Tuesday 1 September 2020

Cisco MDS SAN Analytics: The GPS System for Your SAN


Living in Silicon Valley can be very exciting, but it has some challenges too. Traffic is certainly one of those challenges, and it’s a very common occurrence for most of us. Regardless of where you live in the world, you’ve likely experienced the inconvenience of traffic congestion.

In order to avoid traffic, we usually turn to one common solution. Simply turn on your favorite GPS map application and find the most optimized route around traffic congestion. These applications provide us with real-time traffic reports and visualization across the GRID and in every city.

The same analogy can be applied to Cisco’s industry-unique solution: SAN Analytics for Cisco MDS 9000 series switches.

The Need for SAN Visibility


When beginning a performance review of our storage environment, we need complete visibility. Storage management solutions provide valuable insights from the fabric, storage and server infrastructure perspective. But what about congestion that occurs outside of the server or storage environment? It could be a misbehaving application, a faulty piece of hardware in the path, or a saturated storage port. It could even be a VM causing heavy utilization on a server port, or an application with bursty behavior caused by a large number of small IOPS. It can literally be anything, right? This is precisely where Cisco SAN Analytics comes to the rescue.

Like a trusted GPS, Cisco SAN Analytics running on the Cisco MDS 32G platform provides real-time, complete visibility across the fabric, comprising SCSI/NVMe flows. Let’s look at this very briefly and understand how it functions in Cisco’s MDS 32G switches.

How It Works



The Cisco SAN Analytics solution runs on the onboard NPU (Network Processing Unit) of the Cisco MDS 32G platform. Because the analytics work is carried out on this dedicated network processor, turning on the feature is non-disruptive to normal switching functionality. The NPU residing on each 32G module or switch analyzes the Fibre Channel protocol header information (SCSI or NVMe) and then exports this metadata from the switch using streaming telemetry via the management port. The metadata can be streamed into DCNM (Data Center Network Manager) or to any 3rd party tool that is able to digest gRPC formatted data.

The unique features of SAN Analytics


◉ Accessibility: Turn ON or OFF anytime, without disrupting normal switching traffic through the port.

◉ Ease of configuration or administration: It is not rocket science! It’s a simple 4-step process using DCNM or a 2-line CLI command to enable it.

◉ Flexibility: It can analyze SCSI or NVMe flows, or both flows together.

◉ Security: The analysis works from protocol headers and does not touch the data payload, so there is no concern about compromising the data at any point.

◉ Simplicity: How about those extra cabling or ports? Not necessary, as this is an on-switch function requiring no extra cables or ports.

◉ Scalability: It can be turned on across selected or all switch ports to monitor up to 40,000 flows.

Now, if there are any issues in the fabric (or even to improve the performance of the fabric), you will know where to send the ambulance!

This is how Cisco SAN Analytics is defining the standards for storage network analytics: simple, scalable, and secure.


Take SAN Analytics for a Test Drive


Why not try it out? Both Cisco Data Center Network Manager (DCNM) and the SAN Analytics software products can be deployed and utilized with full product capabilities for up to 120 days. This will allow customers to test drive these amazing technologies in their environments to get a feel for their capabilities before they purchase.

Simply grab any Cisco MDS 32G FC switch/module, put it in any fabric (Cisco or non-Cisco), and discover issues long before they can become a real problem.

Monday 31 August 2020

Cisco Named a Leader in IDC MarketScape: Worldwide Enterprise Videoconferencing 2020 Vendor Assessment

Why Cisco is a Leader in the 2020 IDC MarketScape


For the fifth consecutive year, Cisco has been identified as a leader in the IDC MarketScape! We are extremely proud to receive this recognition and while we strive to achieve for the benefit of our customers, it always feels good to be recognized for our hard work, especially in a crowded market among notable competitors. Cisco’s continued standing as a Leader in the 2020 IDC MarketScape Worldwide Enterprise Videoconferencing report is a strong indicator that customers continue to believe in the Webex vision and strategy. As the IDC MarketScape report points out, our “focus on enterprise-grade security, scale, and management functionality are selling points for customers.”

IDC MarketScape studies each company’s recent path, investigates where it thinks the company is going, connects with the company’s customers, and arrives at a positioning based on these parameters.

Our Approach to Collaboration


I see our position as a leader in this year’s IDC MarketScape as a validation of our approach to collaboration: We believe in tools that are easy to use and let users be productive from anywhere; that are integrated with the workflow and decision-making process; that have security built in, not bolted on; and that are inherently flexible, manageable and adaptable for scale and innovation. And for many of our customers, the best part is you can get it all from one place.

