Monday, 28 January 2019

Improved performance and pay-as-you-go in Microsoft Azure

According to a recent IDC survey 85% of organizations are evaluating or using the public cloud1. As customers begin deploying workloads in the public cloud having a high-performing solution that allows them to securely extend their on-premises network to the cloud is critical. The Cisco CSR 1000V is a full-featured IOS-XE router that provides a secure way to connect your public cloud deployment to your on-premises network.

Microsoft Azure, Cisco Tutorial and Material, Cisco Learning, Cisco Study Materials, Cisco Guides

We are constantly working with our cloud partners to deliver new features and improved scale and performance. The latest software release for CSR 1000V (IOS-XE 16.10.1) delivers a number of significant enhancements for CSR 1000V on Microsoft Azure.

First, the release adds support for Microsoft Accelerated Networking which will enable customers to achieve 4x the throughput of the current CSR 1000V software release. Also, CSR 1000V will be launching support for customers to leverage pay-as-you-go, allowing for hourly consumption of the CSR. All of these improvements mean customers will be able to leverage better scale and performance for the CSR in Microsoft Azure.

Improved performance with Accelerated Networking


Cisco is adding support for Microsoft Accelerated Networking in the IOS-XE 16.10.1 software release for the CSR 1000V. By leveraging Accelerated Networking CSR 1000V is able to achieve up to a 4x increase in throughput performance across the existing instance types.

Figure 1 – Image from Microsoft Azure Documentation on Accelerate Networking

Microsoft Azure, Cisco Tutorial and Material, Cisco Learning, Cisco Study Materials, Cisco Guides

With accelerated networking, network traffic arrives at the VM’s network interface (NIC), and then is forwarded directly to the VM by-passing the host and the virtual switch. By allowing the CSR 1000V direct access to the network interface (NIC) Cisco and Microsoft are able to achieve significant improvements in the maximum throughput of the virtual router.

Azure Pay-as-you-Go


This new release for CSR 1000V also marks the launch of a new way to consume CSR 1000V on Azure. Customers will now be able to launch an hourly pay-as-you-go instance of CSR 1000V from the Azure Marketplace. With hourly pay-as-you-go, users can spin up CSR 1000V and consume it for a defined period of time based on their needs. When they are finished they can spin it down and only pay for the length of time they used it instead of being locked into an annual or multi-year contract. This pay-as-you-go instance of CSR 1000V will support all of the existing deployment models that are available today for customers who choose the bring-your-own-license consumption model for CSR 1000V.

Smart Licensing Only


In this release CSR 1000V will support only Smart Licensing. In previous release the CSR 1000V also supported classic ePAK licensing. Going forward all future releases of software for CSR 1000V will support only Smart Licensing which greatly simplifies licensing for the customer and provides greater flexibility and visibility to the licenses they own. Customers can use the Cisco Smart Software Manager (CSSM) to view all of the smart licenses they own in one place. For customers who have classic ePAK licenses they should convert their classic license to a smart licenses using the Licenses Registration Portal prior to upgrading to the 16.10.1 release.

This video provides step-by-step details on how to convert your existing classic ePAK licenses to a smart license.

Thursday, 24 January 2019

The Legacy Continues with a Modern Classic

With the ISR 900 Series, Cisco continues a 26 year pedigree.


1993 was a much simpler time. A gallon of gas cost $1.16. The Space Shuttle was still flying. Beanie Babies were launched. Intel introduced the Pentium processor to power Windows 3.1. Jurassic Park and Mrs. Doubtfire were leading the box office while Snoop Dogg and Rage Against the Machine had breakout hits. Is this making anyone else feel nostalgic or just old?

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials
1993 was also the year that Cisco introduced something that would forever change the landscape of networking in remote offices – the Cisco 2500 Series. For the first time there was a compact affordable Enterprise router with a huge spectrum of available interfaces and features to hammer just about any networking nail. The 2500 was so reliable that they can still be found in offices and data centers around the world more than a quarter century after being introduced. (I confess that I still use several 2511-RJ as terminal servers.)

