Wednesday 11 December 2019

Drag and drop your way to network segmentation

I can understand if you dread configuring network segmentation. Not only is it hard to configure the many different switches and routers, creating VLANs and writing ACLs that permit or deny IP addresses; it is also easy to make mistakes and risk shutting down parts of the network. And with users and devices moving around, you must continuously modify these configurations. Is it any surprise that many of today’s networks are not optimally segmented?

In this blog we discuss how Cisco Digital Network Architecture (Cisco DNA) makes it easy to segment your campus and branch networks. This blog is the second in a series focusing on aspects of intent-based networking, the first being on controller-led architecture.

Before digging into the solution, let’s understand why you may want to segment your network in the first place.


◉ Enhanced security: Isolate and filter network traffic to limit communications between users and devices

◉ Better access control: Allow users and devices to access only authorized resources

◉ Improved monitoring: Log events, monitor connection attempts, and detect suspicious behavior

◉ Faster containment: Minimize the scope of a network breach


Group-based access control



Recognizing that segmenting the network is a security must-have, we set about making it easy to do in Cisco DNA – the access network for campus and branch. Those of you who have experienced the Cisco DNA Center – the controller for a Cisco DNA based network – know that it provides a highly intuitive and easy to use graphical interface to manage the network and is the ideal platform to define segmentation. For those who haven’t, we encourage them to attend one of our monthly demo sessions where we explain what Cisco DNA can do for you.

Cisco DNA Center allows you to easily manage security policies through policy-based abstractions called scalable groups.  Scalable groups are used to represent connected users and devices based upon attributes, like role, function, location, etc. rather than IP addresses. These groups then form the basis of security policies, centrally managed on Cisco DNA Center and enforced across the network fabric.

Cisco DNA Center enables simplified management of access control between the different groups, and dynamically configures the access control policy in the fabric consisting of switches, routers, and wireless network devices that make up the fabric.

As people and things connect to the network using either a wired or wireless interface, Cisco DNA identifies them, automatically assigns them to their rightful group, and places them in the appropriate segment. We call the creation of these Virtual Networks (VNs) macro-segmenting.

The two levels of network segmentation


But what about the communications between members within a VN? We need to control that too for a deeper level of security. We call this micro-segmenting. So, while macro-segmenting isolates traffic between VNs, micro-segmenting controls communications between different groups or members of the same group within the VN.

For example, you might define two VNs – an ‘Employee’ VN with management, HR, security staff, and financial analysts, and an ‘IoT’ VN with security cameras, door locks, and digital signage. With SD-Access macro-segmentation you can ensure that a compromised camera will not let the attacker access HR resources. While with micro-segmentation, you can prevent lateral spread of malware between say HR and security staff or between two financial analysts.


Cisco DNA Center makes it easy to micro-segment the network. The Access Control Application within Cisco DNA Center works with Cisco Identity Services Engine (ISE) to let you define contracts. Contracts are statements that permit or deny specific types of interactions. For example, if you are concerned about malware attacks that spread using well-known TCP ports of 22, 80, and 443, you can simply create a contract that would disallow such communications between members of the same group.

Once you define the contracts, you use a simple matrix within Cisco DNA Center and activate them between source and destination groups. This matrix visually describes policies that the Cisco DNA Center consistently applies and enforces through the network fabric.
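To make the two levels concrete, here is a small added model (not Cisco DNA Center or ISE code) of the policy described above: VN membership provides macro-segmentation, and a source/destination matrix of contracts provides micro-segmentation. The group and VN names are the post's example; the flows, the contract contents and the assumption that pairs with no contract default to permit inside a VN are constructed for illustration.

```python
"""Added example: evaluate sample flows against a two-level segmentation
policy. Macro-segmentation isolates Virtual Networks (VNs); micro-segmentation
applies contracts between scalable groups inside a VN, looked up in a
source/destination matrix. The 'permit by default inside a VN' rule is an
assumption of this model, not a statement about Cisco DNA Center."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Scalable group -> Virtual Network (macro-segment), per the post's example.
GROUP_VN: Dict[str, str] = {
    "management": "Employee", "hr": "Employee",
    "security_staff": "Employee", "financial_analyst": "Employee",
    "camera": "IoT", "door_lock": "IoT", "digital_signage": "IoT",
}

@dataclass(frozen=True)
class Contract:
    """A named contract listing the TCP ports it denies (empty = deny nothing)."""
    name: str
    deny_tcp_ports: FrozenSet[int]

# Mirrors the post's example: block the well-known ports 22, 80 and 443
# that malware commonly uses to spread between hosts.
BLOCK_LATERAL = Contract("block-lateral-malware", frozenset({22, 80, 443}))
PERMIT_ALL = Contract("permit-all", frozenset())

# The policy matrix: (source group, destination group) -> contract.
# Pairs absent from the matrix use the assumed in-VN default of permit.
MATRIX: Dict[Tuple[str, str], Contract] = {
    ("hr", "security_staff"): BLOCK_LATERAL,
    ("security_staff", "hr"): BLOCK_LATERAL,
    ("financial_analyst", "financial_analyst"): BLOCK_LATERAL,  # same-group contract
    ("management", "hr"): PERMIT_ALL,
}

def evaluate(src_group: str, dst_group: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (verdict, reason) for a flow between two scalable groups.
    Unknown groups are denied: an unclassified endpoint gets no access."""
    src_vn = GROUP_VN.get(src_group)
    dst_vn = GROUP_VN.get(dst_group)
    if src_vn is None or dst_vn is None:
        return "deny", "unknown group"
    # Macro-segmentation: traffic never crosses VN boundaries.
    if src_vn != dst_vn:
        return "deny", f"macro: VN {src_vn} isolated from VN {dst_vn}"
    # Micro-segmentation: apply the contract from the group matrix.
    contract = MATRIX.get((src_group, dst_group), PERMIT_ALL)
    if proto == "tcp" and dport in contract.deny_tcp_ports:
        return "deny", f"micro: contract {contract.name} denies tcp/{dport}"
    return "permit", f"micro: contract {contract.name}"

# Constructed sample flows (source group, destination group, protocol, port).
SAMPLE_FLOWS = [
    ("camera", "hr", "tcp", 445),                       # compromised camera -> HR
    ("hr", "security_staff", "tcp", 22),                # blocked by contract
    ("hr", "security_staff", "tcp", 8443),              # not in the deny list
    ("financial_analyst", "financial_analyst", "tcp", 443),  # same group, blocked
    ("management", "hr", "tcp", 443),                   # explicit permit-all
    ("printer", "hr", "tcp", 9100),                     # unclassified endpoint
]

def audit(flows=SAMPLE_FLOWS):
    """Evaluate every flow; a what-if check to run before activating contracts."""
    return [(flow, *evaluate(*flow)) for flow in flows]

if __name__ == "__main__":
    for flow, verdict, reason in audit():
        print(f"{flow[0]:>18} -> {flow[1]:<18} {flow[2]}/{flow[3]:<5} {verdict:6} ({reason})")
```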

Segmentation that extends from access to apps


Just like Cisco DNA Center segments the access network and creates groups of users, Cisco ACI segments data center and cloud networks and creates groups of applications. Cisco’s multidomain architecture lets these networking domains exchange and map these groups. Now, thanks to this integrated segmentation, users can only run applications they are authorized for. For example, only accounting staff may access point-of-sale systems in keeping with PCI regulations.

Tuesday 10 December 2019

How Wi-Fi 6 overcame one of the toughest wireless environments on the planet

Metal and heat. Since ancient times, these two foundational elements have continuously been used to create a variety of tools. In medieval times, metallurgy technology spawned swords and armor unlike any before it and, in the early 19th century, it vitalized the Industrial Revolution. Nowadays, high-tech metallurgical processes are giving rise to advanced materials and products.

In today’s industrial plants, manufacturers are streamlining processes to create better products, free of defects, that meet exact tolerances. Mettis Aerospace has been at the forefront of metallurgical innovation for over 80 years, specializing in forging, machining and sub-assembly for the aerospace and defense sectors. The company uses powerful presses to forge a variety of metals into highly sophisticated products for the aerospace industry. As a technology-driven company, Mettis also relies on network-connected sensors, cameras, and robotics to manufacture its products. This is where Cisco, its technology, and its partnerships come into play.

Electromagnetism and Wi-Fi



While metal and heat are needed for the forging of aerospace products, they are also detrimental to Wi-Fi. As a conductor of electricity and magnetism, metal directly affects radio waves, including those from Wi-Fi. This means that in a building made mostly of steel, where people are working with various metals on massive steel and iron presses, such as Mettis’ forging facilities, radio waves are reflected and diffracted in all directions. More metal means more degradation and interference, resulting in an unacceptable Wi-Fi experience. Add in high heat (1000+ degrees Fahrenheit) and its effect on the electrical equipment and you have the worst possible situation for Wi-Fi.

Interesting fact: Mettis is home to some of the most powerful forging presses in the UK, one in particular weighs the equivalent of over 200 small cars.

Wi-Fi 6 drives industrial applications with ease


With that in mind, Cisco, along with its partners from the Wireless Broadband Alliance, set out to test Wi-Fi 6 at the Mettis manufacturing plant in Midlands, England. For the above reasons, previous attempts to use Wi-Fi failed in this environment. However, with Wi-Fi 6 come new technologies that enable it to perform in less than optimal conditions.

◉ First and most important, Wi-Fi 6 offers a new radio channel structure, allowing narrower but longer data symbols. Additionally, a flexible orthogonal frequency division multiplexing (OFDM) guard interval ensures that Wi-Fi signals do not interfere with one another and cause overlapping transmission issues. The longer symbol duration (Ts) and guard interval (Gi) are better able to resist harsh multi-path environments, such as those found in the Mettis plant.

◉ Second, OFDM access (OFDMA) multiplexes multiple users on the same channel at the same time increasing network efficiency and providing lower latency for both uplink and downlink traffic. This is important for business critical, delay-sensitive applications used in manufacturing environments.

◉ Third, Wi-Fi 6 offers significant co-channel interference (CCI) mitigation via Basic Service Set (BSS) color techniques that allow the operator to selectively ignore interference, boosting reliability and reducing delay. This is critical in open-space, high-ceiling environments such as those found in the Mettis plant.

Mettis tested 4K live streaming video from cameras mounted on robotic arms, augmented reality to support equipment status and repairs, large file uploads, and Wi-Fi video calling on smartphones. Cisco Catalyst 9100 Wi-Fi 6 capable access points met all trial expectations with very low latency across a variety of partner devices throughout the manufacturing floor, proving out the success of the technology. Speeds reached 700 Mbps, which was our benchmark for this trial using the 80 MHz channel. Future trials will include the 160 MHz channel with a benchmark of gigabit speeds.

This was a huge success for all, especially Mettis. The pilot highlighted that industrial applications go beyond typical use cases and require the latest Wi-Fi 6 technology at both the network and device level to ensure consistent and reliable access and connectivity.


Sunday 8 December 2019

Putting the Enterprise in the 5G Driver’s Seat


The enterprise offers boundless opportunities as we move into and through the 5G era. 90% of Service Provider CXOs said the most important new revenue streams in 5G are going to come from enterprise.

But what are the business models for 5G where the enterprise is concerned? And did anyone actually ask the enterprise if they’re even interested in 5G?

We did and they are. Cisco surveyed our enterprise customers and asked them what they wanted to receive from a 5G experience, and these are just some of the things they told us they expect:

· More flexibility, control and visibility from their Service Providers.
· A network that’s easy to operate and deploy.
· The ability to drive their network, based on policy (intent-based networking).

Wi-Fi 6 or 5G?



So, does the enterprise want Wi-Fi 6 or 5G? Is it a binary decision? The answer that came back from our enterprise customers is that they want the right tool for the job, whatever the job may be. We’ve been working to break down the characteristics of each access type to understand what the right tool is for each job, so that we can advise our enterprise customers accordingly, and put them on the road to success.

Enterprises are digitizing completely, and new applications will require pervasive compute and connectivity. On one hand, Wi-Fi 6 offers mass availability, less cost and ease of deployment. On the other, 5G is stronger in terms of handoffs, low latency and determinism.

To enable the enterprise to capture new revenues, we’re putting them in the driver’s seat with bundles, verticals and new channels. In some places, Wi-Fi 6 makes sense. In others, 5G is the right tool for the job. Often, the enterprise will benefit from both technologies. It all comes down to the specific needs in a given vertical, the associated policy and service requirements, and how we package the services and bring them to market in new and intelligent ways. This service creation, combined with our unmatched end-to-end portfolio, makes Cisco the most important 5G vendor out there.

Saturday 7 December 2019

Configuring Cisco Security with Amazon VPC Ingress Routing

Today, Amazon Web Services (AWS) announced a new capability in Virtual Private Cloud (VPC) networking that is designed to make it easier and more efficient for Cisco Security customers to deploy advanced security controls in the cloud. This new capability is called Amazon VPC Ingress Routing. It allows users to specify routes for traffic flowing between a VPC and the internet or from a VPN connection, such as a private datacenter.

Amazon VPC Ingress Routing is a service that helps customers simplify the integration of network and security appliances within their network topology. With Amazon VPC Ingress Routing, customers can define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) to redirect ingress traffic to third-party appliances, before it reaches the final destination. This makes it easier for customers to deploy production-grade applications with the networking and security services they require within their Amazon VPC.

While the remainder of this post focuses on Cisco’s NGFWv and ASAv products, this capability can also be used to deploy a number of other network-based security solutions into the AWS traffic path. This includes services such as the following:

◉ Firewall policy enforcement
◉ Network traffic visibility
◉ Malware detection
◉ URL filtering
◉ Intrusion Prevention
◉ DNS security

This is a big win for Cisco customers deploying our security products in AWS, and we are pleased to have been an early adopter and Integration Partner with AWS on this launch.

How to Use Amazon VPC Ingress Routing with Cisco Firewalls


The configuration is achieved by creating a custom route table and associating subnet routes with the private Elastic Network Interface (ENI) of the security appliance, and then associating the public ENI with an IGW and VGW. A single firewall instance can protect multiple subnets; however, a separate instance is needed per VPC. Below are some details on the testing we performed as well as sample use cases and configuration guidance.

Use Cases / Deployment Scenarios


Cisco NGFWv/ASAv can be deployed in a VPC to protect the following traffic flows:

◉ Traffic Traversing an Internet Gateway (IGW) To/From the Internet
◉ Traffic Traversing a VPN Gateway (VGW) To/From a Remote VPN Peer

Benefits of Using Amazon VPC Ingress Routing with Cisco’s NGFWv and ASAv


◉ Offload NAT from the firewall to AWS network address translation (NAT) gateway or instance
◉ Simplify protection of multi-tier applications spanning subnets and VPCs
◉ Scale easily: the design makes it simple to add new subnets, and more of them
◉ Enables bi-directional, threat-centric protection for traffic bound for private networks and the internet

POC Deployment Scenario


Enable outbound Internet connectivity and offload NAT function to AWS NAT gateway

In this scenario, the Cisco Firewall (NGFWv or ASAv) is deployed between internal services in the AWS VPC and the internet. The route table for the Internet Gateway (igw-rt) has a specific route for the Inside subnet which directs inbound traffic to the Cisco Firewall for inspection. Prior to this enhancement, users had to NAT egress traffic on the firewall to bring the reply packet back to the same virtual appliance. This new configuration eliminates the need for an ENI on the firewall and removes the requirement to perform NAT on the firewall, thus improving performance.


Cisco NGFW/ASA with AWS IGW (route table attached to IGW) and AWS NGW to NAT outbound traffic

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using IGW and Amazon VPC Ingress Routing

This topology expands on the previous, demonstrating how multiple subnets can be protected by a single firewall. By utilizing the AWS NAT Gateway service, the number of protected subnets behind a single firewall can be scaled significantly beyond what was previously possible.

As with the previous architecture, the Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to the IGW. Multiple routes are configured in the IGW’s route table to direct the traffic back to the appropriate subnet while the protected subnets forward their traffic to the internal firewall interface via the NAT gateway.


Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress Routing

Cisco NGFW/ASA with Multiple Subnets, Three-tier Architecture Using VGW and Amazon VPC Ingress Routing 

Cisco Firewalls can also be deployed in an Amazon VPC to inspect traffic flowing through a VPN tunnel. In this case, the Cisco Firewall is deployed at the edge in routed mode, forwarding outbound traffic to a VGW. In this example, the local and remote networks are routable; therefore, the NAT gateway can be eliminated, further improving efficiency and reducing cost.


Cisco NGFW/ASA three-tier Architecture with AWS IGW and VPC Ingress Routing
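The scenarios above all rely on the same mechanism: a route table associated with the IGW (or VGW) steers inbound traffic for a protected subnet to the firewall, while the subnet's own route table sends replies back through the firewall. The following added simulator (not Cisco or AWS code) traces both directions of a flow and checks that each traverses the firewall, reproducing why the reply path no longer needs NAT. Addresses, subnet and ENI ids are constructed placeholders, and the firewall is assumed to forward between its outside and inside ENIs in routed mode.

```python
"""Added example: trace a packet through VPC route tables with and without
an ingress (edge) route table on the IGW, and verify path symmetry through
the firewall. All ids and addresses are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]          # (destination CIDR, target)
RouteTable = List[Route]

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {                      # constructed subnet id -> CIDR
    "subnet-outside": ipaddress.ip_network("10.0.0.0/24"),
    "subnet-inside": ipaddress.ip_network("10.0.1.0/24"),
}
# The firewall's two ENIs and the subnet each one lives in (constructed ids).
FIREWALL = {"eni-fw-outside": "subnet-outside", "eni-fw-inside": "subnet-inside"}
PEER_ENI = {"eni-fw-outside": "eni-fw-inside", "eni-fw-inside": "eni-fw-outside"}

def lookup(table: RouteTable, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match, as a VPC route table performs."""
    best, best_len = None, -1
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best

def subnet_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    return next((sid for sid, net in SUBNETS.items() if ip in net), None)

def trace(src: str, dst: str, tables: Dict[str, RouteTable], max_hops: int = 8) -> List[str]:
    """Return the ordered hops a packet from src to dst takes. `tables` maps a
    subnet id or 'igw' (the edge association) to its route table."""
    dst_ip = ipaddress.ip_address(dst)
    where = subnet_of(ipaddress.ip_address(src)) or "igw"   # ingress point
    path = [where]
    for _ in range(max_hops):
        target = lookup(tables[where], dst_ip)
        if target is None:
            return path + ["blackhole"]
        if target == "local":
            return path + [subnet_of(dst_ip) or "blackhole"]
        if target == "igw":
            return path + ["igw"]
        if target in FIREWALL:   # handed to the firewall; assumed to forward
            path += [target, PEER_ENI[target]]   # in on one ENI, out the other
            where = FIREWALL[PEER_ENI[target]]   # continue in the egress subnet
            continue
        return path + [target]
    return path + ["loop"]

def is_inspected_both_ways(client: str, server: str, tables: Dict[str, RouteTable]) -> bool:
    """True when both directions traverse the firewall, so replies return
    through the appliance without NAT being needed to force the path."""
    fw = set(FIREWALL)
    forward = fw & set(trace(client, server, tables))
    reverse = fw & set(trace(server, client, tables))
    return bool(forward) and bool(reverse)

# Route tables for the post's first scenario: the IGW's edge route table steers
# traffic for the inside subnet to the firewall's outside ENI, the inside
# subnet defaults to the firewall's inside ENI, the outside subnet to the IGW.
WITH_INGRESS_ROUTING: Dict[str, RouteTable] = {
    "igw": [(str(VPC_CIDR), "local"), ("10.0.1.0/24", "eni-fw-outside")],
    "subnet-inside": [(str(VPC_CIDR), "local"), ("0.0.0.0/0", "eni-fw-inside")],
    "subnet-outside": [(str(VPC_CIDR), "local"), ("0.0.0.0/0", "igw")],
}
# Before the feature: the IGW delivers inbound packets straight to the subnet.
WITHOUT_INGRESS_ROUTING: Dict[str, RouteTable] = {
    **WITH_INGRESS_ROUTING, "igw": [(str(VPC_CIDR), "local")],
}

if __name__ == "__main__":
    client, server = "203.0.113.10", "10.0.1.20"
    for name, tables in (("with", WITH_INGRESS_ROUTING), ("without", WITHOUT_INGRESS_ROUTING)):
        print(name, "inbound:", trace(client, server, tables))
        print(name, "reply:  ", trace(server, client, tables))
        print(name, "symmetric through firewall:", is_inspected_both_ways(client, server, tables))
```

Without the edge route table the inbound packet bypasses the firewall while the reply goes through it, which is the asymmetry that previously forced NAT on the appliance.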

In addition to support for Amazon VPC Ingress Routing, we are adding AWS Security Group management to Cisco Defense Orchestrator (CDO). We are also extending the existing ACI policy-based automation for L4-7 services insertion to the AWS cloud by leveraging Amazon VPC Ingress Routing. These integrations will make deploying L4-7 services in a hybrid cloud, as well as Cisco Security at scale in AWS, easier than ever.

Thursday 5 December 2019

Automated Cloud Infrastructure: Extending ACI and AWS integration

It’s that time of the year – AWS re:Invent 2019 is happening this week. Cisco and AWS customers deploy workloads and applications in both their own data centers and the AWS cloud today, and look forward to even better integration to achieve their infrastructure automation goals while maintaining a consistent operational model.

Cisco and AWS are extending their partnership across multiple domains such as campus, WAN, branch, data center and cloud using a policy based, automated approach. This blog will focus on how customers can leverage the new AWS capabilities and enhancements to build a better Automated Cloud Infrastructure for their data centers.

Our customers started to deploy Application Centric Infrastructure in their own data centers using Nexus 9000 fabrics 5 years ago. Key tenets of the ACI operation model have been:

1. Intent-based, policy-driven automation
2. Define policy once – deploy automatically when and where needed
3. Flexible and scalable multi-tenancy
4. Automated service insertion and traffic redirection
5. Open APIs to provide network connectivity between baremetal, hypervisor, container, and cloud environments

AWS announced multiple innovations and enhancements this week:

1. AWS Outposts – provide AWS services on-premises
2. AWS VPC Ingress Routing – Inbound routing control for more efficient service insertion
3. AWS Transit Gateway – Simple and high performance connectivity between AWS VPCs

These innovations and enhancements map very well to the ACI operational model our customers have deployed today.

ACI extension to AWS Outposts


AWS Outposts are Amazon’s on-premises services for running applications that require the lowest possible latency or that have local data-processing requirements. Earlier this year, we announced availability of Cisco Cloud ACI on AWS for hybrid clouds. Therefore, extending ACI enterprise-grade networking to AWS Outposts becomes very easy. As Figure 1 shows, customers can now leverage Cisco Multi-Site Orchestrator to manage ACI fabrics on premises, Cloud ACI instances in the AWS cloud, and AWS Outposts instances connected to ACI or NX-OS Nexus fabrics, all at the same time.

Key benefits of using ACI with AWS Outposts for our customers are:

• Enterprise-grade network connectivity
• Consistent segmentation (e.g. zones, tenants)
• Automated service insertion and service chaining (more on this below)
• End-to-end visibility and troubleshooting


Figure 1: ACI extension to AWS hybrid cloud and AWS Outposts
A more detailed solution brief discussing how to connect AWS Outposts to existing Cisco Nexus data center fabrics is available here.

ACI integration with AWS VPC Ingress Routing


Amazon VPC Ingress Routing is a service that helps customers simplify the integration of virtual network and security appliances within their AWS VPC network topology. ACI enables customers today to define policies for automated service insertion and chaining. Many customers are using that functionality in their on-premises data centers. With the availability of AWS VPC Ingress Routing they will be able to use the same policy based approach for their AWS network designs as well.

Key benefits of using ACI with AWS VPC Ingress Routing

• Enterprise-grade service chain functionality for hybrid cloud
• Consistent service insertion for cloud native and 3rd party L4-7 service appliances in AWS cloud and on-premises
• Automated service insertion and service chaining


Figure 2: ACI Automated Service Insertion in Hybrid Cloud

ACI Integration with AWS Transit Gateway


AWS Transit Gateway provides efficient and high performance interconnect between multiple AWS VPCs. The integration with Cisco ACI will provide customers the ability to maintain and manage their multi-tenant on-prem data center environment while automating connectivity to multiple AWS VPC instances in the cloud connected through AWS TGW.

Figure 3: ACI Integration with AWS Transit Gateway

Key benefits of using ACI with AWS Transit Gateway

• Enterprise grade segmentation and multi-tenancy
• Enable higher inter-VPC throughput provided by AWS TGW
• Secure automated connectivity from on-premises to AWS TGW

Cisco ACI and AWS integrations also enable customers to simplify their day-2 operations by providing a single pane of glass (Multi-Site Orchestrator) for visibility and troubleshooting of their network connectivity and segmentation across on-premises and cloud environments.

In addition to enabling the above innovations, we are also helping customers to accelerate their automated cloud infrastructure deployments through a ‘Cisco Cloud ACI’ promotional offer.


Tuesday 3 December 2019

Weathering the Storm with Webex

Webex tools for disaster relief 


Storm Emma hit the coasts of Ireland in late February 2018. Towns and cities across the country were slammed with the bleakest snowstorm in almost half a century as a cold front travelling in from mainland Europe plunged the country to record low temperatures and buried many regions in over 2 feet of snow. Gale force winds compounded the relief efforts causing widespread disruptions to roads, rail and air travel. As a national emergency was declared, a co-ordination team assembled in Dublin to liaise with multiple authorities handling the response efforts across the country.

Recently, I met with Bryan Humphreys, Information and Communications Technology Project Leader for Cork County Council, to discuss his local authority’s response to the storm.  Bryan explained the unique challenges his team faced, “Cork County is the largest local authority by geographic area in Europe. However not only is it a large region, we are responsible for a county which has remote areas with mountainous and rugged terrain, and over 1,000 kilometres of coastline. We needed to equip our emergency teams to deal with all situations and to empower them with real-time and relevant information at their fingertips to allow for rapid and safe responses, especially during such conditions experienced with Storm Emma.”

County Cork’s rugged coastline and terrain

Responding to a natural disaster


Bryan and his team deployed Webex in late 2017 after witnessing other collaboration tools failing to deliver on original promises. Initial deployment started with a Webex Board in the Cork city headquarters and the team rapidly expanded their footprint in the ensuing months. Bryan’s team and the local authority make use of Webex devices and Webex Teams daily but the challenges which came with Storm Emma really exemplified to Bryan the power of the integrated Webex platform.

“Some of our response officers were equipped with tablets running Webex Teams letting us share critical information such as weather forecasts, maps and building blueprints. Our teams on the ground were able to respond effectively and efficiently in these life-threatening conditions. Our incident response vehicles were equipped with Cisco Webex devices which allowed our teams to join meetings from isolated and inhospitable areas. In some instances, we had remote teams dialled into a Webex session which ran for over 9 hours!”

“I can give examples of how first responders used Webex Teams to share insights into weather patterns to ensure their job was executed as efficiently and safely as possible, ensuring our responders returned home safely at the end of the day.”

“The Cisco Collaboration solution allowed us to run our crisis management team remotely. Back in our Cork offices in the south west of Ireland, we used the Webex Board to dial into national central crisis management meetings with government agencies situated out of Dublin.”

“Webex is now so central to our operations that we could not have managed such efficient responses to incidents without it. We have several Webex Boards in our offices in Cork, we’re using Webex Share in our meeting rooms, and our departments collaborate on Webex Teams. We’re looking at developing pods in our offices with DX80 units and the Webex platform opens up the possibility for remote working.”

For Bryan and his team, choosing Webex brought collaboration to new heights. “For us it was a no brainer. The quality and ease of the Webex platform was excellent, and in responding to some of the worst storms to ever hit Ireland, the Cisco Collaboration solution has been pivotal to our communications. Other local authorities in Ireland are now witnessing the power of the Webex platform and what we’re achieving in Cork and they too are exploring Webex as a model for their teams.”

The power of Webex has become central to Cork County Council’s response to national emergencies, with storms becoming more commonplace with changing climate patterns not just in Ireland but around the globe. Cork County Council’s use of Webex, and its applicability both in responding to emergencies and in an everyday working flow, exemplifies the power of Cisco’s Collaboration tools and how Webex Teams can solve local authorities’ collaboration needs.

Sunday 1 December 2019

Automated Networks for Flexible Manufacturing Cells


Competing in the industry as a manufacturer isn’t just about controlling costs. It’s about building an agile company that can deliver exactly what the market demands—today and tomorrow. Yet as product lifecycles get shorter every day, it doesn’t make things any easier in a mass production environment. So meeting customer needs today requires you to keep operations not only efficient but also flexible, so you can respond quickly to each specific customer order and scale to the ever-demanding needs of the operations and manufacturing teams.

Manufacturers have been faced with a dilemma, one they only deal with when orders are not shipping. For instance, there is the minimum equipment needed to make the product, which has a known, but more often an unknown, maximum yield. The schedule is based on the time it takes to make the product, which is equal to or less than the maximum yield of the machine. When the yield falls below the schedule, the unit profit is lost and may be unrecoverable. What makes this more difficult is that production lines are built for long runs of a given product. These production lines are not easily changed to build a different product.

This inability to change easily creates a financial boundary for many manufacturers. They won’t even attempt low volume production, thus keeping some products off the market entirely, or the manufacturing is moved offshore to a location with a low labor rate for manual manufacture.

Manufacturers have long wanted to be able to accurately measure yield. Improve yield and you improve profits. This assumes the schedule to meet orders approaches 100%. If the orders for a given product fall, can the line be easily reconfigured for another product?

One of the systems that may also need to be reconfigured is the network. Cisco has been working to make network changes easy, even automated. Therefore it was fortunate to come across the folks at the Commonwealth Center for Advanced Manufacturing (C-CAM) near Richmond, Virginia. They have just received a grant from the National Institute of Standards and Technology (NIST) to research the viability of the flexible manufacturing cell. The purpose is to develop a profitable, easily reconfigurable production cell for short and varied production runs.

Getting the data from the production equipment will require a well-connected network. That well-connected network can and should include data collection via embedded edge computing, and security for both in-plant and remote access to the data. We believe that C-CAM is onto something that can revolutionize manufacturing in the U.S., and Cisco is proud to be participating with NIST and C-CAM in this endeavor.