Thursday 22 August 2019

Network automation: offering choices now key

Since that time, the approach has not evolved much, but some of the solutions available have, and the industry has moved past the SDN term towards network automation. So it’s a perfect time to revisit the subject and explore some of the options now available for turnkey and open source solutions around network automation.

Options for network automation


Every IT organization is at a different stage of in-house operational expertise and has different business requirements for executing and delivering IT services faster. Plus, no two network environments are the same. And it’s almost certain that 90%+ of the IT organizations looking to leverage automation have a current install base they need to support. This is where the approach of offering various levels of network automation is critical.


Figure 1. The three categories of options for network automation.

The various options available can be aligned into three categories (see figure 1) that give IT organizations the power of choice. While the solutions themselves have evolved, these three categories have not. They are:

◈ Prescriptive “turnkey”
◈ Open source/standard tools and APIs with Cisco hardware/virtual network functions (VNFs)
◈ Support for heterogeneous hardware/VNF environments

Prescriptive “turnkey”


The prescriptive “turnkey” options work best for organizations that have a limited amount of automation and programmability skill sets within the operations teams. Cisco’s offerings in this option have a set of common attributes, such as:

◈ Hiding of complex configurations that are typically done via the CLI
◈ Prescriptive on-boarding of new network elements (plug-n-play, zero-touch-provisioning)
◈ Pre-built GUI application
◈ A controlled fabric domain
◈ Some form of analytics and assurance
◈ And an “under the covers” device/fabric configuration which normal operations (CLI) could take days/weeks to accomplish.

Turnkey solutions typically target Cisco-specific hardware/software to allow the simplification of all of these tasks and offerings. Examples of these solutions include Cisco Software Defined-Access (SDA) with the DNA Center controller, Cisco Software Defined WAN (SD-WAN), Cisco Application Centric Infrastructure (ACI) for on-prem data center build-outs, and in the large enterprise and SP space, the recent Cisco CrossWork framework for closed-loop automation.

Open source/standard tools and VNF


Open source/standard tools and APIs with Cisco hardware/virtual network functions (VNFs) can be used by those wanting to use Cisco hardware and/or VNFs, but who prefer to leverage a more open set of controllers (APIs, SDKs and open source tool sets and applications).

The typical customer using this approach has already embraced a NetDevOps model and a “do it yourself” mentality within their IT operations team. Plus, they have the in-house expertise to support it on a daily basis. And they are driving Cisco hardware/VNFs to offer and support a rich set of standard APIs and an overall management stack that lets them leverage this type of NetDevOps approach.


Figure 2. The Model-Driven Manageability Stack

To support IT operations teams using this approach, Cisco has created an open source management protocol stack (see figure 2) in some of its new software releases. This gives do-it-yourself IT operations the ability to configure, and collect valuable telemetry from, Cisco hardware/VNFs via third-party APIs (YANG models) and open protocols to/from the Cisco devices.

Leveraging YANG models


The goal of this model-driven protocol stack is to decouple the protocol, encoding and transport options from one another while leveraging the YANG models for both device configuration and telemetry collection. The result is that any application north of the network element has a consistent protocol stack to leverage for development of applications.

For example, an application written in Python can take advantage of the YANG Development Kit for Python (YDK-py) SDK. It leverages gRPC, with GPB (Google Protocol Buffers) encoding, using either native Cisco YANG models or OpenConfig models for configuration and operations of the Cisco device.

The exact same combination can also be used to stream telemetry from the devices to a collection stack, further simplifying the communication channels required. For customers embracing Cisco hardware/VNFs, but who prefer developing their own applications to configure/modify the devices and collect telemetry, the model-driven management stack offers those capabilities through open source protocols, encodings and APIs (YANG models).
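As an added example (not Cisco’s code and not YDK-py, which is what the text describes), the block below takes one model-level interface record and encodes it twice, once as a RESTCONF JSON body and once as the body of a NETCONF <edit-config>, then decodes each back to the same record. That lossless round trip is the decoupling of data model from encoding that the stack relies on; the gRPC/GPB path in the text is a third encoding and transport pair and is not shown. The interface values are constructed; the module namespaces are those of the standard ietf-interfaces and iana-if-type YANG modules.

```python
"""Added example (not Cisco's or YDK-py's code): one model-level interface record
encoded two ways and decoded back, showing encoding decoupled from the data model."""
import json
import xml.etree.ElementTree as ET

# Namespaces of the standard ietf-interfaces, iana-if-type and NETCONF base modules.
IETF_IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
IANA_IFT_NS = "urn:ietf:params:xml:ns:yang:iana-if-type"
NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Constructed sample: what an application holds about one interface before any encoding.
SAMPLE_INTERFACE = {
    "name": "GigabitEthernet1",
    "description": "uplink to core",
    "type": "ethernetCsmacd",
    "enabled": True,
}


def to_restconf_json(interface):
    """Encode as RFC 7951 JSON: module-qualified top node, identity value prefixed by module."""
    body = {
        "ietf-interfaces:interfaces": {
            "interface": [
                {
                    "name": interface["name"],
                    "description": interface["description"],
                    "type": "iana-if-type:" + interface["type"],
                    "enabled": interface["enabled"],
                }
            ]
        }
    }
    return json.dumps(body, indent=2)


def from_restconf_json(text):
    """Decode the RESTCONF body back to the model-level record."""
    entry = json.loads(text)["ietf-interfaces:interfaces"]["interface"][0]
    return {
        "name": entry["name"],
        "description": entry["description"],
        "type": entry["type"].split(":")[-1],
        "enabled": bool(entry["enabled"]),
    }


def _q(tag):
    """Clark-notation element name in the ietf-interfaces namespace."""
    return "{%s}%s" % (IETF_IF_NS, tag)


def to_netconf_xml(interface):
    """Encode the same record as the <config> body of a NETCONF <edit-config>."""
    config = ET.Element("{%s}config" % NETCONF_NS)
    iface = ET.SubElement(ET.SubElement(config, _q("interfaces")), _q("interface"))
    ET.SubElement(iface, _q("name")).text = interface["name"]
    ET.SubElement(iface, _q("description")).text = interface["description"]
    if_type = ET.SubElement(iface, _q("type"))
    if_type.set("xmlns:ianaift", IANA_IFT_NS)  # identityref values carry their own prefix
    if_type.text = "ianaift:" + interface["type"]
    ET.SubElement(iface, _q("enabled")).text = "true" if interface["enabled"] else "false"
    return ET.tostring(config, encoding="unicode")


def from_netconf_xml(text):
    """Decode the NETCONF payload back to the model-level record."""
    iface = ET.fromstring(text).find(".//" + _q("interface"))
    return {
        "name": iface.findtext(_q("name")),
        "description": iface.findtext(_q("description")),
        "type": iface.findtext(_q("type")).split(":")[-1],
        "enabled": iface.findtext(_q("enabled")) == "true",
    }


if __name__ == "__main__":
    print(to_restconf_json(SAMPLE_INTERFACE))
    print(to_netconf_xml(SAMPLE_INTERFACE))
```

The application code only ever touches `SAMPLE_INTERFACE`; which encoder runs is a deployment choice, which is the point of keeping protocol, encoding and transport separate from the model.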

While there are many other open source tools that fit into this category, Ansible is a highly regarded one in the network operations space. This is because it doesn’t require an agent on the device, its modules are widely available, it’s open source, and many view its playbooks as more readable.

Heterogeneous hardware/VNF environments


The third option, support for heterogeneous hardware/VNF environments, targets customers like those in option two. They’ve embraced the NetDevOps model and have critical in-house expertise to fully support it. They’re able to leverage the exact same approach and capabilities as option two (if all their vendors can support the management protocol stack offerings).

What differentiates this multi-vendor option is the additional need to support an open standard transport (control and data plane) common to all of the vendors in the network. This could include IPv4/v6 and Multiprotocol Label Switching (MPLS) with multi-protocol BGP (MP-BGP), which has existed in multi-vendor environments for years. More recently, E-VPN/VXLAN in data center and campus fabrics, as well as Segment Routing with a Path Computation Element (PCE), are gaining traction in large service-capable backbones.

Empowering network automation


As I discussed in the first blog, offering options similar to those above empowers customers with a variety of approaches as their network operations teams transition to automation.

As with any transformational shift of this scale, there are trade-offs to consider; ones that clearly align with the operational skill set of the organization (specifically the DevOps skills they are capable of injecting into their daily operations).

In the end, offering choices to customers as they move down the path of SDN, automation and programmability is, in my opinion, no longer an option but a necessity. But the choices offered should include common ground for supporting automation in a multi-vendor environment. The key challenge will be aligning the options offered by single or multiple vendors to the business needs of the IT organization. Lastly, if your IT organization is new to automation, don’t attempt to boil the entire ocean. Just focus on automating the day-to-day repeatable processes found in your network operations. By doing that, your organization can more quickly gain value from network automation.

Tuesday 20 August 2019

Cisco Co-Innovation Centers are Giving Connectivity a Health-Check

Healthcare is something that, at one point or another, touches upon every single person – whether it’s their own health or that of older or more vulnerable relatives.

Yet, across Europe, access to both reactive and preventative healthcare resources is being stretched as a result of people living longer and under-resourcing of health professionals.

One way in which connectivity can help tackle this strain is through allowing more advanced technology to be used, alongside enabling better access to existing technology.

One of the biggest hurdles though is not the lack of this technology, but the high levels of digital exclusion. Despite many people taking things such as the internet or digital literacy for granted, millions of people lack basic skills or access to digital tools.

I believe that everyone should have access to these digital tools as a basic right.

The Digital Exclusion Epidemic


Digital exclusion is the term that we give to members of a society who are unable to access many tools and services that we take for granted. This can affect everything from access to digital resources around health conditions to being able to book appointments online.

Across the continent, 80 million Europeans never use the internet because of the cost, with many of these being vulnerable citizens who would benefit most from access. In the UK, 10% of people have never used the internet, with four out of five of these being over 65.

This lack of access has a number of negative consequences:

Firstly, individuals are unable to access online resources which could help provide information around existing or likely health conditions. This also rules out advanced services such as remote healthcare provisioning or wearable tracking. This not only limits the individual’s ability to help themselves, but makes them more likely to have to seek help at hospitals or from local doctors.

Secondly, a lack of connectivity makes the job of care workers visiting homes more difficult, as they are not able to do their job as quickly or as effectively. This means that resources are again stretched further. Ultimately, there is a need to shift between the capabilities of health and social care in order to maximise both resources. Look at hospitals for example: they’re already over-populated, including patients who remain on wards as they don’t have the means to be looked after if they return home. We need to be looking at how technology and connectivity can help give patients the same type of care at home as they are receiving in the hospital.

Finally, it’s not just physical health, but mental health as well which is impacted. Digital exclusion means being unable to use social networks or other tools to stay in touch with family and friends.

All of these don’t just have an impact on the individuals involved, but the wider healthcare ecosystem and society as a whole too.

This is not something which can be fixed overnight, but it’s something that can be solved if public health bodies, technology companies, governments and individuals work together.

How We Are Helping


We’re working alongside the government and councils of Suffolk on a project called Connected Together. This is a digital connectivity inclusion project, trialled in Haverhill, Suffolk, which aims to support greater independence through the use of digital services to citizens currently with care and support needs, while also providing quick, secure connectivity for the public sector workers who routinely visit them.

We believe that by installing connectivity for free into the homes that need it most, we can help spark positive changes that will benefit local councils, care workers and those living in the community.

We believe in the power of advanced technology to make a real difference in the future, but we also realise that having basic internet access is the bedrock for this to happen. There is a cost to this, but it’s one that pales in significance to the savings that will be seen further down the line.

Another initiative I’m excited by is the Center of Connected Health established in Cisco’s German Innovation Center, openBerlin. This innovation centre is one of many that we have set up worldwide, with the intention of showcasing digital solutions to complex problems and making those tangible for the healthcare sector.

The role of Cisco’s Center of Connected Health is to demonstrate the innovative ways in which we can connect different healthcare silos with the goal of significantly improving the efficiency and quality of care for care providers and patients at the same time.

It deploys consistent standards to help hospitals, clinics, care providers, insurers and patients securely and responsibly access patient data. In the future we expect to see multiple electronic health record solutions maintained by multiple providers. The real challenge then becomes the ability to securely connect those sources.

By demonstrating and explaining the value of connected health-data solutions, the Center of Connected Health will smooth the healthcare sector’s journey towards digitalisation.


What’s more, in our co-innovation centre in Dubai, we’re continuing to look at the role of connectivity in improving healthcare. The centre provides a test-bed for innovative telemedicine solutions, with an example being an application that allows for a patients’ vitals to be tested and then analysed alongside all other health records. This helps identify the need for medical care more effectively and helps collaboration across the eco-system. Elsewhere, a new Cisco co-creation pilot, developed by the Cisco Saudi Arabia CDA team, has pioneered virtual, smartphone-enabled consultations between patients and physicians.

Solutions such as these will become all the more significant as more and more people in the Middle East and Africa get online for the first time.


If we are to truly benefit from the improved care technology allows us, then we need to make sure everyone has the basic digital tools, abilities and access. Connectivity will allow for better technology and data to be shared, making life better for everyone.

Saturday 17 August 2019

Cisco SX350X and SX550X 10GE Switches for SMB

With cloud, virtualization, the Internet of Things, 802.11ac and Wi-Fi 6, businesses need a high-performance network to support the growing number of devices, applications and traffic. 10 Gigabit Ethernet (10GE) may have sounded like overkill for small and midsize businesses (SMB) a few years ago, but today it has increasingly become a necessity.

The Cisco Small Business team develops networking technologies tailored for SMBs. In 2014, we launched our first 10GE switch for the SMB market. In 2016, we expanded our 10GE switch line to 8 models. And now, we’re bringing our 10GE offering to the next level.

Cisco SX350X and SX550X 10GE Switches


The new offering includes 11 models – 5 in the 350X series and 6 in 550X series. The port density starts from just 8 ports of 10GE all the way to 52 ports. And there is a diverse selection of 10GE copper, 10GE fiber or mixed config models for different use cases. Most importantly, these switches are now more affordable – perfect for SMB to upgrade their network with limited investment.


The switches also come with a bunch of exciting features including

◆ 4 x combo 10GE uplinks for maximum flexibility
◆ Larger packet buffer to handle burst in traffic
◆ Trustworthy systems, including secure boot and run-time defenses, for security
◆ Stackable with existing SG550XG and SG350XG 10G switches for investment protection

Embedded FindIT Probe and Cisco PnP Connect


In the recent software updates, we have introduced some exciting new capabilities. These are all to make the deployment and operation of the switches even more intuitive and secure. Download the software updates for your switches at Cisco Software Central.


Why are Cisco 100-500 series switches an ideal option for SMB?


SMBs love 100-500 series switches for the following reasons:

◈ Simple, easy to use UI – No CLI skill required
◈ Warranty support model – limited lifetime hardware warranty and software updates
◈ No service contracts or licensing required
◈ Everyday affordable price

Friday 16 August 2019

Managing your SAP Digital Transformation Journey


Digital Transformation.


We’ve heard the words, but have you wondered what it is all about? Digital Transformation is a strategic directive to redefine your business practices and processes to gain competitive advantage. It is all about making the inevitable tide of change work for you, rather than against you. It is also a disruptive force.

Digital Transformation requires a Plan


Amid all the talk of digital transformation, we lose sight that the process of change must be purposeful to have impact. Digitizing marketing content, hiring social media marketing millennials or modernizing your ERP applications is not digital transformation and will fail to yield any measurable advantage without a strategic vision, direction and careful planning.

You need to address where the beating heart of change resides – the data center. The data center is a critical component that factors into making any digital transformation plan successful.

Digital Transformation Requires a Next Generation Data Center


The classic architecture of the data center was primarily silos of design, implementation and operation. There were networking organizations, compute organizations, storage organizations, security organizations, and procurement organizations. The list goes on. And each of these silos was responsible for the operation and interaction with the other silos. This has proved to be very inefficient and created extra lag in the system. In fact, most early cloud adoption happened because data centers took too long to respond to new application demand or new data sources. Cloud adoption was an operational imperative, not a strategic directive for many organizations.

So, to drive digital transformation, the next generation data center has to be all about the Data, and the functionality that will move the data center anywhere the data is.

It’s all about the Data


Traditionally, data centers were built like bastions to protect the crown-jewel data assets of the corporation. Security protected the storage vault, and the data was replicated across multiple systems for different reporting and analytic purposes. Integrating new data or non-IP data with those crown jewels required a herculean effort. The result was an underperforming application delivered far too late to be remotely advantageous. What has become clear is that data center designs based on siloed architectures and four-walled bastions of data management will no longer work.

A new data center model is needed as executive visionaries drive new business practices. Data will be coming from everywhere and it won’t be curated. It will be public. It will be messy. And there will be a lot of it. Data gravity may shift from the core of the data center to multiple locations forcing a hybrid data center solution.

Accelerated change will force a new generation of application development running concurrent with operations. These applications will be distributed to run closer to their data sources and will be part of a network of applications spread across multiple locations.

Cisco can help you on your Digital Transformation Journey


Cisco is designing the next generation data center for SAP applications. Cisco Validated Designs are focusing on aspects of programmability, automation, operational insights, application performance and security in depth. Each of these aspects will be covered in a series of blogs to help understand the technology and the competitive advantage available to Cisco data center customers.

Hopefully it is becoming evident that gaining competitive advantage for your business in this area requires a plan. It requires comprehensive alignment across all departments in your business: inbound and outbound marketing aligning with product design; manufacturing and supply chain partnerships with greater flexibility and visibility into operations; and finance and accounting systems delivering a competitive advantage where only cost centers existed.

Embrace change. It is inevitable. And Cisco is building the bridge between data and business advantage to help you succeed in your digital transformation journey.

Wednesday 14 August 2019

Cybersecurity for Federal Networks: It All Starts with Visibility

A configuration mistake or purposeful misconfiguration is no joke. But it does illustrate how a misconfigured network can quickly become a security event (or it may already be one and your team does not know it). But how do you distinguish normal network activity from abnormal? Without visibility into every corner of the network (including the virtual world of the data center), and some ability to compare current activity against a baseline, it can be extremely difficult, and many “little events” may remain hidden from you.

Deeper network visibility enabled


This story does raise the question, how do you enable the benefits of deeper network visibility? That capability is provided by Cisco Stealthwatch. It enables you to strategically analyze the collective telemetry from NetFlow and IP Flow Information Export (IPFIX), two protocols every network device can export (see figure 1).


Figure 1. Stealthwatch collects NetFlow and IPFIX from every network device for Visibility.

You can also add value to your data center through Cisco Tetration. It provides unmatched visibility into behavioral deviations, whether terrestrial or cloud-based. While “behavioral visibility” is a bit different than the visibility discussion so far, it is critical to the protection and operation of the modern data center. A good example is one we saw recently with one of our customers, where a seemingly insignificant and otherwise undetected data stream out of the data center turned out to be a command and control channel. Thankfully for the customer, Tetration uncovered the threat in less than 30 seconds.

Deeper visibility + identity = attribution


Visibility in modern IT networks must go beyond the mere identification of packet flows. User identity should also be linked to packet flows wherever possible. Look at it this way, if you want to reach max visibility, think:

Visibility + Identity = Attribution

With attribution, you can see unexpected or undesired network behavior, plus you can link that behavior back to individual actors on your network. It is no longer just “some machine that did something weird.” Instead it is a concrete action with a concrete identity: such as “RedGuy” at “3:20pm” reached out to a “Command and Control” site (whether he meant to or not), becoming patient zero for your next computer epidemic.

The power of deeper visibility into your network


To help illustrate the power of deeper visibility on your network, consider another actual event we can all relate to. A contractor (let’s call him BlueGuy) goes to work. It’s Saturday and the office is empty. In the quiet loneliness all around, he begins downloading terabytes of data from another site. This continues, with downloads sprinkled throughout the day. Some may consider this suspicious behavior.

On most networks this might go unnoticed. But as Stealthwatch observes network activity in its entirety, it understands this behavior is not normal, based on previous baselines. As a result, this behavior is considered excessive. As Stealthwatch constantly monitors all the network transactions, it detects BlueGuy’s activity and it reports on it. In its communication with the Cisco Identity Services Engine (ISE), individual identity is assigned to the network data flows, and attribution is achieved. BlueGuy is busted.

Initially, it may seem that no good can come of this type of network activity. But upon further investigation, it turns out that BlueGuy uses the office on weekends to study for his Cisco CCNA. While he does this on his own time, he must do so from the office network because the courseware is on a corporate network at another site (this explains the enormous data exchanges). So it is revealed as a harmless event, rather than a massive data breach. Yet the entire episode would have remained unknown without complete network visibility. What if it had been a breach? Would your network have seen it?

SGTs, NetFlow, IPFIX and the world of packet flow


In this latest example, the two primary tools used are Cisco Stealthwatch and Cisco ISE. ISE adds attribution to the NetFlow/IPFIX packet flow collected by Stealthwatch. With Scalable Group Tags (SGTs), ISE tags all packets as they enter the network. SGTs can be used for both identification and enforcement anywhere in the network.

Of course, Stealthwatch sees all packet flows via NetFlow/IPFIX and performs analysis based on all network data, including the SGTs. Individual attribution is achieved via pxGrid communications between Stealthwatch and ISE. These results can then be presented to an administrator for disposition, including quarantine (see Figure 2).
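The BlueGuy story and the ISE/pxGrid join above come down to two steps: compare each host’s current volume with its own history, then attach an identity to whatever stands out. The block below is an added example that is not Stealthwatch or ISE code. It runs over constructed flow summaries (in the spirit of NetFlow/IPFIX exports) and a constructed IP-to-identity table standing in for what ISE shares over pxGrid; the hosts, users, groups, byte counts, weekday baseline and thresholds are all sample values. It goes slightly beyond the story by also handling a host with a perfectly flat history (where a z-score is undefined) and a flagged host that has no identity session at all.

```python
"""Added example (not Stealthwatch or ISE code): per-host volume baseline over
constructed flow summaries, with identity joined from a constructed session table."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries in the spirit of NetFlow/IPFIX exports (sample values):
# (day, source IP, destination IP, bytes). Weekdays are history; Saturday is under review.
FLOWS = [
    ("Mon", "10.1.1.5", "10.9.0.20", 2_000_000_000),
    ("Tue", "10.1.1.5", "10.9.0.20", 1_800_000_000),
    ("Wed", "10.1.1.5", "10.9.0.20", 2_200_000_000),
    ("Thu", "10.1.1.5", "10.9.0.20", 1_900_000_000),
    ("Fri", "10.1.1.5", "10.9.0.20", 2_100_000_000),
    ("Sat", "10.1.1.5", "10.9.0.20", 1_500_000_000_000),  # terabytes pulled from another site
    ("Mon", "10.1.1.7", "10.9.0.30", 500_000_000),
    ("Tue", "10.1.1.7", "10.9.0.30", 500_000_000),
    ("Wed", "10.1.1.7", "10.9.0.30", 500_000_000),
    ("Thu", "10.1.1.7", "10.9.0.30", 500_000_000),
    ("Fri", "10.1.1.7", "10.9.0.30", 500_000_000),        # quiet on Saturday: no flows at all
    ("Mon", "10.1.1.9", "10.9.0.40", 100_000_000),
    ("Tue", "10.1.1.9", "10.9.0.40", 100_000_000),
    ("Wed", "10.1.1.9", "10.9.0.40", 100_000_000),
    ("Thu", "10.1.1.9", "10.9.0.40", 100_000_000),
    ("Fri", "10.1.1.9", "10.9.0.40", 100_000_000),
    ("Sat", "10.1.1.9", "10.9.0.40", 300_000_000),        # flat history, then triple the usual
]

# Constructed identity table standing in for ISE session data shared over pxGrid:
# IP -> (user, scalable group). 10.1.1.9 deliberately has no session.
SESSIONS = {
    "10.1.1.5": ("blueguy", "Contractors"),
    "10.1.1.7": ("alice", "Employees"),
}


def daily_totals(flows):
    """Aggregate bytes per source host per day: {ip: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def detect_excess(flows, review_day, z_threshold=3.0, flat_factor=2.0):
    """Flag hosts whose volume on review_day sits far above their own history.

    A host with a flat history (zero deviation) is judged by a multiplier instead of a
    z-score; a host with no history cannot be judged and is skipped.
    Returns {ip: {"observed", "baseline_mean", "score"}} for flagged hosts only.
    """
    findings = {}
    for ip, per_day in daily_totals(flows).items():
        history = [b for d, b in per_day.items() if d != review_day]
        if not history:
            continue
        observed = per_day.get(review_day, 0)
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            score = (observed - mu) / sigma          # how many deviations above normal
            excessive = score > z_threshold
        else:
            score = observed / mu if mu else (float("inf") if observed else 0.0)
            excessive = score > flat_factor
        if excessive:
            findings[ip] = {"observed": observed, "baseline_mean": mu, "score": score}
    return findings


def attribute(findings, sessions):
    """Join each flagged host to a user and group: the 'identity' half of attribution."""
    attributed = {}
    for ip, info in findings.items():
        user, group = sessions.get(ip, ("unknown", "unassigned"))
        attributed[ip] = dict(info, user=user, group=group)
    return attributed


if __name__ == "__main__":
    for ip, f in attribute(detect_excess(FLOWS, "Sat"), SESSIONS).items():
        print(f"{ip} ({f['user']}/{f['group']}): {f['observed']} bytes, "
              f"baseline {f['baseline_mean']}, score {f['score']:.1f}")
```

The flagged-but-unattributed host is the case that deserves the most attention operationally: a finding with no session behind it means either a device that never authenticated or a gap in the identity feed, and both are worth a ticket even when the volume itself turns out to be benign, as BlueGuy’s was.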


Figure 2 – ISE adds Attribution to the Visibility story.

What about firewalls?


You may have noticed in both Figures 1 and 2 there are far more network devices than there are security devices. This is typical in any network. However, both visibility and attribution must rely on the entire network fabric to assist with the goal of complete visibility.

As you can see in the diagrams, putting your faith in security devices alone for visibility can fail (or certainly fall short). While the deployment of additional firewalls (or other assorted security devices) may add more points of visibility, no number of firewalls can achieve what you can by using the entire network as a sensor.

The Zero Trust wasteland


When it comes to securing Federal government networks, a few Zero Trust models have emerged recently, along with the thought that a network should be viewed as an untrusted wasteland of packet freeways where all security should focus on data. But it would be unwise to simply dismiss the incredible power of identity and visibility combined (attribution).

For IT leaders, the track record is clear: controlling entry and monitoring activity of users in the corporate/government network is the best way to track offensive behavior or bad actors. This approach can give you the capability to control, or even eliminate, threats before they reach your data.

Or, to relate it in everyday language, when we let strangers into our homes, we don’t pause and quickly weld the refrigerator door shut and disable the WiFi. Instead, we use common sense: screening them before they enter, watching their behavior as they do so and ensuring their actions inside our home are acceptable. If they do take a peek into our fridge, we may trust (thanks to attribution) that they are not necessarily going after the last of the cupcakes. But if they do, we’ll be ready.

Tuesday 13 August 2019

5 Types of Talk Triggers for Your B2B Strategy


Customer experience is simple, right? Well, theoretically, the delivery of great customer experience is rooted in an easy-to-understand formula: Great customer experience happens when you exceed customer expectations.

Every time you interact with a business of any type, you have an idea or an inkling of how that interaction will go. That’s the expectation. If the business exceeds your expectation in a noticeable way, you have a great experience. If the business falls short of your expectation, you think the opposite.

The best companies in the world, don’t do a lot of marketing. Do you know why? They operationalize something about their business that motivates their customers to become volunteer marketers on their behalf.

Word of mouth is more important than ever. We trust each other twice as much as we trust brands. It’s the most powerful and persuasive form of marketing.

Everybody thinks word of mouth is important. Between 50 and 91% of all purchases are influenced by word of mouth, but very few companies have a strategy for it. We assume our customers will talk about us, but will they? The biggest mistake we make is assuming that competency creates conversation, that being a good business is enough to get people to tell the story. But all your competitors are also good. Good enough is not enough.

A talk trigger is a strategic, operational differentiator that compels word of mouth. It causes your customers to involuntarily talk about your business. A Talk Trigger isn’t a surprise-and-delight social media tactic, nor is it a gimmick. It doesn’t involve Drake, Rihanna or Cardi B. Oftentimes, it’s something quite ordinary, like a business card, company hold music, or a pre-meeting phone call, that you choose to make different.

A Talk Trigger can also help you exceed customer expectations. Why? Because your customers aren’t expecting it. There are the five distinct types of Talk Triggers. These are the conversational levers you can pull:

You can be more human than your customers expect.

You can be more useful than your customers expect.

You can be more generous than your customers expect.

You can be more responsive than your customers expect.

You can be more playful than your customers expect.

Each of these types of Talk Triggers is talkable. One isn’t more advantageous than the other. However, one might be a better fit for your business or for your brand, and that’s a key ingredient of creating a Talk Trigger that will have word of mouth success. Let’s take a look at each one.

Be More Human Than Your Customers Expect


These days, empathy from business is in short supply for two main reasons. The first is that empathy requires inconsistency and listening: interacting with customers as individuals. This approach, by definition, drives up the per-interaction cost every time a business intersects with the customer. The second reason is that empathetic interactions mean employees must have permission to work outside of a script. For many companies, the perceived risk is too great.

This is why, when businesses choose the opposite approach, being empathetic and human can have a massive word of mouth impact.

Be More Useful Than Your Customers Expect


Not all businesses and organizations have the heart to be disproportionately empathetic, and that’s OK. For those companies, it may make more sense to create a word of mouth engine that is more logical and useful. In 2013, I wrote Youtility: Why Smart Marketing is About Help, Not Hype, which showed businesses how to attract customers by providing online content that informs and educates. This idea can work as a Talk Trigger, too.

This Talk Trigger archetype is most likely to be noticed in an industry or business setting that is not known for being helpful or making customers’ lives easier. Being different from what’s expected creates a Talk Trigger and helps your business solve the customer experience formula.

Be More Generous Than Your Customers Expect


Consumers are besieged by companies giving them less for the same price, or worse, for a higher price. We are surrounded by this phenomenon, also known as “shrinkflation.” According to a study by the National Statistics in the United Kingdom, 2,529 products decreased in size between 2012 and 2017. The ubiquity of shrinkflation is why showing your customers the opposite, showing generosity, can be an effective Talk Trigger.

Generosity creates conversation because customers are stunned that, as a business, you’ve decided to give something away… for free.

Be More Responsive Than Your Customers Expect


Forty-one percent of consumers say that when they contact a business, getting their issue resolved quickly is the most important element of that customer service interaction. Nine out of ten American consumers refuse to wait on hold for more than five minutes when they’ve called a business.

Speed matters, but it’s also a moving target. What was considered “fast” in 2000 is now slow. What was considered “fast” in 2010 is table stakes for most businesses in 2019. Because expectations around speed and responsiveness keep rising, the bar a company must clear to make this a Talk Trigger is exceptionally high.


It is operationally difficult for a company to create a speed-based Talk Trigger, but when one does (and many have), there’s an extraordinary payoff.

Be More Playful Than Your Customers Expect


When asked to describe a business, most customers don’t think to use the words “fun” or “amusing.” Most businesses are difficult to describe because there are only so many synonyms for the word “fine.”

Like the other Talk Trigger archetypes on this list, this fact presents an opportunity for businesses. The expectation is that your business will be vanilla, which means adding a little flair will create chatter.

Whichever Talk Trigger archetype is right for your business, we’re trying to do the same thing. We’re creating a circumstance where your customers say these words, “You won’t believe what happened to me when [FILL IN THE BLANK]…”

Your customer experience is what fills in that blank.

Sunday 11 August 2019

New Perspectives on Software-Defined WAN


The integration of Software-Defined Wide Area Networking (SD-WAN) with cloud management functionality into the Cisco family of routers in 2018 excited many of our customers. Instantly, over a million installed Cisco ISR and ASR routers could be upgraded to become SD-WAN capable, improving application performance for a distributed workforce, store outlets, and branch offices. SD-WAN lowers the cost of branch connectivity not only to the enterprise data center but also to IaaS and SaaS application platforms. Later in 2018, we addressed the evolving Cloud Edge, the intersection between security, networking, and the cloud, by adding a full security stack to Cisco SD-WAN. This brings flexible, secure connectivity to distributed organizations with multicloud environments by making every WAN device software-defined and secure.

In short, SD-WAN has arrived and organizations are deploying it worldwide. So what can we look forward to as this technology enters its next phase? Let me preview some of the ways we are working to bring even more control, functionality, and flexibility to SD-WAN.

Turning the Internet into a Manageable and Secure WAN


One of the key features of SD-WAN is the ability to use multiple connectivity options simultaneously so that the most reliable or appropriate connection is always available for application Quality of Experience. Specifically, you can choose among the options available at each location: MPLS, Ethernet, internet, leased lines, DSL, LTE, and soon 5G. This flexibility to choose the most cost-effective and best-performing connectivity option available is what provides the ideal application experience for each location of a distributed workforce. For example, need to ensure that Office 365 is performing as needed at branch offices? Instead of relying on an expensive MPLS connection that backhauls multicloud application traffic through headquarters, use a secure Direct Internet Access connection to the Microsoft cloud, which SD-WAN continuously monitors against the application’s performance SLA.

What’s next? The ability to manage end-to-end connectivity from enterprise to 5G endpoints and back will bring greater levels of control over data traffic and application performance. The key to extending intent-based networking controls from enterprise to 5G cellular endpoints is network slicing in the 5G channels in conjunction with micro-segmentation in the enterprise. 5G slicing enables the carrier to separate traffic into unique partitions, keeping sensitive data separate from normal traffic. The technique enables 5G providers to maintain the necessary service level agreements for low-latency traffic, and create an end-to-end virtual network encompassing compute and storage functions.

Wired and wireless enterprise networks are already segmented to channel traffic according to type (sensitive/video/IoT), priority, and latency. Today, with 4G LTE, segmented enterprise traffic destined for a cellular endpoint moves onto the cellular network with few controls over how the data is segmented and managed. The new 5G networks can be sliced to match the security and performance requirements of the segments in the enterprise, thus maintaining the original policies end to end. A security policy established in the enterprise network, for example, will follow a person’s device as it transitions from the enterprise to a 5G network slice. Cisco SD-WAN will be able to take full advantage of network slicing in 5G to meet the security and segmentation needs of enterprise networks.

Virtualizing Network Functions for the SD-Branch


Bringing the focus back to ensuring robust branch connectivity, we are enhancing the functions that run on the local edge routers and appliances alongside the core SD-WAN software suite. Virtual network functions (VNFs) increase local performance and minimize backhaul traffic to corporate data center DMZs or cloud platforms. Many functions are being virtualized on edge routers and appliances, such as optimization and intelligent caching, application-aware firewalls, intrusion detection, and URL filtering. And, of course, SD-WAN’s full security stack supports compliance, direct internet access, direct cloud access, and guest access.

Virtualizing critical functions and running them at the cloud edge—in the branch office, store, or clinic—improves both the efficiency and cost-effectiveness of distributed computing and a remote workforce. VNFs can also be run on cloud platforms and colocation facilities to spread the functionality over multiple remote locations. For example, by consolidating VNFs on a provider’s IaaS platform—a virtual network hub—IT can reduce management costs while being able to spin up or down new virtual machines as needed to accommodate workloads and connectivity for a group of regional branches. More on this in a future blog post.

Improving Application Quality of Experience with WAN Optimization


WAN optimization techniques have been around since the early days of frame relay and MPLS. The main goal of dedicated optimization appliances was to maximize the throughput on these relatively expensive circuits. As new technologies such as VoIP and video became critical to business, optimizing the circuits to provide the necessary Quality of Service grew in importance. But as direct internet connections became the rule rather than the exception for accessing popular SaaS and cloud apps, a much more granular, flexible, and automated WAN optimization process is required. Thus SD-WAN was designed to meet the new application QoE demands.

Cisco SD-WAN employs several optimization methods to improve the QoE of cloud and SaaS applications accessed by the distributed workforce. Today, Cisco SD-WAN monitors the available links for the latency, packet loss, and jitter that affect throughput and performance. By measuring these characteristics continuously and comparing them with the service levels that specific applications require, the SD-WAN can automatically decide which circuits to use for each application. VoIP and video require bounded latency and low jitter to perform correctly; a SaaS application may be more tolerant of jitter but still needs a guaranteed level of throughput to perform satisfactorily. SD-WAN automates the monitoring and selection of appropriate paths to maintain the expected QoE for each type of application.
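The path-selection logic described above, and in the connectivity section earlier, as an added Python example (not code from this blog or from Cisco SD-WAN itself): each WAN link carries measured latency, loss and jitter, each application class carries an SLA, and the cheapest compliant link wins. When no link complies, the least-violating link is used and the result is flagged so an operator can be alerted instead of silently degraded. The link names, SLA thresholds and cost ranks are constructed for illustration and are not Cisco defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LinkMetrics:
    """One WAN transport as measured by the edge (sample values below are constructed)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    cost_rank: int  # operator preference: lower is cheaper (e.g. broadband before MPLS)


@dataclass(frozen=True)
class AppSla:
    """Per-application service level; every limit must hold for a link to be eligible."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


def _excess(measured: float, limit: float) -> float:
    """Fractional amount by which a measurement exceeds its limit; 0.0 when within it."""
    if limit <= 0:
        return 0.0 if measured <= 0 else float("inf")
    return max(0.0, measured / limit - 1.0)


def meets_sla(link: LinkMetrics, sla: AppSla) -> bool:
    """A link is eligible only if latency, loss and jitter are all within the SLA."""
    return (link.latency_ms <= sla.max_latency_ms
            and link.loss_pct <= sla.max_loss_pct
            and link.jitter_ms <= sla.max_jitter_ms)


def sla_violation(link: LinkMetrics, sla: AppSla) -> float:
    """Sum of fractional overshoots across the three metrics; 0.0 means compliant."""
    return (_excess(link.latency_ms, sla.max_latency_ms)
            + _excess(link.loss_pct, sla.max_loss_pct)
            + _excess(link.jitter_ms, sla.max_jitter_ms))


def select_path(links: List[LinkMetrics], sla: AppSla) -> Tuple[Optional[str], bool]:
    """Return (chosen link name, compliant). Prefer the cheapest SLA-compliant link,
    breaking ties on latency. If nothing complies, choose the least-violating link and
    report compliant=False so monitoring can raise an alert."""
    if not links:
        return None, False
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        best = min(compliant, key=lambda l: (l.cost_rank, l.latency_ms))
        return best.name, True
    fallback = min(links, key=lambda l: (sla_violation(l, sla), l.cost_rank))
    return fallback.name, False


def plan_routes(links: List[LinkMetrics],
                slas: List[AppSla]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map every application class to its selected link for this measurement interval."""
    return {sla.name: select_path(links, sla) for sla in slas}


# Constructed sample telemetry for one branch; not real measurements.
LINKS = [
    LinkMetrics("mpls", latency_ms=40, loss_pct=0.1, jitter_ms=5, cost_rank=3),
    LinkMetrics("dia-broadband", latency_ms=55, loss_pct=1.5, jitter_ms=18, cost_rank=1),
    LinkMetrics("lte", latency_ms=90, loss_pct=3.0, jitter_ms=35, cost_rank=2),
]

# Constructed SLA classes; the thresholds are illustrative only.
SLAS = [
    AppSla("voice", max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    AppSla("video", max_latency_ms=200, max_loss_pct=2.0, max_jitter_ms=50),
    AppSla("saas-bulk", max_latency_ms=300, max_loss_pct=5.0, max_jitter_ms=100),
]

if __name__ == "__main__":
    for app, (link, ok) in plan_routes(LINKS, SLAS).items():
        print(f"{app:10s} -> {link:14s} {'ok' if ok else 'SLA VIOLATED'}")
```

With the constructed numbers, voice is forced onto MPLS because broadband loss (1.5%) exceeds the 1% voice limit, while video and bulk SaaS traffic move to the cheaper direct internet link. In a real deployment the measurements would come from the edge’s probes each interval and the selection would be re-evaluated continuously; the non-compliant flag is the hook for the assurance and alerting the post mentions.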

Supplementing these existing performance features of SD-WAN are new controls for TCP optimization, forward error correction, and packet duplication. SD-WAN provides metrics that aid in tuning the TCP congestion-control algorithm to improve application performance. For example, the Cisco SD-WAN TCP optimization engine, a new layer in the Cisco SD-WAN stack, helps maintain application performance over high-latency, high-loss circuits such as satellite and transcontinental links.

To better handle lossy networks, even for non-TCP applications, the Cisco SD-WAN optimization stack includes a Forward Error Correction (FEC) mechanism. FEC improves the application experience by sending additional parity packets that let the receiver reconstruct lost packets without waiting for a retransmission. When the loss percentage is very high, the Cisco SD-WAN optimization stack maintains performance by deploying a Packet Duplication feature, which sends each packet over more than one path at the cost of extra bandwidth. These features mitigate packet loss over noisy channels, maintaining high application QoE for voice and video in particular. They are being integrated into the Cisco SD-WAN stack in upcoming IOS XE releases. All three optimization techniques are managed via the Cisco vManage and vSmart controllers.
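The two loss-mitigation mechanisms just described, as an added illustration in Python rather than Cisco’s implementation: a toy XOR parity scheme that recovers any single lost packet in a block of k data packets, and a duplication sender that loses a packet only when both copies are dropped. The block size, payloads and the independent-drop channel model are constructed for the example; the page does not describe Cisco’s actual coding scheme or how it picks tunnels for the duplicate copies.

```python
import random
from typing import List, Optional, Sequence

Packet = Optional[bytes]  # None stands for a packet lost in transit


def xor_bytes(chunks: Sequence[bytes]) -> bytes:
    """XOR equal-length byte strings. XOR is its own inverse, so XORing the parity
    with the surviving members of a block yields exactly the one missing member."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def fec_encode(data: List[bytes], k: int) -> List[List[bytes]]:
    """Group data packets into blocks of k and append one XOR parity packet to each.
    Overhead is one extra packet per k; each block survives the loss of any one packet."""
    blocks = []
    for i in range(0, len(data), k):
        block = data[i:i + k]
        blocks.append(block + [xor_bytes(block)])
    return blocks


def fec_decode(block: List[Packet]) -> List[Packet]:
    """Take the k data slots plus the parity slot as received (None = lost) and rebuild
    a single missing data packet. Two or more losses in one block cannot be repaired
    with a single parity packet, so those slots stay None."""
    data, parity = list(block[:-1]), block[-1]
    missing = [i for i, p in enumerate(data) if p is None]
    if len(missing) == 1 and parity is not None:
        survivors = [p for p in data if p is not None] + [parity]
        data[missing[0]] = xor_bytes(survivors)
    return data


def lossy_channel(packets: Sequence[bytes], loss_rate: float,
                  rng: random.Random) -> List[Packet]:
    """Constructed channel model: each packet is dropped independently with probability loss_rate."""
    return [None if rng.random() < loss_rate else p for p in packets]


def deliver_plain(data: List[bytes], loss_rate: float, rng: random.Random) -> int:
    """Baseline: packets that arrive with no protection at all."""
    return sum(p is not None for p in lossy_channel(data, loss_rate, rng))


def deliver_with_fec(data: List[bytes], k: int, loss_rate: float, rng: random.Random) -> int:
    """Data packets the receiver holds after FEC repair of every block."""
    delivered = 0
    for block in fec_encode(data, k):
        delivered += sum(p is not None for p in fec_decode(lossy_channel(block, loss_rate, rng)))
    return delivered


def deliver_with_duplication(data: List[bytes], loss_rate: float, rng: random.Random) -> int:
    """Packet duplication: every packet is sent twice (over two tunnels in a real SD-WAN);
    the receiver keeps whichever copy arrives first and discards the other. Bandwidth
    doubles, but a packet is lost only if both copies are dropped."""
    first = lossy_channel(data, loss_rate, rng)
    second = lossy_channel(data, loss_rate, rng)
    return sum(1 for a, b in zip(first, second) if a is not None or b is not None)


# Constructed sample stream: 40 fixed-size "voice" payloads.
SAMPLE = [bytes([i]) * 8 for i in range(40)]

if __name__ == "__main__":
    for loss in (0.02, 0.10, 0.30):
        rng = random.Random(42)
        print(f"loss {loss:.0%}: plain={deliver_plain(SAMPLE, loss, rng)}/40 "
              f"fec(k=4)={deliver_with_fec(SAMPLE, 4, loss, rng)}/40 "
              f"dup={deliver_with_duplication(SAMPLE, loss, rng)}/40")
```

Running it shows the trade-off the post alludes to: at low loss, one parity packet per four recovers almost everything for 25% extra bandwidth, but as loss climbs the chance of two drops landing in the same block grows and FEC stops keeping up, which is where duplicating every packet (100% overhead) becomes the better tool. Duplication also only helps if the two copies take paths whose losses are not correlated, which is why it belongs on separate transports.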

Edge-to-Cloud Protection with Integrated SD-WAN Security Stack


Securing branch-to-cloud and branch-to-data-center traffic, in all its permutations, is a key strength of SD-WAN. Last year Cisco added a virtualized security stack that provides multiple layers of protection at the cloud edge:
  • Application-Aware Enterprise Firewall with the ability to identify, permit, or block over 1400 applications.
  • Intrusion Prevention System (IPS) using Snort, the most widely deployed IPS engine in the world, to deliver real-time network defense against intrusions and malware.
  • URL Filtering with advanced reporting on over 80 URL categories, providing IT with greater visibility and reducing risk with usage policies customized to an organization’s unique needs.
  • DNS/web-layer security with integrated connections to Cisco Umbrella to prevent enterprise branch users, guests, and mobile users from accessing inappropriate internet content and known malicious sites that might host malware and other security risks.

Figure. Cisco SD-WAN Security Today.

Coming soon to a Cisco edge router near you is Cisco Advanced Malware Protection (AMP) with Threat Grid, operating as a virtual network function (VNF). This additional AMP layer includes a context-aware knowledge base of known malware. Cisco AMP Threat Grid identifies discovered infections, alerts IT staff, and provides information on the malware’s method of attack, a measure of the threat it poses, and how to defend against it. Operating at the branch edge as part of the SD-WAN VNF security stack, AMP Threat Grid examines incoming and outgoing traffic, so that malware arriving over direct internet connections is caught before it infects branch devices and malware originating in the branch is exposed in traffic bound for the enterprise network or cloud applications.

Threat insights from AMP Threat Grid are viewable in the Cisco vManage portal, where administrators can also initiate protective actions such as segmenting infected devices from the rest of the network. The vManage portal gives network admins a view across the entire WAN, displaying all suspected infections, malware types, and paths of infection through the network. To augment threat intelligence, the VNF instances of AMP Threat Grid at the local edges are continuously connected to both AMP Cloud and Threat Grid Cloud, both maintained by Cisco Talos.

AMP Cloud and Threat Grid Cloud collect malware and suspicious-file data from Cisco installations around the world, maintaining a catalogue of malicious file hashes and keeping that information up to date on Cisco routers as well as third-party security tools via an open API. For example, integrating AMP Cloud and Threat Grid Cloud with application-aware, threat-focused firewalls through that API provides rapid identification of suspected malware files, with automated sandboxing of unknown files in Threat Grid Cloud for additional analysis.

SD-WAN Continues to Improve Branch Connectivity, Application QoE, and Security


Cisco SD-WAN is foundational for a new software-defined network architecture. As organizations become more distributed, the workforce needs new ways to connect edge to cloud, data center to branch, while ensuring a high Quality of Experience for cloud and SaaS applications wherever they are needed. Cisco is at the forefront of this new wave of distributed connectivity, continuously refining our SD-WAN software and security stack to meet the needs of the digital enterprise.