Using Wi-Fi to Help Manage the Return to the Office

In some locations around the world, buildings that were closed to slow the spread of the coronavirus are beginning to open again — slowly. Fully opening offices will take months. During the process, employers will need to monitor their workspaces closely for social and physical distancing.

A technology we already have can help: Wi-Fi. It is pervasive in our workplaces, and Wi-Fi access points can act as powerful sensors. In particular, we can use location data gathered from Wi-Fi to help manage the re-introduction of workers, customers, and visitors into our facilities.

Our tool for this is Cisco DNA Spaces, a cloud-based system that offers site-specific, location-based analytics for any network using our Catalyst, Aironet, or Meraki wireless access points. Many of our customers already have a license for this product and simply need to turn it on. For others, we offer a 90-day, no-charge trial period to use the tool. Regardless, it should take under half an hour to activate and configure.

We have added applications on to our DNA Spaces platform to provide both real-time and historical analysis tools for businesses that are reopening their offices. The technology is flexible, and the amount of detail collected can be configured by each customer – from collecting anonymous statistical counts to individually identifying people at a site.

Watch Your Workspaces

Let’s look at an example of how the new DNA Spaces applications could help a business re-open its offices to bring people back to the workplace more safely, optionally communicate with specific people as needed, and improve the new workplace over time.

In the first phase of re-opening an office, we’re going to want to bring back a small proportion of employees and track how they use the space. The concern is that even with low population density in a building, people still may be congregating in hot-spots and breaking social and physical distance guidelines. We can use Cisco DNA Spaces’ Right Now app to see if this is happening at a site.

DNA Spaces Right Now shows how many people are using your facilities at the moment.

Traditional data for building occupancy — pulled from access card badge-in records — can tell us how many people enter a building and when, but this data stream doesn’t usually monitor which parts of a building people use, nor when they leave. With Wi-Fi, we can gather much more robust data that tracks how people use, move, and occupy spaces throughout the day.

The Right Now service tracks new devices that enter a space when they connect to Wi-Fi, and by recording which access points are able to electronically “see” them, it can tell which part of the building they are in.

Businesses can use DNA Spaces in a privacy protective, fully anonymized mode (with hashed MAC addresses); in this mode, it does not record any information that could correlate device locations to specific people. It can tell a facilities manager how the workforce in a building is behaving overall, but not the identity of individuals on-site.

You can set density alerts from the Web-based service.

With this data stream, we can watch how behavior changes as we allow more people back into the office over the weeks and months of a return-to-office program. In particular, we can determine if there is an occupancy load at which people start to cluster, breaking general distancing guidelines. If and when this happens, a company can work on reconfiguring hot-spot locations, educating employees, dialing back the number of people allowed into the office, or a combination of mitigations.

Enabling this feature on a network, if it is not already turned on, takes about 30 minutes. It does not require the installation of software on end-user devices.

At Cisco, we have been using DNA Spaces in fully anonymized mode in some of our offices in South Korea and China, after testing in our San Jose buildings. We will have more to say about how these projects are progressing soon.

Data for a Changing Office

Over time, as the return-to-office program gets established, businesses will need to evaluate the new use patterns and the economics of company workplaces. With our Impact Analysis app in DNA Spaces, facilities managers across a business will be able to see how buildings and campuses are being used – not just how much they are being used. We’ll be able to provide reports on time spent in the office, building utilization, and other metrics that could inform how workplaces could get reconfigured. We think these tools will be especially important for buildings that are used by visitors and guests, like stores and schools.

DNA Spaces Impact Analysis shows how building use changes over time.

The applications to monitor building use are available now.

Meanwhile, we are investigating additional capabilities that customers could enable if we offered tracking of not just how devices move around a space in the aggregate, but whose devices they are. This more granular data would let employers contact specific employees and inform them of potential Covid-19 exposure, if necessary. Critically, these features will always be optional, and data collected in a company’s private network will always belong solely to the company that owns the network. DNA Spaces currently does not offer contact tracing to tell precisely who is near whom.

Activating Your Wi-Fi Sensors

We believe using Wi-Fi access points as sensors can provide facilities managers and business leaders with critical information that can help keep people safer, and make spaces more effective and efficient. All our tools are quick to set up, and we are making them available at no charge to all who can use them: Anyone running Cisco or Meraki wireless access points.

Continue reading

Building character towards future success

Why does someone become a fashion designer? Or a scientist, an investor, or entrepreneur – or all of the above?