“Cisco’s one-stop vendor approach and broad portfolio of video collaboration solutions and endpoints that are integrated with its extensive UC&C portfolio can be key benefits for customers, whether you are a small, a midsize, or an enterprise organization,” said Rich Costello, IDC analyst. “This can be even more beneficial especially if you already have an existing investment in Cisco networking infrastructure or leveraging cloud-based services.”

MarketScape Vendor Analysis


We work hard here at Cisco to give customers the tools they need to be successful. Whether you are working from the Cloud, from an on-premise device, from your mobile, desktop, or tablet, we want to ensure that we’re providing you with the products and experiences you need.

Let me tell you more about why Cisco continues to be recognized as a leader by the IDC MarketScape and other industry watchers.

SOURCE: IDC MarketScape: Worldwide Enterprise Videoconferencing 2020 Vendor Assessment, by Rich Costello, July 2020, IDC Doc# US46691620.

The IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of ICT suppliers in a given market. The research methodology uses rigorous scoring based on both qualitative and quantitative criteria, resulting in a single graphical illustration of each vendor’s position within a given market. The Capabilities score measures vendor product, go-to-market, and business execution in the short term. The Strategy score measures alignment of vendor strategies with customer requirements in a 3-5-year timeframe. The vendor market share is represented by the size of the icons.

Making the Workplace Experience Better 


We understand that the tools you use every day need to make your life easier, not harder. Webex combines calling, meetings, messages, and devices into one single unified experience, so you can work better, faster, smarter. While you are scheduled for back-to-back video meetings from home, you can see who is already waiting for you in the next meeting, and if you are running late, just send a message in your Team space to let them know while they wait in the security lobby, or attach a file from your Enterprise Content Management system for them to review in the meantime. And if you have a few extra minutes before the next meeting, you can video call a colleague for a quick discussion with a single click. The ease of use of Webex makes connecting and collaboration simple and frictionless. It combines both hardware and software to fit today’s workstyles, workflows, and workspaces. Our unified platform provides all the collaboration tools needed – with just one, modern, unified application.

Our Customer’s Needs are our Top Priority – Simple Buying Model 


This is an unprecedented era, where remote working collaboration tools — video conferencing, devices, phones, headsets — have become the lifeblood for businesses to stay connected and productive. That is why we have formulated a simple purchasing model.

HaaS: offers industry-leading collaboration endpoints with a more affordable payment plan and a better user experience through our Webex® unified platform. Set up your remote office with devices such as the DeskPro.

Flex plan: use Cisco collaboration tools with one simple subscription-based offer. It helps with transitions to the cloud, and investment protection, by including cloud, premises, hosted, and hybrid deployments, with the flexibility to use them all.

You have an easy way to access the tools you need. Our repeat recognition as a Leader means that we’ve demonstrated a seamless, intelligent portfolio for every type of workspace that meets market demand. Remote work is the new normal way to work and the Cisco Webex portfolio was purposefully designed to make interacting and collaborating with your teams effortless.

Increase Market Coverage


Our team has a focus on making Webex available to companies of all sizes.

The IDC MarketScape also notes that our recent acquisition and integration of BroadSoft has expanded our global carrier partnerships with a large base of cloud calling users who can now “create a compelling calling and meetings bundle with an integrated experience”. I am proud to say that we are a leader in cloud calling – with over 30M users served through our cloud calling platforms by over 400 carriers worldwide. We are working diligently with our partners to bring the complete Webex collaboration experience to all these cloud calling customers.

Saturday 29 August 2020

Monitoring SAP Business Processes with Cisco AppDynamics


In today’s digital world, the application isn’t just a part of the business—in many cases, it is the business. So when performance issues strike, they’re more than merely headaches—they’re potentially revenue-impacting events. That’s why IT and business leaders who want to stay ahead of the curve and avoid costly downtime require a proactive approach to application performance monitoring (APM).

That’s where Cisco AppDynamics comes in.

With automatic baselining and anomaly detection, Cisco AppDynamics provides comprehensive APM that helps businesses stay one step ahead of issues impacting their applications, including those in SAP environments. By providing an all-in-one view of application health, plus the ability to drill down to the line of SAP proprietary code, Cisco AppDynamics is uniquely capable of delivering insights businesses can act on.