Capability with Simplicity


So, what made the Cisco 2500 so great and how does that relate to a router being introduced in 2019? The answer is simple – literally. Simplicity with capability in the form of features and interfaces. The 2500 was never the fastest router in the market, but the flexibility and reliability made it a trusted friend for IT staff. With literally thousands of features and any interface type you were likely, or even unlikely, to run into, the 2500 could do it all.

That initial success led to the Cisco 2600 and 3600 Series which would morph into the first generation of Integrated Services Routers followed by the ISR G2 and 800 Series routers all running the same Cisco IOS® operating system. That’s a direct unbroken line of platforms running the same operating system since the earliest Cisco Routers, while adding new features and hardening the whole time. There just isn’t another piece of software with that pedigree anywhere.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials

Modern Hardware for a New Take on a Classic


The ISR 900 Series builds on that solid foundation with rock-solid 21st century hardware. The Cisco 900 Series is a silent, fan-less chassis designed to fit into any office. With that comes the interfaces you need today including LTE (available soon), ADSL/VDSL, Gigabit Ethernet WAN and switching. Modern components bring Cisco IOS performance on par with current branch routers including high performance encrypted VPN and firewall. Thousands of features you expect from a Cisco Branch Router, including some the 2500 never dreamed of, are built in such as MPLS, IPSLA, AVC, PfR and more with performance that’s more than 100 times what the 2500 could dream of.

Just One More Thing


There’s also one more throwback to classic small branch routers you might notice in the new Cisco 900 Series ISR and that’s the internal power supply. The Cisco 921 & 931 ISRs do away with the external power supply “brick” common to branch office devices and brings the power supply inside the router which can really clean up a cluttered branch environment.  Getting the power supply inside a passively cooled chassis with a wide temperature range is a big engineering deal. Yes, I really did just geek out over a power supply.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials
The Cisco 900 Series is a modern classic. It complements other members of the ISR portfolio, such as the ISR 1000 Series and ISR 4000 Series, while providing an easy migration path for Cisco 800 Series users. It isn’t the fastest or flashiest member of the ISR family. What it is is a solid, reliable performer with the features you need to sort out the most complex of network nightmares. Isn’t that what most IT professionals really want when the business is on the line?

This is just a teaser for what you can expect from the Cisco ISR 900 Series. Head on over to the Cisco ISR 900 Series page, cisco.com/go/isr900, for all the details.

Wednesday, 23 January 2019

Cisco DNA Center Network Automation with Template Programmer API – Part 1

Using APIs to apply templates to network devices


Cisco DNA center provides Day0 to Day-N support for network device automation.

This blog looks at one aspect of automation, the template programmer. Specifically, it covers the API’s used to apply templates to network devices.

Network Automation, Developer, Cisco DNA, API, DevNet, Cisco Tutorial and Material, Cisco Certification

Template programmer uses the velocity templating language for templates. The templates are created via the template editor and are applied via the User Interface or programmatically via the API.

This initial blog is going to cover the basics of finding templates, getting a specific version and applying a template to a device. To better illustrate how the API calls can be used in a practical manner, I am going to use a small python script published on github.

I am going to use a common (practical example) template of changing the vlan assigned to an interface on a switch. The template will take two variables:

◈ An interface name (e.g. gig1/0/20)
◈ A vlan number (e.g. 20)

Interaction with PnP Day0


For those familiar with this blog series, I have covered day0 configuration with Network PnP and also some basic velocity examples.

Day-0 templates are applied only when the device first contacts the controller and is onboarded to the network. Depending on your operational model, the day0 configuration might be quite small (just enough to establish secure connectivity) and day-N templates are used to apply ongoing configuration changes.

Network Automation, Developer, Cisco DNA, API, DevNet, Cisco Tutorial and Material, Cisco Certification

Step 1 – Listing Templates


The first step is to find the templates available on the Cisco DNA Center.

If you downloaded the example script, you can just run it with no arguments to see a list of templates.

(in order to run this script you will need to either edit the dnac_config.py file, or set the appropriate environment variables to customize your DNA Center and loging credentials – as outlined in the README). The template of interest is called “Adam/int-vlan” .

The API call is shown below. When the script is run without any argumnets, it prints the names of all templates. The first part of the name is the template project. In this case “Adam”. A project is just a folder to group templates.

