
Saturday, 11 May 2024

Secure Firewall & Multicloud Defense: Secure Connectivity With Simplified Policy Across Clouds

Most of our large customers today have datacenters and leverage multiple clouds to maximize flexibility and agility for meeting their business needs. Traditionally, the security for these environments has rested with different teams, each having their own tools and processes. But as our application and IT environments become more interwoven, the complexity of the environments and the challenge of securing them has massively increased. Siloed tools and teams are now part of the problem, generating new gaps and blind spots. Attackers are growing more sophisticated and taking advantage of these new challenges. In fact, last year, 39% of breaches spanned multiple environments and cost organizations an average of $4.75M per breach globally.

It is time to rethink how organizations approach the hybrid-multicloud security strategy — converging the fabrics between on-premises and cloud network security to foster collaboration across teams and deliver a unified edge security strategy.

Today, we’re bringing on-prem and cloud security together into one unified platform through the Cisco Security Cloud to marry the power of Cisco Secure Firewall and Cisco Multicloud Defense. Combined, these solutions provide multi-environment customers with greater visibility and protection across environments, more consistent control to reduce risk, and simplified security policy creation to alleviate complex operations.

This year at RSA Conference 2024, customers can experience where security meets the network with new capabilities between these solutions — as part of our unified security platform.

Multicloud networking: Secure connectivity from ground to cloud


Imagine you have an application on-prem that needs to talk to an application in the cloud. How would you approach this challenge? Traditionally, organizations have had to rely on third-party native tools. However, these services can be costly — especially as you scale applications and environments. And as you scale, the complexity increases, reducing visibility and control of critical security functions. Now, by leveraging our unified platform with the Cisco Security Cloud, customers can build these connections in house with secure site-to-cloud and cloud-to-cloud connectivity between applications and environments. With this, organizations will be able to securely scale hybrid cloud operations while reducing cost and maintaining visibility and control of their connections and data.


New network object sharing further simplifies policy creation across multi-environments


In many cases today, organizations are building, deploying, and managing policies in silos. This disparate method strains teams — creating laborious, redundant steps in the policy building process, increasing the risk of human error, and cueing the dreaded swivel chair scenario — hopping between numerous tools and platforms to build policies.

At Cisco Live EMEA, we announced general availability of network object sharing for static objects. Today at RSA Conference, we’re reducing multi-environment complexity even further with the ability to now share dynamic objects using our unified management fabric. This gives organizations a single location to pool objects, simplifying policy building and management across environments. Baked into the Cisco Security Cloud platform, this capability empowers organizations to easily share objects between Secure Firewall and Multicloud Defense, reducing complexity, removing duplicative processes, and stopping the pain of maintaining yet another case of siloed operations across separate solutions.


As we continue to innovate across the Cisco Security Cloud, synergies across the network security portfolio will continue to grow. The launch of these shared capabilities between Cisco Secure Firewall and Cisco Multicloud Defense is a significant step towards converging the fabrics of best-in-class data center and cloud security to protect customers from ground to cloud.

Looking to get started? Understand your risk by signing up for our free Cloud Visibility and Risk Report. Powered by Cisco Defense Orchestrator and Cisco Multicloud Defense, our solutions run alongside your clouds to help you understand your risk with pervasive visibility into assets and connections — our experts then provide you with actionable security insights and recommendations to better protect your infrastructure.

Source: cisco.com

Tuesday, 30 May 2023

To the Cloud and Beyond―A Comprehensive Model for Enhanced NetOps and User Experience

Cloud computing has become wildly popular among IT organizations for a number of reasons, including its ability to enhance efficiency, security, agility, and cost-effectiveness. But now cloud features and principles have also become the building blocks of something even bigger and more all-encompassing: a unified IT operating model that spans people, devices, networks, applications, and things across the digital infrastructure.

With end-to-end visibility and centralized, cloud-based management, IT can monitor, manage, and control an organization’s entire networking, cloud, and security infrastructure. A unified cloud operating model makes it easier for organizations to pivot as their needs change. Organizations can quickly deploy innovative applications, respond to disruptions and threats, and scale performance and capacity. The model is an antidote to separate, complex, operational silos on-premises, on the internet, and in the cloud. The overall goal of the model is to dramatically improve the efficiency, reliability, and resiliency of IT operations, as well as the quality of user experience.

The Need for a Comprehensive Operating Model 


Recent research conducted by IDC has found IT staff worldwide engaged in a struggle with highly specialized, complex, and manual management tools and procedures in use across on-premises, internet, cloud, and security silos. Between all of the silos are management and security gaps. Integration is limited. Efficiency and time-to-market suffer.

Meanwhile, IT is being asked to innovate in the use of applications and data intelligence, to create great and secure user experiences, to scale up or down in response to demand, and to do it all efficiently and cost-effectively.

Enter the cloud operating model.

With the cloud operating model, cloud principles like anywhere access, self-service dashboards, policy automation, end-to-end visibility, microservices, continuous integration and continuous delivery (CI/CD), and extensibility can be applied across the entire digital infrastructure from access to internet to cloud (Figure 1). That includes all endpoints and systems whether they are on-premises, in the cloud, in remote offices, or mobile.

Figure 1. The Cloud Operating Model

With consistent policies and governance within and across operational domains, the cloud operating model can improve cross-functional collaboration, eliminating disparate processes and disjointed efforts that hamper better business outcomes.

An Ongoing Journey


Achieving a cloud operating model is a journey for organizations requiring a significant shift in how they approach their IT operations:

  • A shift in thinking from viewing cloud and on-premises environments as separate entities to looking at how the best features of both can converge
  • A cultural shift that embraces breaking down silos, promoting collaboration, and encouraging cross-functional innovation
  • New skills, tools, and processes to manage infrastructure, such as automation, DevOps, and agile methodologies
  • Integration of cloud management platforms with legacy systems, which requires careful assessment and a migration strategy

Achieving a cloud operating model is not a one-time event but rather an ongoing journey of continuous improvement across the entire IT environment. Cloud features and a unified management platform provide the means to monitor, optimize, and innovate to help ensure that organizations are getting the most value from their investments.

Where to Begin?


Start by evaluating which cloud principles exist in which domains. At Cisco, we’re developing a new tool that helps organizations define their various infrastructure principles within the access network, software-defined WAN (SD-WAN), and data center. By overlaying principles on infrastructures, an organization can identify opportunities to integrate silos to help meet business and operational objectives.

Some organizations are starting the journey to the cloud operating model by extending SD-WAN connectivity across multiple clouds for simpler IT management and a better application experience. With a distributed SD-WAN, they can apply policy, visibility, control, and zero trust consistently across all clouds, software-as-a-service (SaaS), and middle-mile providers. Other organizations are planning to use this SD-WAN foundation to transition to a secure access service edge (SASE) architecture to connect network and security domains across branches and remote clients.

With our broad cloud and networking platform portfolio, Cisco provides a comprehensive set of solutions with the visibility, consistent policy governance, and insights-driven automation necessary to support an effective cloud operating model. For example, in campus networking, the Cisco Meraki platform supports many key cloud principles.

The Meraki dashboard provides cloud-based management for connected access points and IoT devices, plus monitoring and management of switches. Through the dashboard, configuration and access policies can be defined and automated throughout the network. The dashboard interface is a visual representation of all connected devices, showing the real-time status of each device. And Meraki has a marketplace of partner applications that leverage APIs to extend these capabilities across the network.

Source: cisco.com

Thursday, 8 December 2022

Application Resource Management in Healthcare


Four Ways Healthcare Providers Have Benefited from Intersight Workload Optimizer


IT operations teams are like doctors. Doctors practice preventive medicine to help patients keep their health on track. When a patient’s health goes off track, the doctor minimizes symptoms through medication and rest, and they perform assessments to identify the root cause of the ailment.

In a similar way, IT operations teams keep their organizations’ mission-critical applications on track by providing computing, networking, and storage resources. Sometimes an application demonstrates symptoms indicating there’s something wrong (such as sluggish performance). If the root cause is serious enough and goes unaddressed, it can lead to downtime and impact the end user experience.

Treating the symptoms of poor application performance


Too often IT teams spend most of their time addressing the symptoms of underperforming applications or resuscitating them when they go offline. They’re alerted when there’s an issue, but they can’t easily pinpoint the root cause. This means the symptoms get treated to keep applications running, but the underlying cause or causes go untreated, which can lead to recurring application performance issues and costly staff time spent addressing them.

How to stay ahead of application resource issues


Application resource management solutions like Cisco Intersight Workload Optimizer (IWO) provide vital capabilities to help IT teams prevent application resource issues from occurring while optimizing costs to control their budgets.


Here are four examples where Cisco healthcare customers used application resource management to maintain the health of their organizations’ applications in fiscally responsible ways.

1) Ensuring mission-critical application performance

A healthcare services provider was experiencing performance issues with mission-critical applications. They couldn’t identify where in the stack the issues were originating from, so they used AppDynamics and IWO to gain deep visibility from their applications through their underlying computing infrastructure, particularly into hundreds of virtual machines. The visibility showed them when application performance began to stretch VM workloads and how to optimize their virtual environment to ensure continuous resources for optimal application performance. In addition to providing continuous up-time for their mission-critical applications, the customer has used IWO to optimize workloads in the public cloud and reduce public cloud spend by 40%.

2) Maintaining application performance at a lower cost

a) In order to provide continuous application uptime, a healthcare provider in the midwestern United States uses on-premises infrastructure and hosting services through a public cloud provider. However, the costs for on-premises infrastructure and cloud resources were rising rapidly and not sustainable. Using IWO’s “what-if” scenario planning, Cisco worked with the client’s IT group to demonstrate how they could right-size new server purchases and identify the most cost-effective cloud resources to meet their budget requirements. As a result, the healthcare provider can continue to deliver computing resources to provide experiences their application users expect while delivering tangible cost savings.

b) A healthcare provider in the southeastern United States and Cisco UCS customer needed to improve overall infrastructure availability, specifically by getting better insight into the real-time status of VMs and other computing resources. With a restricted IT budget, they also needed to extend the life of existing systems to reduce their CapEx expenses. Using IWO, the healthcare provider identified an opportunity to reduce the number of hosts by 50% while maintaining the same levels of utilization and avoiding unnecessary CapEx investments. At the same time, the healthcare provider used IWO to ensure workload configurations comply with its policies, which has helped the customer improve its HIPAA compliance posture.

3) Conducting an EHR cloud migration analysis

This healthcare provider needed to refresh its Epic hyperspace environment for its primary electronic health record (EHR) system. Their IT team was considering moving to the EHR provider’s cloud-based IaaS solution. The Cisco team used IWO to conduct a detailed total cost of ownership (TCO)/return on investment (ROI) analysis. The study showed the ability to maintain desired application performance with fewer servers (and less cost) than the EHR provider prescribed. The analysis revealed the healthcare provider would save $500,000 per month over three years, or $18 million, by using an on-premises UCS solution instead of the hosted solution. The healthcare provider also went on to use IWO to continue optimizing its virtual environment for ongoing application resource management and cost containment.

Keep your applications in shape through application resource management


As a healthcare provider, your patients, caregivers, and others rely on your applications. With solutions like IWO at your disposal, you have the power to adopt best practices in application resource management and ensure uptime to deliver the experiences your users expect while gaining cost-containment capabilities. Rise above treating the symptoms of an ailing infrastructure; exercise proactive application resource management with Cisco Intersight Workload Optimizer to keep your applications and infrastructure in outstanding shape.

Source: cisco.com

Saturday, 19 November 2022

Cisco Intersight Gets a New Look


New User Interface Signals Milestone for Hybrid Cloud Operations Platform


Cisco Intersight, Cisco’s hybrid cloud operations platform, passed a major milestone with the recent release of its new user interface (UI). The UI introduces Cisco’s new branding for its Cloud Networking and Computing software portfolio, brings Nexus Cloud (Cisco’s cloud-managed platform for networking) into the Intersight platform, and improves readability and task findability.

Consistent User Experience

“One of our priorities for the software-as-a-service offerings in Cisco’s Networking and Computing portfolio is to provide a consistent and familiar user experience, no matter which product someone’s using,” said Jeff New, Cisco Intersight Product Manager. Intersight is the first platform to introduce Cisco’s common UI that will be rolled out across its data center computing, networking, and security solutions to provide a more consistent experience for customers.

Cloud Networking, Newest Intersight Platform Service

Intersight’s new UI also introduces cloud-managed networking as the platform’s newest IT operations service. This signals the next step in the platform’s vision to simplify IT operations through a cloud operations model that extends the principles of the cloud to the entire cloud/network IT stack. Nexus Cloud will debut as a service on Cisco Intersight following its current tech preview.

Intersight users can select the IT operations functions they need to perform using the multi-service selector

To easily access Intersight’s services, the new UI introduces a multi-service selector. From the selector, users can choose:

◉ Infrastructure Service – visualize, control, and automate Cisco UCS, HyperFlex, and third-party computing devices

◉ Cloud Orchestrator – automate workflows with a drag-and-drop designer to accelerate delivery of apps and infrastructure

◉ Workload Optimizer – ensure applications get resources when and where needed, at the lowest cost

◉ Nexus Cloud – deploy, manage, and operate your Cisco Nexus networks from the cloud

◉ My Dashboard – personalize a multi-service dashboard using widgets for capabilities across the services on the Intersight platform

◉ System – claim devices, licensing, identity access management, and other account settings

Intersight users will have access to the functions they have licensed and their corresponding permissions. Once users are in a specific service, they’ll find capabilities in a familiar way.

Command Palette – Get to Actions and Information Quickly

Intersight is a comprehensive solution for hybrid cloud operations with a robust feature set. Intersight users have asked for a faster way to find specific objects in their environments as well as the actions they want to take.

To do this, we’ve introduced the Command Palette. Based on a simple search approach, users can input what they want to do and select from the search results. (“Command K” for Mac users and “Control K” for PC users.) The command palette shows suggestions based on your current context and items you’ve used recently.

Users who took part in the tech preview of the new UI report being pleased with the shortcut to specific tasks they want to execute. This lets them launch operations and begin working in fewer clicks.

Cisco Intersight users can find actions fast using the Command Palette.

The new UI also improves readability. The classic Intersight UI presented information in a dense way with heavy text on a single screen. In the new UI, users will find that readability is improved with more relevant information on individual screens and more space that allows users to focus on what’s most important.

One UI, Multiple Benefits

“The new UI is more than an improved look and feel,” said New. “The release of the new UI marks the next significant milestone on our vision to deliver a flexible hybrid cloud operations platform to help customers simplify IT operations. Cloud networking joins the suite of Intersight services, with more to come. And through the common UI, we’re lowering the learning curve for customers of Cisco software so it’s easier to get up and running.”

Source: cisco.com

Thursday, 17 November 2022

Vacationing and IT Operations Part 3: Manage the Change

You are looking forward to a day of island hopping. The cruise has been booked, swimming trunks and snorkels packed – you are ready to dive right in. Alas, on the day of the trip the weather gods decided to rain on your parade. Literally. Now what? You can’t afford to waste a precious vacation day cooped up in a hotel room but it’s too late to plan an alternative.

Continuously Optimize for changes


Thankfully, your hotel has an awesome concierge desk. They have been monitoring the weather forecast and proactively created a few alternate options should things not go according to plan. Within minutes of your cruise being canceled, you get a call from the concierge desk offering day passes to the local indoor amusement park. Wave pool, bowling, rides, food court – the whole nine yards. Wouldn’t it be great if your IT infrastructure was this smart in handling change?

Change Management


Change is the only constant. Your IT team knows this too well. Maintaining the health of an ever-changing hybrid cloud environment is not easy: multiple layers of heterogeneous infrastructure, distributed workloads, and applications across different platforms change dynamically and require constant monitoring, while decisions about cost, performance, and compliance have to be made at the speed of the cloud. This is a challenge beyond the human scale, and it requires the power of data and analytics to solve.

Transform data into insights across your entire environment


A key part of the value proposition of Intersight is how the platform optimizes your environment and constantly adapts to changes.

Increase your situational awareness and remediate faster to stay ahead of problems

Intersight leverages intelligence across all layers


Starting with Cisco Intersight Infrastructure Services, hardware and firmware are monitored to help ensure that your systems are always compliant with the Cisco Hardware Compatibility List (HCL)—any unsupported configurations cause automatic alerts. At the same time, Cisco Intersight Workload Optimizer analyzes and correlates telemetry across your full stack, from your physical servers to virtualized resources, Kubernetes clusters, and application components, wherever they are, to visualize application and infrastructure dependencies.

In addition, Cisco Intersight offers an always-on connection to the Cisco Technical Assistance Center (TAC), constantly monitoring your environment to help identify configuration issues before they become problems. It watches for anomalous infrastructure events, capturing log information and providing centralized alerts about failure notifications or policy violations.

Reduce risk and costs – optimize performance


Automate complex workload placement decisions with intelligent recommendations

All this telemetry and intelligence captured by Intersight across the different layers of your stack is used to automate tasks and decisions that would be otherwise manual, enabling your environment to truly scale. Using an AI-powered recommendation engine, Intersight continuously assures application performance by automating scaling and placement actions, provisioning resources to meet demand, or correcting misconfigurations to avoid disruptions and unnecessary costs.

Intersight gets smarter over time and adapts better to your unique needs with historical data feeds, producing better real-time recommendations and advanced scenario modelling outputs. Examples of automated tasks range from applying security patches and operating system upgrades for physical servers, to licensing for databases on your virtual machines, to resizing and moving workloads for performance and cost, auto-scaling Kubernetes clusters, and applying user access policies across all layers of infrastructure.

Finally, Intersight can automatically generate and forward Cisco TAC support cases when required and even raise service requests and return material authorizations (RMAs) automatically.

With complete visibility into on-premises and public cloud application requirements, resource utilization, availability, and costs, Cisco Intersight can improve your overall situational awareness, reduce risk and cost, and free your teams to focus on more important things.

The show must go on


Cisco Intersight can help you smoothly manage disruptions and reduce risk and cost, through complete visibility into on-premises and public cloud application requirements, resource utilization, and availability. That frees your teams to focus on more important things, like soaking up that awesome wave pool. Rain or shine.

Source: cisco.com

Tuesday, 8 November 2022

Introducing Cisco Cloud Network Controller on Google Cloud Platform – Part 3

Part 1 and Part 2 of this blog series covered native cloud networking and firewall rules automation on GCP, and reading them first is recommended for completeness. This final post of the series is about enabling external access for cloud resources. More specifically, it will focus on how customers can enable external connectivity from and to GCP, using either Cloud Native Router or Cisco Cloud Router (CCR) based on Cisco Catalyst 8000v, depending on use case.

By expanding previous capabilities, Cisco Cloud Network Controller (CNC) will provision routing, automate VPC peering between infra and user VPCs, and establish BGP IPSec connectivity to external networks with only a few steps using the same policy model.

Scenario


This scenario will leverage the existing configuration built previously, represented by the network-a and network-b VPCs. These user VPCs will be peered with the infra VPC in a hub and spoke architecture, where GCP cloud native routers will be provisioned to establish BGP IPSec tunnels with an external IPSec device. A GCP cloud native router is composed of a Cloud Router combined with a High-availability (HA) Cloud VPN gateway.

The high-level topology below illustrates the additional connections automated by Cisco CNC.


Provisioning Cloud Native Routers


The first step is to enable external connectivity under Region Management by selecting in which region cloud native routers will be deployed. For this scenario, they will be provisioned in the same region as the Cisco CNC as depicted on the high-level topology. Additionally, default values will be used for the IPSec Tunnel Subnet Pool and BGP AS under the Hub Network representing the GCP Cloud Router.

The cloud native routers are purposely being provisioned in a different region from the user VPCs to illustrate the ability of having a dedicated hub network with external access. However, they could have been deployed in the same region as the user VPCs.


Note: a brief overview of the Cisco CNC GUI was provided on Part 1.

Enabling External Networks


The next step is to create an External Network construct within the infra tenant. This is where an external VRF is also defined to represent external networks connected to on-premises data centers or remote sites. Any cloud VRF mapped to existing VPC networks can leak routes to this external VRF or can get routes from it. In addition to the external VRF definition, this is also where VPN settings are entered with the remote IPSec peer details.

The configuration below illustrates the stitching of the external VRF and the VPN network within the region where the cloud native routers are being provisioned in the backend. For simplicity, the VRF was named “external-vrf”, but in a production environment the name should be chosen carefully and aligned to the external network it represents, so as to simplify operations.


The VPN network settings require the public IP of the remote IPSec device, the IKE version, and the BGP AS. As indicated earlier, the default subnet pool is being used.


Once the external network is created, Cisco CNC generates a configuration file for the remote IPSec device to establish BGP peering and IPSec tunnels with the GCP cloud native routers. Below is the option to download the configuration file.


Configuring External IPSec Device


As the configuration file provides most of the configuration required for the external IPSec device, customization is needed only on the tunnel source interface and, where applicable, on routing settings to match local network requirements. In this example, the remote IPSec device is a virtual router using interface GigabitEthernet1. For brevity, only one of the IPSec tunnel configurations is shown below, along with all the other configuration generated by Cisco CNC.

vrf definition external-vrf
    rd 100:1
    address-family ipv4
    exit-address-family

interface Loopback0
    vrf forwarding external-vrf
    ip address 41.41.41.41 255.255.255.255

crypto ikev2 proposal ikev2-1
    encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
    integrity sha512 sha384 sha256 sha1
    group 24 21 20 19 16 15 14 2

crypto ikev2 policy ikev2-1
    proposal ikev2-1

crypto ikev2 keyring keyring-ifc-3
    peer peer-ikev2-keyring
        address 34.124.13.142
        pre-shared-key 49642299083152372839266840799663038731

crypto ikev2 profile ikev-profile-ifc-3
    match address local interface GigabitEthernet1
    match identity remote address 34.124.13.142 255.255.255.255
    identity local address 20.253.155.252
    authentication remote pre-share
    authentication local pre-share
    keyring local keyring-ifc-3
    lifetime 3600
    dpd 10 5 periodic

crypto ipsec transform-set ikev-transport-ifc-3 esp-gcm 256
    mode tunnel

crypto ipsec profile ikev-profile-ifc-3
    set transform-set ikev-transport-ifc-3
    set pfs group14
    set ikev2-profile ikev-profile-ifc-3

interface Tunnel300
    vrf forwarding external-vrf
    ip address 169.254.0.2 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1400
    tunnel source GigabitEthernet1
    tunnel mode ipsec ipv4
    tunnel destination 34.124.13.142
    tunnel protection ipsec profile ikev-profile-ifc-3

ip route 34.124.13.142 255.255.255.255 GigabitEthernet1 192.168.0.1

router bgp 65002
    bgp router-id 100
    bgp log-neighbor-changes
    address-family ipv4 vrf external-vrf
        network 41.41.41.41 mask 255.255.255.255
        neighbor 169.254.0.1 remote-as 65534
        neighbor 169.254.0.1 ebgp-multihop 255
        neighbor 169.254.0.1 activate
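Because the proposal generated by the controller deliberately lists many algorithms so that it can match whatever the external device supports, a practitioner will want to know which entries sit below their own policy floor before pasting the file into a router. The following audit is an added example, not Cisco CNC output or code: it parses the crypto stanzas of a configuration like the one above (the keyring and pre-shared key are left out of the constructed sample) and reports the entries it considers weak. The policy floor itself (SHA-1 and MD5 integrity, MODP groups 1, 2 and 5, and DES/3DES encryption) is an assumption of this example, chosen because those algorithms are widely deprecated for IKE.

```python
"""Audit the IKEv2 proposal and IPsec profile from an IOS-style configuration.

Added example, not Cisco CNC output: it parses the crypto stanzas of a
configuration like the one above and flags entries below an assumed policy floor.
"""
import re

# Constructed excerpt: the crypto stanzas of the configuration shown above
# (keyring and pre-shared key deliberately omitted).
SAMPLE_CONFIG = """\
crypto ikev2 proposal ikev2-1
    encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
    integrity sha512 sha384 sha256 sha1
    group 24 21 20 19 16 15 14 2

crypto ikev2 policy ikev2-1
    proposal ikev2-1

crypto ipsec transform-set ikev-transport-ifc-3 esp-gcm 256
    mode tunnel

crypto ipsec profile ikev-profile-ifc-3
    set transform-set ikev-transport-ifc-3
    set pfs group14
    set ikev2-profile ikev-profile-ifc-3
"""

# Assumed policy floor for this example: entries listed here are reported.
# MODP-768/1024/1536 (groups 1/2/5) and SHA-1/MD5 integrity are widely deprecated for IKE.
WEAK = {
    "encryption": {"des", "3des", "null"},
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},
}


def parse_ikev2_proposals(config):
    """Return {proposal_name: {"encryption": [...], "integrity": [...], "group": [...]}}."""
    proposals, current = {}, None
    for raw in config.splitlines():
        if not raw[:1].isspace():            # a top-level line starts a new stanza
            m = re.match(r"crypto ikev2 proposal (\S+)\s*$", raw)
            current = None
            if m:
                current = proposals.setdefault(
                    m.group(1), {"encryption": [], "integrity": [], "group": []})
            continue
        if current is not None:
            keyword, *values = raw.split()
            if keyword in current:
                current[keyword].extend(values)
    return proposals


def parse_pfs_groups(config):
    """Return {ipsec_profile_name: pfs_group_number_or_None}."""
    profiles, current = {}, None
    for raw in config.splitlines():
        if not raw[:1].isspace():
            m = re.match(r"crypto ipsec profile (\S+)\s*$", raw)
            current = m.group(1) if m else None
            if current:
                profiles[current] = None     # no PFS until a 'set pfs' line is seen
            continue
        m = re.match(r"set pfs group(\d+)\s*$", raw.strip())
        if current and m:
            profiles[current] = m.group(1)
    return profiles


def audit_proposal(proposal):
    """Return (keyword, value) pairs that fall below the policy floor, in config order."""
    return [(kw, v) for kw in ("encryption", "integrity", "group")
            for v in proposal[kw] if v in WEAK[kw]]


def harden_proposal(name, proposal):
    """Render the same proposal with the flagged entries removed (order preserved)."""
    lines = [f"crypto ikev2 proposal {name}"]
    for kw in ("encryption", "integrity", "group"):
        kept = [v for v in proposal[kw] if v not in WEAK[kw]]
        lines.append(f"    {kw} {' '.join(kept)}")
    return "\n".join(lines)


def audit_pfs(profiles):
    """IPsec profiles with no PFS, or a PFS group below the floor."""
    return [(name, grp) for name, grp in profiles.items()
            if grp is None or grp in WEAK["group"]]


if __name__ == "__main__":
    props = parse_ikev2_proposals(SAMPLE_CONFIG)
    for name, prop in props.items():
        for kw, val in audit_proposal(prop):
            print(f"{name}: {kw} {val} is below the policy floor")
        print(harden_proposal(name, prop))
    for name, grp in audit_pfs(parse_pfs_groups(SAMPLE_CONFIG)):
        print(f"{name}: PFS group {grp} is below the policy floor")
```

Trimming the proposal is an operator decision rather than something to do blindly: the tail entries exist so that the controller-generated file negotiates with a wide range of peers, and the check only tells you which of them your own policy would not accept, so that the two ends can be aligned on the stronger algorithms.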

Verifying External Connectivity status


Once the configuration is applied, there are a few ways to verify the BGP peering and IPSec tunnels between GCP and the external device: via the CLI on the IPSec device itself, and via the External Connectivity dashboard in the Cisco CNC GUI.

In the GCP console (infra project), under Hybrid Connectivity, both the IPSec and BGP sessions show as established. They are provided by the combination of a Cloud Router and an HA Cloud VPN gateway, both automated by Cisco CNC upon definition of the External Network. Note that the infra VPC network is named overlay-1 by default as part of the Cisco CNC deployment from the marketplace.

Route Leaking Between External and VPC Networks


Now that the BGP sessions over the IPSec tunnels are established, let's configure inter-VRF routing between the external networks and the user VPC networks created in previous sections. This works by enabling VPC peering between the user VPCs and the infra VPC hosting the VPN connections, which shares those VPN connections with the external sites: routes received on the VPN connections are leaked to the user VPCs, and user VPC routes are advertised on the VPN connections.

Using inter-VRF routing, routes are leaked between the external VRF of the VPN connections and the cloud-local user VRFs. The configuration below illustrates route leaking from external-vrf to network-a.

The reverse route leaking configuration, from network-a to external-vrf, is filtered by subnet IP to show the available granularity. The same steps were also performed for network-b but are not depicted, for brevity.

In addition to the existing peering between the network-a and network-b VPCs, both user VPCs are now also peered with the infra VPC (overlay-1), as depicted in the high-level topology.

By exploring the details of one of the peering connections, the external subnet 41.41.41.41/32 is visible in the imported routes table.

On the remote IPSec device, the subnets from the network-a and network-b VPCs are learned over the BGP peering, as expected.

remote-site#sh bgp vpnv4 unicast vrf external-vrf
<<<output omitted for brevity>>>
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf external-vrf)
 *>   41.41.41.41/32   0.0.0.0                  0         32768 i
 *    172.16.1.0/24    169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
 *    172.16.128.0/24  169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
remote-site#
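Checking this table by eye works for two prefixes, but once several VRFs and tunnels are involved it is worth scripting the verification. The parser below is an added example, not part of the original post or of Cisco CNC: it reads the captured output above (embedded as the sample input), splits each row into its fields using the header's column boundary, and reports any expected prefix whose best path was not learned from the VPN peer AS. The expected prefix list and peer AS (65534, as in the output) are the caller's input.

```python
"""Parse 'show bgp vpnv4 unicast vrf <name>' output and check the expected prefixes.

Added example, not part of the original post: it works on the CLI output shown above.
"""
import re
from dataclasses import dataclass

# The output shown above, embedded as sample input.
SAMPLE_OUTPUT = """\
remote-site#sh bgp vpnv4 unicast vrf external-vrf
<<<output omitted for brevity>>>
     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf external-vrf)
 *>   41.41.41.41/32   0.0.0.0                  0         32768 i
 *    172.16.1.0/24    169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
 *    172.16.128.0/24  169.254.0.5            100             0 65534 ?
 *>                    169.254.0.1            100             0 65534 ?
remote-site#
"""


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    best: bool          # '>' present in the status column
    as_path: tuple      # AS numbers as strings; empty for locally originated routes
    origin: str         # i / e / ?


def parse_bgp_table(text):
    """Turn the fixed-width table into BgpPath records.

    Continuation lines (extra paths for the same prefix) carry no prefix and
    inherit the last one seen. Metric/LocPrf/Weight are optional numeric fields,
    and the AS path is numeric too, so the boundary between them is taken from
    the position of the 'Path' header: the weight is right-aligned to end just
    before it, and path tokens start to its right.
    """
    paths, path_col, prefix = [], None, None
    for line in text.splitlines():
        if path_col is None:
            if "Network" in line and "Path" in line:
                path_col = line.index("Path")
            continue
        if not line.startswith(" "):        # prompt or 'Route Distinguisher' line
            continue
        tokens = [(m.start(), m.group()) for m in re.finditer(r"\S+", line)]
        if len(tokens) < 3:
            continue
        flags, rest = tokens[0][1], tokens[1:]
        if "/" in rest[0][1]:
            prefix = rest.pop(0)[1]
        if prefix is None or not rest:
            continue
        next_hop = rest[0][1]
        path_tokens = [t for s, t in rest[1:] if s > path_col]
        if not path_tokens:
            continue
        paths.append(BgpPath(prefix, next_hop, ">" in flags,
                             tuple(path_tokens[:-1]), path_tokens[-1]))
    return paths


def best_paths(paths):
    """Map prefix -> the path marked best ('>')."""
    return {p.prefix: p for p in paths if p.best}


def missing_prefixes(paths, expected, peer_as):
    """Expected prefixes with no best path whose first AS is the VPN peer."""
    best = best_paths(paths)
    return [pfx for pfx in expected
            if pfx not in best or not best[pfx].as_path
            or best[pfx].as_path[0] != peer_as]


if __name__ == "__main__":
    parsed = parse_bgp_table(SAMPLE_OUTPUT)
    for p in parsed:
        marker = "best" if p.best else "    "
        print(f"{marker} {p.prefix:18} via {p.next_hop:12} path {' '.join(p.as_path) or '-'}")
    print("missing:", missing_prefixes(parsed, ["172.16.1.0/24", "172.16.128.0/24"], "65534"))
```

Requiring the best path to come from the peer AS, rather than merely requiring the prefix to be present, is deliberate: a prefix that is also reachable through some other path would otherwise pass the check while traffic silently bypasses the tunnel.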

Defining External EPG for the External Network


Up to this point, all routing policies were automated by Cisco CNC to allow external connectivity to and from GCP. However, firewall rules are also required for end-to-end connectivity. This is accomplished by creating an external EPG that uses subnet selection as the endpoint selector to represent the external networks. Note that this external EPG is also created within the infra tenant and associated with the external-vrf created previously.

The next step is to apply contracts between the external EPG and the previously created cloud EPGs to allow communication between endpoints in GCP and the external networks, which in this scenario are represented by 41.41.41.41/32 (Loopback0 on the remote IPSec device). As this spans different tenants, the contract scope is set to global and the contract is exported from the engineering tenant to the infra tenant, and vice versa if traffic is to be initiated from both sides.

To the cloud connectivity

From the cloud connectivity

On the backend, the combination of contracts and filters is translated into the corresponding GCP firewall rules, as covered in detail in Part 2 of this series. For brevity, only the outcome is shown below.

remote-site#ping vrf external-vrf 172.16.1.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 41.41.41.41 !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/84/86 ms

remote-site#ping vrf external-vrf 172.16.128.2 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.2, timeout is 2 seconds:
Packet sent with a source address of 41.41.41.41 !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/133/138 ms

root@web-server:/home/marinfer# ping 41.41.41.41
PING 41.41.41.41 (41.41.41.41) 56(84) bytes of data.
64 bytes from 41.41.41.41: icmp_seq=1 ttl=254 time=87.0 ms
64 bytes from 41.41.41.41: icmp_seq=2 ttl=254 time=84.9 ms
64 bytes from 41.41.41.41: icmp_seq=3 ttl=254 time=83.7 ms
64 bytes from 41.41.41.41: icmp_seq=4 ttl=254 time=83.8 ms
root@web-server:/home/marinfer# 

root@app-server:/home/marinfer# ping 41.41.41.41
PING 41.41.41.41 (41.41.41.41) 56(84) bytes of data.
64 bytes from 41.41.41.41: icmp_seq=1 ttl=254 time=134 ms
64 bytes from 41.41.41.41: icmp_seq=2 ttl=254 time=132 ms
64 bytes from 41.41.41.41: icmp_seq=3 ttl=254 time=131 ms
64 bytes from 41.41.41.41: icmp_seq=4 ttl=254 time=136 ms
root@app-server:/home/marinfer#

Advanced Routing Capabilities with Cisco Cloud Router


Leveraging the native routing capabilities demonstrated above may suffice for some use cases but be limiting for others. For more advanced routing capabilities, Cisco Cloud Routers (CCRs) can be deployed instead. The provisioning process is largely the same, with the CCRs also instantiated within the infra VPC in a hub-and-spoke architecture. Besides being able to manage the complete lifecycle of the CCRs from Cisco CNC, customers can also choose between different tier-based throughput options according to their requirements.

One of the main use cases for Cisco Cloud Routers is BGP EVPN support across different cloud sites running Cisco CNC, or hybrid cloud connectivity with on-prem sites where policy extension is desirable. The different inter-site use cases are documented in dedicated white papers; below is a high-level topology illustrating the architecture.

Source: cisco.com

Sunday, 6 November 2022

Introducing Cisco Cloud Network Controller on Google Cloud Platform – Part 2

Part 1 of this blog series demonstrated how Cisco CNC can automate cloud networking within GCP independently of security policies. Part 2 goes over additional capabilities pertaining to contract-based routing and firewall rules automation by extending the same policy model.

One reason for decoupling routing and security is to give customers more flexibility: organizations often have different teams responsible for cloud networking and for security policy definition in the cloud. However, for use cases where policy consistency is a top priority, followed by stronger governance of cloud resources, a common policy model is a must.

Policy Model Translation


Below is a high-level one-to-one mapping of the Cisco CNC policy model to native GCP cloud constructs.

Essentially, a tenant maps to a project and is the top-level logical container holding all the other policies. For cloud networking, Cisco CNC translates the combination of VRF and Cloud Context Profile into global VPC networks and regional subnets. In the scenario below, Cisco CNC will also translate security policies by combining cloud EPGs (Endpoint Groups) with contracts and filters into firewall rules and network tags in GCP.

By definition, a cloud EPG is a collection of endpoints sharing the same security policy; it can have endpoints in one or more subnets and is tied to a VRF.

Scenario


This scenario has two VRFs: network-a and network-b. Additionally, the cloud EPGs Web and App will be created and associated with contracts whose security policies are defined by filters. A Cloud External EPG, named Internet EPG, will also be created to allow internet access on network-a.

On GCP, these policies are translated into proper VPC networks, subnets, routing tables, peering, firewall rules, and network tags. Note that for this scenario, VPCs and subnets were already pre-provisioned.

Contract-based Routing


In Part 1 of this blog series, a route leak policy was created to allow inter-VRF routing between network-a and network-b. For this scenario, only contract-based routing will be enabled, which means contracts drive routing where needed. Therefore, the route leak policy created previously was removed and the peering between the VPCs disconnected.

Contract-based Routing is a global mode configuration available in the Cloud Network Controller Setup. Note that when contract-based routing is enabled, routes between a pair of internal VRFs can be leaked using contracts only in the absence of a route leak policy.

Note: a brief overview of the Cisco CNC GUI was provided on Part 1.

Firewall Rules Automation


The configuration below illustrates the creation of the Web and Internet EPGs tied to network-a, along with their associated endpoint selectors. Selectors are used to assign endpoints to a cloud EPG and can be based on IP address, subnet, region, or custom tags (using a combination of key-value pairs and match expressions).

For the Web EPG, a key-value pair is used with a specific tag to be matched (custom: epg equals web). For the Internet EPG, a subnet selector is used that matches all traffic. Furthermore, the Internet EPG needs to be of type External, since internet access will be allowed on network-a.

Web EPG

Internet EPG

The App cloud EPG configuration is not depicted, for brevity, but is similar to that of the Web cloud EPG; however, it is tied to network-b and has its own endpoint selector (custom: epg equals app).

On GCP, these policies are translated into dedicated ingress firewall rules and network tags for Web and App, highlighted below, using the naming format capic-<app-profile-name>-<epg-name>.

Note: Rebranding from Cloud APIC to Cloud Network Controller is covered on Part 1.

In the example below, cloud endpoints instantiated in GCP with labels matching the endpoint selectors are assigned the network tags and firewall rules automated by Cisco CNC.

Associating Contracts to EPGs

Now, let’s associate the web-to-app contract between Web and App EPGs using the concept of consumer and provider to define rules direction.

Upon associating the contract, additional ingress and egress firewall rules are programmed according to the consumer and provider relationship specified; these firewall rules are derived from the security policies defined through contracts and filters. For brevity, all traffic is allowed here, but granular filters can be added as required. Note also that these rules are only programmed once cloud endpoints matching them are instantiated.

Wait, what about peering between these VPCs? Since contract-based routing is enabled, the contract also drives routing: it enables peering between the VPCs and auto-generates the routes to each other accordingly.

Lastly, let’s allow internet access to web services residing on network-a by adding the internet-access contract between Internet and Web EPGs.

As soon as the contract is associated, Cisco CNC adds an ingress firewall rule with the network tag representing the Web EPG, which allows internet access to the endpoints behind it.

From this point on, internet access to the web-server is allowed, as is connectivity from the web-server to the app-server.

root@web-server:/home/marinfer# ifconfig ens4
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
        inet 172.16.1.2  netmask 255.255.255.255  broadcast 172.16.1.2
        inet6 fe80::4001:acff:fe10:102  prefixlen 64  scopeid 0x20<link>
        ether 42:01:ac:10:01:02  txqueuelen 1000  (Ethernet)
        RX packets 19988  bytes 3583929 (3.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17707  bytes 1721956 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@web-server:/home/marinfer# ping 172.16.128.2
PING 172.16.128.2 (172.16.128.2) 56(84) bytes of data.
64 bytes from 172.16.128.2: icmp_seq=1 ttl=64 time=58.3 ms
64 bytes from 172.16.128.2: icmp_seq=2 ttl=64 time=56.0 ms
64 bytes from 172.16.128.2: icmp_seq=3 ttl=64 time=56.0 ms
64 bytes from 172.16.128.2: icmp_seq=4 ttl=64 time=56.0 ms
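The sections above describe the translation in pieces: EPGs become network tags in the capic-<app-profile-name>-<epg-name> format, a contract's consumer and provider sides become ingress and egress rules on the provider and consumer, an External EPG is matched by its subnet rather than a tag, and a contract between EPGs in different VRFs also drives the VPC peering. The following model is an added example, not Cisco CNC's own code or the exact rules it generates: it takes the Web, App and Internet EPGs with the two contracts from this post and renders the GCP firewall rule bodies and peerings they imply. The app profile name (app1), the rule names, and the TCP 80/443 filter on the internet-access contract (the post allows all traffic) are this example's own choices; the subnets are the ones used in the post. One GCP constraint shapes the output: source tags only match instances in the same VPC network, so a consumer in another VPC is matched by its subnet ranges instead.

```python
"""Model the Cisco CNC policy-to-GCP translation described above.

Added example, not Cisco CNC code: it renders the firewall rule bodies and VPC
peerings implied by a set of cloud EPGs and contracts, using the network tag
format stated in the post.
"""
from dataclasses import dataclass

# Constructed sample: subnets of the two VRFs (VPC networks) used in the post.
VRF_SUBNETS = {
    "network-a": ("172.16.1.0/24",),
    "network-b": ("172.16.128.0/24",),
}


@dataclass(frozen=True)
class Epg:
    name: str
    vrf: str                       # VPC network the EPG is tied to
    app_profile: str
    external_subnets: tuple = ()   # non-empty marks an External EPG (subnet selector)

    @property
    def is_external(self):
        return bool(self.external_subnets)

    @property
    def tag(self):
        # Network tag format stated in the post: capic-<app-profile-name>-<epg-name>
        return f"capic-{self.app_profile}-{self.name}"

    @property
    def ranges(self):
        return self.external_subnets if self.is_external else VRF_SUBNETS[self.vrf]


@dataclass(frozen=True)
class Filter:
    protocol: str = "all"          # "all", "tcp", "udp" or "icmp" as GCP expects
    ports: tuple = ()


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: Epg                  # side that initiates traffic
    provider: Epg                  # side that receives it
    filters: tuple = (Filter(),)   # default: allow all, as in the post


def allowed(filters):
    """GCP 'allowed' entries for the contract's filters."""
    return [{"IPProtocol": f.protocol, **({"ports": list(f.ports)} if f.ports else {})}
            for f in filters]


def render_rules(contract):
    """Firewall rule bodies implied by one contract (rule names are this example's own).

    Source tags only match instances in the same VPC network, so a consumer in a
    different VPC, or an External EPG, is matched by its IP ranges instead.
    """
    c, p = contract.consumer, contract.provider
    ingress = {"name": f"{contract.name}-ingress", "network": p.vrf,
               "direction": "INGRESS", "targetTags": [p.tag],
               "allowed": allowed(contract.filters)}
    if not c.is_external and c.vrf == p.vrf:
        ingress["sourceTags"] = [c.tag]
    else:
        ingress["sourceRanges"] = list(c.ranges)
    rules = [ingress]
    if not c.is_external:          # an External EPG has no instances to tag
        rules.append({"name": f"{contract.name}-egress", "network": c.vrf,
                      "direction": "EGRESS", "targetTags": [c.tag],
                      "destinationRanges": list(p.ranges),
                      "allowed": allowed(contract.filters)})
    return rules


def required_peerings(contracts):
    """VPC pairs that contract-based routing must peer for the contracts to work."""
    return {frozenset((k.consumer.vrf, k.provider.vrf)) for k in contracts
            if not k.consumer.is_external and not k.provider.is_external
            and k.consumer.vrf != k.provider.vrf}


# Constructed policy: EPG and contract names follow the post; the app profile
# name and the TCP 80/443 filter on internet-access are assumptions.
WEB = Epg("web", "network-a", "app1")
APP = Epg("app", "network-b", "app1")
INTERNET = Epg("internet", "network-a", "app1", external_subnets=("0.0.0.0/0",))
CONTRACTS = (
    Contract("web-to-app", consumer=WEB, provider=APP),
    Contract("internet-access", consumer=INTERNET, provider=WEB,
             filters=(Filter("tcp", ("80", "443")),)),
)

if __name__ == "__main__":
    import json
    for k in CONTRACTS:
        print(json.dumps(render_rules(k), indent=2))
    print("peerings:", [sorted(pair) for pair in required_peerings(CONTRACTS)])
```

Rendering the rule bodies this way is also a handy drift check: the same model run against the rules actually present in the project shows whether anything was added or loosened outside the controller, which is the governance point the section opens with.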

Cloud Resources Visibility


Using a cloud-like policy model, Cisco CNC provides topology and hierarchical views of cloud resources on a per-tenant basis, with drill-down options. Moreover, application profile containers group cloud EPGs together with their associated contracts for easy visibility of policies and dependencies.

More granular visibility is provided all the way down to cloud endpoints. Firewall rules are also visible in the Cisco CNC GUI under Ingress and Egress Rules.

Source: cisco.com