Take Cepheid, a leading molecular diagnostics company based in California. For years, Cepheid’s operations team performed around-the-clock operational monitoring and support of its SAP applications using disparate tools, including logs, to manually monitor its SAP environment. Now, Cepheid uses AppDynamics to proactively detect and address issues before they become problems. If, for example, Cepheid’s SAP environment were to suffer an outage, supply chain and manufacturing would be at risk of being slowed, order fulfillment—better known in the SAP space as Procure to Pay—would stall, and downstream, the ability to pay suppliers and bill customers, known as Order to Cash, would also be impacted. But because Cepheid uses Cisco AppDynamics, the company knows it has a proactive monitoring solution designed to keep it ahead of the curve.

The high cost of not connecting SAP to business outcomes


Thousands of businesses around the world run their customer-facing and back-end processes with a combination of SAP applications for e-commerce, logistics, ERP, and supply chain, as well as non-SAP applications. When problems arise in these environments—for example, if revenue is down on an e-commerce site—the cause can be any of a number of factors, ranging from the simple (a lack of website traffic) to the more complex, such as an underperforming order management system. Whatever the cause may be, it’s critical that IT teams have the solutions needed to identify and prioritize the issues at hand, for the sake of the customer experience and the health of the business. This is particularly relevant for application problems that your customers can’t necessarily see, such as code issues or undersized compute nodes, which can still cause them to abandon your application.

Today, a normal response to business process issues such as these is to bring stakeholders into a war room-like setting to participate in a vigorous session of finger-pointing based on siloed data about the application environment. Not surprisingly, this reactive approach is extremely inefficient and can lead to skyrocketing mean-time-to-resolution (MTTR) as well as customer churn.

Enter AppDynamics Business IQ for SAP


To address the critical challenges associated with connecting SAP performance to the context of your business, AppDynamics has added the ability to manage business process performance, including processes that run a combination of SAP and non-SAP applications.

As a first step, Business IQ correlates the metrics of core business processes with those of underlying applications. These metrics are baselined by machine learning algorithms that determine “normal” operating conditions. This “normal” baseline is used as the benchmark for alerting when a metric deviates from the normal. When this happens, AppDynamics proactively sends alerts and provides potential root-cause analysis to remediate the issue.

Integral to the ability of AppDynamics to monitor SAP applications is its code-level visibility into ABAP, SAP’s proprietary programming language, which is used to build SAP applications. This capability complements the ability of AppDynamics to monitor non-SAP applications.

Core Business IQ capabilities include:

◉ Measuring how application performance impacts business health, using dashboards, health rules, and metrics to help you understand how application performance impacts customers and the overall business in real time. (See Figure 1.)

Figure 1.  Screenshot of an AppDynamics order management dashboard


◉ Monitoring and providing insights into the customer journey along the most business-critical paths of a business’s SAP and non-SAP business processes. Through customer and business journey dashboards, you can identify the critical steps customers take before specific conversion events or other milestones in their journeys. (See Figure 2.)

Figure 2.  Screenshot of a customer order journey dashboard


◉ Proactively managing digital business processes around business journeys, allowing you to identify where bottlenecks exist at different steps of a business process before they become customer-impacting and to measure the health of end-to-end business processes with SAP and non-SAP application components in real-time.

With Business IQ from AppDynamics, business owners and IT departments can discuss the health of their business processes and connect with application health through one common language, as they deliver exceptional customer experiences. No more war rooms, just a single source of truth.

So if the success of your business depends on the health of your SAP-based business processes and applications, learn more about how AppDynamics, the only platform that unifies full-stack performance monitoring for business and IT, can help you.

Friday 28 August 2020

Work-From-Home Networking: One Size Does Not Fit All

In March of this year, commercial offices began closing around the world, and businesses sent millions of their employees home to do their jobs from there. For the most part, I.T. successfully supported the transition. The global Internet did not crumble, and most people found they could access resources and videoconferencing tools just fine. It’s a testament to I.T. workers around the world that this emergency transition worked as well as it did.

But we are no longer in the emergency phase of the shift to work-from-home. It’s time now to plan for a long-term change in where people work, how they access online resources, and how we support and secure these users and their workloads.

The fundamental shift is that we need to think about our people working from home, and the home networks they use, as the default network. We cannot think of these home installations as second fiddle to our corporate-controlled, office-based networks. Now we must consider every work-from-home worker, and every one of their home offices, as worthy of the same level of connectivity support as our company headquarters and branches.

Of course, we can’t really provide every worker with headquarters-level support for their home networks. But we can attack the challenge by breaking down the way we approach the different needs of different workers. And by using new methods to head off issues before they become critical.