$ ./template.py
Available Templates:
https://dnac:443/dna/intent/api/v1/template-programmer/template
  Adam/acl
  Adam/binding
  Adam/int-vlan
  Adam/interface-des
  DB/prefix
  Onboarding Configuration/9300
  Onboarding Configuration/advanced
  Onboarding Configuration/basic
  Onboarding Configuration/encs-9k
  Production/base
  Production/comp1
  Production/interfaces

Step 2– Getting the latest version


To get more details on a particular template, the script can be run with the –template <template-name> option. The latest version of the template (Version: 10) is selected.

The TemplateId is then used to return the body of this version of the template.

The body is quite simple, applying an access vlan to the given switch port. This is shown in green.

The script also requires two parameters ({“vlan”:””,”interface”:””})

$ ./template.py --template Adam/int-vlan
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"vlan":"","interface":""}

Bindings []

Step 3– Applying the template


The script can be executed with a device (ip address) and params provided. Note the params are in single quote to avoid shell issues.

$ /template.py --template Adam/int-vlan --device 10.10.50.2 --params '{"vlan":"20","interface":"gig1/0/20"}'
Looking for: Adam/int-vlan
https://dnac:443/dna/intent/api/v1/template-programmer/template
TemplateId: 610a718c-0a71-484b-a632-a79b64192cb7 Version: 11

https://dnac:443/dna/intent/api/v1/template-programmer/template/610a718c-0a71-484b-a632-a79b64192cb7
Showing Template Body:
interface $interface
  switchport access vlan $vlan

Required Parameters for template body: {"interface":"","vlan":""}

Bindings []

Up to this point, the output is the same as before. The payload for applying the template is below. Some notes:

◈ The targetInfo can be a list, which means multiple devices can be provisioned at the same time.
◈ Each target has its own set of parameters.
◈ The target device can be specified in multiple ways. In this example “MANAGED_DEVICE_IP” is the type, and the IP of the device is 10,.10.50.2. UUID is also supported.
◈ The templateId is also required.

{'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'},
                'type': 'MANAGED_DEVICE_IP',
                'id': '10.10.50.2'}],
'forcePushTemplate': False,
'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}

The POST call to https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy returns a task, which contains a deploymentId which needs to be polled for completion.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2]Template Deployemnt Id: 41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'endTime': u'', u'startTime': u''}

The deploymentId status needs to be polled until the deployment is competed.

waiting for deploymentId 41ac69b9-8f2b-43a5-bb4b-622936f0f244
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'INIT', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'IN_PROGRESS', u'name': u'', u'detailedStatusMessage': None, u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 0 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'', u'templateVersion': u'11'}
Task=41ac69b9-8f2b-43a5-bb4b-622936f0f244 has not completed yet. Sleeping 2 seconds...
https://dnac:443/api/v1/template-programmer/template/deploy/status/41ac69b9-8f2b-43a5-bb4b-622936f0f244
{u'status': u'SUCCESS', u'templateName': u'int-vlan', u'projectName': u'Adam', u'devices': [{u'status': u'SUCCESS', u'name': u'', u'detailedStatusMessage': u'Provisioning success for template int-vlan', u'deviceId': u'e05075e8-eb5b-42f5-9f60-d56380702655', u'startTime': u'04:33:56 15/01/2019', u'duration': u'0 minutes 2 seconds', u'endTime': u'', u'ipAddress': u'e05075e8-eb5b-42f5-9f60-d56380702655'}], u'deploymentId': u'41ac69b9-8f2b-43a5-bb4b-622936f0f244', u'startTime': u'', u'duration': u'0 seconds', u'endTime': u'04:33:57 15/01/2019', u'templateVersion': u'11'}

Once completed, the status is displayed. The status (SUCCESS/FAIL), time taken, template name, version and deviceId are all shown.