I don’t ever recall thinking I wanted to “be” this or that. I just wanted to do something. And then I looked up and discovered I had become something.

It is your skills and character that makes you who you are. You get to decide on which skills you have. But your character … how does that happen? Three character traits have helped me enormously in my life. I’ll share the secret to how you might be able to amplify these in yourself.

The first trait: Curiosity

My own curiosity meant I was taking risks. I hit bumps in the road, but also had great adventures. College was a huge transition for me; it allowed me to escape my old life. I went to my state’s college, the University of Maryland. It was like a sandbox to me. I was eager to try new things – which in the 1970’s was sometimes dangerous.

As a freshman, I took a job washing dishes in an algal biology lab. It wasn’t very interesting. But the lab tech next door, an older man, was using a crazy-sounding instrument called the Scanning Electron Microscope, or SEM, in the Engineering Dept. After a bit of my pestering, he took me to the SEM lab and let me watch as he looked at specimens. The microscope shot electrons onto the gold coated surface of the specimen, which allowed us to see the specimen in 3D, at a microscopic level.

Soon, I got to know the person who ran the microscope lab in that same Engineering Dept. In passing, he mentioned an upcoming three-day meeting in Chicago, with international scientists gathering to talk about Scanning Electron Microscopy!

I had to go. This was my calling. It was my curiosity talking to me.

I drove for two days, from Maryland to Chicago, and slept on the floor of a friend of a friend’s apartment to attend this meeting. I met scientists from Oxford, Cambridge, and the famed IBM Research Labs, who were involved in groundbreaking work in microscopy. I made friends with all of them, talking about the lectures, their research, and joining the group for meals.

The team from Oxford labs invited me to join them as an intern that summer, where I could work on one of three existing million-volt microscopes and help them build the first Scanning Transmission Electron Microscope, now known as a STEM instrument. I was so curious and fascinated by electron microscopy that I took all the available classes on campus in this area.

And so, by listening to my curiosity, I got the priceless experience of working with top scientists, learning about a groundbreaking new technology, and participating in its development, at one of the most respected universities in the world.

Now, my second life trait: Perseverance

Some years ago, I received a letter from a US Presidential Science Advisor thanking me for a job well done as a consultant. He said, the one thing I should be sure to pass on to my children is my perseverance. He thought it was a rare trait.

Later, as I thought back on it, my first memory with perseverance was in my first job after college. Soon after graduation, I took a job at Johnson & Johnson, establishing an electron microscope lab in one of their subsidiaries. Up to that point, my professional experiences was in government and academic environments.

Moving to a for-profit organization was confusing for me, and I didn’t feel that I fit-in. But then, I saw a notice, on the bulletin board in the lunchroom to participate in a graduate class “on the pharmaceutical industry.”

I took the GRE – which means I took the risk of applying, which led me to a degree. This laid the groundwork for what was to follow. Johnson & Johnson had a tuition reimbursement program for that MBA, but it did not extend to my job level. I was told to wait until I was in a higher position to take the program, when I could use the degree. I fought that suggestion. I talked with the head of HR to lobby for a change in policy. I ended up getting all of my tuition reimbursed. In my six years at Johnson & Johnson, I continued to persevere, and went from Research & Development, to Regulatory Affairs, and then on to finance where I did sales forecasting.

Finally, my third life trait: Innovation

My innate curiosity and asking “what might appear to be dumb” questions to understand my environment would soon open up more opportunities for me.

While at a conference for another employer, I overheard a group of people in their late twenties chatting ahead of me in the registration line. They worked on Wall Street, and I was fascinated by their conversation on industries and markets. Soon, I became close friends with that group and learned a lot from them.

After that chance encounter, I was inspired and started to look for a job on Wall Street. I quickly realized that my varied experiences were an asset in this new fiscal world.

I had no idea what investment banking was, so I met with anyone who would talk with me. As luck would have it, I ran into the Chairman of the Board from my company at a Christmas party. It was awkward to answer the question, “Where do you work?” But taking hold of my courage, I told him I worked for him and was looking for a job.

Unknown to me, over the next few days, he made some calls. Soon I had an interview at a venture capital firm. At first, I was confused because I didn’t know what venture capital was. I decided to take a leap of faith and, after many interviews, got that job.

After four years of working in venture capital, I decided to move to the other side of the table, as I realized that I wanted to be on the creative side of the equation. Over the years, I’ve founded seven companies, all of them with great teams of people. Some succeeded, and some didn’t succeed.