The Status Quo: VPN Users


For many office employees in companies that rely heavily on corporate applications, the standard model of equipping them with Virtual Private Network (VPN) software for their computers will continue to work. Configuring split tunneling can optimize performance to cloud-hosted services while still giving employees secure access to corporate-hosted resources.


Choose the right solution for each worker’s home networking needs.

There are even some users who can throttle back from using VPNs. Today, we have employees who work exclusively on cloud services (like Office365), and we can take a zero-trust posture with their networking stacks, relying instead on the applications for security.

But even in cases where the end user isn’t connected to corporate-controlled resources or for whom connecting to a VPN is superfluous, we should still monitor the performance of the services they are using, to get ahead of any issues that may arise in their cloud services. With digital experience monitoring, it’s possible to check on network and application performance, even for networks and applications that do not touch our corporate infrastructure.

Enhanced Connectivity: Corporate Access Points in the Home


For employees for whom best-effort connectivity isn’t enough, we can replace or augment a home wireless access point with a Wi-Fi router that acts as an extension of the corporate network. A home wireless access point, configured by company I.T. before the employee installs it, can provide advanced security and monitoring and prioritize bandwidth for applications that need it.

As a side benefit for users, corporate access points can make an in-home network appear just like the at-the-office network. If their devices automatically connect at the office, they’ll do the same at home. There’s no need to bother with firing up a VPN.

For home workers who need to get non-PC devices, like IP phones, on the corporate network, dedicated corporate access points are also an easy solution.

Some of our customers support engineers working at home as well, and some of them need to get multiple devices on their companies’ networks. For them, extending the network into the home is by far the best solution.

In fact, for pure simplicity and ease of use, having a company Wi-Fi access point in the home can’t be beat — especially for the many employees who use multiple devices for work, like perhaps a laptop, a phone, and a tablet. This solution removes the need to ever sign on to a VPN and makes seamless connectivity to work resources a snap.

And as remote extensions of the corporate network, corporate IT will have full visibility into these access points. They can manage the devices remotely and track performance and security issues.

Our Remote Workforce Wireless Solution is designed for these use cases.

When Poor Connectivity Means Lost Revenue — or Worse


And then you have the employees who absolutely cannot suffer downtime or performance outages: for example, real-time traders and medical professionals. These are workers for whom the vast majority of their productivity is interacting with remote systems or other people. For these workers, even a reliable ISP connection to their home office may not be good enough.

Furthermore, for high-security workers like traders, it may not be good for them to go direct to the Internet and risk falling prey to a honeypot attack from a van sitting outside their house.

More commonly, for a worker who has limited ISP bandwidth in their home, it may be unacceptable if, say, a video consultation degrades because a child in their house is competing for bandwidth during a distance-learning class at the same time.

For these workers, we recommend secure SD-WAN routers that can select better or alternate paths to necessary resources in real-time. In these homes, consider a router (like our LTE Advanced Pro) that has an independent wireless connection. I.T. personnel can configure this equipment so critical communications are routed over it – either all the time, or when the main link becomes burdened.

While a home-based SD-WAN router is overkill for most workers, when connectivity is mission-critical (and when you’re equipping execs who cannot stand being disconnected), it’s the best option. It’s also a good solution for employees who don’t have a reliable primary ISP.

Work from Home is Not One-Size-Fits-All


Our employees have been working from home for months, and it is time to start finessing their networking solutions. We need to consider individual circumstances, including the availability of reliable ISP connectivity for each user, the number and types of devices they work with, and how important it is that they remain online 100% of the time.

Even when people start returning to offices, there will be many employees who work from home more frequently – and many who rarely, or never, come in to the office. Their home installations deserve the same level of consideration and support as any other place where our employees gather.

Thursday 27 August 2020

Cisco DNA Spaces Indoor IoT Services with Wi-Fi 6 – Delivering Business Outcomes at Scale

Organizations today are facing unprecedented times, and the need to digitize physical spaces has never been more important.

To adapt to these new challenges, enterprises must shift toward a new, open and unified ecosystem that both (1) supports delivering outcomes at scale and (2) continues to provide the enterprise with control of their infrastructure and solution stack.

Cisco’s wireless infrastructure with Cisco DNA Spaces is a powerful framework to enable this new requirement. Wireless access points have evolved from being used for connectivity to being a sensor enabling location services – and Cisco’s Wi-Fi 6 Certified Catalyst 9100 access points powered by Cisco’s Catalyst 9800 controllers can now serve as a powerful gateway for not just Wi-Fi devices but also BLE asset tags, beacons, and other IoT end devices.

