Showing posts with label Cisco ASR 9000. Show all posts

Saturday, 6 August 2022

Latest Innovations in Cisco DNA Software for Switching

Cisco continues to deliver on its promise of innovation in the Cisco DNA software for Switching subscription. By deploying the latest innovations in Cisco DNA software for Switching along with Cisco DNA Center, you can unlock the full power of your Catalyst switches in a user-friendly way. There is no question that Cisco DNA Center is a more powerful management platform for your Catalyst devices than any third-party network management system.

What’s new?

ThousandEyes integration (Application assurance): Cisco DNA Center can provide visibility into how your applications are performing, which is improved as a result of the out-of-the-box integration with ThousandEyes (TE). TE agents are included in Cisco DNA Software subscriptions at the Advantage level in specific models; they just need to be deployed to your switches. You can see applications that TE agents are monitoring in the dashboard and get a performance summary (loss, latency, jitter) with the ability to drill down further. TE provides insight not only into your internal network but also into service providers.

Figure 1: ThousandEyes integration in Cisco DNA Center

Client Health: This feature allows you to quickly and efficiently understand how well the network is supporting end users. Faster issue resolution minimizes the impact of any issues on end users as well as on IT staff. You can drill down and search for specific users and get a 360 view of the health of their devices to pinpoint any downtimes.

Figure 2: Client 360 in Cisco DNA Center

PoE analytics: As people return to the office, it is important to be able to understand the power in remote offices. PoE analytics will allow IT to troubleshoot issues by looking at key attributes of PoE. For example, if a device is pulling more power, it is usually an indication that it may break. Action can be taken to disable specific ports or even power cycle ports.

Figure 3: PoE Analytics

Group Policy with ISE: The integration of Cisco DNA Center and ISE to control policy on a Cisco network provides a level of security that is unmatched in the industry. You can visualize what’s going on in your network and what devices and servers are communicating with each other. This allows you to make corrections as needed and ultimately prevent any security breaches.

Figure 4: Cisco DNA Center integration with ISE

Cisco DNA Spaces for Smart Buildings: Cisco DNA Spaces, a cloud-based data platform for IoT devices, gives smart building managers an all-encompassing view of operations and power consumption of smart lighting and shades, conference room availability, cleaning frequency, and asset location, to name a few. Cisco DNA Spaces entitlement for Smart Buildings (See and Extend) is included in Cisco DNA Advantage licenses for Cisco Catalyst 9300 and 9400 Series Switches.

Figure 5: Cisco DNA Spaces

How can I get these features and more?


If you already have a Cisco DNA Advantage subscription in Switching along with Cisco DNA Center, you can use these features at no additional cost.

If you do not have a Cisco DNA Advantage subscription or if you have a Cisco DNA Essentials subscription, the time to upgrade is now. We will continue to innovate and add more wireless features to our Advantage tier.

Cisco is expanding the deployment options of Cisco DNA Center to provide greater operational flexibility and choice.


Cisco DNA Center is currently installed on a dedicated appliance. However, we recently announced at Cisco Live a new option for Cisco DNA Center customers, the Cisco DNA Center Virtual Appliance. The virtual appliance, which is targeted for general availability next year, will give customers new deployment options for a network controller to deploy in a public cloud on AWS or on VMware ESXi within a company data center or in a private cloud.

Source: cisco.com

Sunday, 7 November 2021

Catalyst 9000 Simplifies Network-Based Threat Detection Using Inline Security Telemetry

The term Catalyst is synonymous with accelerating change, stimulating actions, and facilitating transformations. The Cisco Catalyst 9000 family of switches and access points support these qualities for enterprise networks around the world, making it the fastest ramping product in Cisco’s history. Based on a powerful and flexible Programmable ASIC with Unified Access Data Plane (UADP) that unites wired and wireless data planes, the enterprise networking platform has delivered continuous innovations since its introduction, including:

◉ Purpose-built Zero-Trust Fabric for campus to branch with Cisco SD-Access

◉ Docker-based application hosting enabling use cases such as running ThousandEyes Agents on the switch

◉ Network-Based Application Recognition Engine (NBAR) for identification and control of 2000+ applications

As enterprise networks expand from centralized data centers and campuses to support a distributed workforce and thousands of edge IoT devices, IT faces unique security challenges. While the workforce can take advantage of zero-trust multi-factor authentication to ensure proper access security, IoT devices cannot. Now Cisco is leveraging the programmability of the UADP ASIC to deliver zero-trust security for the world of IoT devices.

Zero Trust for IoT Using Network Telemetry Analytics

IoT devices should be continuously assessed to check for unusual behavior such as pretending to be trusted endpoints using MAC Spoofing, Probe Spoofing, or Man-in-the-Middle techniques. IoT devices—typically smart building technologies such as lighting, HVAC, and security cameras—need to be segmented from Information Technology assets to prevent threats from moving laterally in the network. The key to segmenting IoT devices is to accurately profile and classify them according to type, communication protocols, and traffic patterns. To implement Zero Trust with least privilege access, both historical and real-time traffic telemetry needs to be available to Trust Analytics to detect sudden changes in device behaviors.