In the middle of that, I went back to school to earn my MFA in fashion design and spent five years running a fashion label. I didn’t realize that, while it is hard for a consumer to shop e-commerce stores and find the right clothes that will look good on them, no-one teaches designers how to fix that problem. I spent several more years experimenting with my label and eventually changed direction again entirely.

You see, prior to earning my MFA, I had owned two successful predictive modeling start-ups, and I saw similarities with the kind of problems we were solving in my eCommerce fashion company and the issues we faced in those two companies. So four-and-a-half years ago, I started up Savitude, an AI technology company, to solve the “fit” and “flatter” problem we had in our eCommerce label.

Reflecting on traits for success

Now in a reflective time of my life, I have wondered, “what has kept me going in this direction?” What keeps me doing this now? The nature of my reflection has changed, and I started to see new patterns. Not long ago, I connected my attraction to early stage startups, inventions, and inventors to my early life. I started to think I could alter my own perception of my surroundings. How and when this started, I don’t know…but I do know why.

To survive my abusive childhood, I created alternate narratives. I searched for the rules on how it could be. I wanted a copy of the “rule book” that I thought everyone was born with.

Eventually, I realized I had to write my own rule book.

If you resonate with even a small part of my story, you too can transfer the energy you spend on questions like “why didn’t I do?” into creative exploration and innovative contemplation.

I am most grateful for the perseverance this exercise has given me. And, perhaps some of you have also found the inner strength to endure difficult times. You can repurpose that strength to navigate a rewarding path.

The traits of curiosity, perseverance, and innovation have helped me enormously. I have had experiences that have made me feel small, and those memories are enduring. But in those times, I have imagined brightness in the dark, interest where was none, and the will to wake up every day, which in turn has given me the power to invent, to patent, to hire, to sell, to deposit money.

Continue reading

Cisco Announces Intent to Acquire ThousandEyes, Inc. – Network Intelligence for What’s Next

Today businesses, schools and governments depend on applications and digital services more than ever. Those applications run in data centers and clouds around the world. Our users and sites are connected over broadband, SD-WAN and cellular networks. It is key for every technology group to understand that the Internet is mission critical and business critical for all of us. It is now our corporate network, and we need to have better visibility, intelligence and insights of the Internet than we ever had from private networks.

Today I’m excited to announce Cisco’s intent to acquire ThousandEyes. Headquartered in San Francisco and founded in 2010, ThousandEyes provides Internet intelligence at a scale and accuracy never seen before. In a time when every meeting is held and every document is shared through connected applications, the need for ThousandEyes technology has never been so high.

ThousandEyes’ technology warns us when a user’s experience is less than ideal and can pinpoint where those failures were caused. With thousands of agents deployed throughout the Internet, ThousandEyes’ platform has an unprecedented understanding of the Internet and grows more intelligent with ever deployment. With ThousandEyes, AppDynamics and Cisco SD-WAN technology, we will have the ability to improve the performance, reliability and scalability of all the applications on which we depend so much.

ThousandEyes’ network intelligence platform focuses on the user experience and network performance. The platform gathers data from various points throughout the public Internet — from within data centers, colocation centers, campuses, branches and on end-user devices —to identify dependencies that impact service delivery. This enables businesses to see, understand and improve all our users’ digital experience.

Frequently, when acquiring important technologies like this, we try to find the right product analogy or comparison to an existing business or product. Consider this; is ThousandEyes the ultimate IP SLA for a multi-cloud, SD-WAN world?  Yes.* Does ThousandEyes give network-as-a-service offerings the visibility they need to respond proactively, now that the Internet is our Enterprise network? Yes. However, I believe more than anything, ThousandEyes is to the network what Talos is to security.

In 2013, after the acquisition of Sourcefire, we merged Sourcefire’s Vulnerability Research Team with Cisco TRAC and SecApps groups to form Cisco Talos, our security threat research team. Since then, all Cisco security products have been fueled by threat intelligence from Talos. I had an incredible view of this when Talos WannaCry signatures were pushed to Meraki MXs and we started detecting true WannaCry infiltration around the world. We were even able to reach out to those affected and help them through the mitigation process. This type of deep intelligence changed the game for our customer’s security posture. I’m incredibly excited about ThousandEyes, because ThousandEyes is Cisco’s new Internet Intelligence group. All of our networking products can become more intelligent and more proactive by leveraging this technology.