With Cisco DNA Spaces Indoor IoT Services, customers can take their wireless beyond connectivity, digitize their physical spaces, and gain insights on the behavior of people, and now things. Currently supporting at least 500 million mobile devices, processing over 1 trillion location updates, and live across over 1 million access points, Cisco DNA Spaces continues to scale into digitizing enterprises across various industries.

Enabling Multiple Use Cases through an Open, Unified Platform


Location services solutions today face major challenges with complexity and limited ability to scale. There is a fragmented market of proprietary solutions where new applications would require disparate hardware and software, limiting flexibility and reusability.

Vendor-specific apps and hardware mean that there are separate touchpoints for monitoring and support, resulting in disjointed support models. As customers discover more use cases and deploy more IoT devices, they run into management pains with vendor lock-in and limited scalability.


To overcome this complexity and cost, we are excited to announce Cisco DNA Spaces Indoor IoT Services, which provides an open and unified platform for ordering IoT devices, onboarding and configuring devices, and connecting to industry-specific applications to enable business outcomes.

This offering will help customers deploy their applications rapidly, at scale, and at a significantly lower total cost of ownership (TCO). This empowers enterprises to deploy multiple use cases such as asset management, room finding, space utilization, environmental monitoring, employee safety, and more, all enabled through a single middleware layer.

With Cisco DNA Spaces Indoor IoT Services, customers can deploy a broader spectrum of end devices, all without having to deploy separate gateways.


The IoT Device Marketplace features a broad spectrum of supported end devices ready for customers to order and deploy. Customers have a wide choice of specialized beacons, tags, wristbands, badges, sensors, and other devices that are ready to deploy.

They can choose these devices based on their required use case, technology, form factor, and price. The device vendors are validated and are integrated into Cisco DNA Spaces end-to-end support model.


Customers can discover and order end devices through the IoT Device Marketplace.

Cisco DNA Spaces also has an ecosystem of partner applications that are easy to activate. The Cisco DNA Spaces App Center features industry-specific partner applications that leverage the location data from Cisco DNA Spaces, delivered over the Firehose API, to drive business outcomes across healthcare, workspaces, retail, hospitality, education, and manufacturing.


Discover vertical specific partner applications on the Cisco DNA Spaces App Center.

Wi-Fi 6 Access Points with Dynamic Gateways


Cisco’s Wi-Fi 6 certified Catalyst 9100 access points can now host the Cisco DNA Spaces Advanced Gateway, deployed through Indoor IoT Services. This gateway enables management of BLE beacons and asset tags. The access points also come standard with a BLE radio, allowing them to scan, detect telemetry, transmit, and receive location information from various BLE end devices.

This decouples devices & applications, meaning customers can enable multiple applications with a wide range of devices, without having to worry about vendor compatibilities. This also replaces the need for overlay networks, and customers won’t have to deploy separate gateways.


End-to-End as a Service


Cisco DNA Spaces Indoor IoT Services is an end-to-end as a service offering that greatly simplifies the activation, configuration, monitoring and management of IoT end devices from different vendors. You can discover devices from your network, activate them, and group these devices by assets, use cases and types of devices.

Device management is made simple with the ability to apply policy-based configurations to the device groupings.


Apply policies to device groups, based on use case or asset.

End-to-end monitoring & support capabilities are also being expanded to include the end devices, in addition to Cisco DNA Spaces location data, access points, and partner applications. Monitoring will now include device battery level, last heard, and firmware to ensure that your end devices are working optimally.


Monitor devices through the dashboard and get proactive alerts on which devices require attention.

Tuesday 25 August 2020

Multi-Site Data Center Networking with Secure VXLAN EVPN and CloudSec

Transcending Data Center Physical Needs


Maslow’s Hierarchy of Needs illustrates that humans need to fulfill basic physiological needs—food, water, warmth, rest—in order to pursue higher levels of growth. When it comes to the data center and Data Center Networking (DCN), meeting the physical infrastructure needs is the condition on which the next higher-level capabilities—safety and security—are constructed.

Satisfying the physical needs of a data center can be achieved through the concepts of Disaster Avoidance (DA) and Disaster Recovery (DR).

◉ Disaster Avoidance (DA) can be built on a redundant Data Center configuration, where each data center is its own Network Fault Domain, also called an Availability Zone (AZ).

