And if you’d like to see the final network configuration that will be applied to the network after processing the templates in our network service by NSO, here it is.

    device {

        name sjcpp-leaf01-1

        data vlan 26

              name demo-sourceoftruth

             !

             interface Vlan26

              no shutdown

              vrf member admin

              ip address 10.101.1.2/28

              no ip redirects

              ip router ospf 1 area 0.0.0.0

              no ipv6 redirects

              hsrp version 2

              hsrp 1 ipv4

               ip 10.101.1.1

               preempt

               priority 110

              exit

             exit

             interface Ethernet1/3

              switchport mode access

              switchport access vlan 26

              no shutdown

              description Demonstration VLAN for Blog - Interface Config

              mtu 9216

             exit

    }

    device {

        name sjcpp-spine01-1

        data vlan 26

              name demo-sourceoftruth

             !

    }

Note: The service also updates vCenter to create a new port-group for the vlan, as well as Cisco UCS, but I’m only showing the typical network configuration here.

Finishing Up!

Hopefully this gives you a better idea about how a Source of Truth fits into network automation projects, and how a tool like Netbox provides this important feature for enterprises.

Continue reading