The ThousandEyes acquisition will enable deeper and broader visibility to pin-point deficiencies and improve the network and application performance across all networks your business relies on by enabling end-to-end visibility when accessing cloud applications. Internet Intelligence won’t just improve networking reliability, but end-to-end application experience. Embedding ThousandEyes technology into Cisco’s networking portfolio will give unprecedented intelligence on the largest deployed base of networking equipment in the world.

ThousandEyes’ further complement Cisco’s capabilities with proactive application modeling to help improve application quality of experience (QoE). Cisco will incorporate ThousandEyes’ capabilities in our AppDynamics application intelligence portfolio to enhance visibility across the enterprise, internet and the cloud. AppDynamics, another acquisition that cemented Cisco’s place in the business intelligence, analytics and IT operations market, will be able to offer even deeper application insights paired with true Network Intelligence from ThousandEyes.

I can’t tell you how excited I am about ThousandEyes. To all of ThousandEyes’ employees and partners, welcome to Cisco. To everyone looking for more intelligent, reliable and agile application and internet experience, come take a look at this amazing technology and stay tuned for developments as we embed ThousandEyes into Cisco products throughout our networking, cloud and application offerings.

Source: cisco.com

Continue reading

Cisco continues investment protection with 64G FC readiness using Cisco MDS 9700 Series Multilayer Directors

In this series of blogs, we are trying to discuss some of the unique advantages of Cisco MDS 9000 series switches across the Fibre Channel industry. In the first blog, we talked about NVMe/FC support in Cisco MDS 9000 Series Multilayer Switches. Now, let’s talk about investment protection.

Investment protection is usually discussed as a business advantage. But I am not going to talk about only money savings, but also about easing the technical and operational pain the customer endures because of the complex chassis forklifting as well.

Cisco MDS 9700 Multilayer Director class switches carry on the legacy of investment protection that the Cisco MDS 9500 class of directors were originally founded on. The legacy that started with the MDS 9500 platform in 2002 continues with the MDS 9700 platform, launched in Apr 2013.

Cisco MDS 9500 Series Multilayer Directors had three models to match up with different port density requirements. Cisco MDS 9509, launched in 2002, had capacity for 224 Fibre Channel (FC) ports; Cisco MDS 9506, launched in 2003, for 128 FC ports; and Cisco MDS 9513, launched in 2006, for 528 FC ports.  The total active life span (sales announcement to end of support) of MDS 9506 was 17 years, MDS 9509 was ~19 years, and MDS 9513 was ~16 years.

With an operational life span of nearly 19 years, the Cisco MDS 9500 went through three speed upgrades from 1G/2G  4G  8G FC speed, using new modules simultaneously in the same chassis. Additionally, we upgraded from Supervisor-1 to Supervisor-2 to Supervisor-2A modules to enhance the scalability required by customer data center environments. More importantly, all of these changes were done without any disruption.

Fast forward to April 2013: The Cisco MDS 9710 Multilayer Director was launched, supporting 48 ports of line-rate performance at 16G FC speed per module, followed by MDS 9706 and MDS 9718.

Say Hi to 2017 and the same chassis (Cisco MDS 9700) is ready to support 32G FC speed at line-rate performance. Additionally, new software features like SCSI and NVMe Analytics, anti-counterfeit security, improved scalability, enhanced redundancy, and high availability were also introduced in this platform.

Today, we are now talking about 64G FC speeds and NVMe based fabrics. Again, the same chassis – Cisco MDS 9700 series directors are now 64G FC ready. The recently launched new supervisor-4 modules and fabric-3 modules provide the capability to provide 64G FC performance in the future. So, the chassis you buy today is ready to drive the SAN with optimal speed of 64G FC because the back plane is ready. That’s adding almost a decade long life in already ~8 year old chassis.

So, if we look at Cisco’s SAN investment in the MDS 9700 series platform in the pictures below, shows the commitment of Cisco towards the Fibre Channel industry with continuous hardware and software innovation, through three generations speed (16G, 32G and 64G), along with Cisco NX-OS software from the 6.x to 7.x to 8.x releases.

Figure 1. Hardware innovation

Figure 2. Software innovation

Now, the question is – where is the investment protection we are talking about?

To understand that, let’s look at this example.

CapEx investment needed for customers using Cisco MDS 9700 series directors:

CapEx investment needed for non-Cisco customers (with every speed upgrade):

Note:  New chassis = New (Chassis + Supervisor modules + Fabric Modules + Line cards) + new switch license(s) + new management software license(s) + Components (SFPs, Cables, etc.) and so on… an abscess drainage procedure but pus is replaced with money in this case.

