ASR 9901 – More choice and flexibility in your hands

Innovation, quality and customer focus are part of Cisco DNA. Our customers expressed the need to have a platform that is compact, dense, flexible, feature rich and supports programmability.

I’m thrilled to announce the availability of ASR 9901 – a compact Two-Rack-Unit (2RU) platform designed for a wide variety of use-cases across Service Provider, Enterprise and Hyperscale Web providers. It complements nicely our impressive ASR 9000 portfolio.

The platform is scalable and delivers incredible 800 Gbps of throughput while also providing flexibility in terms of port speeds supporting 1/10/100 Gbps with industry leading MACsec encryption support on all ports. The ASR 9901 platform shares the same Operating System (OS) and custom silicon as the ASR 9000 family thereby providing operational consistency and advanced features such as Segment Routing, Ethernet VPN (EVPN), model-driven programmability & telemetry and other enhancements we brought into IOS XR.

Where does this box fit?

The ASR 9901 fits well into small Points of Presence (PoP), Colocation Centers (CoLo), where typical bandwidth demand is sub 500G but requires port flexibility, high 1G/10G density. The platform paves the way for customers to move to 100GE without having to sacrifice on Edge features. This platform supports broader applications such as Broadband Network gateway (BNG), Distributed Provider Edge, Internet Peering, Metro Aggregation, Data-Center Interconnect (DCI), Data-center/WAN Aggregation and Backbone router functions for Enterprises.

BNG

ASR 9000 as a Broadband Network Gateway (BNG) provides the fastest, densest and most reliable solution in the market. With industry leading geo-redundancy solution, you can let the network take care of maintaining the session states as well as management. The IOS XR BNG solution runs the same code base from a fixed 2RU solution to a multi-terabyte full rack chassis. This gives customers a huge portfolio of options without having to worry about re-validating their solution on every node. Now with BNG being pushed closer to the user, deploying ASR 9901 makes more sense with the system supporting higher BNG scale than the existing fixed chassis with support for automation, telemetry etc.

Distributed Provider Edge

Service Provider customers have been predominantly using the fixed systems as Aggregators and distributed PE’s because the platforms support the same scale as their modular counterparts. Continuing the tradition, the ASR 9901 will support the industry leading multidimensional scale (FIB, QoS) on the new compact chassis.

DCI

ASR 9000, more specifically ASR 9001 (fixed 2RU), has been deployed by customers as a Layer2 & Layer3 DCI, primarily supporting 10/40G speeds within data-centers. The ASR 9901 with the full support for EVPN & VXLAN capability will be a more viable solution for our customers as the DCI router with Nexus 9K integration through OpFlex .

Central Office Fabric

With customers looking for programmable fabric (CO Fabric) with Segment Routing (SR) underlay and EVPN overlay, ASR 9901 provides the smallest building block for feature rich service termination. Customers can drop in additional service PE’s if they need to support more services. This platform addresses the SR requirements with multiple MPLS label stacks (10 Labels) as well as deep buffers, hierarchical QoS and faster convergence.

In a nutshell, this new platform provides our customers with greater flexibility without having to compromise on features and also move to 100G in Small PoP’s, Colo’s.

Continue reading

Why Your Campus Network Needs Intent

In this blog, we look at the campus network, where IT professionals have traditionally required intricate, expert knowledge and extensive configuration expertise to manage a wide range of technologies and devices arranged in multi-tier switched or routed-access networks, complemented by wireless-overlay networks.

Campus networking can be hard! But help is at hand…

Access networks are at the heart of many IT teams’ operations, yet it can be no easy task for IT teams to authenticate, authorize, segment, monitor, and allocate the appropriate resources in a campus network. However, recent innovations in intent-based networking can bring relief throughout all phases of its operational lifecycle. Let’s explore how.

Simplify Provisioning for Campus Networks

With a Cisco intent-based network, administrators can start by automating software-defined-access (SD-Access) network configurations. Switches are added to the network using Digital Network Architecture LAN Automation, leveraging Cisco plug-and-play functionality. The DNA Center then pushes the correct configuration (consistent with the role of the device). The result? Automated provisioning of an entire campus network within minutes.

Manage by Identity, Not IP Address: Group-Based Policies for Endpoints

Before intent-based networking IT had to plan Internet Protocol (IP) addressing and virtual-local-area-network (VLAN) structure to separate users and devices into confined segments. IT teams have also had to take care of the associated Authentication, Authorization and Accounting (AAA) policies. These policies may have:

◈ varied by device type (think IoT) or user-group

◈ treated wired and wireless access differently.

