
Wednesday, 20 November 2024

Identity-centric SASE with Cisco SD-WAN and Microsoft’s Security Service Edge Solution


In today’s rapidly evolving IT landscape, enterprise WAN requirements have evolved with hybrid work becoming the norm. Security for both on-premises and cloud workloads is crucial, especially for secure access to the internet, Microsoft applications, and other critical office applications. Organizations need a flexible solution that protects against advanced threats, optimizes application performance, and simplifies network management.

Cisco Catalyst SD-WAN offers unparalleled choice, meeting customers where they are in their security journey and supporting an open ecosystem. Catalyst SD-WAN allows customers to build secure access service edge (SASE) architectures tailored to their business needs by seamlessly integrating with a broad spectrum of third-party secure service edge (SSE) vendors and, now, Microsoft. These integrations help organizations maximize their investment in cloud security by simplifying the integration process with Catalyst SD-WAN.

Bridging the Gap Between Networking and Security


With Cisco Catalyst SD-WAN and Microsoft, businesses can enjoy a more unified and consistent experience for networking and security, all managed through a single dashboard.

The new integration with Microsoft’s Security Service Edge solution (SSE) bridges the gap between connectivity and protection, ensuring that data transmitted across the network is not only optimized for performance but also safeguarded against threats. Combining Cisco Catalyst SD-WAN with Microsoft’s SSE solution delivers a resilient, high-performance, and scalable WAN alongside a comprehensive suite of cloud-based security services designed to protect data, manage risks, and ensure compliance.

Key Benefits of the Microsoft SSE Solution Integration


Cisco Catalyst SD-WAN and Microsoft’s SSE solution integration provides secure access to the internet and SaaS applications with an identity-centric secure web gateway (SWG). This integration enhances the security of branch internet traffic by efficiently redirecting it through Microsoft Entra Internet Access, part of Microsoft’s SSE solution, for secure inspection, helping ensure that traffic from branch edges to the public internet or SaaS applications is thoroughly protected. The result is a secure networking solution that offers peace of mind and operational efficiency for enterprise customers.

  • Enhanced security posture: Branch internet traffic is securely redirected to Microsoft’s Security Service Edge solution for advanced inspection and protection against internet-based threats, helping to ensure secure access to public internet and Microsoft SaaS applications. IT teams gain AI-powered visibility into network traffic and security events, enabling fast detection and response to threats.
  • Improved cloud security: The integration leverages Microsoft’s advanced security capabilities to protect against malicious internet traffic and other cyberthreats with a comprehensive, cloud-delivered network security toolset that includes web content filtering, threat protection, information protection, and identity management.
  • Seamless deployment and configuration: This integration simplifies the deployment and management process by providing an integrated solution for both networking and security. A single solution helps you to reduce operational complexity by eliminating the need for multiple point products, simplifying management, and helping you deliver a unified experience for your users. With a few clicks users can deploy thousands of branches, providing ease of configuration and the added advantage of using a Cisco validated design. Templatized workflows using SIG templates makes setup easy with end-to-end validation and enables organizations to quickly deploy new applications and services.


How Microsoft’s SSE Solution Integration Works


  • Secure tunnels: Secure tunnels are created for advanced inspection, helping ensure that traffic to the internet and Microsoft SaaS applications is securely managed and enhancing bandwidth at the branch. Multiple tunnels with load balancing and ECMP give users the ability to select the nearest PoP/DC, perform an application health check through the tunnels, and steer traffic through the right tunnel.
  • Traffic redirection: Relevant traffic from SD-WAN branch edges is efficiently redirected to Microsoft’s SSE solution. Users are able to select specific users and traffic, such as applications or IP addresses, to be sent to Microsoft via tunnels instead of sent directly to the internet. Enabling traffic redirection gives users granular control over traffic and allows remote workers to connect to the internet securely.
  • Inspection and protection: Microsoft’s SSE solution inspects the traffic to provide robust protection against threats. Microsoft Entra Internet Access enforces unified access controls through a single policy engine and leverages multiple Entra ID integrations, including universal conditional access and continuous access evaluation (CAE), token theft protection, and data exfiltration controls.


Looking Ahead


As enterprise WAN requirements continue to evolve with hybrid work becoming the norm and applications spread across hybrid cloud and SaaS environments, both on-premises and cloud workload security are crucial. Organizations need a solution that protects against advanced threats, optimizes application performance, and simplifies network management. The Cisco Catalyst SD-WAN and Microsoft’s SSE solution integration is a forward-looking response to this need, offering businesses a powerful tool to navigate the complexities of modern networking and security challenges.

Source: cisco.com

Thursday, 25 April 2024

Understanding the Differences between SD-WAN and MPLS


In the realm of networking, SD-WAN and MPLS are two terms that frequently arise, each offering distinct advantages and functionalities. In this comprehensive guide, we delve into the nuances of these technologies, providing clarity on their disparities and assisting you in making informed decisions for your network infrastructure.

What is SD-WAN?


SD-WAN, or Software-Defined Wide Area Network, is a modern approach to networking that utilizes software-defined networking (SDN) concepts to intelligently manage and optimize Wide Area Network (WAN) connections. Unlike traditional WAN setups that rely heavily on hardware, SD-WAN leverages software to dynamically route traffic across the network based on predefined policies and conditions.

Key Features of SD-WAN:


  1. Centralized Management: SD-WAN solutions offer centralized management interfaces that provide administrators with granular control over network configurations and traffic flow.
  2. Dynamic Path Selection: With SD-WAN, traffic is intelligently routed across multiple network paths, including broadband, MPLS, and LTE, based on real-time conditions such as link quality and latency.
  3. Application Awareness: SD-WAN platforms often incorporate deep packet inspection and application recognition capabilities, allowing for the prioritization of critical applications and traffic shaping based on application requirements.
  4. Cost Efficiency: By leveraging lower-cost internet connections alongside more expensive MPLS links, SD-WAN can significantly reduce WAN expenses without compromising performance or reliability.

Understanding MPLS


MPLS, or Multiprotocol Label Switching, is a legacy networking technology commonly used for building private, high-performance WANs. MPLS operates by assigning labels to network packets, enabling routers to make forwarding decisions based on these labels rather than IP addresses.

Key Features of MPLS:


  1. Traffic Engineering: MPLS networks support traffic engineering capabilities, allowing administrators to optimize network paths and allocate bandwidth efficiently.
  2. Quality of Service (QoS): MPLS offers robust QoS mechanisms, ensuring that critical applications receive the necessary bandwidth and latency guarantees to maintain optimal performance.
  3. Security: MPLS inherently provides a higher level of security compared to public internet connections, as traffic remains within the confines of the private MPLS network, reducing exposure to external threats.
  4. Reliability: MPLS networks are known for their reliability and predictability, making them ideal for applications that require consistent performance and uptime.

Contrasting SD-WAN and MPLS


While both SD-WAN and MPLS serve the purpose of connecting geographically dispersed locations within an organization, they differ significantly in terms of architecture, cost, and flexibility.

Architecture:

  • SD-WAN: SD-WAN architectures are decentralized and software-driven, offering flexibility and scalability to adapt to changing network requirements rapidly.
  • MPLS: MPLS networks are centralized and hardware-dependent, typically requiring substantial upfront investments in infrastructure and equipment.

Cost:

  • SD-WAN: SD-WAN solutions often provide cost savings compared to MPLS, particularly for organizations with diverse connectivity requirements or those seeking to augment MPLS with lower-cost internet links.
  • MPLS: MPLS services can be costly, primarily due to the need for dedicated circuits and long-term contracts with service providers.

Flexibility:

  • SD-WAN: SD-WAN architectures offer unparalleled flexibility, allowing organizations to seamlessly integrate various transport technologies and cloud services into their network environments.
  • MPLS: MPLS networks are less flexible, with limited support for cloud connectivity and scalability compared to SD-WAN solutions.

Conclusion

In summary, both SD-WAN and MPLS have their merits and are suited to different network environments and business requirements. SD-WAN excels in providing agility, cost efficiency, and flexibility, making it an attractive option for organizations seeking to modernize their network infrastructure. On the other hand, MPLS offers reliability, security, and quality of service, making it well-suited for mission-critical applications and industries with stringent compliance requirements.

Ultimately, the choice between SD-WAN and MPLS depends on factors such as budget, performance needs, and organizational priorities. By understanding the nuances of each technology, organizations can make informed decisions that align with their strategic objectives and drive business success.

Thursday, 4 January 2024

AIOps Drives Exceptional Digital Experience Through Network Assurance

The distributed workforce―and the distributed applications and services they consume―have vastly changed the enterprise network paradigm. Many connections—such as private cloud, internet, public cloud, multicloud, and software-as-a-service (SaaS) networks—now begin and end outside of the traditional corporate infrastructure. The coexistence of these complex connections creates new layers of operational complexity for teams responsible for ensuring predictable performance and quality of service.

What is needed to combat this complexity is a network assurance platform that includes true end-to-end visibility capabilities. Insight is needed into users and their devices, locations, and connected things, as well as into access networks, network services, multiple clouds, and corporate enterprise data centers and applications (Figure 1). A solution that combines these different data sets and uses artificial intelligence and machine learning (AI/ML) to analyze the data, can help drive decisions that make network operations proactive and predictive, instead of reactive.

Figure 1. Span of end-to-end visibility required (click to enlarge)

In our 2023 Global Networking Trends Report, nearly half (47%) of respondents said they are prioritizing the adoption of predictive network analytics over the next two years, primarily to help with managing the connectivity and digital experience of their remote workforce.

A predictive network analytics solution requires the ability to correlate massive amounts of network data in real time and at tremendous scale. By continuously analyzing performance data and applying predictive modeling to forecast conditions and recommend actions, predictive capabilities can become a reality. Predictive analytics empowers teams to avoid adverse application impacts to distributed workers and to ensure the best possible user experience.

Predictive analytics for SD-WAN and an internet-centric world


For the software-defined WAN (SD-WAN), a platform that uses artificial intelligence for IT operations (AIOps) can provide predictive analytics to forecast performance (Figure 2). AIOps refers to the strategic use of AI, ML, and machine reasoning (MR) technologies to simplify and streamline IT processes and optimize the use of IT resources. By correlating and analyzing real-time and historical SD-WAN performance data and applying predictive models, AIOps can use these forecasts to deliver per-site recommendations for optimal path selection by application type to deliver an optimal experience based on available paths.

By integrating predictive analytics into SD-WAN solutions, IT teams can improve dynamic enforcement of application service levels with intelligent routing across alternative paths before any degradation occurs.

Figure 2. Predictive analytics through a continual feedback loop (click to enlarge)

Combining traffic data sets from an organization’s ecosystem of ISPs, cloud providers, SaaS applications, and other external services, further enriches predictive analytical systems. Operations teams can rapidly identify, escalate, and remediate issues with providers using internet telemetry data. When outage behavior is detected, a root cause can be identified and shared with providers to prioritize fixes or escalate to peers and transit providers.

Predictive analytics at work in the real world 


When Insight Global—one of the largest staffing agencies in the United States—allowed its employees to return to the office, it leveraged information from ThousandEyes WAN Insights to optimize its SD-WAN policies and improve application experiences proactively and continuously. Once the solution was in place, the company gained greater visibility into critical network environments and routing, and Insight Global’s IT team was better able to detect and avoid potential issues before those issues could impact the business.

Predictive and proactive operations is the way forward


It’s time to move from reactive to proactive operations management through end-to-end visibility and AI/ML-powered predictive analytics. It’s time for a consistent way of automating operations, analyzing and diagnosing issues, and assuring the user experience across all the different networking domains.

We believe strongly in this way forward. It’s the cornerstone of Cisco’s approach to network assurance and Cisco’s Networking Cloud vision—a unified management experience platform for on-premises and cloud operating models to simplify IT, everywhere, at scale.

Source: cisco.com

Thursday, 12 October 2023

End-to-End Visibility and Actionable Insights Underpin Great Connected Experiences

Three networking megatrends have upended how businesses approach networking to support the distributed workforce.

First, cloud has become the new data center, with workloads moving from on-premises to hybrid cloud and multicloud architectures. Secondly, the internet is now the new network, with reliance on business connectivity traversing diverse networking domains. And lastly, with so many remote and hybrid workers, the office is now essentially anywhere.

This evolution has made delivering a high-quality, reliable experience—connecting everyone to everything everywhere—significantly more complex. After the need to provide secure access to applications across multiple clouds, the second biggest challenge cited by 37% of respondents in our 2023 Global Networking Trends Report was gaining end-to-end visibility into network performance and security as more traffic originates or terminates beyond the boundaries of the corporate network.

Which begs the question: How do you identify, diagnose, and remediate problems that occur throughout the digital supply chain—the domains within and outside your infrastructure and all hops between a user’s device and an application or service in the cloud? Read on to find out how.

Tackling assurance complexity across multiple network domains


Great connected experiences are table stakes for businesses today. The digital economy relies on always-on applications and services to support employees and consumers. Failure is not an option.

Prior to the hyperconnectivity of today’s digital economy, business applications and services within corporate domains were well served by network monitoring solutions and processes that were localized and handled specific domains like wireless. But to remediate issues in enterprise WANs, admins had to contact their counterparts within cloud and internet provider organizations to jointly diagnose and remediate service and security problems. Often, this resulted in a lot of finger pointing. Businesses acted reactively instead of proactively. Issues could take a long time to get resolved.

Providing network assurance for a high-quality connected experience today requires end-to-end visibility and insights across diverse clouds, network providers, the internet, devices, and geographies—each with their own operational domains (see Figure 1). Without end-to-end visibility into network performance, application responsiveness, and security, it is extremely challenging for IT teams to deliver consistent digital experiences to end users.

Figure 1. Complex digital supply chain with interdependencies, increased failure surface, and unpredictability (click to enlarge)

A person working from home, for example, might run into a problem with Slack. The wireless network in their home office would be connected to an access network that would be connected to an edge router traversing a cloud network to the Slack application. Domain-specific tools can only see a small segment of this traffic. Admins without end-to-end visibility can’t see the big picture.

End-to-end visibility is foundational for SASE


A majority (51%) of organizations in our 2023 Global Networking Trends Report said that with their adoption of more software-as-a-service (SaaS) and multicloud solutions, they see investment in a solution that provides end-to-end visibility as a top priority. This may be in response to recent research by the Uptime Institute that found third-party operators—including cloud, hosting, colocation, and telecom providers—accounted for 70% of all publicly reported outages.

End-to-end visibility, analytics, and operational workflows allow admins to take decisive action to proactively remediate connectivity issues. In a secure access service edge (SASE) architecture, for example, end-to-end visibility feeds the actionable intelligence used to optimize path selection to provide the best digital experience anywhere at any time. Reliable connectivity is foundational to securely connecting people and things in a SASE architecture. If connectivity is poor, the secure access experience will be degraded.

Even before an SD-WAN or a converged SASE architecture with security service edge (SSE) is rolled out, organizations can use end-to-end visibility to evaluate, compare, and optimize the network experience before and after adoption of these architectures. The performance of individual providers in different locations that each form part of a digital supply chain can be proactively tested and benchmarked, with the results used to make more informed vendor selections to ensure the delivery of always-on digital experiences.

Gaining visibility into every connection


A European airline transitioned its network infrastructure from MPLS to SD-WAN, moving many applications and services to the cloud. The company needed to make sure that services met agreed-upon service level agreements (SLAs). To do so, the IT department deployed end-to-end visibility, specifically to monitor and enhance the digital experiences of customers and employees. With this solution in place, the airline can now measure connection latency and other factors—with a specific focus on connections between its data center and the cloud provider, Amazon Web Services. They can continually monitor and prioritize network experiences by accelerating incident response times, introduce more proactive maintenance, and enjoy greater cost efficiency through streamlined troubleshooting.

RichRelevance, a customer experience personalization provider for 250 global retailers, reduced its outages by 88% and shrunk outage windows from an average of four hours to 30 minutes, all thanks to end-to-end visibility. IT service management software company ServiceNow identified network issues 95% faster for their customers with visibility across all network layers that focused on the application experience.

Enabling quality digital experiences through a networking platform approach


Cisco is pioneering end-to-end network visibility and driving exceptional experiences through operational simplicity. It’s a cornerstone of our Cisco Networking Cloud long-term vision, a unified management experience platform for on-premises and cloud operating models to reduce IT complexity.

End-to-end visibility relies on compute power to capture and analyze billions of daily measurements in the digital supply chains that comprise today’s enterprise networks (see Figure 2). It is a powerful and indispensable feature that helps organizations maintain top-quality digital experiences and move from reactive to preventative and automated operations.

Figure 2. Organizations need to leverage a platform-driven approach that drives end-to-end visibility throughout the digital supply chain (click to enlarge)

Thursday, 24 August 2023

How SD-WAN Solves Multicloud Complexity

Cloud is the undisputed center of gravity when supporting distributed workforces. But managing secure connectivity in a growing multicloud environment continues to be more complex, expensive, and time consuming.

Enter the software-defined WAN (SD-WAN), a powerful, abstracted software layer that serves as a centralized control plane to enable organizations to automate, simplify, and optimize their network transport for any application to any cloud.   

Are you ready to steer traffic on demand, based on centralized policy, network insights, and predictive AI, and further enhanced by end-to-end visibility? Do you want to be more proactive instead of reactive in how you manage this traffic and run your network? If so, read on! 

Abstracting the complexity of multicloud 

Enterprises accelerated their transition to cloud and software-as-a-service (SaaS) during the pandemic to support their distributed workforces at home and on the go. This has seen multicloud environments become the norm. Our 2023 Global Networking Trends Report found that 92% of respondents used more than one public cloud in their infrastructure and 69% used over five SaaS applications.  

Connecting to different providers and network layers in multicloud environments has led to a patchwork of infrastructure and management controllers. This results in more complexity and cost for organizations looking to ensure a secure, consistent user experience.  

Networking complexity, from first to last mile 

Let’s look at these networking layers and why IT simplification is crucial in connecting today’s highly mobile workforce to business-critical applications.  

In the first mile, users access services from offices and campuses near data centers or remotely, from uncontrolled facilities using various devices (Figure 1). Workers connect through Multiprotocol Label Switching (MPLS), broadband, Wi-Fi, and cellular. Remote workers use their internet service provider (ISP) to connect them to concentrators at regional peering points of presence (PoPs).

Figure 1. New architecture for the distributed workplace  

The middle mile is the long-haul transport layer that has grown in complexity with the migration to the cloud. It serves as the connective tissue between first and last mile, interconnecting different types of cloud services, cloud applications (e.g., SaaS, IaaS), and data centers. Specialized middle-mile providers like Equinix and Megaport provide cross-connects between business networks, the internet, and cloud providers globally. Adding to the array of choices in the middle mile, public cloud providers like AWS, Google Cloud, and Microsoft Azure offer customers the ability to access their apps with site-to-cloud, site-to-site, region-to-region, cloud-to-cloud, and other connection options with different quality of experience metrics.  

The last mile is the connection between the data center or service provider and the end user’s device and application.    

Managing multicloud complexity with SD-WAN integrations  


Using applications distributed across multiple clouds and SaaS, workers have widely different experiences depending on their location. Adverse and unpredictable amounts of downtime, latency, and speed, for example, can threaten business continuity. So, establishing reliable, consistent, high-quality experiences is very much on the minds of enterprise IT managers today. 

More than half (53%) of respondents to the 2023 Global Networking Trends Report said they are prioritizing integration with cloud providers to improve connectivity to cloud-based apps from distributed locations. Additionally, 49% said they are using SD-WAN integrations across providers and multiple clouds to provide a simpler, consistent, optimized, and secure IT and application experience. 

SD-WAN unifies the entire WAN backbone and brings secure, private, cloud-aware connectivity that is agnostic to all kinds of link types, providers, and geographies (Figure 2).  

Figure 2. SD-WAN integrations with IaaS, SaaS, and middle-mile providers are vital for a better IT and user experience 

With SD-WAN providing connectivity between cloud, SaaS, and middle-mile providers, real-time traffic steering based on centralized policy and end-to-end analytics is possible. Network admins can be proactive instead of reactive, changing traffic parameters on demand, according to application, congestion, location, user, device, and other factors. 

SD-WAN multicloud integrations in action 


Tamimi Markets, a major Saudi Arabian supermarket chain, was having trouble providing a consistent experience to users at markets, warehouses, branch offices, and remote locations. Dependent on three ISPs for end-to-end connectivity in a hub-and-spoke architecture, they moved to a cloud architecture to eliminate the need to backhaul network traffic through the headquarters and in the process quadrupled bandwidth speeds. An integrated SD-WAN enables them to steer their traffic over a variety of link options based on network demand, cost, and quality of experience metrics.  

Asian food manufacturer Universal Robina Corporation shifted to a multicloud architecture to support remote workers after the pandemic. It uses SD-WAN to connect users and apps to its multicloud architecture securely, wherever they are located. The multicloud integrations enable secure connectivity from branches to the Microsoft Azure cloud and with Microsoft 365 for a superior application experience with informed network routing (INR) that enables the exchange of telemetry between Cisco and Microsoft while providing full visibility to Universal Robina’s IT team. 

Foundational for a SASE architecture 


Another benefit of SD-WAN is that it is one half of a converged secure access service edge (SASE) architecture. SASE radically simplifies security and networking through unified and centralized management to connect users to applications in complex and highly distributed environments. By combining SD-WAN networking infrastructure and routing traffic through a cloud-centric security service edge (SSE) solution, companies can maintain the same level of security for cloud users as data center users (Figure 3).


Figure 3. SD-WAN is foundational to a SASE architecture 

It’s a multicloud world and SD-WAN―with tight integrations to leading cloud, SaaS, and middle-mile providers―is the connective tissue from first mile to last, managing complexity and driving agility throughout sprawling multicloud environments.

What’s more, SD-WAN multicloud integrations bring together each organization’s many different types of transport connections and policies under one management system for secure, consistent service.

The cost savings from automation and the ability to steer traffic on demand with optimized routing are further compelling reasons why SD-WAN continues to grow in popularity. Once established, these features enable IT departments to build an optimized global network in a simplified, fully automated way, within hours. 

Source: cisco.com

Tuesday, 6 June 2023

Understanding Application Aware Routing (AAR) in Cisco SD-WAN

One of the main features used in Cisco SD-WAN is Application Aware Routing (AAR). It is often advertised as an intelligent mechanism that automatically changes the routing path of applications, thanks to its active monitoring of WAN circuits to detect anomalies and brownout conditions.


Customers and engineers alike love to wield the power to steer the application traffic away from unhealthy circuits and broken paths. However, many may overlook the complex processes that work in the background to provide such a flexible instrument.

In this blog, we will discuss the nuts and bolts that make the promises of AAR a reality and the conditions that must be met for it to work effectively.

Setting the stage


To understand what AAR can and cannot do, it’s important to understand how it works and the underlying mechanisms running in unison to deliver its promises.

To begin, let’s first define what AAR entails and its accomplices:

Application Aware Routing (AAR) allows the solution to recognize applications and/or traffic flows and set preferred paths throughout the network to serve them appropriately according to their application requirements. AAR relies on Bidirectional Forwarding Detection (BFD) probes to track data path characteristics and liveliness so that data plane tunnels between Cisco SD-WAN edge devices can be established, monitored, and their statistics logged. It uses the collected information to determine the optimal paths through which data plane traffic is sent inside IPsec tunnels. These characteristics encompass packet loss, latency, and jitter.

The information above describes the relationship between AAR and BFD, but it’s crucial to note that they are separate mechanisms. AAR relies on the BFD daemon by polling its results to determine the configured preferred path, based on the results of the BFD probes sent through each data plane tunnel.

It is a logical next step to explain how BFD works in SD-WAN as described in the Cisco SD-WAN Design Guide:

On Cisco WAN Edge routers, BFD is automatically started between peers and cannot be disabled. It runs between all WAN Edge routers in the topology encapsulated in the IPsec tunnels and across all transports. BFD operates in echo mode, which means when BFD packets are sent by a WAN Edge router, the receiving WAN Edge router returns them without processing them. Its purpose is to detect path liveliness and it can also perform quality measurements for application aware routing, like loss, latency, and jitter. BFD is used to detect both black-out and brown-out scenarios.

Searching for ‘the why’


Having described the mechanism behind AAR, it’s worth asking why it exists at all: why are these measurements taken, and what do we hope to achieve with them? As Uncle Ben once said to Spider-Man, “With great power comes great responsibility.”

Abstraction power and transport independence require significant control and management. Every tunnel built requires a reliable underlay, making your overlay only as good as the underlay it uses.

Service Level Agreements (SLAs) are what keep your underlay healthy on paper: they define how the circuits you contract are expected to perform. An SLA is a legal agreement, though, not a guarantee that the provider delivers on it. In the end, it boils down to what you can demonstrate, and the measurements AAR collects are exactly that evidence.

In SD-WAN, you can configure SLAs within the AAR policies to match your application’s requirements or your providers’ agreements.

The averaged measurements described in the next section are compared against the thresholds (SLAs) configured in the AAR policy. Any tunnel whose averages do not satisfy an SLA class is flagged and logged, and AAR will not select it for that class while it is out of SLA. One caveat worth knowing: if no tunnel satisfies the SLA, the default (non-strict) behaviour is to keep forwarding the traffic across all available tunnels rather than drop it, so an SLA violation does not turn into an outage unless you explicitly configure it to.

Measure, measure, measure!


Having covered the what, the who, and the often-overlooked why, it’s time to turn our attention to the how!

As noted previously, BFD measures link liveliness and quality: it collects the result of every hello, records it, and logs it. The next step is to normalise that data so it can be compared against thresholds, which is done by averaging the measurements over time.

Now, how does SD-WAN calculate these average values? By default, quality measurements are collected into buckets, one per poll interval, and the buckets are then averaged. The defaults are 6 buckets (the app-route multiplier), each bucket 10 minutes long (the app-route poll interval), with one BFD hello sent every 1000 msec.


Putting it all together (by default):

◉ 6 buckets
◉ Each bucket is 10 minutes long
◉ One hello per second, or 1000 msec intervals
◉ 600 hellos are sent per bucket
◉ The average calculation is based on all buckets

Finding the sweet spot


It’s important to remember that these calculations are meant to be compared against the configured SLAs. Because the result is a moving average, a brownout or outage is not reflected in the AAR decision immediately, even though BFD itself will already have declared a complete blackout down after the configured number of missed hellos (7 by default, so about 7 seconds at the 1-second hello rate). With default values it takes around 3 poll intervals (roughly 30 minutes) for a degraded transport locator (TLOC) to drop out of the AAR-eligible set; exactly how many depends on how far the new measurements exceed the threshold, and recovery takes just as long in the other direction. Note also that the probes travel inside the IPsec tunnels, so a party on the transport cannot feed AAR forged measurements; what it can do is degrade the path, and AAR reacts to that only at the speed of the average.
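To make the bucket arithmetic above concrete, here is a small Python model, added for this write-up and not Cisco’s code. It feeds simulated BFD hello results into 10-minute buckets, keeps the moving average over the last six buckets, checks that average against a constructed voice SLA class (2% loss, 150 ms latency, 30 ms jitter) and shows when a degraded transport falls out of the eligible set. The tunnel names (mpls, biz-internet), the 5% loss pattern and the SLA thresholds are assumptions; the jitter calculation is a simplification, and the fallback of keeping every tunnel usable when none meets the SLA follows the documented non-strict default rather than any vManage code.

```python
"""Model of how Cisco SD-WAN AAR turns BFD hellos into path decisions.

Added example, not Cisco code. It reproduces the bucket / moving-average
mechanics described in the post using the documented defaults (6 buckets,
10-minute poll interval, 1000 ms hello). The SLA thresholds, tunnel names and
traffic pattern below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass


def _avg(values):
    values = list(values)
    return sum(values) / len(values)


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an AAR policy compares the averaged tunnel stats against."""
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float


class TunnelStats:
    """Per data-plane tunnel bookkeeping: hellos -> buckets -> moving average."""

    def __init__(self, name, buckets=6, poll_interval_s=600, hello_ms=1000):
        self.name = name
        self.hellos_per_bucket = poll_interval_s * 1000 // hello_ms  # 600 by default
        self.buckets = deque(maxlen=buckets)  # (loss_pct, latency_ms, jitter_ms)
        self._rtts = []  # RTTs of hellos answered in the bucket being filled
        self._sent = 0   # hellos sent in the bucket being filled

    def add_hello(self, rtt_ms):
        """Record one BFD echo result; rtt_ms=None means the hello was lost."""
        self._sent += 1
        if rtt_ms is not None:
            self._rtts.append(rtt_ms)
        if self._sent == self.hellos_per_bucket:
            self._close_bucket()

    def _close_bucket(self):
        loss = 100.0 * (self._sent - len(self._rtts)) / self._sent
        if self._rtts:
            latency = _avg(self._rtts)
            # jitter modelled as mean absolute change between consecutive RTTs
            diffs = [abs(a - b) for a, b in zip(self._rtts, self._rtts[1:])]
            jitter = _avg(diffs) if diffs else 0.0
        else:
            # blackout bucket: nothing answered, so it can never satisfy an SLA
            latency = jitter = float("inf")
        self.buckets.append((loss, latency, jitter))
        self._rtts, self._sent = [], 0

    def app_route_stats(self):
        """Moving average over the retained buckets, which is what AAR evaluates."""
        if not self.buckets:
            return None
        return (_avg(b[0] for b in self.buckets),
                _avg(b[1] for b in self.buckets),
                _avg(b[2] for b in self.buckets))

    def meets_sla(self, sla):
        stats = self.app_route_stats()
        if stats is None:
            return False
        loss, latency, jitter = stats
        return (loss <= sla.loss_pct and latency <= sla.latency_ms
                and jitter <= sla.jitter_ms)


def eligible_tunnels(tunnels, sla):
    """Tunnels AAR may use for a class. If none meets the SLA every tunnel
    stays in use (the documented non-strict default), so traffic keeps flowing."""
    ok = [t.name for t in tunnels if t.meets_sla(sla)]
    return ok if ok else [t.name for t in tunnels]


def simulate_brownout(sla, degraded_buckets, loss_every=20):
    """Constructed scenario: 'mpls' stays clean; 'biz-internet' is clean for six
    buckets, then loses one hello in `loss_every` (5% loss) for `degraded_buckets`
    poll intervals. Returns (avg loss %, eligible tunnels) after each degraded bucket."""
    mpls, inet = TunnelStats("mpls"), TunnelStats("biz-internet")
    per_bucket = mpls.hellos_per_bucket
    for _ in range(6 * per_bucket):
        mpls.add_hello(20.0)
        inet.add_hello(30.0)
    history = []
    for _ in range(degraded_buckets):
        for i in range(per_bucket):
            mpls.add_hello(20.0)
            inet.add_hello(None if i % loss_every == 0 else 30.0)
        history.append((round(inet.app_route_stats()[0], 2),
                        eligible_tunnels([mpls, inet], sla)))
    return history


if __name__ == "__main__":
    voice = SlaClass("voice", loss_pct=2.0, latency_ms=150.0, jitter_ms=30.0)
    for n, (loss, paths) in enumerate(simulate_brownout(voice, 4), start=1):
        print(f"degraded bucket {n}: biz-internet avg loss {loss}% -> usable {paths}")
```

Running it shows the lag the post describes: with a 5% brownout against a 2% threshold the averaged loss climbs 0.83%, 1.67%, 2.5%, and biz-internet is excluded only after the third degraded poll interval, half an hour into the problem with default timers. A harsher brownout crosses the threshold in fewer buckets, a milder one in more, and once the circuit recovers the same number of clean buckets has to accumulate before the tunnel is eligible again.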


Can these values be tweaked for faster AAR decision making? Yes, but it is a trade-off between stability and responsiveness. Shortening the poll interval, reducing the number of buckets (the app-route multiplier), or lowering the BFD hello interval and multiplier (the number of hellos that may be missed before a tunnel is declared down) makes AAR react sooner, but it also makes a circuit that is merely noisy fail its SLA and can cause paths to flap, with every flap re-routing the application traffic.

Whatever values you choose, the averaged results are only meaningful relative to the SLAs configured in the policy.


Phew, who would have thought that magic could be so mathematically pleasing?

Source: cisco.com

Tuesday, 20 September 2022

Deploy and manage networks globally with Cisco SD-WAN Multi-Region Fabric

How often do we prefer to avoid a detour to reach our home, office, restaurant, or subway station? The answer is – every time! We do not have the time for detours and delays in life as it affects our productivity and schedule. Similarly, business networks also need non-stop connectivity for greater performance and scalability.

As enterprises continue to grow and expand, they need a network that scales at the speed of their business. New business models drive the need for a network design that ensures seamless connectivity and greater application performance.

Multicloud infrastructure necessitates the need for networks with global connectivity


The accelerated adoption of a cloud-first strategy has changed how IT teams should design and deploy networks to manage global connectivity. With applications and workloads moving to multicloud architectures, businesses need to ensure that their SD-WAN design and architecture can scale easily without impacting the connectivity and performance end-users expect across the globe. To achieve network scalability, organizations are pivoting to designs that split the network into multiple regions, with geo-specific points-of-presence (PoPs) or Service Exchanges, leading to a hierarchical architecture. This hierarchical architecture lets customers use different transport service providers for each region and for the central core-region network, to optimize costs and deliver better traffic and application performance. To make the best use of these different transports, enforce common routing and business policy intent across regions, and use the rich feature set of SD-WAN, enterprises are leaning towards deploying an end-to-end SD-WAN fabric across such networks.

Figure 1. The challenges of a tiered or hierarchical network design

Adopting a multi-region network design means resolving a few network and operational challenges. A middle-mile or global backbone WAN is increasingly used to connect the regions, and enterprises are looking for ways to integrate that middle mile with the rest of the network without the added complexity of operating, configuring, monitoring, and troubleshooting it as a separate entity. As these deployments grow in complexity and scope, enterprises need a more effective way to scale connectivity across regions while preserving application performance. A direct approach is to extend the SD-WAN fabric over the middle-mile WAN as well, so that SD-WAN manages both intra- and inter-region site-to-cloud and site-to-site traffic from a single pane of glass.

Cisco SD-WAN Multi-Region Fabric – Your pathway to global network connectivity


Cisco SD-WAN Multi-Region Fabric is a new suite of capabilities that divides a single Cisco SD-WAN overlay network into multiple regions with a central core-region network for managing inter-regional traffic. You can scale the network architecturally and operationally by introducing the concept of regions and device roles natively into your SD-WAN solution. It enables you to extend the Cisco SD-WAN fabric across multiple regions within your network as well as the middle-mile, to provide:

◉ End-to-end SD-WAN capabilities and control

◉ End-to-end encryption of inter-region traffic

◉ Transport independence

◉ Performance measurements

◉ Greater control over traffic paths between domains

Figure 2. Multi-Region Fabric reducing operational complexity by introducing ‘regions’ and device ‘roles’ natively into Cisco SD-WAN

Multi-Region Fabric offers advanced capabilities such as region-aware routing and simplified site scalability for higher throughput, and it reduces the complexity of network architecture and policy configuration. It can enforce a common traffic-steering policy across the entire WAN or per region, along with end-to-end WAN segmentation, all through a single dashboard (vManage) for configuring, monitoring, and troubleshooting the network. With it, a globally distributed network can be created in minutes with a few clicks.

Multi-Region Fabric means reduced complexity, increased scalability & greater performance


This new architecture can provide significant benefits for customers, partners, and Managed Service Providers (MSPs) who are considering the adoption of a hierarchical network design (with a middle-mile) for use cases such as:

◉ Regionalization of network services such as Security, Identity Management, Netflow, Logging, WAN optimization, etc.

◉ Improving multicloud and SaaS user experience by providing high-quality onramps into Software as a Service (SaaS) and cloud infrastructure providers (Amazon Web Services, Microsoft Azure, Google Cloud Platform) via regional PoPs.

◉ Reducing time spent on the last mile for user traffic.

◉ Adapting network scale, compliance, or resiliency in a geo/segment/region-specific manner.

The Multi-Region Fabric Advantage  


◉ Scalable architecture to address dynamic network needs & business intent across regions

◉ Simplified policy design brings operational simplicity by eliminating the need for complex business/routing policies

◉ Flexibility to select the best transport for each region provides better performance for traffic across geographical regions

◉ Operationally easier to deploy and manage

Your growing business needs a network that can keep up with it, and Cisco SD-WAN Multi-Region Fabric can help you build and manage that network.

We understand deciding how to deploy SD-WAN for the best network scalability can bring uncertainty. How you reduce costs and complexity, simplify policy management, provide secure, seamless connectivity, and ultimately deliver superior user experience may also be difficult to fully understand. Join us for a live webinar and demo to learn more. Our speakers Hamzah Kardame, Leader, Product Management for Cisco SD-WAN, and Tahir Ali, Technical Marketing Engineering Technical Leader for Cisco SD-WAN will discuss:

◉ Why networks need more scalability and flexibility in today’s hybrid and multicloud environments

◉ How WAN architectures are evolving and the rise of middle-mile WAN-based network designs

◉ The challenges that come with adopting such next-gen WAN architectures

◉ Which Multi-Region Fabric capabilities are available within Cisco SD-WAN to support this transition

◉ How Cisco SD-WAN Multi-Region Fabric works and what is ahead

Source: cisco.com

Friday, 20 May 2022

Want SASE? Just Add Software!

Twenty-first-century networking

It seems like a simple idea. All you want is to get the network to do what you intend it to. Nothing more, nothing less. But in today’s world, there are so many factors when it comes to networking: more users, more devices, security concerns, various domains, distributed applications, cloud, artificial intelligence (AI), 5G, IoT — the list goes on and on.

Cisco’s SD-WAN can help you. It transforms a legacy manual network into a software-defined overlay that helps both automate deployment and management and provides more intelligence with policies for path selection to improve user experience. Those policies are then applied consistently across the network, a network that now uses insights and automation to continuously monitor and adjust network performance to meet your business intent. Think of it as a continual feedback loop of incremental improvement.

Building upon the connectivity of SD-WAN, secure access service edge (SASE) is an architecture that combines connectivity and security. Coined by Gartner in 2019, SASE unifies SD-WAN networking and security services into a cloud-delivered architecture to provide access and security from edge to edge — including the data center, remote offices, roaming users, and beyond.

Is your wide area network underpinned by a 1000 Series ISR? Are you running 4000 Series ISRs? Do you have a few ASR 1000 Series units? Did you have a Cisco ONE license? Did you recently renew your Software Support Service (SWSS) on those devices? Consider this: the Cisco routing devices you currently have in your wide area network may already hold your ticket to entry into the world of SD-WAN and SASE.

You don’t need a forklift

“How can that be?” you may be wondering. The answer lies in the magic of software.

Think of it this way. In the past, if you wanted to upgrade the performance of a car, you had to swap out hard parts. Camshafts. Differentials. Transmissions. Engines.

Today, many cars just need a software update to the engine control module (ECM). Dinan for BMW. Cobb Tuning for Mitsubishi. And of course, Tesla and its downloadable software updates to unlock the high-performance “Ludicrous Mode.”

Figure 1. Tesla Driver Console

Not a car buff? Then how about mobile phones? Same hardware, but new Android or iOS software with added functionality. For example, the iPhone 6S came out in September 2015 running iOS 9. Six years and an equal number of major software releases later (iOS 15.2 was released on December 13, 2021), the iPhone 6S can be still upgraded to iOS 15.2.

Why shouldn’t it be the same for networking hardware? Upgrade the software and enjoy new functionality on your old hardware. Did you know that your Cisco routers are also software-based? This may enable you to migrate from traditional routing to SD-WAN with the hardware you have today. You may even have the Cisco DNA software entitlement already and not know it!

Figure 2. Cisco Router Families

Where the bytes meet the copper


You likely have some or all of the three product families shown above (the ISR 1000 Series, the ISR 4000 Series, and the ASR 1000 Series) supporting your traditional routing network. And they have undoubtedly been doing an exemplary job. But those devices are capable of so much more. In fact, these models can be upgraded to our latest software for routers: Cisco IOS XE SD-WAN. With this new software they can handle your changing traffic pattern: the tsunami of traffic headed to new cloud services and software-as-a-service (SaaS) applications in public clouds and the internet.

Cisco makes this upgrade easy with an SD-WAN conversion tool that greatly facilitates migrating from traditional routing to SD-WAN. This tool analyzes your current router configuration and automatically creates a new router configuration for SD-WAN. Not only does this save countless hours of work, but it also guarantees consistency in the configuration of each branch router. You can even automate the software installation with Cisco vManage zero-touch upgrading.

All it takes to unlock these latent capabilities is Cisco DNA Software for SD-WAN and Routing. Three subscription tiers are available: Essentials, Advantage, and Premier, each aligned to the degree of SD-WAN security, management, and automation a network team needs. Every Cisco DNA Software for SD-WAN and Routing subscription also includes a perpetual license, one that never expires, covering all aspects of traditional routing.

Figure 3. Cisco Subscription Licensing for SD-WAN

For those of you looking to continue your journey with SD-WAN into the world of SASE, Cisco provides all the core building blocks of a SASE architecture and Cisco DNA Premier is your tier. Once in place, you can layer on Cisco Umbrella for security, Cisco Duo for zero-trust network access, and Cisco ThousandEyes for internet and cloud visibility. This combination of best-in-class networking, connectivity, security, and extended visibility capabilities helps you deliver an exceptional user experience across a distributed IT landscape. 

You don’t want to miss out!


If you recently renewed your Cisco SWSS for your routers, you may not have noticed that Cisco DNA Essentials for SD-WAN and Routing is included. This means that initiating the jump into SD-WAN may be a no-cost endeavor for you. You really do owe it to yourself to at least explore the possibility of migrating over to SD-WAN to avail yourself of its benefits, especially if you already own the license to enjoy it.

And finally, don’t let that subscription lapse. The traditional routing perpetual license is nice to have, but there are two things you need to be aware of with that license. First, any network management you enjoy through Cisco DNA Center is contingent upon a valid Cisco DNA license. And second, you will lose the entitlement to use any SD-WAN functionality should the subscription license expire.

Source: cisco.com

Thursday, 28 April 2022

Cisco vAnalytics: Simplifying Your Network Operations

“Change is the only constant in life” – this famous quote, attributed to the Greek philosopher Heraclitus, is often used in a positive light. Try saying it to a network administrator, who constantly has to deal with changes in the network environment, and you will likely get a frown!

Cisco vAnalytics within an SD-WAN network

Over the past few years, SD-WAN has evolved to securely connect the hybrid workforce of an organization to applications deployed across multiple clouds and data centers. Typically, SD-WAN is built over a variety of transport paths, and it implements application-aware traffic routing to connect users to applications via the optimal transport path. However, there are many moving parts in these underlying transport paths that organizations do not control, and they are often in constant flux. Hence, organizations seek analytics solutions that offer greater visibility into their networks and provide insights that help these organizations take proactive measures to improve application delivery. Cisco vAnalytics is a cloud-hosted SaaS service that aggregates a large volume of telemetry data gathered from various vantage points within an SD-WAN network and produces insights that are otherwise hard to discern from raw monitoring data.   

Cisco launched a new version of its vAnalytics service, and here are its key benefits:

Enhanced Visibility

◉ Quickly assess your overall network and applications health – get a pulse on the quality of application experience and the uptime of your WAN circuits and sites.

◉ Get a perspective into the long-term historical behavior of your application and network performance metrics in order to establish benchmarks and detect deviations.

◉ Compare the performance of your applications and understand ongoing trends such as a drop in the quality of application experience (QoE) and a rise in application usage or latency.

Figure 1. Summary Dashboard showing an aggregated network and application health while drawing attention to problem areas

Faster Diagnosis with Actionable Insights


◉ Quickly detect applications experiencing problems and the magnitude of these problems to assess their overall impact.

◉ Get a multi-dimensional 360-degree view of an application experience alongside its associated network health—both at the aggregate and individual site level—to quickly isolate problem areas and reduce mean time to resolution (MTTR).

◉ Identify if your application or network issues are local to a site or a region, and accordingly narrow your target area to reduce mean time to identification (MTTI).

Figure 2. Application behavior over time with the correlated application-layer and network-layer performance indicators

Proactive Analytics


◉ Facilitate the exchange of telemetry data between Cisco SD-WAN and Microsoft 365 to optimize the delivery of Microsoft productivity applications using Cisco Cloud OnRamp for SaaS capabilities.

◉ Assess the quality of application experience across different application classes and adjust your application-aware routing policies to achieve optimal delivery.

◉ Schedule periodic reports for offline review and analysis in order to further optimize your network.

Figure 3. Application Dashboard with rich insights on application behavior, usage, trends, and distribution by application classes

You do not need to dive into deep waters to discover these nuggets: all the information listed above is available in just a few clicks through intuitive workflows built over a state-of-the-art graphical interface. Furthermore, this analysis can be exported as a password-protected PDF report.

Figure 4. A Sample Site Summary Report

Source: cisco.com

Tuesday, 8 March 2022

EIS in Transition: Impacts on Digital Transformation for Federal Networks

For Federal agencies, Enterprise Infrastructure Solutions (EIS) has provided a comprehensive, solution-based method to address their IT telecommunications and infrastructure needs. Over the years, EIS has seen many changes that directly impact stakeholders, but its primary purpose as a key driver for the digital transformation of enterprise telecommunications and networking solutions remains unchanged. Yet the legacy contracts many agencies still rely on, such as Networx and WITS 3, expire on May 31, 2023. To maintain momentum for digitization, Federal agencies must begin the transition now by strategically mapping how and where it should start.

What’s next for Federal Digital Transformation?

For decades, Cisco has built a strong relationship with the U.S. Federal Government. Our portfolio of products, solutions, and services provide Federal agencies with the critical technology and support they need to enable the transformation of their networks within the EIS contract.

By leveraging these existing contracts, agencies are reducing costs and acquisition time. They’ve been able to digitize aging systems and catch-up to the private sector in capabilities. But now what? Which direction should Federal agencies go as they transition contracts within EIS? The simple answer: Cisco SD-WAN.

Beyond EIS with SD-WAN

Cisco SD-WAN is the premier choice for replacing expensive and aging legacy WAN. Federal agency networks leveraging Cisco’s SD-WAN solution can benefit from:

◉ Enhanced user experience

◉ Reduced costs

◉ Simplified operations

◉ Improved performance

◉ And robust security.

Cisco SD-WAN enables more efficient bandwidth allocation, powering critical applications to faster, smoother performance. This capability is now a necessity as Federal agencies move to cloud services and witness an explosion of app-wielding users connecting remotely.


Wi-Fi 6 for the Federal Government


The transition in EIS contracts also provides Federal agencies with the opportunity to rethink their adoption of new and emerging technologies. One example is Wi-Fi 6. It builds on earlier Wi-Fi standards to provide gigabit-class wireless access, with reliability and predictability closer to what licensed radio delivers, while still operating in unlicensed spectrum.

Cisco Wi-Fi 6 Solutions let users of modern, more agile networks benefit from new capabilities while connecting wirelessly. Cisco’s Wi-Fi 6 gives access points the power to support more clients in dense environments, plus it provides a better experience for users of typical wireless LAN networks.

Partnering for the future of EIS


In late 2021, the General Services Administration (GSA) issued a Request For Information (RFI) seeking comments to modify the EIS contract so that agencies can more quickly obtain mobility-as-a-service (MaaS) offerings (starting in late 2022). This expansion of EIS would allow for the use of 5G and bring the benefits of edge compute to the government workforce.

At Cisco, we’re also planning to provide additional capabilities to the U.S. Government, including 5GaaS capabilities. This could be a game-changer, enabling the U.S. Government to take advantage of mobility services.


For Federal agencies, the transition in EIS contracts provides a unique opportunity to leverage innovative technologies that can maximize network agility and security while enhancing workforce productivity.

At Cisco, we understand this and are helping shape the future of government with products, solutions, and services that empower agile networks, enhanced collaboration, and a holistic security approach. By preparing now, your agency can leverage the upcoming EIS transition to help shape that future.

Source: cisco.com

Tuesday, 15 February 2022

The SASE story: How SASE came to be, and why it has quickly become the default architecture


Secure Access Service Edge (SASE) has quickly become one of the hottest topics related to cloud, networking, and security architectures. As Cisco engineers, we have seen hesitation and confusion among some customers on what SASE really means. We hope to answer most of those questions here.

What is SASE, and how is it related to the Cloud Edge, Zero Trust, and SD-WAN? SASE has positively impacted how we run our IT organization, and how we envision Enterprise IT customers will run theirs. To accurately explain what SASE is, and why SASE came to be, we must look at the evolution of how data is stored and transported within an enterprise.

Our journey started inside the data center

A decade ago, many of us lived in a data center-centric world, and security was simpler to implement. Here at Cisco, we moved data inside the four walls of our data centers and assumed complete trust. The corporate office, the MPLS circuits between sites, and the Cisco data centers were all within a trusted environment, which enabled us to meet our security and compliance requirements.


Move to hybrid cloud and hybrid work


However, while many enterprises still focus on data center-centric applications for their core business needs, the world is shifting towards cloud-based application development. This enables faster and more efficient deployment of software and services to meet ever-changing business needs.

IT organizations have also shifted from a model of only managed devices (PC or laptop) for use within the trusted corporate network to allowing users to work on multiple devices from just about anywhere. The emergence of BYOD (Bring Your Own Device) as well as remote work had already been gaining traction in the industry over the past few years, and this trend significantly accelerated with the onset of the COVID-19 pandemic. Now, employees are expected to be able to work from anywhere, and any device. Combined with the distribution of resources across on-prem networks and the cloud, Hybrid Work presents a significant security problem as business users and application providers are no longer fully controlled by the IT organization.

To address security concerns in the interim, network architects designed a model where all user/cloud interactions were routed back, or backhauled, through a data center — i.e. the trusted entity — prior to being redirected to the cloud application. While meeting the security needs, this model has performance and cost challenges.

Arriving at SASE


To improve security and efficiency, a SASE-like architecture was developed internally by Cisco IT. The model we used for the architecture provides every user with a security profile tailored to their access privileges and uses a Zero-Trust approach to identify and authenticate users and devices before allowing a direct connection between the cloud and the access edge.

Ultimately, SASE is the convergence of networking and security functions in the cloud to deliver reliable, secure access to applications, anywhere users work. The Cisco SASE model works by combining SD-WAN for network, with cloud-based security capabilities such as Secure Web Gateway, Firewall as a Service, Cloud Access Security Broker, and Zero Trust Network Access into one, single, integrated cloud service.

CloudPort and the evolution of SASE at Cisco


Cisco’s SASE journey started with CloudPort, a hardware-based, on-prem, self-managed Cloud Edge platform delivered at colocation data centers around the world. While CloudPort provided a single platform for network and security, it brought cost challenges, relied on traditional perimeter security, lacked the agility to scale up and down, and required specialized skillsets.

To address these challenges, we first modernized the on-prem CloudPort solution, and put in motion a plan to move from on-prem to as a service or hosted SASE capabilities. The Customer Zero team, which deploys emerging technology in real life environments to provide critical feedback to the BU early in the product lifecycle, created a strategy to move to SASE, testing do-it-yourself and as-a-service models. The findings from the Customer Zero internal testing have guided our external offering strategy.

During this testing period, Cisco IT has moved from a ‘do-it-yourself’ model to a Cisco hosted/managed solution.

Source: cisco.com