And it does not stop here.

◉ Ask the DC architects how much planning goes in for chassis upgrade (airflow, space, power, etc.)

◉ Ask the engineer on the data center floor for the amount of efforts required to rack and stack new chassis (new cables, new SFPs, new airflow directions, new power requirements, and the downtime to physically swap the chassis). And if something goes haywire during this chassis swap (Murphy’s 

Law), a simple 15-minute outage means millions of dollars lost in revenue.

This is where the Cisco MDS 9700 Series Multilayer Directors continue their technical innovation to maintain feature superiority, in both directions – hardware and software.

This is how hundreds of Cisco MDS 9500 directors are still running nonstop for more than 10 years.

This is how hundreds of Cisco MDS 9700 directors are running nonstop for more than 5 years.

And finally, this is how YOU, the customer, can save millions of dollars by investing in the Cisco MDS 9700 series director class switches.

Continue reading

Cisco Remote Access VPN architecture for Amazon Web Services (AWS)

Today applications are evolving and moving to the public cloud. Amazon Web Services (AWS) offers different types of services to host these applications in the cloud. Customers are opting for hybrid cloud services because it provides the optimum architecture for application hosting and performance. This change in cloud architecture introduces a big challenge of providing a secure connection to the remote workers.

Cisco provides a comprehensive solution by offering Cisco Adaptive Security Application (ASAv) and Cisco Next-Generation Firewall in the AWS marketplace. These virtual appliances can integrate with the Cisco security portfolio and provides unmatched remote access VPN architecture for AWS.

Figure 1: Components of the Cisco Secure Remote Worker

◉ Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off-premises, without creating a headache for your IT teams. Simplify management with a single agent.

◉ Cisco Duo: Cisco Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Cisco Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administrative, visibility, and monitoring.

◉ Cisco Umbrella Roaming Security Module: Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname both on and off your network or VPN.

◉ Cisco Advanced Malware Protection (AMP) Enabler: Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base. This approach provides AnyConnect user base administrators with an additional security agent that detects potential malware threats happening in the network, removes those threats, and protects the enterprise from compromise. It saves bandwidth and time taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the network or VPN.

◉ Cisco Identity Services Engines (ISE): Cisco AnyConnect Secure Mobility Client offers a VPN posture module and an ISE posture module. Both provide the Cisco AnyConnect Secure Mobility Client with the ability to assess an endpoint’s compliance for things like antivirus, antispyware, and firewall software installed on the host. The administrator can then restrict network access until the endpoint is in compliance.

◉ Cisco Adaptive Security Application (Virtual Appliance): The Cisco Adaptive Security Appliance (ASA) is a security appliance that protects corporate networks and data centers. It provides users with highly secure access to data and network resources – anytime, anywhere. The remote users can use Cisco AnyConnect Secure Mobility Client on the endpoints to securely connect to the resources hosted in the Data Center or the Cloud.

◉ Cisco Next-Generation Firewall / Firepower Threat Defense (Virtual Appliance): The Cisco Firepower NGFW helps you prevent breaches, get visibility to stop threats fast, and automate operations to save time. A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall by adding capabilities like application visibility and control, Next-Generation IPS, URL filtering, and Advanced Malware Protection (AMP).

Scalable and Resilient Remote VPN architecture for AWS (Single-VPC & Multi-AZ)

Due to layer-2 abstraction in the cloud, it not possible to provide native firewall high availability, firewall clustering, and VPN clustering. AWS offers native services like AWS route53, AWS route tables that enable DNS based load balancing.

Figure 2: Cisco Remote Access VPN scalable design using AWS Route53

Traffic Flow:

◉ The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. AWS route53 monitors all the firewalls using AWS route53 health checks

◉ Remote user makes the connection to the firewall

◉ Access the resources hosted in AWS

Recommendation for the architecture shown in figure 2:

◉ Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)

◉ Each firewall should have a dedicated VPN pool (i.e. separate VPN pool for each firewall)

◉ VPN pool should be outside of VPC CIDR range, avoid overlapping networks

◉ Control traffic using AWS route table

◉ Enable weighted average load balancing on AWS route53

◉ AWS route53 should track firewalls public IP/elastic IP using port 443

     ◉ Cisco Duo: Multi-factor authentication

     ◉ Cisco Umbrella Roaming Security Module: DNS layer security and IP enforcement

     ◉ Cisco AMP enabler: File and Malware analysis

     ◉ Cisco ISE: Authentication and Posture

     ◉ SWC: Visibility

The architecture shown in figure 2, is a scalable and resilient design for a single VPC deployment. This architecture is based on the principle of a distributed architecture. In the case of a multiple VPN architecture, we recommend deploying bigger firewall instances (example: C5.2xl 0r C5.4xl) in a centralized VPC.

