Wednesday, 27 March 2019

Balancing the risks and rewards of connected manufacturing

The most expensive cyber security event ever started with an accounting software package from Ukraine. In its wake, 25% of the world’s shipping was shut down and major automobile and pharmaceutical companies came to a stop. And now a major lawsuit between an insurance provider and its customer has come forward, with the phrase “act of war” as a major point of contention.


What factory manager saw that coming?

Chances are nobody did, and that’s why Cisco, Schneider Electric, and Aveva are working together to mitigate the risks of digital manufacturing so their connected industrial customers can seize IIoT’s many rewards.

Designing IT/OT networks with cybersecurity in mind


“What previously was protected by proprietary OT protocols and hard-wired connectivity across the factory floor is now open game to hackers trying to do their dirty work through targeted IoT endpoints — whether a smartphone, field engineer’s tablet, connected variable speed drive, or any IoT-enabled asset.”

So what to do? Where to start?

Let’s start with an attitude adjustment. While most ICS environments have an implicit trust model, we need to surround them with a resilient architecture built on a zero-trust approach. In short: allow only the absolutely necessary access to equipment and applications. It is a significant change and will require significant buy-in from all involved.

How to get there.

Segmentation – contain outbreaks and control access


Segmentation gives you the opportunity to stop those outbreaks while controlling access, whether it be a whole department or an individual switch port connected to a robot.

Start high, where attacks first enter the factory: the industrial DMZ (IDMZ). It is shocking how many modern Fortune 500 factories lack a properly managed firewall separating the plant from the enterprise network. Much of the impact of WannaCry and NotPetya, both of which spread over SMB (TCP port 445), a protocol that should never cross the IDMZ directly, could have been blunted by a properly configured firewall. The world’s most widely deployed next-generation firewall, Cisco Firepower, can help.

Next, work your way down through the Purdue model, from Level 3 down to the individual machines, increasing granular control (micro-segmentation) along the way. You will need to understand the production lines, their relationships, and their components. To do that you have to have visibility.

Visibility builds better segmentation


Visibility into your factory and processes is a prerequisite for your segmentation decisions. You MUST find the process communication trails and work with the automation engineers to determine what is critical to ongoing operations. Cisco Stealthwatch can trace the full range of manufacturing communication patterns, from the factory floor, across the IDMZ to corporate ERP systems, to your favorite robot vendor’s cloud-based analytics platform.
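The Purdue walk-down and the visibility step above amount to one procedure: collect the flows, map each endpoint to its level, keep what production needs, and flag what skips a level. The following is an added example, not Cisco or Stealthwatch code. It takes flow records (constructed here, in the shape a flow collector would export), classifies each by the Purdue level of its endpoints, turns the accepted flows into candidate allowlist rules, and lists the flows that cross more than one level boundary or reach outside the plant. The address plan, the adjacency policy and the flow records are assumptions for illustration.

```python
"""Purdue-level flow review: classify observed flows, derive allowlist rules,
flag violations. Added illustration, not Cisco or Stealthwatch code; the
address plan, adjacency policy and flow records are constructed assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed address plan: which subnet each Purdue level lives in. The
# enterprise range is a /8 catch-all, so matching must prefer the longest prefix.
PURDUE_LEVELS = {
    "L0/1 control":   ip_network("10.10.1.0/24"),   # PLCs, drives, I/O
    "L2 supervisory": ip_network("10.10.2.0/24"),   # HMIs, engineering workstations
    "L3 site ops":    ip_network("10.10.3.0/24"),   # historians, MES
    "IDMZ":           ip_network("10.20.0.0/24"),   # jump hosts, patch/AV relays, brokers
    "Enterprise":     ip_network("10.0.0.0/8"),     # corporate IT (catch-all)
}

# Zero-trust reading of the model: traffic crosses one level boundary at a
# time, and the enterprise reaches the plant only via the IDMZ.
ALLOWED_HOPS = {
    ("L2 supervisory", "L0/1 control"),
    ("L3 site ops", "L2 supervisory"),
    ("IDMZ", "L3 site ops"),
    ("Enterprise", "IDMZ"),
}

def level_of(addr):
    """Longest-prefix match of an IP address to a Purdue level."""
    ip = ip_address(addr)
    best = None
    for name, net in PURDUE_LEVELS.items():
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else "Unknown"

def check_flow(flow):
    """Return (allowed, reason) for one flow record.

    Same-level traffic is accepted for now (micro-segmentation tightens it
    later), adjacent levels are accepted in either direction, everything else
    (level skipping, peers outside the plan) is a violation to investigate."""
    src, dst = level_of(flow["src"]), level_of(flow["dst"])
    if "Unknown" in (src, dst):
        return False, f"{src} -> {dst}: peer outside the plant address plan"
    if src == dst:
        return True, f"{src}: same level"
    if (src, dst) in ALLOWED_HOPS or (dst, src) in ALLOWED_HOPS:
        return True, f"{src} -> {dst}: adjacent levels"
    return False, f"{src} -> {dst}: skips at least one level boundary"

def build_allowlist(flows):
    """Aggregate accepted flows into (src_level, dst_level, proto, dport) rules.

    Each key is a candidate firewall or SGT policy line; the count shows how
    much observed production traffic depends on it, which is what you review
    with the automation engineers before enforcing."""
    rules = Counter()
    for f in flows:
        ok, _ = check_flow(f)
        if ok:
            rules[(level_of(f["src"]), level_of(f["dst"]), f["proto"], f["dport"])] += 1
    return rules

def violations(flows):
    """List (flow, reason) for every flow the policy would not allow."""
    out = []
    for f in flows:
        ok, reason = check_flow(f)
        if not ok:
            out.append((f, reason))
    return out

# Constructed flow records (src, dst, proto, dport), not real collector output.
SAMPLE_FLOWS = [
    {"src": "10.10.2.15", "dst": "10.10.1.7",  "proto": "tcp", "dport": 44818},  # HMI -> PLC, EtherNet/IP
    {"src": "10.10.3.5",  "dst": "10.10.2.15", "proto": "tcp", "dport": 4840},   # historian -> HMI, OPC UA
    {"src": "10.20.0.4",  "dst": "10.10.3.5",  "proto": "tcp", "dport": 443},    # IDMZ relay -> historian
    {"src": "10.10.1.7",  "dst": "10.10.1.8",  "proto": "udp", "dport": 2222},   # PLC -> PLC, implicit I/O
    {"src": "10.0.5.9",   "dst": "10.10.1.7",  "proto": "tcp", "dport": 44818},  # enterprise host straight to PLC
    {"src": "10.0.5.9",   "dst": "10.10.2.15", "proto": "tcp", "dport": 445},    # enterprise SMB into L2
    {"src": "10.10.2.15", "dst": "8.8.8.8",    "proto": "udp", "dport": 53},     # HMI talking to the Internet
]

if __name__ == "__main__":
    for rule, n in sorted(build_allowlist(SAMPLE_FLOWS).items()):
        print("allow", rule, "seen", n)
    for f, reason in violations(SAMPLE_FLOWS):
        print("VIOLATION", f["src"], "->", f["dst"], f["proto"], f["dport"], ":", reason)
```

Run on the sample, the four accepted flows become four allowlist lines and three flows are flagged; the enterprise-to-L2 SMB flow is exactly the path WannaCry and NotPetya used. The same-level acceptance is deliberately loose at this stage: once the level-to-level policy is enforced, the next pass narrows each level to per-cell or per-port rules.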

With an understanding of system communications, now build out a network architecture with modern network equipment. Look to resilient design concepts with multiple possible paths. Build for the future with Software-Defined Access (SDA). Cisco drives these policies through ISE (Identity Services Engine), which takes device or user identities directly or through pxGrid integrations with other Cisco products like IND (Industrial Network Director) or third-party tools like Nozomi and others.

Visibility for the big picture


Visibility also drives understanding of process challenges including security threats.

Your DMZ NGFW should be able to determine whether telemetry feeds are queried or simply pushed to analysis tools in the cloud or back at the research lab. Coupling your historians’ connection history at the plant with what is seen at the enterprise, and beyond to the cloud-based analysis site, crosses numerous organizational and network boundaries; the flow-stitching capabilities of Stealthwatch and Stealthwatch Cloud turn that into a single picture.

Visibility includes understanding the endpoints in the factory. Are your engineering workstations or historians running without endpoint protection, making them potentially vulnerable to malware? ISE posture assessment can tell you whether endpoint protection is present, and you can remediate that exposure by deploying AMP (Advanced Malware Protection). And the plant floor itself? With the knowledge that your metal press has a vulnerable HMI (as determined by IND and ISE) and that the next maintenance outage is seven months away (as determined by the production calendar), you can quickly apply a Talos-produced Snort rule to shield that machine via an ISA 3000 industrial NGFW at its gateway edge until it can be patched.

Close the loop with a security control loop


Just as a control loop takes inputs and adjusts the process, so, too, should your security see the state of your process system’s security and actuate the proper controls. Proper security controls are dynamic and adaptable. A microsegmentation-capable architecture and network is the base from which you enable visibility into new equipment and behaviors. Visibility provides the knowledge (with help from the operations team) to drive the policies which the network and security controls will enforce. And this process is as connected as your modern factory, because we can stitch together the factory activity with the enterprise, crossing former boundaries to create stronger and more secure bonds.

Now’s the time to secure your factory floor


All this represents a dramatic shift for manufacturers, OT professionals, and even IT departments.

At Cisco, we’re proud to stand at the forefront of the effort, alongside our partners at Schneider Electric and Aveva, to secure digital manufacturing and prevent negative outcomes.

Tuesday, 26 March 2019

Rakuten Cloud Platform is a Blueprint for the Future

Things that seem obvious today were not always that way. At some point, someone with a bit of courage and a flash of insight makes a bold move—like sticking a digital camera on the back of a phone. The rest of the world responds with a collective “of course!” and the world is changed, never to look back.

We had one of those moments a couple of weeks ago at Mobile World Congress in Barcelona when Rakuten announced their Rakuten Cloud Platform or RCP. Mickey Mikitani, Chairman, President and CEO of Rakuten introduced RCP the following way:

Rakuten has a founding vision of empowering people to realize their dreams and a history of disrupting the status quo to take the lead, in industries from e-commerce to fintech and digital content. We are very excited to launch a mobile network in Japan that is set to become the first choice of consumers and change global standards in telecommunications.

If you want to better understand how Rakuten is building RCP, I have some deep dive technical links at the end of this blog. For now, I wanted to explore why Rakuten decided to invest the time, effort and resources in building RCP.

For a while now, there has been growing tension between apps and services and the infrastructure they depend upon. This tension has increased as the center of gravity for app and service deployment has moved into the cloud. This, in turn, has given rise to cloud native architectures which further exacerbate stresses on infrastructure that was not originally designed for this brave new world.

At the customer end of things, we are now engaging with them in more ways and in more places. Not only do we have an explosion of phones and tablets, we are about to see an even larger explosion of connected cars, drones, cameras, refrigerators, and (my favorite) cows. Customers expect consistent and predictable services regardless of whether they are at home, at play or on the move. Almost every network operator is making the investments to keep up with this sea change. But interestingly enough, app and service owners are also looking to take greater control of their own destiny. We saw the first movement in this direction with the large web players getting involved with projects like the Telecom Infra Project (TIP) and CORD. Their objective was to help service providers upgrade the infrastructure on which those web players were dependent to meet their growth goals. Netflix has, for years, worked with ISPs to help improve the streaming experience of their subscribers. Rakuten has simply taken the logical next step. They are a cloud-first, mobile-first business and now they are building out bespoke infrastructure that is precisely calibrated to their needs. Moreover, as their business grows and evolves, Rakuten can be assured that their infrastructure will keep up with minimal lag.


While not everyone wants to be or can be Rakuten, it is worthwhile understanding what they did and why they did it, as that insight will be valuable to anyone contemplating an architecture refresh. Tareq Amin, CTO of Rakuten, built RCP around three guiding principles:

◈ Zero Touch, End-to-End Automation and Assurance
◈ Software Defined Programmable Infrastructure
◈ Distributed and Common Carrier Grade Telco Cloud

Looking at the first two principles, we can tell this is an architecture meant to be run by machines (hello SkyNet!). When we look at the scale of Rakuten’s vision and their goals for service agility and customer experience, it’s really the only feasible approach. For velocity, agility and cost reasons, humans simply cannot be inline to the day-to-day operations of RCP. To make this a reality, two things need to happen. First, every element of RCP needs to be programmable. For most of you reading this, deployment of programmable infrastructure (and the ability to take advantage of it) is opportunistic and incremental. Any progress is good news; however, there is a significant difference between 99% programmable and 100% programmable. Anything less than 100% means that at some point someone is still sitting at a keyboard, introducing friction into your workflows and acting as a constraint on your business. Cisco’s contribution to Rakuten’s programmable infrastructure goal was our NFVI solution and our IOS-XE, IOS-XR and ACI-based transport platforms. They all provide rich, capable, programmatic interfaces that met all of Rakuten’s design requirements, no keyboards required.

In concert with programmability is automation. Much like programmability, partially automating a service chain is helpful, but having 100% coverage of your end-to-end service chain really unlocks new possibilities around how you build and deliver services. For example, operationally, you lower the cost of operation and reduce the time to stand up and tear down service chains. That opens the door to more dynamic capacity management, auto-scaling and assurance management. That increases your efficiency and utilization, which further lowers opex and frees budget dollars for further investment, and a virtuous cycle is spawned. From a customer experience perspective, the real benefit comes from minimizing the lag between the creation of services and the ability of the infrastructure to support them. This frees service owners to iterate offers more quickly, experiment more easily, and makes customization and personalization more feasible.


Rakuten’s RCP automation framework is two-tiered to provide flexibility and horizontal scalability. The bottom tier is comprised of four domains: central data center, WAN, edge data center and far edge data center. The domain level automation is built from a combination of Cisco Network Services Orchestrator (NSO), the NFVO Function Pack for NSO, Cisco Elastic Services Controller (ESC) as a virtual network function (VNF) manager, and, on an interim basis, other partner VNF managers—Rakuten’s mid-term goal is to consolidate on ESC.  NSO then uses a feature called Layered Services Architecture (LSA) to tie those four domains together with a cross-domain instance of NSO. Together, this framework provides RCP with fast, dependable, scalable, sophisticated end-to-end service orchestration. Rakuten then takes advantage of the rich northbound software interfaces NSO offers to tie the automation framework to their OSS and BSS systems.

The final principle, distributed and common carrier grade telco cloud, is a reflection of the changing nature of traffic. It no longer makes sense to try and serve subscribers from some far-away central data center. Providers can also no longer make assumptions as to where their customers are located. Instead, RCP needs to be able to serve customers wherever they are, whichever device they are on, whatever service they are consuming. For both customers and service owners, Rakuten needs to be able to pervasively deliver consistent capabilities and predictable customer experience. Let’s take a closer look at how they do that and where we contribute to the effort.

A “telco cloud” is essentially a private cloud optimized for hosting virtualized network functions (VNFs). It is built from NFV Infrastructure (NFVI) that hosts the VNFs and a management and orchestration layer (MANO, discussed earlier). Cisco Virtualized Infrastructure Manager (CVIM) is an open, modular, containerized NFVI software solution that forms the building blocks of RCP. The RCP deployment embeds Red Hat Enterprise Linux and Red Hat OpenStack Platform. Beyond support for Cisco and third-party VNFs, CVIM provides key features like security hardening, automated zero-touch provisioning and full lifecycle management of VNFs. Underpinning it all, Cisco ACI and Cisco Nexus 9000 series switches link network, compute and storage resources.

RCP’s CVIM building blocks are flexible and fungible so a collection of CVIMs can be adapted to support any service or application today or in the future. This gives Rakuten great cost efficiencies with RCP, but it also gives service owners great freedom to build new services and get them deployed quickly without worry about what the infrastructure can or cannot do. At the same time, these basic NFVI building blocks can be deployed anywhere along the service chain that makes sense, since managing a CVIM instance in the central data center is no different than managing one in a far edge data center. Along those same lines, VNFs, content and resources can be placed and even moved around on the fly to optimize operations and customer experience—distributing them to wherever makes the most sense.

Mickey Mikitani stated “[w]ith automation and virtualization, Rakuten is redefining how mobile networks are designed and how services can be consumed.” RCP seems ready to do exactly that. Not only will their investment in RCP help Rakuten and its customers, it will serve as a lab for their peers to learn from and for the industry to evolve.

Saturday, 23 March 2019

Calling in Webex Teams Now Powered by Cisco BroadCloud

A proven calling platform that brings cloud innovation to the mid-market and large enterprise.


Today Cisco announced a new enterprise-class, native cloud solution: Webex Calling. It is powered by bringing together the best of the proven Cisco BroadCloud platform and Cisco Webex. This brings Cisco’s total business cloud calling users to over 29 million worldwide. By combining a full enterprise PBX feature set with the rich team collaboration capabilities of Webex Teams, Webex Calling delivers the complete, integrated collaboration experience business users need. It will be sold under the Cisco Collaboration Flex Plan by Cisco VAR channel partners. Availability begins in the U.S. on March 31, 2019 and will expand to more than 35 countries across North America, Europe, Australia/New Zealand, and Japan by the end of the year.


We are already seeing a great fit in the market from our early partner engagements.

“The release of Webex Calling is timed perfectly with a phone refresh Presidio is doing for an important retail customer. The customer recognized immediately that they could configure, deploy, and manage over 2,500 handsets across 500 locations in nearly a plug-and-play fashion utilizing a lean IT team while saving hundreds of thousands of dollars in telecom costs,” said Vinu Thomas, CTO of Presidio. “The flexibility of adding and removing phones, the access to the full suite of Webex’s collaboration offerings, and the ease of automatic updates and patching are just a few of the reasons Webex Calling is a tremendous opportunity for Cisco partners and their customers.”

Superior alternative


Mid-market and enterprise business leaders have been reluctant to move to the cloud, due to concerns about scalability, feature functionality, reliability, and security. That’s why we only see a current cloud calling market penetration estimate of 8% for businesses with 100+ users, while the cloud penetration for the under 100 user segment is more than 25%, based on market analyst estimates.

Webex Calling eliminates these former barriers and gives business leaders the freedom to replace their aging PBX infrastructure with a superior cloud PBX alternative. With cloud delivery from a series of geo-redundant data centers in seven countries, operated by experienced Tier 4 operators, Cisco is able to deliver a multi-tenant cloud service that is more reliable, scalable, and secure than any on-premises option. And with a cloud service that counts release cycles in weeks, rather than years, Webex Calling is always up to date, delivering a more intelligent user experience.

Complete solution


Now Cisco can take users from their smartphone in their car, to the devices they use in their office, home, or meeting room with easy device handovers and rich business calling features at every step. With Webex Teams included, we’re making it simple to keep organizations connected and productive from wherever work gets done.

Here’s what you get with Webex Calling:

◈ A proven, enterprise-class cloud PBX
◈ Bundled with Webex Teams, for advanced collaboration
◈ Optional Cisco multiplatform (MPP) IP phones, headsets, and video devices
◈ Option to add Webex Meetings
◈ Simplified packaged pricing
◈ Investment protection through Cisco Collaboration Flex Plan purchasing
◈ Sales and service support from a qualified Cisco VAR channel partner
◈ Global availability expanding throughout 2019 to 35+ countries and 7 languages

Smooth transition

In most cases, larger businesses need more time to transition over to the cloud. In some industries, like financial services, they may not ever move completely to the cloud. That makes the time and process in this transition zone a key gating factor for these business leaders.

One of the most important advantages we see with Webex Calling is the flexibility it offers for customers looking to transition to the cloud in phases, rather than all at once. Cisco customers now have the freedom to move any site, or group of users to the cloud, while maintaining a common network dial plan and directory access for users across all cloud and on-premises PBX sites.

Powerful channels


Webex Calling will be sold primarily by Cisco value-added reseller partners (VARs) that are trusted by enterprises worldwide. So now mid-market and enterprise customers can get the performance, reliability, and security of a Cisco cloud calling solution from the Cisco channel partner they prefer, or are currently doing business with.

Early excitement and momentum with our VAR partners is building. Here’s what Joe Berger, Practice Director, Collaboration and End User Computing for World Wide Technology had to say. “As the UCaaS market continues to mature, we’re excited to have Webex Calling in our portfolio. The Cisco BroadCloud powered solution now gives us more options for those customers who are looking to move their collaboration workloads to the cloud . . . backed by the enterprise requirements that many businesses already expect from Cisco. When combined with Webex Meetings and Webex Teams, this truly becomes a next generation collaboration platform.”

We now have 19 U.S.-based partners already signed up to introduce Webex Calling to their business customers. Talk to one of these Cisco partners about Webex Calling:

◈ CDW
◈ CompuNet
◈ ConvergeOne, Inc.
◈ Core BTS
◈ Data Strategy, a Trace3 company
◈ Dimension Data
◈ ePlus
◈ Insight
◈ Iron Bow Technologies
◈ Logicalis
◈ LookingPoint
◈ PCM, Inc.
◈ Pivot Technology Solutions
◈ Presidio
◈ Sentinel Technologies
◈ ShoreGroup Solutions
◈ Sirius Computer Solutions
◈ Software House International
◈ World Wide Technology

Tuesday, 19 March 2019

Web & Mobile On-prem Solution Maximizes Customer Experience

Business overview


The increased relevance of web sites, chat, and mobile applications on smartphones is supporting a big rush to evolve customer care into a digital omnichannel architecture. Enterprises recognize how these new ways of communicating are becoming increasingly important for reaching their business objectives. The true omnichannel experience that companies are aiming to achieve is the ability to carry the context along different channels to maximize the customer experience and to deliver high quality services along the entire customer journey.

Video Advisor enables a compelling digital journey by seamlessly integrating with Cisco Customer Journey Solutions such as CCX, CCE, PCCE and HCS, and empowers companies to enable real-time video agent engagement and escalation directly in their applications and website channels, making it easy for customers to interact with experts when, how and where they choose. The resulting experience of moving seamlessly from one channel to the other results in improved business outcomes and customer loyalty.

Product overview


Video Advisor features at a glance:

◈ Web and iOS/Android smartphone SDKs
◈ Audio/Video WebRTC to SIP on premise signaling server
◈ Media transcoding/ pass-through and firewall traversal
◈ WebRTC Cisco Finesse gadget
◈ Co-browsing, Link and Document Asynchronous Sharing, or two-way real-time Desktop Sharing

Integrates with Cisco’s Customer Care Architecture Portfolio:

◈ CCX
◈ CCE
◈ PCCE
◈ HCS-CC

Multiple Audio/Video options for the customer


Video Advisor is the Eudata® solution to set up Video Sessions between customers and Agents: it allows the customer to contact an expert in the Cisco Contact Center through Audio and Video calls directly from the company web site or iOS/Android smartphone applications:

◈ WEB: Add a simple “Click To Call” button on your web site to provide real-time support to customers and users
◈ SMARTPHONE: Add Video Capabilities to your mobile APPs using native SDKs to enrich your customer experience
◈ KIOSK: Create Video services available from a public Kiosk (based on PCs or on mobile devices)

Through a simple script it is possible to add audio/video support to the company web site:

<div id="unyco_container3lvagkeeav">
<script type="text/javascript" src="https://demo.unyco.net/bc/rst/customer/js/includeUnycoPopover.js?code=gn1lir4si8&rnd=3lvagkeeav"></script>
</div>

Note that this tag executes vendor-hosted JavaScript with full access to the embedding page’s DOM, cookies and session, so treat it like any other third-party script: serve it from a host you control or have reviewed, and constrain where it may run with a Content-Security-Policy script-src entry.

Eudata® supplies native mobile SDKs, available for both Android and iOS devices, which can be easily integrated into a customer’s existing mobile applications for adding WebRTC audio/video capabilities.


Browser/device compatibility matrix:


Video Advisor takes advantage of modern browser APIs to enable application/desktop sharing and WebRTC capability. For older browsers, like Internet Explorer, a plug-in is needed to access those functionalities.

WebRTC to SIP architecture and call flow


Video Advisor is based on WebRTC technology to offer an Internet video phone to customers using web sites, mobile applications, or kiosks.

Through the Eudata® WCS on-premise WebRTC2SIP component, which acts as middleware between the digital customer touch points and the Cisco Customer Journey Solution through the Universal Queueing API (CCX, CCE, PCCE and HCS), the incoming WebRTC session is turned into a SIP call sent to the customer care solution for treatment. Video Advisor is therefore fully integrated with Cisco CVP and Cisco CUCM for routing calls to the desired expert.

◈ An audio/video WebRTC call is initiated either by a web widget, a smartphone application, or a kiosk.
◈ The audio/video WebRTC call originated by the customer is translated into a SIP call by the WCS WebRTC2SIP server and sent to Cisco Customer Care, where it is handled as a regular incoming SIP call and finally routed to the agent. Customer details can be sent as SIP headers so that they can be displayed on the agent desktop.
◈ The call is terminated on a customer care agent SIP endpoint.
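The call flow above says customer details travel to the agent desktop as SIP headers. Those details originate in the browser or app, so the gateway is copying attacker-controllable strings into a line-oriented protocol. The following added example, not Eudata or Cisco code, builds the INVITE a WebRTC-to-SIP gateway might send with such headers and shows why each value must be validated first: a value containing CR/LF would terminate the header and let the caller inject one of their own. The header names, hosts, URIs and customer fields are assumptions for illustration.

```python
"""Added example, not Eudata or Cisco code: forwarding untrusted web-widget
fields as SIP headers from a WebRTC-to-SIP gateway, with header-injection
rejected. Header names, hosts and URIs are assumptions for illustration."""
import re

# RFC 3261 header values are a single logical line; CR/LF or other control
# characters in a value would let the web customer terminate the header and
# inject their own (a forged From, an extra Via, a P-Asserted-Identity).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Untrusted widget fields we are willing to forward, mapped to the SIP header
# that carries them (assumed names; only allowlisted fields are ever emitted).
FORWARDED_FIELDS = {
    "name": "X-Customer-Name",
    "account": "X-Customer-Account",
    "page": "X-Origin-Page",
}

class InvalidCustomerData(ValueError):
    """Raised when a widget-supplied value cannot safely be put in a header."""

def sanitize_value(value, max_len=128):
    """Reject control characters and oversized values; return the value unchanged."""
    value = str(value)
    if _CONTROL_CHARS.search(value):
        raise InvalidCustomerData("control characters are not allowed in a SIP header value")
    if len(value) > max_len:
        raise InvalidCustomerData(f"value longer than {max_len} characters")
    return value

def build_invite(customer, agent_uri, gateway_host="wcs.example.internal",
                 call_id="c0ffee", validate=True):
    """Return the INVITE text the gateway sends toward the contact center.

    customer  -- dict of untrusted fields posted by the web/mobile widget
    validate  -- False reproduces a naive gateway that copies values verbatim;
                 kept only to show what the check prevents
    """
    lines = [
        f"INVITE {agent_uri} SIP/2.0",
        f"Via: SIP/2.0/TLS {gateway_host};branch=z9hG4bK{call_id}",
        f"From: \"WebRTC customer\" <sip:webrtc@{gateway_host}>;tag={call_id}",
        f"To: <{agent_uri}>",
        f"Call-ID: {call_id}@{gateway_host}",
        "CSeq: 1 INVITE",
        "Max-Forwards: 70",
    ]
    for field, header in FORWARDED_FIELDS.items():
        if field in customer:
            raw = str(customer[field])
            lines.append(f"{header}: {sanitize_value(raw) if validate else raw}")
    lines.append("Content-Length: 0")  # SDP body omitted; offer/answer is out of scope here
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_headers(message):
    """Split an INVITE into {header-name: [values]} the way a downstream proxy would."""
    headers = {}
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers

# Constructed inputs: an honest customer and an injection attempt.
HONEST = {"name": "Alice Example", "account": "A-10042", "page": "/loans/apply"}
MALICIOUS = {"name": "Mallory\r\nFrom: <sip:+15555550100@pstn.example>;tag=x",
             "account": "A-1"}
QUEUE = "sip:videoqueue@cc.example.internal"

if __name__ == "__main__":
    print(build_invite(HONEST, QUEUE))
    try:
        build_invite(MALICIOUS, QUEUE)
    except InvalidCustomerData as e:
        print("rejected:", e)
```

The validate=False path exists only to show the injection the check prevents: parsed downstream, the naive message carries two From headers. A real gateway should also cap the number and size of forwarded fields and never forward a field it has not explicitly allowlisted.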


WebRTC to WebRTC


If the Customer Care solution is not video enabled, Video Advisor also supports an end-to-end customer-to-agent WebRTC audio/video/screen sharing solution through a fully integrated Cisco Finesse gadget.


Rich interactive expert features


The Video Advisor solution enriches real-time voice and video communications with interactive collaboration experiences such as Co-browsing, Link and Document Asynchronous Sharing, or two-way real-time Desktop Sharing:

◈ 2-way voice, 1- or 2-way video selectable by customer
◈ Co-browsing of customer application or web screen visible to Video Advisor
◈ Application or web control by Video Advisor
◈ Video Advisor annotation and cursor spotlight
◈ Joint form fill (sensitive data cells can be masked on the expert screen)
◈ Ability to push files and URLs to customer

Saturday, 16 March 2019

DevOps with CloudCenter and Kubernetes in a Multicloud Environment – Part 1

The need for digital innovation


Whatever your business might be, your internal and external customers expect more and more services, greater efficiency and a better experience. Providing new services (which in most cases will mean a new or revamped application) to customers and anticipating your competitors’ moves attracts new customers and retains the existing ones.

Often the line of business developers are not satisfied with the support they receive from the IT operations teams in terms of flexibility and speed to start a new project, especially if new technologies or skills are required (e.g. developing and deploying cloud native applications).

The perception of IT operations also depends on how often they have to support the release of fixes for broken services, and on the testing process that is supposed to make production environments “bug-free” after functionality and reliability tests.

Frequent releases and the quality of the code can benefit a lot from automation in all the phases of a software project, though end-to-end automation is not absolutely necessary; it’s just much better!

The fundamental pillars are organizing workflows and processes to ensure they cover every need (no gaps in the responsibility, no grey area in communication among different departments, shared objectives instead of finger pointing).

Figure 1 below shows the evolution of methodologies and the impact on the value perceived by the business. The stars represent the moment when business value is realized by a release of the application in production.

With traditional waterfall projects, it happens only at the end of the project (by the way, with a lot of uncertainty due to delays and unexpected trouble during the development and the test phases).

Agile methodology reduces risk by repeating shorter cycles of design, coding and testing that can address any surprises and adjust the course of the project sooner if necessary. But deployment in production still happens at the very end of the project.

The innovation allowed by Continuous Integration and Continuous Deployment (CI/CD) brings the application in production at every cycle (new releases or bug fixing) ensuring optimal quality and a deterministic outcome: the business will appreciate the benefit in terms of time-to-market for their initiatives.


Figure 1 – CI/CD offers more business value

DevOps is not a technology nor a product

DevOps means collaboration between Developers and Operations.

The work of whoever is responsible for design and implementation of the code (the dev team) does not finish when a new build of the application is released. Developers should also collaborate in testing the entire system (code, infrastructure and process), releasing it in production, operating and measuring its KPI.

The Operations team does not just execute a defined process to maintain the system but should collaborate from the design phase of the application and, most importantly, provide constructive feedback from the production environment that can help improve and extend the application in the next development cycles, e.g. application errors and their causes, performance issues, support tickets opened by users, etc.

The collaboration and the feedback loop are foundational principles in DevOps, as described in next paragraph. 

Cultural change

The necessary cultural change should be promoted (breaking silos in the organization), with incentives and gradual adoption of practices that will improve with time: the entire organization and the individuals have to digest a new way of working, openly analyzing its outcome and contributing to the progress with personal feedback and suggestions. A great book describing this cultural change is The Phoenix Project.

DevOps practices suggest that the entire lifecycle of a service is managed by a single team: from the inception phase and the requirements analysis, to the implementation, testing, release and related operational processes. Such a team can be more efficient and provide more value because it knows everything about the service, can react to any problem quickly, and can evolve the service based on new requirements.

The DevOps team should include representatives from different departments (lines of business, IT Architecture, Operations…) that bring their skill and experience, so a new organizational model may be required. The result can be a “dotted-line” reporting structure with functional responsibilities across different teams.

It is not necessary to build a team for each service. Some services can be grouped in one team, especially if they belong to the same business area or if they are responsible for the building blocks of a composite application (in a microservices architecture).

DevOps principles


Gene Kim defines the principles of all DevOps patterns (the Three Ways) in the books “DevOps Handbook” and “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.” He asserts that the Three Ways describe the values and philosophies that frame the processes, procedures, practices of DevOps, as well as the prescriptive steps.

The First Way – Systems Thinking

◈ Understand the entire flow of work
◈ Seek to increase the flow of work
◈ Stop problems early and often – Don’t let them flow downstream
◈ Keep everyone thinking globally
◈ Deeply understand your systems

First Way Goals

◈ One source of truth – Code, environment and configuration in one place
◈ Consistent release process – Automation is essential (one click)
◈ Decrease cycle times, Faster release cadence

The Second Way – Feedback Loops

◈ Understand and respond to the needs of all customers (internal and external)
◈ Shorten and amplify all feedback loops
◈ With feedback comes quality

Second Way Goals

◈ Defects and performance issues fixed faster
◈ Ops and InfoSec user stories appear as part of the application
◈ Everyone is communicating better
◈ More work getting done

The Third Way – Synergy

◈ Consistent process and effective feedback result in agility
◈ Now use that agility to experiment
◈ You only learn from failure – So fail often, but recover quickly

Third Way Goals

◈ Ability to anticipate, even define, new business needs through visibility into the systems
◈ Ability to test and optimize new business opportunities in the system while managing risk
◈ Joy

Now that we have covered the basics of DevOps, let’s have a look at a product from Cisco that could make it easier to adopt DevOps practices. Remember that DevOps cannot be bought: it is the set of good practices that you define and refine as continuous improvement based on experience. Automation is only a part of the story.

The Cisco multicloud approach

Many organizations are using at least one private or public cloud, but more and more use a combination of different clouds: that implies a need for consistent governance, security, networking, analytics and automation that apply to every environment. The multicloud portfolio includes products, services and reference architectures that span all technologies mentioned above to make the adoption of clouds simpler.

This post explains how we have built a demo using products in the automation bucket to support a DevOps use case (i.e. Continuous Integration and Continuous Deployment, aka CI/CD).

The two products are the Cisco CloudCenter Suite (CCS) and the Cisco Container Platform (CCP), briefly described in the following paragraphs before we go on to the demo.

Cisco CloudCenter Suite


Cisco CloudCenter Suite is a solution that helps the IT organization to enable developers and lines of business to deploy and operate a large number of applications and middleware platforms, made more complex by the availability of different possible targets (private and public clouds for running VM and containers).

Figure 2 – CloudCenter Suite addresses the many-to-many complexity

CloudCenter Suite is a single tool that simplifies multicloud management by enabling organizations to design, deploy, and optimize infrastructure and applications across clouds by automating application deployment and consuming resources and services from any cloud. It helps to enforce a single governance model including cost control, approval processes, security policies and consistent architecture across different clouds.

The benefit is that you don’t have to learn and use the different tools from cloud providers, or replicate the automation blueprints using the native automation technologies in each cloud (e.g. Cloud Formation for AWS, Heat for Openstack, Powershell for Azure): you only create a single model and CloudCenter Suite translates it into a call to the specific API exposed by each cloud, including public, on-premises and Kubernetes clusters.

Figure 3 – CloudCenter Suite translates a single blueprint to API calls for all clouds

Everything you do in CloudCenter Suite can be done through its API, making it easier to orchestrate it externally (e.g. from Jenkins, through a plugin that Cisco ships so that you can insert multicloud deployments in your CI/CD pipeline).

The current version of the CloudCenter Suite also includes additional modules like the Cost Optimizer and the Action Orchestrator: a useful enhancement to create a governance model and make operations easy in a heterogeneous multicloud environment.

Cisco Container Platform


Cisco Container Platform is another software product from Cisco that Operations teams can use to create and manage enterprise-grade Kubernetes clusters. It deploys, fully configures and manages (upgrades, scales, monitors) Kubernetes clusters on-premises and in the public cloud for you, and it also supports native integration with AWS’s EKS. It takes care of all the complexity of integrating with networking (options offered out of the box are Calico, Contiv and Cisco ACI), storage, security (SSO and RBAC are added to Kubernetes) as well as centralized monitoring and logging (Elasticsearch, Fluentd and Kibana), while shipping 100% open source binaries from the upstream repositories. With Cisco Container Platform, DevOps teams can extend their deployment environments to include Kubernetes-based containers without having to deploy and maintain Kubernetes themselves.

Thursday, 14 March 2019

Open programmable architecture delivering value beyond connectivity

We discussed how Cisco delivers consistency and simplicity, with integrated security, across Enterprise domains. Now we’ll discuss in more detail how this is done.

“People who are serious about software should make their own hardware”

Cisco uniquely develops its own hardware and software, including silicon for Switching, Wireless, and Routing platforms. This allows Cisco to deliver unique innovations and optimizations pertaining to network-specific needs, such as:

◈ Stackpower/Stackwise, AVB, MACSec-256, and ERSPAN for Switching
◈ CleanAir, Flexible Radio Assignment and Hyperlocation for Wireless
◈ Advanced hardware queueing and Deep Packet Inspection for Routing
◈ Flexible Netflow (FNF), Scalable Group Tags (SGT), VXLAN, and NBAR2 across all the domains

These unique innovations in hardware and software enable Cisco to deliver much more value beyond connectivity in the areas of security, visibility, high availability, etc., and are the foundation for the evolution to an Intent-based architecture.

Built-in Security and Network Visibility for Proactive Insights


FNF and NBAR2 are foundational enablers for Security and Application Visibility embedded in the platforms. Cisco Switching, Routing and Wireless platforms incorporate special hardware and software to collect information about all the flows in the network, not just sampled, and deep packet inspection capability to identify applications. All this is done without network slowdown. This is what makes advanced Security services such as Encrypted Traffic Analytics (ETA) able to detect malware in encrypted traffic without decrypting the traffic, working in conjunction with Cisco Talos, Cognitive Threat Analytics (CTA), and Threatgrid while using Cisco Stealthwatch. It is also what enables Application Assurance, advanced Application Policy, and Network as a Sensor.

◈ Granular Visibility: Model-driven telemetry (MDT, otherwise known as Streaming Telemetry) provides a mechanism to stream data from Switches, Routers, and Wireless devices to a destination. By subscribing to a data set defined in a YANG model, the specific event data can be streamed on-change, providing near-real-time monitoring of the network, leading to quick detection and rectification of failures.
◈ Intelligent Capture: Gather contextual data ranging from live client onboarding to on-demand RF scanning to real-time Wi-Fi analytics and client location. Actionable insights are provided by analyzing packet captures across multiple network elements, with zero packet loss.


Simplified Management for an Always-on Network


Network Automation is a new paradigm for network configuration, operation and monitoring. Cisco’s solution delivers the following across wired and wireless in the Enterprise:

◈ Automated device provisioning: This is the ability to automate the process of upgrading software images and installing configuration files on Cisco Switches, Routers, and Wireless devices when they are being deployed in the network for the first time. Cisco provides turnkey solutions such as Plug and Play (PnP) that enable an effortless and automated deployment. Automatic device provisioning is also provided using Zero Touch Provisioning (ZTP) which, while not a turnkey solution like PnP, is offered for greater flexibility and compatibility with numerous device types.

◈ API-driven configuration: The platforms support a wide range of automation features and provide robust open APIs over Network Configuration Protocol (NETCONF) using YANG data models, so that external tools, both off-the-shelf and custom built, can automatically provision network resources. Most platforms also support RESTCONF and gNMI APIs.

◈ Seamless software upgrades and patching: To enhance OS resiliency, Cisco IOS XE supports patching, which provides fixes for critical bugs and security vulnerabilities between regular maintenance releases. This support allows customers to add patches without having to wait for the next maintenance release.

◈ Application Hosting: Cisco Switches and Routers support hosting of applications directly in the infrastructure. Containers and VMs can host Analytics, Security, IoT, validation/troubleshooting tools (Wireshark, iPerf, etc.), Cloud Connectors, CI/CD applications, and more. These platforms support local storage of 120 GB and above for application data.

Orchestrating and Assuring the network from an Enterprise-wide view


Custom ASICs enable Cisco to future-proof customers for ever-changing digital businesses by delivering beyond standards. Modern and modular IOS XE across the portfolio supports IT simplicity and scale. More importantly, all of Cisco’s next generation platforms are built from the ground up for Intent Based Networking (IBN). Cisco SD-Access, Cisco’s IBN architecture for the Campus, provides automated end-to-end segmentation to separate user, device and application traffic.

Cisco SD-Access automates user access policy so organizations can make sure the right policies are established for any user or device with any application across the network. Instead of defining a policy for your LAN, wireless LAN and WAN, you define it once and apply it to all three domains. SD-Access provides “policy-based automated network enforcement” for access, security, application quality and monitoring across ALL network domains. Cisco SD-Access delivers macro-segmentation using Virtual Networks (or VRFs) and micro-segmentation using Scalable Group Tags (SGTs). VXLAN is the data plane encapsulation protocol carrying the Virtual Networks and SGTs, forwarded by the specialized silicon in the hardware platforms, while LISP is the fabric Control Plane protocol keeping track of devices and users as they connect and move in the fabric.
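The encapsulation just described, carried through in code as an added example (not Cisco’s or SD-Access’s own code): the VXLAN header with the Group Policy extension (draft-smith-vxlan-group-policy) is built and parsed to recover the VNI, which identifies the Virtual Network, and the 16-bit Group Policy ID that carries the SGT, and a small allow-list of which SGTs each Virtual Network should carry is used as an inspection check on decapsulated frames. The flag layout follows the draft; the VN numbers, SGT values and the allow-list are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Set

# Flag bits of the 8-byte VXLAN header with the Group Policy extension
# (draft-smith-vxlan-group-policy). Byte 0 holds G and I, byte 1 holds D and A.
FLAG_G = 0x80  # byte 0: Group Policy ID field is valid
FLAG_I = 0x08  # byte 0: VNI field is valid (plain VXLAN, RFC 7348)
FLAG_D = 0x40  # byte 1: "Don't Learn" the inner source MAC to VTEP binding
FLAG_A = 0x08  # byte 1: group policy has already been Applied upstream


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int              # 24-bit Virtual Network identifier (macro-segment)
    group_policy_id: int  # 16-bit Scalable Group Tag (micro-segment), 0 if G is clear
    gpo_present: bool
    dont_learn: bool
    applied: bool


def build_vxlan_gpo(vni: int, sgt: int, applied: bool = False,
                    dont_learn: bool = False) -> bytes:
    """Encode a VXLAN-GPO header carrying a VNI and a Scalable Group Tag."""
    if not 0 <= vni < 2 ** 24 or not 0 <= sgt < 2 ** 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    flags0 = FLAG_G | FLAG_I
    flags1 = (FLAG_A if applied else 0) | (FLAG_D if dont_learn else 0)
    # Network byte order: flags0, flags1, Group Policy ID, VNI (24 bits) + reserved byte
    return struct.pack("!BBHI", flags0, flags1, sgt, vni << 8)


def parse_vxlan_gpo(header: bytes) -> VxlanGpoHeader:
    """Decode the first 8 bytes of a VXLAN(-GPO) header; no SGT if G is clear."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", header[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    gpo = bool(flags0 & FLAG_G)
    return VxlanGpoHeader(vni=vni_res >> 8,
                          group_policy_id=gpid if gpo else 0,
                          gpo_present=gpo,
                          dont_learn=bool(flags1 & FLAG_D),
                          applied=bool(flags1 & FLAG_A))


# Constructed allow-list (an assumption, not an SD-Access artefact): the SGTs
# each Virtual Network is expected to carry on this fabric link.
EXPECTED_SGTS: Dict[int, Set[int]] = {
    4099: {10, 11},   # e.g. Employees, Contractors
    4100: {20},       # e.g. Building management devices
}


def check_segment(hdr: VxlanGpoHeader,
                  policy: Dict[int, Set[int]] = EXPECTED_SGTS) -> str:
    """Return 'ok' or the reason a decapsulated frame is worth alerting on."""
    if hdr.vni not in policy:
        return f"unknown VN {hdr.vni}"
    if not hdr.gpo_present:
        return f"VN {hdr.vni}: frame carries no SGT"
    if hdr.group_policy_id not in policy[hdr.vni]:
        return f"VN {hdr.vni}: unexpected SGT {hdr.group_policy_id}"
    return "ok"
```

Feeding the 8 bytes after the outer UDP header of a captured fabric packet to `parse_vxlan_gpo` gives the VN and SGT a monitoring tool can correlate with the policy intended in DNA Center.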

“It is clear that SD-Access is the future; it is the only way we can keep up with the explosion of connected devices”

Cisco DNA Center is the single pane of glass where all of this comes together. It is the single point of Orchestration, Automation, and Assurance for the network.

◈ Automation for Provisioning: Software Image Management (SWIM) manages the images for your network devices and, when it detects a device is not conformant with images deemed as “Golden” in your environment, can automatically update the device. Cisco Plug-n-Play (PnP) enables zero-touch deployment for new devices as they are added to your network.

◈ Analytics for Assurance: Cisco DNA Center receives contextual information from the network devices, endpoints, and applications and delivers rich assurance functionality. It delivers unprecedented visibility, proactive insights, real-time troubleshooting, and predictive performance.

“The new Cisco Catalyst 9000 provides us the performance we need, and the security features that are critical for our healthcare records. The new network, powered by Cisco® Digital Network Architecture (Cisco DNA), gives us granular insight into who the users are, the devices they use, and the applications they access—all with the ability to learn and adapt to changes and needs in the network.”

Cisco DNA Center is also the place where the network can be designed, policy is created, and devices are deployed in the network, for SD-Access (fabric based) and non-fabric based environments. Next time we’ll explore DNA Center a bit closer. In the meantime, here is a teaser showing Wired and Wireless Client Health in DNA Center.

Tuesday, 12 March 2019

Accelerating Insights and Analytics with VAPP & Cisco Meraki APIs

Extend and Expand Your Cisco Meraki Dashboard Capabilities


Digital Transformation has drastically changed customers’ habits: they want to do business anytime, anywhere, and on their preferred device. In order to successfully engage these “always-connected” customers, organizations have to provide an ideal digital environment where everything can be arranged quickly and easily.

The Power Of Simplicity

Cisco has always worked to simplify powerful technology letting our users stay focused on their core business. As part of this vision, Cisco Meraki has built a cloud-based dashboard that customers around the world can use to easily manage their IT network infrastructure.

From the very beginning, our engineers have been focused on providing innovative features and extremely simple functionalities. In some cases, however, trying to address custom applications or specific use cases would have compromised the dashboard usability.

Why APIs make things different

The changing consumer experience is made possible by exposing APIs, which open up enticing possibilities and new opportunities. Cisco is aware of how important it is to work closely with companies like Bizmate, whose key strategy is to invest heavily in APIs, allowing our partners and developers to build more specialized use cases.

VAPP – VIEW® Application Portal

Against this background, Cisco and Bizmate have worked together to provide a new application portal specially designed for Cisco users, adding value to the Cisco Meraki platform and building digital solutions for customers and partners.

VAPP provides pre-built web applications in a cloud computing environment with normalized authentication, APIs integration, event-driven workflows, rule-based actions and so much more.

VAPP easily integrates with the Cisco Meraki infrastructure and processes its data, thanks to the extensive library of connectors available in VIEW® – Real Time Intelligence. This architecture, based on non-relational databases and inference engines, processes large volumes of streaming data in order to support decision-making with precise and timely information on the status of the processes and assets involved.

VAPP Interactive Dashboards summarize the available information in a single view with immediate impact, and allow users to extend and expand the Cisco Meraki dashboard capabilities. These Dashboards facilitate tracking of parameters and indexes of interest through a dynamic, easily customizable set of Apps that interact with data from the Cisco Meraki network.

Let’s take a closer look at some of the best VAPP apps.

Concentration Map

Get insights on your users’ concentration and movements by analyzing their behavior with the help of interactive maps. Concentration Map provides more comprehensive connections between data and location to help you understand data in finer detail. By bringing real-world context to your analysis, maps are unique in their ability to help generate insights and make predictions that would not be possible using traditional tables and charts.

◈ Improving customer experience or targeted marketing.

Combine geospatial location, ease of access, context and proximity to make relevant marketing offers or improve experiences. This enables marketers to proactively meet customer needs.

◈ Improving safety.

Whether it’s responding to emergency situations, offering services to employees or improving procedures, all organizations are candidates for location analytics based on this app.

◈ Optimizing business processes.

Adding the location context of assets – manufacturing, assembling, logistics, distribution and servicing – helps optimize business processes and adds value for organizations.

Configuration Backup

This App can back up and restore your Cisco Meraki Network configuration. Creating configuration backups enables you to restore a configuration later.

This is useful when you want to revert the equipment settings to an earlier configuration. You can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups on the server or export backups to an external host.

◈ Save time and effort with network backups.

Launch an instant and reliable backup of your Wi-Fi, VPN, and firewall configurations.

◈ Store configuration data centrally.

Organize configuration backups to enable quick and easy searches. Search for and locate a configuration file to restore.

◈ Quickly recover from device or configuration failures.

Reduce downtime by easily replacing a device configuration from the archives. Quickly recover from failed configuration changes by restoring a previous known good configuration.

◈ Get alerts on errors.

Monitor for failed backup, and execute corrective actions as required.

Wi-Fi Coverage Survey

Wi-Fi Coverage Survey is a complete Wi-Fi site surveying app. Site surveys are performed in real-time producing more informative views of your wireless coverage.

The Wi-Fi Coverage Survey App helps network architects and engineers define the areas where signal levels need improvement. You won’t need to move around and collect Wi-Fi data for the entire area; the data is collected automatically by VAPP, which measures the wireless signal in real time from actual data provided by your network users.

◈ Automatically monitor your Wi-Fi Infrastructure.

Analyze the coverage and the correct propagation of your Wi-Fi network signal to improve its performance.

◈ Dynamic Heatmaps.

Wi-Fi Coverage Survey heatmaps make Wi-Fi site surveys easier and faster. They work by defining locations (maps, buildings) in specific geographic areas.

◈ Data Storage & Comparisons.

By performing Wi-Fi measurements, this App stores details of device location, signal level and other relevant data. You can compare coverages over different days and understand which conditions caused the change.

The examples above are just a few of the applications available on the VAPP marketplace. They represent a smarter approach to IT management and network data analysis based on data collected from Cisco devices.

VAPP gives you end-to-end visibility across your business processes, allowing you to effectively monitor your assets, proactively address issues and provide the level of service expected by your customers. Thanks to Cisco APIs, VAPP enterprise-ready applications tie the right metrics together into real-time dashboards that help you focus on the things that matter to your business.