Response:
{
  "status": "SUCCESS",
  "templateName": "int-vlan",
  "projectName": "Adam",
  "devices": [
    {
      "status": "SUCCESS",
      "name": "",
      "detailedStatusMessage": "Provisioning success for template int-vlan",
      "deviceId": "e05075e8-eb5b-42f5-9f60-d56380702655",
      "startTime": "04:33:56 15/01/2019",
      "duration": "0 minutes 2 seconds",
      "endTime": "",
      "ipAddress": "e05075e8-eb5b-42f5-9f60-d56380702655"
    }
  ],
  "deploymentId": "41ac69b9-8f2b-43a5-bb4b-622936f0f244",
  "startTime": "",
  "duration": "0 seconds",
  "endTime": "04:33:57 15/01/2019",
  "templateVersion": "11"
}

The interface Gig1/0/20 on the switch has successfully been provisioned into vlan 20.

Tips and Traps


One of the most obvious issues when testing is an error message related to “deployed with same params”, an example appears below.

Executing template on:10.10.50.2, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.2'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/dna/intent/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.ApplicableTargets: [10.10.50.2],Template int-vlan:11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: 11 is already deployed with same params,. Not deploying it.None of the targets are applicable for the template. Hence not deploying

By default Cisco DNA Center will not deploy the same template, with the same parameters twice (if the first attempt was successful). There are times where you may want to change this behaviour. The –force option can be used to set the ‘forcePushTemplate’: False, option to True.
One other thing you may find confusing is the following message.

Executing template on:10.10.50.20, with Params:{"vlan":"20","interface":"gig1/0/20"}
payload {'targetInfo': [{'params': {u'interface': u'gig1/0/20', u'vlan': u'20'}, 'type': 'MANAGED_DEVICE_IP', 'id': '10.10.50.20'}], 'forcePushTemplate': False, 'templateId': u'610a718c-0a71-484b-a632-a79b64192cb7'}
https://dnac:443/api/v1/template-programmer/template/deploy
Response {u'duration': u'0 seconds', u'deploymentId': u'Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying', u'endTime': u'', u'startTime': u''}
Error: Deployment of Template: 610a718c-0a71-484b-a632-a79b64192cb7.nonApplicableTargets: {10.10.50.20=Device is not applicable for the template due to mismatch of deviceType or softwareType or softwareVersion}.ApplicableTargets: NoneNone of the targets are applicable for the template. Hence not deploying

At first glance, you might think the device type of the template does not match that of the device. This could be true however, somewhat confusingly, it could also be the device IP address cannot be found on the controller. Be careful with devices that have multiple IP addresses, make sure you use the same IP as the controller used to discover and manage the device. In this case 10.10.50.20 is not a valid device in the controller inventory. 10.10.50.2 was used in the earlier examples.

The final thing to be careful of is some parameters might be “typed”. For example, I could have type “int” for vlan in this example (rather than a string). Make sure the payload reflects that.

Sunday, 20 January 2019

Performance, Scale, and Flexibility for Accelerating AI / ML

A famous line: “I feel the need–the need for speed!” When I talk to data scientists, they often express the same sentiment. Charged with the responsibility of mining value out of numerous data sources, they often feel that they need ever more speed to do their jobs quickly. To support the data scientists, IT teams are always looking for performance, scale, and flexibility. Clearly, the need for accelerating artificial intelligence and machine learning performance is critical to enterprise’s success.

Performance


In anticipation of Cisco Live Barcelona, I am excited to share some of the recent development on the UCS team to help customers to accelerate AI/ML deployment.

First, Cisco has published the performance characteristics of the UCS C480 ML. With 8 x NVIDIA V100 Tesla GPUs, this server is optimized for deep learning workloads as demonstrated with the various popular convolutional neural networks for image classification.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
C480 ML TensorFlow Training Performance

Scale


While the performance of a single server is important, customers are demanding that a cluster of servers to scale to increasing demands. At Cisco Live Barcelona, we are looking forward to show 2 demos.