Scalable and Resilient Remote VPN architecture for AWS (Multi-VPC & Multi-AZ)

In the case of a multi-vpc architecture, we recommend deploying multiple instances of bigger firewalls in a centralized VPC (known as security-hub VPC) and the connect security-hub VPC to spoke VPCs using AWS Transit Gateway.

The AWS transit gateway can have the following types of attachments:

◉ VPC attachment (used for VPC and AWS Direct Connect (DX) connection)

◉ VPN attachment (used for IPsec connectivity to DC)

◉ Peering connection (used for peering two AWS transit gateway – not shown in this architecture)

Figure 3: Cisco Remote Access VPN for multi-vpc architecture

Traffic Flow:

◉ The remote access VPN user initiates a VPN connection using a hostname (example: answamivpn.com), and the DNS server returns an IP address. AWS route53 monitors all the firewalls using AWS route53 health checks.

◉ Remote user makes the connection to the firewall.

◉ Access the resources hosted in AWS.

Recommendation for the architecture shown in figure 3:

◉ Each availability zone (AZ) should have multiple firewalls (ASAv or NGFWv)

◉ Each firewall should have a dedicated VPN pool (i.e. separate VPN pool for each firewall)

◉ VPN pool should be outside of VPC CIDR range, avoid overlapping networks

◉ Control traffic using AWS route table

◉ Enable weighted average load balancing on AWS route53

◉ Use AWS Transit Gateway for interconnecting VPC

◉ For a hybrid cloud architecture, terminate VPN on the firewalls at the edge in the secure hub vpc or use VPN attachment on the AWS transit gateway.

◉ AWS route53 should track firewalls public IP/elastic IP using port 443

     ◉ Cisco Duo: Multi-factor authentication

     ◉ Cisco Umbrella Roaming Security Module: DNS layer security and IP enforcement

     ◉ Cisco AMP enabler: File and Malware analysis

     ◉ Cisco ISE: Authentication and Posture

     ◉ SWC: Visibility

Continue reading

Cisco® Application Centric Infrastructure (Cisco ACI™) 5.0 for the Changing World

As we navigate these uncertain times, almost all industries are dealing with the rapid change of technology, increasing social changes and a more dispersed workforce.

It is more important than ever to have a network that is automated and secure from the edge, to the data center and into private and public clouds to help address some of the challenges both current and future.

We are very excited to announce the availability of Cisco® Application Centric Infrastructure (Cisco ACI™) 5.0 that helps customers future proof their networks in these challenging times.  With this release, we are extending ‘ACI Anywhere’ to enable automated Service Provider capabilities for 5G, new capabilities for Cisco’s Cloud ACI, and Day 2 operational tools.

What’s New with Cisco ACI 5.0

Power Service Provider Networks of the Future

5G transformations are challenging the telecom providers to develop the data center networks of the future, which should seamlessly scale, automate and integrate their infrastructure from the edge to the central data center and across the transport network. This requires the adoption of an end-to-end programmable SDN enabled approach across the data center applications and SP transport backbone.

To meet 5G low latency requirements, mobile services are moving closer to the subscriber edge, and drive the demand for distributed compute at the edges of the SP network. The new SP data center will be where the data is and Cisco ACI delivers the automation capability needed for the 5G telco cloud. ACI 5.0 delivers:

◉ Support for Segment Routing MPLS (SR-MPLS) and EVPN handoff. Service providers can inter-connect their ACI based telco cloud to 5G transport backbone network with end-to-end segmentation.

◉ Cross domain policy that automates mapping of 5G application and transport slices for end-to-end SLA that can differentiate low latency applications from non-critical applications.

◉ Service Providers can now simplify and scale to 1000’s of application slices between data center and transport network using a single BGP EVPN peering.

◉ With ACI Multisite Orchestrator (MSO) SR-MPLS policies can be centrally automated across the 5G Telco Cloud sites (central, regional and edge data centers).