Each device needs to be configured to represent the application policies that IT teams wish to implement for users or end-devices throughout the access network, in order to achieve the desired transport treatment.

In an intent-based network, endpoints are referenced by a natural expression of their identity, as opposed to classification by IP addresses.

Endpoints can then be grouped together based on their natural attributes, and a group-based policy (GBP) can then be applied. A large number of endpoints can then be treated as one – in a single group – which reduces the scale and complexity of the network (from the operator’s perspective). Overall, these natural and highly powerful abstractions can dramatically improve the human understandability and ease of operating a network.

Segmentation policies are abstracted by means of overlay networks.

Users and devices in a group-based policy can then be placed into their own virtual networks that are constructed independently of virtual local-area network (VLAN) tags or internet-protocol (IP) prefixes.

No more mental acrobatics!

In an intent-based-network application, policies – such as quality of service (QoS) – are also applied through the abstracted expression of intent. For example:

◈ applications can be marked (including: “business critical”, “default” or “irrelevant”)

◈ a Cisco DNA controller can then derive the desired configurations to support the intended application policy, taking the controller’s holistic knowledge of devices and state into account.

Automation then drives the desired capabilities into the network. No more mental acrobatics for network managers to determine command-line interface (CLI) commands! And no manual steps to configure each switch (and its operating system) in the network, individually via command-line interface (CLI)!

Express your segmentation policy by first associating devices or users with groups, and then groups to network segments – it’s that simple!

Since segmentation policies are anchored by a group tag in the virtual extensible LAN (VXLAN) frame headers, both wired- and wireless-connected devices can be treated consistently and in a unified manner.

Know What’s Going on in Your Campus Network

Comprehensive assurance functions provide a Cisco intent-based access network with major advantages over a traditional switched campus.

Historically network administrators have had limited visibility across a network, and limited tools to confirm that the network is operating as desired. Often, problems were only realized after the fact, when something in the network went wrong.

The assurance functionality of an intent-based network now provides ongoing visibility into network operations. Various forms of network data are gathered, recorded and analyzed continuously using sophisticated algorithms and machine learning to determine if the campus network is behaving as intended.

In case of discrepancies between the desired intent and actual operation, the assurance capabilities can even suggest remedies to take corrective actions.

Continue reading

Scaling Visibility and Security within the Operational Technology (OT) Environment

Mid- to large-sized enterprises have for many years built the operational technology (OT) environment like an egg – a hard exterior protected by traditional security elements such as firewalls, IDS/IPS, and malware detection (if you are lucky), but a soft interior leaving critical operational assets at risk against advanced threats and non-existent visibility.

As companies continue to digitize, more and more devices are getting added to the network. Therefore, visibility into the operational network has become critical in order to maintain secured operations. The image below highlights some of the things you may want to consider when it comes to securing the operational environment in today’s threat landscape.

Cisco Stealthwatch overcomes the visibility and security analytics challenges by maximizing existing investments in your network infrastructure. It collects the rich network telemetry (NetFlow, sFlow, etc.), and performs a baseline of the network environment using behavioral analytics and multilayered machine learning to detect what is abnormal. We will discuss this in more detail but first let’s discuss the challenges most organizations are faced with today.

A hard exterior may include one, many, or all of the following items: firewalls, intrusion detection/prevention systems, content protection, DNS based controls, malware inspection, and email. These controls and inspection points may exist at the edge of the operational environment and/or within the business network. In the past, this was able to reduce a significant amount of risk to the operational environment but in today’s world it’s no longer enough. A soft interior presents a variety of risks which may include:

◈ Supply Chain: The firmware you downloaded was compromised by a bad actor – would you be able to determine or alarm on subtle behavioral changes to the network indicating something of interest?

◈ Normal Operations: Do you truly understand how the network operates 24x7x365 and are you able to detect changes based on new behaviors? These changes may be related to a security event but also may be based on a misconfiguration.

◈ Localized Malware: Malware introduced to systems from field technicians, contractors, USB keys, etc. Would you be able to detect the changes to the network behavior based on this new threat?