NGC on Hortonworks 3

Many customers already have a big data lake, and almost everyone is looking to mine additional value out of the data. With Hortonworks 3, the Hadoop cluster is able to support containers running on CPUs and GPUs. This unified cluster architecture enables customers to do traditional data extract, transform, and load (ETL) before feeding the data to a deep learning algorithm. Since Cisco announced intent to support NVIDIA NGC-Ready program, which provides GPU enabled software containers, Cisco Live Barcelona will be the first time where Cisco demonstrate NGC containers running on UCS, in this case, as part of the Hortonworks cluster. In short, the Hortonworks Hadoop cluster is able to support the complete data pipeline.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
NGC on Hortonworks 3

NGC on Red Hat OpenShift

While some customers prefer Hadoop as the clustering tool, others are choosing Red Hat OpenShift as the Kubernetes container orchestrator with enterprise support. In Barcelona, we will also show NGC running on OpenShift enabling support for multiple data scientists with both interactive and batch workloads.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
NGC on Red Hat OpenShift

Flexibility


Kubeflow Pipelines

While many customers have the bulk of their data on-premise, some data scientists would like to do machine learning experiments in the cloud. In November, 2018, Google announced Kubeflow Pipelines. At Cisco Live Barcelona, in partnership with Google, Cisco will demonstrate Kubeflow Pipelines running on both Google Cloud and UCS enabling a true hybrid cloud experience.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Inferencing on Hyperflex 4.0

Inferencing is also a critical part of machine learning. At Barcelona, we are also showcasing HyperFlex 4.0 as a edge computing system in a retail environment where video streams can be used for customer sentiment analysis.

Cisco Study Material, Cisco Guides, Cisco Learning, Cisco Tutorial and Material
HyperFlex 4.0 for Inferencing on the Edge

Cisco Live Barcelona 2019


I can’t wait to share with all of you the UCS solutions that can accelerate artificial intelligence and machine learning adoption. With the raw performance of the UCS C480 ML, scale with Hortonworks 3 and Red Hat OpenShift, and flexibility with Kubeflow and inferencing on HyperFlex 4.0, I am looking forward to help our customers to make a genuine difference with the business problems.

Friday, 18 January 2019

Forrester’s Zero Trust or Gartner’s Lean Trust?

Zero trust is misnamed


There’s been many management approaches that include the “Zero” term. In shipping, there was “Zero Inventory”. In manufacturing, there was “Zero Defects”. In environmental planning, there’s “Zero Waste”. So, it’s not surprising that the security industry has adopted “Zero Trust” or its “Zero Trust Networking” (ZTN) and “Zero Trust eXtended” (ZTX) variants as it’s buzzword. I bet you will see this term plastered on vendors booths at RSA Conference this year. But without trust, how would your digital business get things done? Gartner’s Neil MacDonald makes the argument that “zero trust is misnamed” in his latest report, “Zero Trust Is an Initial Step on the Roadmap to CARTA”. Whether it’s Forrester ZTX or Gartner CARTA, both approaches allow businesses to operate in a risk-appropriate manner by enabling better access security decisions.

Use cases that matter


Before we jump into any comparisons, let’s explore some use cases to illustrate why it matters to your business. One example is your CEO accessing Microsoft Office 365—maybe even with her unmanaged iPhone. How do you know that she didn’t get phished and an attacker is logging in with her stolen credentials? Is her device’s screen-lock turned on, OS and browser up to date, and not jailbroken? Another example is your HVAC system accessing the campus network. Were you aware that the OT team installed this without telling IT? Do you know if it meets your IoT requirements or if it’s communicating with things it should not? And don’t forget about your in-house app with containerized workloads accessing each other across a hybrid cloud data center infrastructure. Did your DevOps team document how it’s supposed to communicate or how its services stay up to date? Unlikely, so how do you learn this as it changes over time? It’s now harder than ever for IT teams to enforce access decisions everywhere. But is the answer just denying your CEO, HVAC and app from working? Of course not. Yet “Zero Trust” essentially says to begin with an initial security posture that has no implicit trust between different entities, aka. default deny. If you’re a CISO, does zero trust clearly explain to other business execs why new security investments are needed?