The Cisco ACI 5.0 release delivers the tools to build a simple to manage, agile, and secure telco cloud.

Refer to Figure 1 for an example of a distributed ACI telco cloud leveraging an SR-MPLS transport.

Figure 1: ACI Integration with Segment Routing

Enable Simple To Manage Multicloud Deployments

Our customers are adopting Multicloud architectures and Cloud ACI provides the tools to have a consistent policy driven automation and security posture for their deployments.

Cloud ACI now supports the AWS Transit Gateway (TGW) automation for efficient and high-performance interconnect between multiple Amazon AWS VPCs. The ACI 5.0 release supports automation of the TGW lifecycle along with automated route-programming on TGW route-tables for all combinations of East-West and North-South traffic patterns.  Figure 2 shows an example.

Figure 2: ACI Integration with AWS Transit Gateway

Coming soon for Azure is support for VNET Peering, Shared service deployments, native and third party L4-7 service automation functions.

Cloud ACI support for Azure VNET peering enables customers to seamlessly connect networks as a single entity within the Azure Virtual Network, and leverage Azure backbone for low-latency, high bandwidth interconnects between virtual networks.

The solution will also enable customers to leverage a hub and spoke model for hosting their shared services in the hub VNET.

As customers begin to leverage native and third party L4-7 services in the cloud, they need automated traffic redirection to these services. That capability is available for On-Premises ACI fabrics already and the ACI 5.0 releases extends similar service chaining capabilities to Cloud ACI.

Cisco ACI 5.0 delivers for Multicloud deployments:

◉ Enterprise grade segmentation and multi-tenancy

◉ Policy based L4-L7 services automation, incuding native services such as load balancers, and 3rd party firewalls

◉ Enable automation of high performance interconnect (i) Between AWS VPCs (ii) Between Azure Virtual Networks

◉ Secure automated connectivity from on-premises to public clouds, and across public clouds

Keep Pace with Customer Designs and Operations

400G Ready: Customers can now deploy 400G capable Nexus 9508 chassis in their fabric spines and add 400G line cards later this year.

Per Leaf RBAC: Building upon the built-in multi-tenancy capabilities, ACI 5.0 enables new RBAC capabilities for physical multi-tenancy, that allows tenants to have management privileges at per leaf physical switch granularity.

Ease of Use: ACI 5.0 release continues to improve the ease of use of the ACI controller for daily operations:

◉ Centralized view of cloud resource inventory within AWS and Microsoft Azure

◉ Optimize time required for fabric upgrades, along with upgrade status indicators

◉ New Day 0 wizard providing a guided way to complete Day 0 Configuration for SNMP/Syslog policy

Security: Enhancements include increased Role Based Access Control (RBAC) for multi-tenancy, additional two factor authentication (TFA) capabilities with integration with Cisco’s DUO, and improved security policy for ACI Applications with App Center RBAC integration.

We are also introducing new flexible policy construct ‘Endpoint Security Group (ESG)’, that gives  you the ability to group endpoints based on L3 attributes, decoupled from Bridge Domain dependency,  and apply contracts between ESGs.

In addition, there are enhancements to Policy Based Redirect (PBR) capabilities to support additional service devices, symmetrical PBR for L1/L2 devices in cluster mode.

Scale: ACI 5.0 now supports upto 500 leafs per site in a Multi-Pod data center, 15 Virtual data centers in VMware vCenter Integration.

Kubernetes Orchestration: This new release enables several microservice deployment upgrades to support containerized workloads,  including support for ACI-CNI with OpenShift 4.3 on OpenStack and AWS, Docker Enterprise Release 3, and ACI Neutron Plugin support for bare-metal Servers with OpenStack.

Simplify Day 2 Operations

Customers are looking for proactive capabilities with deep insights into their networks to simplify their Day 2 Operations. Cisco enhances it’s existing Network Insights product to include:

◉ Multi-fabric support: Monitor and troubleshoot geographically distributed multiple fabrics with a single instance of Network Insights

◉ Multicast control plane visibility: Resolve issues through anomaly detection on PIM, IGMP & IGMP snooping control plane protocols.

◉ Customizable dashboards: Customize the observable parameters to suit your preferred way of monitoring.

◉ AppDynamics Integration: Detect, locate and troubleshoot application connectivity issues faster, by correlating  network and application telemetry

◉ Topology view (BETA): Explore the power of overlaying logical constructs such as Tenant, VRF, EPG over physical infrastructure to zoom in on the problematic nodes and identify anomalies.