To attempt to accomplish this in the past, overlay solutions required spanning of live traffic from switches to collectors that run analytics on samples of telemetry. These additional components, as depicted in Figure 1, introduce deployment, configuration, and maintenance complexity, thereby increasing the TCO as well as IT overhead.

Figure 1. Typical Overlay Model for Telemetry Generation

The unique way Catalyst 9000 switches and access points solve this problem—in conjunction with Cisco SD-Access—is by generating inline telemetry directly on the switches. This capability, based on the power of the UADP ASIC, eliminates the need to make copies of traffic from every switch to send to multiple services—exporters, brokers, collectors, and analyzers for each kind of traffic—to generate the necessary security telemetry. The capability to stream full telemetry information directly from Catalyst switches provides operational status of the network as well as Deep Packet Inspection of traffic flows so that Cisco DNA Center can detect the true purposes of device-to-device communications. Since DPI telemetry is generated directly by Catalyst switches, the need for expensive extraneous appliances is eliminated, as shown in Figure 2.

Another advantage is that since all Catalyst 9000 switches are generating telemetry simultaneously, there is no single point of failure—such as when a data broker is offline—increasing the reliability of catching abnormal traffic patterns being generated by an attempted infiltration by a threat actor.

Figure 2. Deep Packet Inspection and Telemetry Generation with Catalyst 9000 Switches

Maintaining Zero-Trust Across Campuses


Wired and wireless traffic telemetry in one platform provides an expansive view across the campus for pinpointing security anomalies and threats from devices of all types. Cisco SD-Access plus Catalyst 9000 switches and access points uniquely provide traffic telemetry to Cisco DNA Center to identify device types, categorize devices by security group tags, and monitor every device for behavior anomalies.

For example, with all traffic telemetry streaming from Catalyst 9000 switches and access points, Cisco DNA Center can analyze the traffic being generated by each individual device and identify the type—security cameras, motion sensors, lights—tagging them with access policies for segmentation. Should a camera start talking in laptop language as the result of a man-in-the-middle attack, the camera's trust level will automatically be downgraded and the camera isolated to prevent the lateral spread of an infection.

The Cisco SD-Access Zero-Trust Journey

Connect, Secure, and Automate with Catalyst 9000 Infrastructure


The software-defined network fabric consisting of Cisco Catalyst switches and access points becomes a vast matrix of sensors supplying data for security analytics that monitor, detect, isolate, and report on threats as they occur. The Catalyst 9000 family of switches provides real-time security telemetry from millions of devices across multiple campus sites, from inner to outer edge of the network for endpoint analytics, policy analytics, and trust analytics to connect, secure, and automate the enterprise.

Source: cisco.com

Tuesday, 30 June 2020

As the landscape evolves, so must the enterprise backbone

Most organizations today take advantage of cloud services. From software as a service (SaaS) to infrastructure as a service (IaaS), these cost-effective solutions help accelerate business and offer new opportunities for innovation.

Within the Cisco network, we’ve seen an impact from changing traffic patterns as our clients adopt cloud services. We see more and more traffic going to the Internet and cloud services, and this level of traffic is growing at a very fast rate. This change meant we saw a 200 percent increase in peak Internet and cloud traffic within just 12 months. During that time, traffic across our internal, private enterprise backbone also rose steadily, primarily due to large transfers between data centers. We quickly realized the traditional enterprise network is not ready to deliver the scale and resiliency needed to support this drastic shift in traffic patterns.

Technologies such as cloud, bring your own device (BYOD), and Internet of Things (IoT) require us to think differently about security. The enterprise network is becoming more segmented and each segment has different connectivity and security needs. Previously, the private backbone was a single, flat network; it now needs to deliver multi-tenancy and the ability to extend security segments across the globe.

These challenges have put us on an evolutionary path from a traditional enterprise backbone design to a software-defined and cloud-ready backbone. (Figure 1)


Figure 1. New software-defined design in the Cisco Cloud Backbone

From an enterprise-like backbone to a service-provider-like backbone


Cisco IT is deploying a new global backbone powered by Cisco ASR 9000 Series Aggregation Services Routers running Cisco IOS-XR software. This highly scalable and programmable platform provides a strong foundation for the new backbone and will allow us to operate more like a service provider for our internal clients.

Although our initial priority is to address Internet and backbone scalability challenges, we also need to offer more advanced services to support our users. For example, can you imagine a day, a few hours, or even a couple of minutes without access to the Internet and your business-critical SaaS apps? To avoid this potential disruption, our new backbone needs to deliver an always-on and excellent user experience. It needs to detect failure conditions and automatically steer traffic over resilient peering connections across the globe.

By more intelligently routing traffic over the new backbone and augmenting it with cheaper bandwidth, we hope to increase capacity without affecting our telecom budgets. By supporting multi-tenancy, the new backbone will be able to deliver customized services for each of our internal tenants and extend security zones globally.

From the beginning, we are taking a “no command line interface” approach, which will allow us to deploy and operate the new backbone through software. The goal of this approach is to translate the user’s intent and program it into the network within minutes instead of days.