Shift to lean trust


Zero trust also says to “always verify”. So, we could verify the CEO’s identity. And we could assess her iPhone’s hygiene. Or we could check the compliance of the HVAC system’s profile. And we could baseline workloads’ communication behaviors. One could say that these verifications and assessments are rebuilding trust at a higher level of the IT stack. Not based on network IPs, but establishing user-device, IoT or workload trust. So, it does seem like “zero trust” is a misnamed term. Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) framework argues that the goal is “lean trust”. MacDonald says to better enable new digital business, cloud and mobile initiatives that we need to continuously assess the combination of risk and trust throughout the duration of a network interaction and beyond the network to all infosec processes.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Be practical


Whether you tell your boardroom that you’re going to adopt zero trust or lean trust, you need to decide how and where to start your multi-year journey. Forrester’s Zero Trust eXtended concept includes every security technology—those designed to eliminate or establish trust as well as those to prevent or detect threats. So, it opens the flood gates to dozens of vendors positioning nearly every product to help you adopt zero trust. Cisco agrees that zero trust is a useful security concept but extending it to all aspects of security makes adopting the approach less practical and prescriptive. MacDonald instead recommends starting two specific projects in 2019—one granting more access protection for users and devices and another delivering more attack protection for workloads and apps. These projects are known as software-defined perimeters to let the good guys in and microsegmentation to keep the bad guys out, respectively.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Maintain balance


In the CARTA framework, MacDonald splits his “Adaptive Security Architecture” (circa 2014) into two balanced access and attack protection approaches with four stages each. This aligns more closely with how Cisco recommends that customers complement the threat-centric security solutions (already deployed or being considered), such as NGFW and SIG, with newer trust-centric security solutions, such as MFA and SDP (see acronym definitions below). Across Cisco’s portfolio, we feel it’s more practical and prescriptive to focus on the subset of services and products that align to the app and network access-focused tenets of CARTA or Zero Trust. We call these trust-centric solutions Cisco Trusted Access. And Cisco is adding continuous verification capabilities across this portfolio to establish a CARTA-inspired “lean trust” level for users and their devices, headless IoT devices, and app workloads. Cisco’s integrated portfolio will ensure that dynamic context gained from your threat-centric solutions adapt trusted access based on your risk tolerance levels. Thereby, eliminating silos across your multi-domain security policy.

Wednesday, 16 January 2019

The Next Netflix of the SD-WAN Blockbuster: Cisco SD-WAN Security

Much like Blockbuster Video, who paid a final late fee, most SD-WAN vendors will soon pay for ignoring the market’s demand for security integrated within their SD-WAN appliances.

The video rental business was a thriving industry in the early 80s and Blockbuster Video was its undisputed leader. Through years of high-resolution technology innovations, Blockbuster Video kept pace with market demands, upgrading its inventories from the early VHS videos to DVDs and ultimately to Blu-rays. Modernizations on its content delivery process, on the other hand, was a bust. Customers had to visit a video store to rent a movie and return it before a certain deadline. Many factors like an uncomfortable rental process, late fees, limited rentals times, too few copies of new releases per stores, and the occasional bad quality of the rented movies all contributed to customers searching for a better solution.

Fast forward to the present and the complex process and experiences that customers are going through with securing their SD-WAN solutions are very similar to the Blockbuster Video rental process. Over the past few years, there has been an increased interest within enterprise organizations in migrating from traditional WAN to software-defined WAN (SD-WAN). A significant appeal of SD-WAN, for many organizations, is the ability to establish a direct branch-to-cloud and branch-to-Internet connectivity. The direct internet access (DIA) from branches, using less-expensive broadband services, requires deploying strong security at each branch.

Adding Up the Costs


It was estimated that late fees contributed to a substantial amount of Blockbuster’s yearly revenues.  In fact, in 2000 they earned over $800M, or roughly 16% of their revenue, out of late fees alone. Like Blockbuster’s late fees which could have added up to several times of the rental price, a common two-box set for connectivity and security in most of today’s SD-WAN solutions makes the overall platform more expensive to implement and maintain.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material
But why a two-box solution?

SD-WAN’s direct internet access exposes branches to the outside world’s threats and risks. As more sophisticated threats are emerging from the application level (layer-7), customers are looking for defenses against these advanced threats at layer-7 plus better visibility and control. The majority of current SD-WAN vendors are not inherently built to provide such a granular security and are forced to use an additional security device for their branch connectivity.

Adding the costs of an extra security appliance, its license fee and support, its management tool, and the expertise to install and manage it could easily surpass the forecasted operational expenses.