Figure 3: Network Insights For Proactive Day 2 Operations

Through these innovations, customers can transform their Day 2 Operations from being reactive to proactive, and reduce their  OPEX and downtime  by automating detection, location, and efficiently root-cause problems.

Keeping our eyes to the future

Innovation continues to thrive at Cisco  and our  customers  rely on our technology, partnership, and support to keep their businesses running and enable their digital transformations.

Continue reading

Spinning up an NVMe over Fibre Channel Strategy using Cisco MDS 9000 Series Multilayer Switches

Every so often there comes a time when we witness a major shift in the networking industry that fundamentally changes the landscape, including product portfolios and investment strategies. Storage and Storage Area Networks (SANs) are undergoing one such paradigm shift that opens up a huge opportunity for those looking to refresh their SAN investments and take advantage of the latest and greatest developments in this particular space. We can think of it as a “trifecta effect.”

Let’s see how the Cisco MDS SAN solution – using Cisco MDS 9000 Series Multilayer Switches helps meet the challenges posed by this “trifecta effect.” Through this series of blogs, we will cover various topics on Cisco’s innovation in storage networking technologies and how it addresses these challenges.

To start with, let’s first take a very common topic that is top of mind for every customer looking at Cisco MDS 9000 series switches:

◉ Do you support NVMe over Fibre Channel (NVMe/FC) or NVMe over Fabrics (NVMe-oF)?

◉ Which Cisco MDS 9000 Multilayer Series Switches support NVMe?

◉ Do I need an extra license to get support for NVMe on my Cisco MDS SAN switches?

So, let’s discuss the latest and greatest innovations driving the SAN industry and try to paint a picture of how the SAN landscape will look five to seven years down the road, while focusing on asking the right questions prior to that critical investment. Following this, we will be posting additional blogs that will dig deeper into each of the technological advances, in order to understand the bigger and better picture of future storage networking technology.

Why now?

Modern enterprise applications are exerting tremendous pressure on your SAN infrastructure. To keep up with advances in storage technology, customers are looking to invest in higher performing storage and storage networking. Combining the economic viability of All Flash / NVMe arrays and the technological advances with NVMe over Fibre Channel, there has never been a more compelling opportunity to upgrade the SAN infrastructure to meet future demands.

But before we think about refreshing our SAN, we have to ask few questions ourselves:

◉ Does it support NVMe?

◉ Is it 64Gb FC ready?

◉ Do we get any sort of deep packet visibility, a.k.a. SAN analytics, for monitoring, diagnostics, and troubleshooting?

◉ How can I get my SAN ready to use Cisco MDS 9000 Series Multilayer Switches?

We will elaborate more on the above questions, one by one, in this series of blogs.

In this blog, let’s talk about NVMe over Fibre Channel (FC) support using Cisco MDS 9000 series switches.

Most of us probably know what NVMe is – the various deployments of NVMe (over FC, RoCE, TCP, etc.). Solid State Disks (SSDs) and NVMe have superseded rotating/spinning disks. NVMe also has opened up a superhighway to send traffic using multiple lanes, providing a very high throughput rate. This results in extremely high bandwidth consumption, along with burst of reads and writes.

Does Cisco’s MDS SAN solution provide support for NVMe/FC?

This is a very common and top-of-mind question from customers during conversations involving SAN. The good news on the Cisco MDS SAN solution is – yes, it supports NVMe.

◉ Transparent support – no additional hardware/commands needed

◉ Works with any current 16G/32G fabric switch or current Cisco MDS 9700 16G/32G modules using Cisco NX-OS 8.x release

◉ No additional license needed

◉ No additional features needed to enable identification of NVMe commands

Vendor certification

From an ecosystem support perspective, we have certified Broadcom/Emulex and Cavium/Qlogic HBAs, along with Cisco UCS® C-Series servers. We have also published Cisco Validated Design guides with the NVMe solution, listed at the end of this blog.

We can run SCSI and NVMe flows together through the same hardware, through the same ISL (Inter Switch Link). Cisco MDS 9000 series switches will transparently allow successful registrations and logins with NVMe Name Servers as well as I/O exchanges between SCSI and NVMe initiators and targets, together.

This way, NVMe/FC, along with the Cisco MDS SAN solution, provides the best possible performance across the SAN, with seamless insertion of NVMe storage arrays in the existing or new ecosystem of MDS SAN switches.

Continue reading