Friday, 6 July 2018

Why Your Campus Network Needs Intent

In this blog, we look at the campus network, where IT professionals have traditionally required intricate, expert knowledge and extensive configuration expertise to manage a wide range of technologies and devices arranged in multi-tier switched or routed-access networks, complemented by wireless-overlay networks.

Campus networking can be hard! But help is at hand…


Access networks are at the heart of many IT teams’ operations, yet it can be no easy task for IT teams to authenticate, authorize, segment, monitor, and allocate the appropriate resources in a campus network. However, recent innovations in intent-based networking can bring relief throughout all phases of its operational lifecycle. Let’s explore how.


Simplify Provisioning for Campus Networks


With a Cisco intent-based network, administrators can start by automating software-defined-access (SD-Access) network configurations. Switches are added to the network using Digital Network Architecture LAN Automation, leveraging Cisco plug-and-play functionality. The DNA Center then pushes the correct configuration (consistent with the role of the device). The result? Automated provisioning of an entire campus network within minutes.

Manage by Identity, Not IP Address: Group-Based Policies for Endpoints


Before intent-based networking, IT had to plan Internet Protocol (IP) addressing and virtual-local-area-network (VLAN) structure to separate users and devices into confined segments. IT teams have also had to take care of the associated Authentication, Authorization and Accounting (AAA) policies. These policies may have:

◈ varied by device type (think IoT) or user-group
◈ treated wired and wireless access differently.

Each device needs to be configured to represent the application policies that IT teams wish to implement for users or end-devices throughout the access network, in order to achieve the desired transport treatment.

In an intent-based network, endpoints are referenced by a natural expression of their identity, as opposed to classification by IP addresses.

Endpoints can then be grouped together based on their natural attributes, and a group-based policy (GBP) can then be applied. A large number of endpoints can then be treated as one – in a single group – which reduces the scale and complexity of the network (from the operator’s perspective). Overall, these natural and highly powerful abstractions can dramatically improve the human understandability and ease of operating a network.

Segmentation policies are abstracted by means of overlay networks.

Users and devices in a group-based policy can then be placed into their own virtual networks that are constructed independently of virtual local-area network (VLAN) tags or internet-protocol (IP) prefixes.

No more mental acrobatics!


In an intent-based-network application, policies – such as quality of service (QoS) – are also applied through the abstracted expression of intent. For example:

◈ applications can be marked as “business critical”, “default” or “irrelevant”
◈ a Cisco DNA controller can then derive the configurations needed to support the intended application policy, taking the controller’s holistic knowledge of devices and state into account.

Automation then drives the desired capabilities into the network. No more mental acrobatics for network managers to work out command-line interface (CLI) commands, and no manual steps to configure each switch (and its operating system) individually via the CLI!

Express your segmentation policy by first associating devices or users with groups, and then groups to network segments – it’s that simple!

Since segmentation policies are anchored by a group tag in the virtual extensible LAN (VXLAN) frame headers, both wired- and wireless-connected devices can be treated consistently and in a unified manner.


Know What’s Going on in Your Campus Network


Comprehensive assurance functions provide a Cisco intent-based access network with major advantages over a traditional switched campus.

Historically network administrators have had limited visibility across a network, and limited tools to confirm that the network is operating as desired. Often, problems were only realized after the fact, when something in the network went wrong.

The assurance functionality of an intent-based network now provides ongoing visibility into network operations. Various forms of network data are gathered, recorded and analyzed continuously using sophisticated algorithms and machine learning to determine if the campus network is behaving as intended.

In case of discrepancies between the desired intent and actual operation, the assurance capabilities can even suggest remedies to take corrective actions.

Wednesday, 4 July 2018

Scaling Visibility and Security within the Operational Technology (OT) Environment

Mid- to large-sized enterprises have for many years built the operational technology (OT) environment like an egg: a hard exterior protected by traditional security elements such as firewalls, IDS/IPS, and malware detection (if you are lucky), but a soft interior that leaves critical operational assets exposed to advanced threats with little or no visibility.

As companies continue to digitize, more and more devices are getting added to the network. Therefore, visibility into the operational network has become critical in order to maintain secured operations. The image below highlights some of the things you may want to consider when it comes to securing the operational environment in today’s threat landscape.


Cisco Stealthwatch overcomes the visibility and security analytics challenges by maximizing existing investments in your network infrastructure. It collects rich network telemetry (NetFlow, sFlow, etc.) and establishes a baseline of the network environment using behavioral analytics and multilayered machine learning to detect what is abnormal. We will discuss this in more detail, but first let’s discuss the challenges most organizations face today.

A hard exterior may include one, many, or all of the following: firewalls, intrusion detection/prevention systems, content protection, DNS-based controls, malware inspection, and email inspection. These controls and inspection points may exist at the edge of the operational environment and/or within the business network. In the past this reduced a significant amount of risk to the operational environment, but in today’s world it is no longer enough. A soft interior presents a variety of risks, which may include:

◈ Supply Chain: The firmware you downloaded was compromised by a bad actor. Would you be able to detect or alarm on the subtle behavioral changes in the network that indicate something of interest?

◈ Normal Operations: Do you truly understand how the network operates 24x7x365, and are you able to detect changes based on new behaviors? These changes may be related to a security event, but may also stem from a misconfiguration.

◈ Localized Malware: Malware introduced to systems by field technicians, contractors, USB keys, etc. Would you be able to detect the changes in network behavior caused by this new threat?

◈ Protection Agents such as anti-virus: Not all of your assets within the operational environment will support agents, and/or the vendor will not allow agents on the systems; if they are installed anyway, the vendor may revoke support. The network provides an opportunity to detect anomalous and/or bad behaviors without an agent.

◈ Confidence in the control: Are you certain the controls in place are working 100% of the time? What about fat-finger errors when adding a control? Are systems talking to systems they should not be? The network can provide this much-needed insight.

◈ Compliance/Audit: Today, the audit process may include examining multiple access control lists and requires multiple teams to show whether a control exists and whether communication into the environment meets the compliance requirement. Does this really ensure that the control was accurate throughout the year, or only during the audit? The network can give you the ability to go back through the year and prove the control was in place and no unauthorized communication took place.

These are some simple examples of the challenges and risks of deploying a hard exterior only. As the operational environment continues to evolve and IP becomes more prevalent deeper within it, there is an opportunity to gain greater visibility by leveraging network telemetry data, something your operational environment may already produce today. Note: not all telemetry data is the same, but a technology that supports multiple kinds of network telemetry gives the consumer greater coverage.

The benefits of leveraging the network include not only visibility into the operational process but also help in troubleshooting the environment. I have captured a few of the business outcomes we have seen in customers’ environments as a result of deploying Cisco’s Stealthwatch solution.

◈ Host group zoning (creating a logical boundary) within the operational environment to alarm on communication activity that violated the logical trust boundary. Business outcome: risks to the environment identified earlier in the process, maintaining secure and trusted operations.

◈ Anomaly detection discovered a compromised camera port-scanning the network. Business outcome: significantly reduced the time to detect and allowed the team to mitigate the threat sooner, with no disruption to business operations.

◈ A problematic wireless access point on the factory floor that was occasionally flooding the plant floor with goofy packets. Business outcome: the issue was mitigated sooner, which ensured that the integrity of the network was maintained.

◈ Connectivity aberrations in the distribution network: abnormal, but not necessarily an attack. Business outcome: the network was optimized, ensuring maximum operational uptime before an incident was realized within the operational environment.

◈ Systems chatting with assets that were supposed to be retired. Business outcome: removal of the retired assets, reducing the potential threat vectors in the environment and optimizing it.

◈ A spike in traffic that was not an attack itself but an indicator of change that may have disrupted the operational network if left unexamined. Business outcome: the issue was quickly identified, which allowed the right team to be engaged to mitigate the spike in traffic. This also removed the concern about a potential security breach, optimizing resource allocation and reducing mean time to repair.

Cisco Stealthwatch provides deep visibility by leveraging metadata (telemetry) from the network, providing security at scale. It also integrates with other solutions to do full packet capture in areas where this is required. Stealthwatch can ingest any kind of telemetry from across the extended network, including endpoints, branch, data center, and cloud. Behavior-based analytics, machine learning, and global threat intelligence that is 100% out-of-band is a recipe for success in both IT and OT environments!
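As an added illustration of the host group zoning, port-scanning camera and retired-asset outcomes listed above (this is example code, not Stealthwatch’s own logic), the following Python check runs a zone policy and a simple scan heuristic over constructed NetFlow-style records; the zone CIDRs, the allowed-communication table and the probe-size threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One NetFlow-style record (constructed; only the fields the checks need)."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes: int


# Host groups (logical zones) as CIDR blocks. Assumed layout for this example.
# The /32 under "retired" sits inside the PLC /24 on purpose: an asset that was
# meant to be decommissioned but is still reachable.
HOST_GROUPS = {
    "plc_zone": ["10.10.0.0/24"],
    "hmi_zone": ["10.20.0.0/24"],
    "cameras": ["10.30.0.0/24"],
    "enterprise": ["10.100.0.0/16"],
    "retired": ["10.10.0.200/32"],
}

# Permitted cross-zone conversations: (src_group, dst_group, dst_port or None=any).
# Anything not listed (and not intra-zone) violates the trust boundary.
ALLOWED = {
    ("hmi_zone", "plc_zone", 502),     # Modbus/TCP polling from HMIs to PLCs
    ("enterprise", "hmi_zone", 443),   # HTTPS from the business network to HMIs
    ("cameras", "enterprise", 554),    # RTSP streams to a video server
}

NETWORKS = [(ip_network(c), g) for g, cidrs in HOST_GROUPS.items() for c in cidrs]


def resolve_group(ip: str) -> str:
    """Longest-prefix match, so the /32 'retired' entry wins over its enclosing /24."""
    addr = ip_address(ip)
    best = None
    for net, group in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1] if best else "unknown"


def is_allowed(src_group: str, dst_group: str, dport: int) -> bool:
    """Intra-zone traffic is permitted; retired or unknown hosts never are."""
    if src_group == dst_group and src_group not in ("retired", "unknown"):
        return True
    return any(s == src_group and d == dst_group and (p is None or p == dport)
               for s, d, p in ALLOWED)


def check_zoning(flows: List[Flow]) -> List[Dict[str, object]]:
    """Return every flow that crosses a trust boundary the policy does not allow."""
    violations = []
    for f in flows:
        sg, dg = resolve_group(f.src), resolve_group(f.dst)
        if not is_allowed(sg, dg, f.dport):
            violations.append({"src": f.src, "src_group": sg, "dst": f.dst,
                               "dst_group": dg, "dport": f.dport})
    return violations


def detect_port_scans(flows: List[Flow], threshold: int = 5,
                      probe_bytes: int = 120) -> Dict[str, int]:
    """Flag sources touching >= threshold distinct (host, port) pairs with tiny flows.
    The byte ceiling is an assumed heuristic for connection probes."""
    targets = defaultdict(set)
    for f in flows:
        if f.bytes <= probe_bytes:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample telemetry: two normal conversations, one business host
# reaching straight into the PLC zone, an HMI still talking to a retired PLC,
# and a camera that has started probing PLC-zone hosts on assorted ports.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.10.0.7", "tcp", 502, 4200),
    Flow("10.100.1.9", "10.20.0.5", "tcp", 443, 8800),
    Flow("10.100.1.9", "10.10.0.7", "tcp", 502, 300),
    Flow("10.20.0.5", "10.10.0.200", "tcp", 502, 900),
    Flow("10.30.0.4", "10.100.2.20", "tcp", 554, 50000),
] + [
    Flow("10.30.0.4", "10.10.0.%d" % host, "tcp", port, 60)
    for host, port in ((7, 22), (7, 23), (7, 80), (8, 502), (8, 445), (9, 102))
]


if __name__ == "__main__":
    for v in check_zoning(SAMPLE_FLOWS):
        print("ZONE VIOLATION", v)
    for src, n in detect_port_scans(SAMPLE_FLOWS).items():
        print("POSSIBLE SCAN", src, "touched", n, "host/port pairs")
```

Swapping `SAMPLE_FLOWS` for records parsed from a real collector export is the only change needed to run the same checks against live telemetry.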


Sunday, 1 July 2018

What is CCNA Routing and Switching?

The Cisco Certified Network Associate (CCNA) certification is the second level of Cisco's five-level career certification process. A CCNA certification certifies a technician's ability to install, set up, configure, troubleshoot and operate a medium-sized routed and switched computer network. This also includes implementing and verifying connections to a wide area network (WAN).


What are the other CCNA tracks? "Cisco Associate Level Certifications"


◈ CCNA Security
◈ CCNA Wireless
◈ CCNA Collaboration
◈ CCNA Service Provider
◈ CCNA Data Center
◈ CCNA Cloud
◈ CCDA "Design"
◈ CCNA Industrial
◈ CCNA CyberOps (Cybersecurity Operations)


Which track is considered the best?


There are 10 different CCNA tracks. Each of them is valuable, but some are more valuable than others. The statistics show that the cybersecurity track will be in great demand in the coming years: hundreds of thousands of cybersecurity specialists and experts will be needed each year for the next few years. So CyberOps will have great value in the near future and most probably in the long term.

I’m not saying you should go for the CCNA CyberOps right now, I’m just talking about the market demands and statistics. You can read more about the most demanded CCNA certification here → What is the difference between the CCNA exams?

The main point I want to make in this topic is that no matter which track(s) you decide to study and specialize in, you first need to study the fundamentals and basics, which you get only in CCNA Routing and Switching.

Friday, 29 June 2018

Secure Your Mobile Connections with New IP Blocking Feature

When downloading an application from the App Store, do you actually check the logistics of it? For example, how is it connecting to the internet? Or an even more relatable scenario: that game you were playing while waiting in line paused to present an advertisement, was it triggered by an IP address or a DNS request? The majority of times, users don’t check or understand those nitty gritty details. We simply see something we like, click, and begin launching the app onto our devices.


However, what if that application is connecting to a malicious IP address? If your employee is using a corporate-owned iOS device and downloads that app, this presents a security gap.

Cover All Your Bases: IP Addresses and DNS Requests


The Umbrella extension within Cisco Security Connector serves as a first line of defense against threats by protecting users from malicious domains. Umbrella delivers both DNS-layer encryption and enforcement on top of an intelligent proxy that provides URL and file inspection for risky domains. Therefore, when your employee attempts to make any connections to the internet, Cisco Security Connector is there to protect your business against suspicious app and user-initiated network requests.

But applications can also connect to malicious IP addresses. To counter that, Cisco Security Connector is continuing to innovate with a newly added IP Blocking feature as part of Clarity. This IP Blocking feature now provides complete network protection for your corporate-owned iOS devices. With just a few clicks, admins can add a suspicious IP address to their blacklist and manage that list accordingly, giving more control to businesses. Now, whether it’s a direct IP connection or a DNS request, Cisco Security Connector can secure your users end-to-end.

Image: iOS Events List

Cisco Security Connector


Cisco Security Connector allows businesses to gain deep visibility and control across all devices. With the ability to integrate with existing MDM/EMM such as Cisco Meraki Systems Manager, VMware AirWatch Cloud EMM, and MobileIron on-premises EMM, Cisco Security Connector ensures ease of deployment as well as adaptability to a business’s current environment.

With similar Cisco Advanced Malware Protection (AMP) capabilities extended to iOS devices, users can now gain insight into all application and device behaviors on all devices. Most importantly, as part of the AMP console, admins now have one single location to manage all their endpoints.

Unfortunately, we can’t control our employees’ actions on our network, but we can control the consequences. So, cover all your bases with Cisco Security Connector.

Wednesday, 27 June 2018

Network Management: Don’t React – Act

The future will bring a lot of changes for telecoms, internet and cable service providers: more data, more devices and more services. Cisco’s research predicts that by 2021, annual global IP traffic will reach 3.3 zettabytes (that’s 3.3 trillion gigabytes).


There are two ways things can go for service providers. They can buckle under the pressure, or they can find new operational approaches that help them grow their business by creating the agile, powerful services their customers need.

Proactive Control with Cisco Crosswork


For service providers who want to maintain their competitive edge, the key will be automation: programming large, complex workflows so they can take care of themselves. Automation improves the way your network functions by reducing human error, inconsistencies, and service disruption. It allows you to stay on top of operations, with time to focus on what really matters.

Automation isn’t simple. But our engineers have spent a long time working out how it can best be supported. The result is Cisco Crosswork, a new framework for approaching network operations. With its three key pillars – mass awareness, augmented intelligence, and proactive control – it enables service providers to work with unprecedented precision and efficiency.

Cisco Crosswork gathers comprehensive data and then runs this through a sophisticated analysis, enabling actionable insights. At its heart is the Cisco Network Services Orchestrator (NSO), which uses advanced data models for intent-based networking, and is proven to work across network elements from different vendors.

This creates many benefits for service providers. It helps them protect themselves against ever-evolving security threats, maintain stringent service level agreements, and discover valuable new revenue streams.

Transforming Level 3’s* Network


One service provider that has adapted to meet new customer demands is Level 3 (*now part of CenturyLink). Level 3 realised that its customers increasingly expected instantly available services with less complexity and less overhead, and that included capabilities like integrating third-party cloud services.

Powered by the Cisco NSO, the business put together a powerful set of programmable wide area networks that enabled it to automate a wide range of services in markets around the world.

This meant that Level 3 could design and deliver services more quickly, using a single modelling language and a single data store. The company was able to automate tens of thousands of tasks monthly, offer bandwidth scalability of up to 300%, and enable the management of 5,000 network devices around the world. Services could be adapted within minutes or even seconds while running, with no disruptions.

Innovation Through Automation


Results like these explain why many service providers are considering automating their networks as they look to ensure they are capable of meeting new challenges. Intelligent, end-to-end automation offers them a transformed landscape. Instead of constantly trying to play catch-up with events, they can make more informed decisions, using information about the service, the end user, and all of the multi-vendor devices in their service chain.

We want to help service providers bring about a shift in their approach to running networks. To move away from managing functions in separate silos, towards a world of intelligent, holistic operations. Forward-looking service providers understand that if they can transform their network in this way, they will boost their innovation and effectiveness for years to come.

Monday, 25 June 2018

Scaling to PB within Minutes – The Road to Full Automation for Scale-Out Storage with Cisco UCS


Building scale-out storage solutions can now be fully automated to reduce the overall amount of work and to scale software-defined storage environments within minutes. Partners and customers can begin to leverage this capability using Ansible modules and playbooks for UCS Manager.

I have to admit that working in a Business Unit can sometimes be very challenging and fast-paced, leaving no time to reflect and see the big picture, no matter which company you are working for. But sometimes projects are crystal clear and you can’t wait to see the result. One of those projects is automation for scale-out storage.

Big Picture


In the 1990s, when I started working in the storage industry, we handled GB of data and managed it with a lot of manual steps. Initial configuration and installation took a long time, sometimes days. In the 2000s, storage arrays and disks got larger and we then handled TB of data, but with the same problems as in the 1990s. Now in the 2010s the situation hasn’t changed that much. We’re now talking about PB of data, even EB, but the initial work at the beginning is still the same and still challenging.


There are exceptions but as soon as you come to a project where you need multi-PB, you run into an issue of scaling your work of configuration and installation.

Problem #1:

People might think traditional storage systems will solve their problem, but those systems are limited in their ability to easily and cost-effectively scale to support large amounts of unstructured data. With about 80 percent of data now being unstructured, x86 servers are proving to be more cost effective, providing storage that can be expanded as easily as your data grows. Software-defined storage is a scalable and cost-effective approach for handling large amounts of data. Sounds good?

Problem #2

When scale-out storage grows, configuring and installing it can get complex. This is one of the major obstacles to enterprise-readiness for software-defined storage. Touching each server and configuring network ports, disks for storage, or even the install media can take a long time and is mostly error-prone. And preparing 5 servers is a very different job from preparing 50.

Solution


But there are two ways out of the dilemma that can help a lot and reduce the overall amount of work to a minimum. Even large environments don’t take longer than smaller environments when it comes to the configuration and installation of the scale-out storage hardware.

◈ Cisco UCS Manager: Creating policies and profiles and associating them with servers simplifies scale-out storage solutions a lot. There is no need to repeat specific configurations for each server. Just assign the previously created Service Profile and you’re done. Cisco has been doing this very successfully for almost 9 years.

◈ UCS Manager Ansible Modules: Sometimes it doesn’t make sense to create everything via the UCS Manager GUI and you want to further simplify the whole process for configuring and installing servers. Then Ansible for UCS Manager is the right way to move forward. You run a complete Ansible Playbook with all variables you need and within less than 2 minutes your UCS Manager Service Profiles get associated.


There are many ways to do it but we’ve seen a very good adoption of using Ansible for automation in data centers.

We have now published all the Ansible modules for UCS Manager needed to configure a complete scale-out storage solution. There are a couple of options for running a scale-out storage Ansible playbook for UCS Manager:

◈ Ansible Role: you can use the published Ansible role.
◈ Playbook: you could use either a hardcoded playbook or a playbook with variables and a JSON file.

I did a quick test of configuring and installing 2 x S3260 Dual Node Chassis. You could use much more hardware – the time would be around the same as the process of association works in parallel. Take a look at the 2 minute video.


That gives us now a couple of advantages:

◈ As much as I like the simplicity of UCS Manager GUI – when it comes to scaling and automation then Ansible for UCS Manager can do it in a much shorter time.
◈ You can run the playbooks as often as you want, even if you only want to change a small thing like MTU size for the storage network.
◈ The story gets even better when you integrate the northbound Cisco Nexus switches in Ansible.


Outlook:

The project won’t stop here. Our next steps for scale-out storage automation are:

◈ The full story obviously comes with the integration of scale-out storage vendors. Stay tuned for the first end-to-end Ansible full automation in the industry, from network to compute to storage to software.
◈ The big picture for the Cisco UCS team is certainly Cisco Intersight. Mid-term, we want to integrate the scale-out automation into Cisco Intersight to make it easy for customers and partners to use from a central user interface.

Friday, 22 June 2018

The Factory: A Living Organism for Wireless and Mobility

We live in a wireless world. We almost never plug our computers into a network. Our mobile phones and tablets provide constant connectivity. Some of us wear health tracking devices like Apple Watches, Fitbits, and Garmins. These devices count our steps, measure our heart rates, and log the number of hours we sleep. In doing so, health tracking devices create incredible volumes of data we use to monitor our personal health and improve the quality of our lives. When we don’t feel well, we can look back at hours slept and pulse rate to understand the cause and effect of our bodies’ inputs and outputs.

In many ways, our bodies are like machines requiring inputs like food for fueling, sleep for recovery, and exercise for maintaining optimal performance. When we take care of our bodies, we are rewarded with optimal outputs including increased awareness and productivity.

The same is true for machines on the factory floor. They require electricity for fuel and raw materials to manufacture products. Historically, machinists and engineers were the experts in operating their tooling, and they learned through years of experience. Over time, sensors connected to the equipment and computers collected data used to monitor and improve visibility into operating characteristics. Sensors measuring equipment performance characteristics like vibration, current draw, and lubricant temperature assisted equipment operators in gaining maximum productivity from their equipment.

Initially many of these sensors and computers were wired and tethered. Over time, sensors became wireless and hard-wired computers morphed into wireless laptops, tablets, and mobile devices. And with wireless becoming pervasive, manufacturers gained considerable flexibility to monitor and manage the health of their factory equipment.

The shift to mobility


Previously, we described networks as being wireless. Over time, we shifted from wireless to mobile and mobility. With mobility, we can drive the business benefits associated with the wireless features.

Building a mobile manufacturing network creates many challenges. The fundamental challenge is to ensure the wireless capabilities are built on a solid foundation. The foundation requires robust security and a common network infrastructure. Historically, the factory network operated independently of the enterprise network. However, today, it’s possible to secure and converge both the factory and enterprise networks with Cisco’s standard platform.

Once the foundation has been established, the mobile environment must be configured for the three foundational use cases. These use cases enable data, communications, and video capabilities.

Although it sounds obvious, data drives everything. Sensors enable access to data. The simplest types of IoT sensors (vibration, current, particle, temperature, humidity, etc.) connect wirelessly. These sensors then communicate with our networks, where we secure, move, and reduce the data we want to persist or keep, and discard the data that is perishable.

When we move to communication, the most tangible and relatable mobility use case, we typically think about providing workers with mobile devices like tablets and phones. Mobile communications enable workforces to do their jobs at the place of work. Wi-Fi-enabled voice makes it possible to replace the licensed, paid spectrum of hand-held radios and cellular fees by shifting to Wi-Fi-enabled communicators.

Of course, with Wi-Fi mobile communicators, everyone on the factory floor gains immediate access to factory floor personnel, as well as receiving real-time notifications, pages, and safety alert messages.

Wireless video has become part of our daily lives, typically through applications like Cisco WebEx, Facetime, and many others. On the shop floor or in a warehouse, the video capabilities take communications to the next level. Video on the shop floor, whether enabled by a mobile phone or tablet, immediately takes away the mystery of trying to imagine what is happening or what has happened.

The business benefits of mobility


Because every dollar spent in manufacturing is tied to a return on investment, it’s crucial to map mobility capabilities to business needs and benefits.

Ultimately, factory wireless solutions enable essential business benefits like less downtime, fewer line stoppages, improved worker efficiency, increased cycle time and higher OEE, which means better productivity, availability, and quality.

The Cisco Factory wireless platform includes our products, services, partners and solution implementation plans. Together, all of these components provide what’s necessary for customers to deploy and scale their wireless capabilities.

A manufacturing plant is like a living organism – requiring care and feeding in all areas. Every organism must be part of a connected ecosystem, sensing and sharing information across all parts to ensure not just survival, but growth as well.

While we wouldn’t attach a Fitbit to a piece of manufacturing equipment, we will deploy wireless and mobility capabilities in our factories to monitor and connect our equipment, resulting in operational benefits with improved cost, quality, and delivery.