End-Users’ Experience


Blockbuster’s movie renting process was lengthy and cumbersome for everyone. Customers had to physically go to the store, find a movie, rent a movie, and then return the movie back to the store within a small-time frame. Depending to the location of a video store, just renting a movie could have taken hours instead of minutes. What an inferior content delivery process compared to the modern online rental process that takes just a few clicks!

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material
Similar to the agility of a modern movie streaming experience, distributed organizations using SD-WAN solutions have the dexterity to open two or more new offshore sales offices or store branches in no time. It’s vital for IT teams to deploy, provision, and dynamically scale new branches from any location without requiring physical presence in every location. However, remotely deploying a two-box solution does not seem to be a straight forward and easy task.  The configuration and deployment of additional infrastructure using separate management tools could easily turn the provisioning process from a zero-touch into a many-touch one.

Almost every article written about SD-WAN solution benefits, one way or another, talks about delivering the best user experience. However, many of the considerations focus on the networking side to provide the best application quality of experience for end users. A subject that often gets ignored is the customer experience associated with the complexity of deploying, managing, and monitoring the additional security box at the branch with an SD-WAN solution. Integration of multiple boxes at a branch makes the deployment process complex and lengthy and the overall manageability difficult and costly.

Cisco SD-WAN Security: The Next Netflix


Cisco is taking a new leadership position in SD-WAN solutions by integrating enterprise firewall, intrusion prevention, and URL filtering capabilities directly into its SD-WAN appliance. By integrating WAN router connectivity and security capabilities into a single box, the overall complexity associated with deployment can be eliminated and its manageability made easier.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

This innovative and unified solution uses Cisco Talos – the industry-leading threat intelligence group – for its threat prevention and provides faster security deployment with Cisco Umbrella’s cloud security service in order to protect connections to the cloud. And secure access to every application by verifying users’ identities, checking devices’ hygiene, and enforcing adaptive multi-factor authentication policies via Duo Security (recently acquired).

It’s time to get rid of the old SD-WAN “VCR” box and embrace the future with Cisco SD-WAN security “streaming” box.

Sunday, 13 January 2019

Discover Meraki APIs for Location Analytics, Cameras, and Network Health

Meraki wireless networks and security cameras are deployed in large numbers of retail outlets, hotels, campuses, and enterprises. Meraki wireless networks connect many business-critical devices, including Point-of-Sales devices, and provide internet connectivity to visiting customers. The Meraki camera provides reliable security with local and remote live viewing capabilities from Meraki cloud hosted dashboard. Both are very easy to deploy, configure, and manage via a centralized cloud management dashboard.

Meraki wireless access points and security cameras, beyond their basic functionalities, also provide valuable insight into foot traffic and behavior patterns of users. Meraki Access point collects user location information from nearby smart devices, enabling location-based analytics.

Meraki camera utilizes a powerful onboard processor to analyze video and provides valuable foot traffic insights by detecting persons using computer vision. Location insights provided by these Meraki devices enables businesses to provide better customer engagements, increase retail store traffic, and drive revenue. Meraki network location analytics and camera analytics are exposed to business owners via an easy to use Meraki dashboard.

As Meraki wireless network is enabling core business capabilities, monitoring of network health and maintaining low network latency becomes very critical to the operations team. Meraki Wireless Health features simplifies monitoring and root cause analysis of issues for all connected clients from the Meraki health dashboard. The dashboard provides a snapshot view for 1 hour, 12 hours, 1 day, and 1-week durations, along with various drill down capabilities to help identify issues.

Rich APIs for location analytics, health, and camera


Meraki pre-built dashboards for location analytics, camera analytics, and health monitoring are very useful and sufficient for many organizations. But some organizations have more advance use cases and want to retain granular data for longer periods of time. Historical data from Meraki, when combined with other business related data like Point-of-Sale, can provide very useful business insights. To enable these advanced use cases Meraki also supports rich APIs for location analytics, health, and camera analytics. These data sets can help business solve complex use-cases like:

◈ How much do foot traffic and sales increase during promotions?
◈ What is typical queue size on cash registers during specific hours of day?
◈ How many devices successfully connected (or failed to connect) to the network in specific locations throughout the business?