◈ Protection Agents such as anti-virus: Not all of your assets within the operational environment will support agents and/or the vendor will not allow agents onto systems and if installed, the vendor may revoke support. The network provides an opportunity to detect anomalous and/or bad behaviors without an agent

◈ Confidence in the control: Are you certain the controls in place are working 100% of the time. What about the fat finger syndrome when adding a control? Are systems talking to systems they should not be? The network can provide this much needed insight

◈ Compliance/Audit: Today, the audit process may include examining multiple access control lists and requires multiple teams highlighting if a control exists and if the communication to the environment meets the compliance requirement. Does this really ensure that the control was accurate throughout the year or only during the audit? The network can provide you the ability to go back throughout the year and prove the control was in place and no unauthorized communication took place

These are some simple examples of some of the challenges and risks when deploying a hard exterior only. As the operational environment continues to evolve and IP becomes more prevalent deeper within the operational environment, there is an opportunity to gain greater visibility leveraging network telemetry data; something that your operational environment may produce today. Note: not all telemetry data is the same but leveraging a technology that supports multiple network telemetry is advantageous to the consumer allowing for greater coverage.

Some of the benefits of leveraging the network not only include visibility into the operational process but also assists in troubleshooting the environment. I have captured a few of the business outcomes we have seen in customers’ environments as a result of deploying Cisco’s Stealthwatch solution.

◈ Host group zoning (or creating a logical boundary) within the operational environment to alarm on communications activity that violated the logical trust boundary. Business outcome: risks to the environment identified earlier in the process to maintain secure and trusted operations

◈ Anomaly detection discovered a compromised camera port-scanning the network. Business outcome: significantly reduced the time to detect and allowed the team to mitigate the threat sooner. No business operation disruption

◈ Problematic wireless access point on the factory floor that was occasionally flooding the plant floor with goofy packets. Business outcome: issue was mitigated sooner, which ensured that the integrity of the network was maintained

◈ Connectivity aberrations in the distribution network – abnormal but not necessarily an attack. Business outcome: optimized the network ensuring maximum operational uptime before the incident was realized within the operational environment

◈ Systems chatting with things that were supposed to be retired. Business outcome: removal of retired assets reducing the potential threat vector from the environment and optimization of the environment

◈ A spike in traffic that was not an attack itself but an indicator of change that may have disrupted the operational network if left unexamined. Business outcome: quickly identified the issue which allowed the right team to be engaged to mitigate the spike in traffic. This also removed the concern around a potential security breach optimizing resource allocation and reduced mean time to repair.

Cisco Stealthwatch provides deep visibility leveraging metadata (telemetry) from the network providing security at scale. It also integrates with other solutions to do full packet capture in areas where this is required. Stealthwatch can ingest any kind of telemetry from across the extended network including end-points, branch, data center, and cloud. Behavioral-based analytics, machine learning, and global threat intelligence that is 100% out-of-band is a recipe for success both in IT and OT environments!

Continue reading

What is CCNA Routing and Switching?

The Cisco Certified Network Associate (CCNA) certification is the second level of Cisco's five-level career certification process. A CCNA certification certifies a technician's ability to install, set up, configure, troubleshoot and operate a medium-sized routed and switched computer network. This also includes implementing and verifying connections to a wide area network (WAN).

What are the other CCNA tracks? "Cisco Associate Level Certifications"

◈ CCNA Security

◈ CCNA Wireless

◈ CCNA Collaboration

◈ CCNA Service Provider

◈ CCNA Data Center

◈ CCNA Cloud

◈ CCDA "Design"

◈ CCNA Industrial

◈ CCNA CyberOps (Cybersecurity Operations)

Which track considered the best?

There are 10 different CCNA tracks. Each of them is valuable but some are more valuable than others. The statistics show that cybersecurity track will be in a great demand in the coming years. Hundreds of thousands of cybersecurity specialists and experts will be in demand each year for the coming few years. So CyberOps will have a great value for the near future and most probably for the long term.

I’m not saying you should go for the CCNA CyberOps right now, I’m just talking about the market demands and statistics. You can read more about the most demanded CCNA certification here → What is the difference between the CCNA exams?

The main point I want to refer to in this topic is that no matter what track/s you decide to study and specialize, you first need to study the fundamentals and basics which you get only in the CCNA Routing and Switching.