Where Are We in our Journey?


Although standardization and simplification have always been top of mind for Cisco IT, over the 20 years of its existence our backbone has become a complex environment. This complexity makes the transition to a new backbone design a high-risk and cumbersome effort. Before using the new backbone design to deliver more advanced services, we know that it’s key to take the time to build a rock-solid foundation. This foundation work includes:

◉ Deploying Cisco ASR 9900 Series routers in 13 colocation facilities and Cisco campus buildings globally

◉ Addressing challenges of Internet route table growth

◉ Implementing a hierarchical Global Border Gateway Protocol (BGP) AS109 network

◉ Migrating existing tenants onto the new backbone

When the foundation work is completed, we will evaluate user needs in order to focus on deploying network capabilities that deliver the most business value.

Future objectives include improvements for:

◉ Delivering global network as a service

◉ Speed of delivery through programmability and automation

◉ Assurance through streaming telemetry

◉ Multi-tenancy and traffic steering through multiprotocol label switching (MPLS) and segment routing

IT needs to assure the enterprise backbone evolves to support internal business users. Cisco IT has started this transformation. Our users expect ordering IT network services to be as simple as shopping online. This new backbone will enable us to more efficiently connect our clients to Internet and SaaS applications, extend security zones globally, and interconnect sites, private clouds, and public clouds.

Sunday, 8 July 2018

ASR 9901 – More choice and flexibility in your hands

Innovation, quality and customer focus are part of Cisco DNA. Our customers expressed the need to have a platform that is compact, dense, flexible, feature rich and supports programmability.

I’m thrilled to announce the availability of ASR 9901 – a compact Two-Rack-Unit (2RU) platform designed for a wide variety of use cases across Service Provider, Enterprise and Hyperscale Web providers. It nicely complements our impressive ASR 9000 portfolio.


The platform is scalable and delivers an incredible 800 Gbps of throughput while also providing flexibility in terms of port speeds, supporting 1/10/100 Gbps with industry-leading MACsec encryption support on all ports. The ASR 9901 platform shares the same Operating System (OS) and custom silicon as the ASR 9000 family, thereby providing operational consistency and advanced features such as Segment Routing, Ethernet VPN (EVPN), model-driven programmability and telemetry, and other enhancements we brought into IOS XR.

Where does this box fit?


The ASR 9901 fits well into small Points of Presence (PoP) and Colocation Centers (CoLo), where typical bandwidth demand is below 500G but port flexibility and high 1G/10G density are required. The platform paves the way for customers to move to 100GE without having to sacrifice Edge features. This platform supports broader applications such as Broadband Network Gateway (BNG), Distributed Provider Edge, Internet Peering, Metro Aggregation, Data-Center Interconnect (DCI), Data-center/WAN Aggregation and Backbone router functions for Enterprises.

BNG


ASR 9000 as a Broadband Network Gateway (BNG) provides the fastest, densest and most reliable solution in the market. With an industry-leading geo-redundancy solution, you can let the network take care of maintaining the session states as well as management. The IOS XR BNG solution runs the same code base from a fixed 2RU solution to a multi-terabyte full rack chassis. This gives customers a huge portfolio of options without having to worry about re-validating their solution on every node. Now, with BNG being pushed closer to the user, deploying ASR 9901 makes more sense, with the system supporting higher BNG scale than the existing fixed chassis along with support for automation, telemetry, etc.

Distributed Provider Edge


Service Provider customers have been predominantly using the fixed systems as aggregators and distributed PEs because the platforms support the same scale as their modular counterparts. Continuing the tradition, the ASR 9901 will support the industry-leading multidimensional scale (FIB, QoS) on the new compact chassis.


DCI


ASR 9000, more specifically ASR 9001 (fixed 2RU), has been deployed by customers as a Layer 2 and Layer 3 DCI, primarily supporting 10/40G speeds within data centers. The ASR 9901, with full support for EVPN and VXLAN capability, will be a more viable solution for our customers as the DCI router with Nexus 9K integration through OpFlex.

Central Office Fabric


With customers looking for programmable fabric (CO Fabric) with Segment Routing (SR) underlay and EVPN overlay, ASR 9901 provides the smallest building block for feature-rich service termination. Customers can drop in additional service PEs if they need to support more services. This platform addresses the SR requirements with multiple MPLS label stacks (10 labels) as well as deep buffers, hierarchical QoS and faster convergence.

In a nutshell, this new platform provides our customers with greater flexibility without having to compromise on features, and lets them move to 100G in small PoPs and CoLos.

Friday, 1 December 2017

The Cisco ASR 9000 – Timeless Versatility for Future Growth

Cisco’s Aggregation Service Router 9000 (ASR 9k) has evolved into the cloud-scale, multi-service platform offering unprecedented flexibility, scale, programmability and security for Service Providers today.

When the ASR 9k was first announced in November 2008, it was a 6-slot and a 10-slot chassis—each of them capable of handling 3.2Tbps and 6.4Tbps of traffic, respectively.