Merakibeat Plugin collects data from the Meraki API and stores it in an analytics database


The DevNet and Meraki teams worked together to create the Merakibeat plugin, data pipeline, and reporting dashboard based on open source technologies like Elastic Beats, Elasticsearch, and Kibana. The Merakibeat plugin enables consumption of data from Meraki wireless health, location analytics, and camera API, and stores this data in an analytics database like Elasticsearch.

Key open source components for data pipeline include:

◈ Elastic Beats is an open source platform for data shipper. The lightweight beats agent sends metrics to Elasticsearch. Beats is very flexible framework that supports pluggable input-output plugins.
◈ Merakibeat is a DevNet community contributed input plugin that can write data to any of the Beats supported output data sources like Elasticsearch, Kafka, MongoDB, Redis etc.
◈ Elasticsearch is an analytics data store that saves historical data for further analysis and reporting.
◈ Kibana is a visualization tool for Elasticsearch, that enables creating custom reports and dashboards.
◈ Business metrics, like point-of-sale data, can also be ingested into the same analytics datastore to enable data analysis of business metrics, network health, and location analytics.

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Merakibeat data analytics pipeline

The DevNet team, working with Meraki engineers, developed a custom Beats plugin and reference data pipeline for Meraki APIs. This Merakibeat plugin has three sub modules –

◈ Meraki Health API module polls health APIs at configured intervals and fetches connection and latency status at network, device, and client levels. Polling interval and metrics to be collected can be configured using a config file.
◈ Location analytics scanning API supports pushing location analytics metrics to registered endpoints. The Merakibeat plugin starts a listener that accepts scanning data posted on a callback hook. The user needs to expose scanner data endpoint on external network and register callback endpoint in Meraki dashboard.
◈ Camera API: The Merakibeat camera module polls camera APIs at configured intervals and fetches average count of user presence and entrances in specific camera zones or full camera view.

Kibana is configured as a visualization tool for Elasticsearch, and we created a custom dashboard for wireless health status reporting. The dashboard shows different charts, like average success/failure ratios and network latencies. These charts can be viewed for various time duration (like 1day, 1week, 1month etc.) or specific date/time ranges. The Merakibeat GitHub repo also includes pre-created dashboards for Kibana that can be easily customized for user’s requirements.

To ease deployment, we bundled all components of the pipeline as Docker images, and created a Docker compose project that allows you to bring up a complete pipeline in a single command.

Merakibeat trial deployments


With one of our retail customers we deployed a trial version of Merakibeat, configured to collect wireless health and location analytics data. We also collected daily sales data from the retailer’s point-of-sale system. That enabled analyzing network health, active connections, and foot traffic with daily sales at the retail store. After collecting data for a couple of weeks we are able to create a dashboard in Kibana that helped the customer to analyze the following:

◈ Average number of customers visited per day
◈ Peak hours when customer visited retail area
◈ Correlation chart between customer count and sales revenue
◈ Percentage/count of customer devices that failed or succeed to connect wireless network

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Retail dashboard, store traffic, and network health metrics overlaid with Point Of Sales data

With the Cisco Merchandise Store in San Jose we deployed Merakibeat trial version configured to collect Meraki camera analytics data. After collecting data for more than a week we created a custom dashboard and alerting solution to support the following use cases:

◈ Overall customer store visits
◈ Customers queue size at cash register
◈ Number of customers visiting specific areas in store (e.g., apparel, gadgets, greeting cards, etc.)
◈ Alerts to staff via Webex Teams if a suspicious person is detected in off-hours, or queue size is greater than an established threshold

Cisco Tutorial and Materials, Cisco Guides, Cisco Learning, Cisco Study Materials
Retail store dashboard, camera API based traffic pattern in zone of interest

The Merakibeat plugin source is available on DevNet Code Exchange, and is also contributed to the Elastic Beats community

With the Merakibeat plugin project we have not only enabled specific use-cases but created a reference data pipeline to enable correlating business metrics with various Meraki API provided data. We are looking forward to see interesting analytics and reporting use cases that users will create based on data collected and made available by Merakibeat plugin.