Continue reading

Secure Your Mobile Connections with New IP Blocking Feature

When downloading an application from the App Store, do you actually check the logistics of it? For example, how is it connecting to the internet? Or an even more relatable scenario: that game you were playing while waiting in line paused to present an advertisement, was it triggered by an IP address or a DNS request? The majority of times, users don’t check or understand those nitty gritty details. We simply see something we like, click, and begin launching the app onto our devices.

However, what if that application is connecting to a malicious IP address? And in a case that your employee is using a corporate-owned iOS device and downloads that app; this presents a security gap.

Cover All Your Bases: IP Addresses and DNS Requests

The Umbrella extension within Cisco Security Connector serves as a first line of defense against threats by protecting users from malicious domains. Umbrella delivers both DNS-layer encryption and enforcement on top of an intelligent proxy that provides URL and file inspection for risky domains. Therefore, when your employee attempts to make any connections to the internet, Cisco Security Connector is there to protect your business against suspicious app and user-initiated network requests.

But applications can also connect to malicious IP addresses. To counter that, Cisco Security Connector is continuing to innovate with a newly added IP Blocking feature as a part of Clarity. This IP Blocking feature now provides complete network protection for your corporate-owned iOS devices. With just a few clicks, adminscan simply add a suspicious IP address to their blacklist and regulate that list accordingly; giving more control to businesses. Now, whether it’s a direct IP connection or DNS request, Cisco Security Connector can secure your users end-to-end.

Image: iOS Events List

Cisco Security Connector

Cisco Security Connector allows businesses to gain deep visibility and control across all devices. With the ability to integrate with existing MDM/EMM such as Cisco Meraki Systems Manager, VMware AirWatch Cloud EMM, and MobileIron on-premises EMM, Cisco Security Connector ensures ease of deployment as well as adaptability to a business’s current environment.

With similar Cisco Advanced Malware Protection (AMP) capabilities extended to iOS devices, users can now gain insight into all application and device behaviors on all devices. Though most importantly, as part of the AMP console, admins can now have one single location to manage all their endpoints.

Unfortunately, we can’t control our employee’s actions on our network, but what we can control are the results of it. So, cover all your bases with Cisco Security Connector.

Continue reading

Network Management: Don’t React – Act

The future will bring a lot of changes for telecoms, internet and cable service providers: more data, more devices and more services. Cisco’s research predicts that by 2021, annual global IP traffic will reach 3.3 zettabytes (that’s 3.3 trillion gigabytes).

There are two ways things can go for service providers. They can buckle under the pressure. Or they can find new operational approaches, that help them grow their business by creating the agile, powerful services their customers need.

Proactive Control with Cisco Crosswork

For service providers who want to maintain their competitive edge, the key will be automation: programming large, complex workflows so they can take care of themselves. Automation improves the way your network functions by reducing human error, inconsistencies, and service disruption. It allows you to stay on top of operations, with time to focus on what really matters.

Automation isn’t simple. But our engineers have spent a long time working out how it can best be supported. The result is Cisco Crosswork, a new framework for approaching network operations. With its three key pillars – mass awareness, augmented intelligence, and proactive control – it enables service providers to work with unprecedented precision and efficiency.

Cisco Crosswork gathers comprehensive data and then runs this through a sophisticated analysis, enabling actionable insights. At its heart is the Cisco Network Services Orchestrator (NSO), which uses advanced data models for intent-based networking, and is proven to work across network elements from different vendors.

This creates many benefits for service providers. It helps them protect themselves against ever-evolving security threats, maintain stringent service level agreements, and discover valuable new revenue streams.

Transforming Level 3’s* Network

One service provider that has adapted to meet new customer demands is Level 3 (*now part of CenturyLink). Level 3 realised that their customers increasingly expected instantly available services with less complexity and less overhead – and that included capacities like integrating third-party cloud services.

Powered by the Cisco NSO, the business put together a powerful set of programmable wide area networks that enabled it to automate a wide range of services in markets around the world.

This meant that Level 3 could design and deliver services more quickly, using a single modelling language and a single data store. The company was able to automate tens of thousands of tasks monthly, offer bandwidth scalability of up to 300%, and enable the management of 5,000 network devices around the world. Services could be adapted within minutes or even seconds while running, with no disruptions.

Innovation Through Automation

Results like these explain why many service providers are considering automating their networks as they look to ensure they are capable of meeting new challenges. Intelligent, end-to-end automation offers them a transformed landscape. Instead of constantly trying to play catch-up with events, they can make more informed decisions, using information about the service, the end user, and all of the multi-vendor devices in their service chain.

We want to help service providers bring about a shift in their approach to running networks. To move away from managing functions in separate silos, towards a world of intelligent, holistic operations. Forward-looking service providers understand that if they can transform their network in this way, they will boost their innovation and effectiveness for years to come.

Continue reading

Scaling to PB within Minutes – The Road to Full Automation for Scale-Out Storage with Cisco UCS

Building Scale-Out Storage solutions can be now fully automated to reduce the overall amount of work and to easily scale software-defined storage environments within minutes. Partners and customers can begin to leverage this capability using Ansible modules and playbooks for UCS Manager.

I have to admit that working in a Business Unit can be sometimes very challenging and fast and then there is no time to reflect and see the big picture, no matter which company you are working for. But sometimes projects are crystal clear, you can’t wait to see the result. One of those projects is Automation for scale-out storage.

Big Picture

In the 1990’s, where I started working in the storage industry, we handled GB of data and managed it by doing a lot of manual steps. Initial configuration and installation took a long time, sometimes days. In the 2000’s, storage arrays and disks got larger and we handled then TB of data but with the same problems as in the 1990’s. Now in the 2010’s the situation hasn’t changed that much. We’re now talking about PB of data, even EB but the initial work in the beginning is still the same and challenging.

There are exceptions but as soon as you come to a project where you need multi-PB, you run into an issue of scaling your work of configuration and installation.

Problem #1:

People might think of traditional storage systems solving their problem but they are limited in their ability to easily and cost-effectively scale to support large amounts of unstructured data. With now about 80 percent of data being unstructured, x86 servers are proving to be more cost effective, providing storage that can be expanded as easily as your data grows. Software-defined storage is a scalable and cost-effective approach for handling large amounts of data. Sounds good?

Problem #2

When scale-out storage grows, it can get complex in configuring and installing. This is one of the major obstacles when it comes to enterprise-readiness for software-defined storage. Touching each server and configuring network ports, disk for storage, or even the install media can take a long time and is mostly error-prone. And it’s a difference to prepare 5 servers or 50 servers.

Solution

But there are two ways out of the dilemma that can help a lot and reduce the overall amount of work to a minimum. Even large environments don’t take longer than smaller environments when it comes to the configuration and installation of the scale-out storage hardware.

◈ Cisco UCS Manager: Creating policies and profiles and associating them to servers simplifies scale-out storage solutions a lot. There is no need to repeat specific configurations for each server. Just assign the previously created Service Profile and you’re done. Cisco is doing it now for almost 9 years very successful.

◈ UCS Manager Ansible Modules: Sometimes it doesn’t make sense to create everything via the UCS Manager GUI and you want to further simplify the whole process for configuring and installing servers. Then Ansible for UCS Manager is the right way to move forward. You run a complete Ansible Playbook with all variables you need and within less than 2 minutes your UCS Manager Service Profiles get associated.

There are many ways to do it but we’ve seen a very good adoption of using Ansible for automation in data centers.

We have now published all Ansible Modules for UCS Manager to configure a complete scale-out storage solution. A couple of options for you to run a scale-out storage Ansible Playbook for UCS Manager:

◈ Ansible Role: You can use the Ansible Role

◈ Playbook:You could either use a hardcoded playbook or a playbook with variables and a JSON file.

I did a quick test of configuring and installing 2 x S3260 Dual Node Chassis. You could use much more hardware – the time would be around the same as the process of association works in parallel. Take a look at the 2 minute video.

That gives us now a couple of advantages:

◈ As much as I like the simplicity of UCS Manager GUI – when it comes to scaling and automation then Ansible for UCS Manager can do it in a much shorter time.

◈ You can run the playbooks as often as you want, even if you only want to change a small thing like MTU size for the storage network.

◈ The story gets even better when you integrate the northbound Cisco Nexus switches in Ansible.

Outlook:

The project won’t stop here. Our next steps for scale-out storage automation are:

◈ The full story obviously comes with the integration of scale-out storage vendors. Stay tuned for the first end-to-end Ansible full automation in the industry, from network to compute to storage to software.

◈ The big picture for the Cisco UCS team is certainly Cisco Intersight. Mid-term, we want to integrate the scale-out automation into Cisco Intersight to make it easy for customers and partners to use from a central user interface.

Continue reading