◉ Building redundancy between multiple Availability Zones creates a Region.

◉ Building redundant data centers across multiple Regions provides a foundation for Disaster Recovery (DR).


Availability Zones within a Region

Availability Zones (AZ) are made possible by a modern data center network fabric with VXLAN BGP EVPN. The interconnect technology, Multi-Site, is capable of securely extending data center operation within and between Regions. A Region can consist of connected and geographically dispersed on-premise data centers and the public cloud. If you are interested in more details about DA and DR concepts, watch the Cisco Live session recording “Multicloud Networking for ACI and NX-OS Enabled Data Center Fabrics”.

With the primary basic need for availability through the existence of DA and DR in regions achieved, we can investigate data center Safety needs as we climb the pyramid of Maslow’s hierarchy.

Safety and Security: The Second Essential Need


The data center is, of course, where your data and applications reside—email, databases, website, and critical business processes. With connectivity between Availability Zones and Regions in place, data is exposed to threats once it moves outside the confines of the on-premise or colocation centers. That’s because data transfers between Availability Zones and Regions generally have to travel over public infrastructure. The need for such transfers is driven by the requirement to have highly available applications that are supported by redundant data centers. As data leaves the confines of the Data Center via an interconnect, safety measures must ensure the Confidentiality and Integrity of these transfers to reduce the exposure to threats. Let’s examine the protocols that make secure data center interconnects possible.

DC Interconnect Evolves from IPSec to MACSec to CloudSec


About a decade ago, MACSec (IEEE 802.1AE) became the preferred method of addressing Confidentiality and Integrity for high-speed Data Center Interconnects (DCI). It superseded IPSec because it was natively embedded into the data center switch silicon (CloudScale ASICs), which enabled encryption at line rate with minimal added latency and packet-size overhead. While these were advances over IPSec, MACSec has one shortcoming: it can only be deployed between two adjacent devices. When Dark Fiber or xWDM is available between data centers this is not a problem, but often such a fully transparent and secure service is too costly or not available. In those cases, the choice was to revert to the more resource-consuming IPSec approach.

The virtues of MACSec, paired with the requirements of Confidentiality, Integrity, and Availability (CIA), result in CloudSec. In essence, CloudSec is MACSec-in-UDP in Transport Mode, similar to ESP-in-UDP in Transport Mode as described in RFC 3948. In addition to the specifics of transporting MACSec-encrypted data over IP networks, CloudSec adds a UDP header for entropy and carries an encrypted payload for Network Virtualization use cases.

CloudSec carries an encrypted payload for network virtualization.

Other, less efficient attempts were made to achieve similar results using, for example, MACSec over VXLAN or VXLAN over IPSec. While secure, these approaches simply stack encapsulations and incur higher resource consumption. CloudSec is an efficient and secure transport encapsulation for carrying VXLAN.

Secure VXLAN EVPN Multi-Site using CloudSec


VXLAN EVPN Multi-Site provides a scalable interconnectivity solution among Data Center Networks (DCN). CloudSec provides transport and encryption. The signaling and key exchange that Secure EVPN provides is the final piece needed for a complete solution.

Secure EVPN, as documented in the IETF draft “draft-sajassi-bess-secure-evpn”, describes a method of leveraging the EVPN address family of Multi-Protocol BGP (MP-BGP). Secure EVPN provides a similar level of privacy, integrity, and authentication as Internet Key Exchange version 2 (IKEv2). BGP provides a point-to-multipoint control plane for signaling encryption keys and exchanging policy between the Multi-Site Border Gateways (BGW), creating pair-wise Security Associations for the CloudSec encryption. While there are established methods for signaling the creation of Security Associations, such as IKE in IPSec, these methods are generally based on point-to-point signaling, requiring the operator to configure pair-wise associations.

A VXLAN EVPN Multi-Site environment enables any-to-any communication between Sites. This full-mesh communication pattern requires the pre-creation of the Security Associations for CloudSec encryption. Leveraging BGP and its point-to-multipoint signaling becomes more efficient given that the Security Associations stay pair-wise.

Secure VXLAN EVPN Multi-Site using CloudSec provides state-of-the-art Data Center Interconnect (DCI) with Confidentiality, Integrity, and Availability (CIA). The solution builds on VXLAN EVPN Multi-Site, which has been available on Cisco Nexus 9000 with NX-OS for many years.

Secure VXLAN EVPN Multi-Site is designed to be used in existing Multi-Site deployments. Border Gateways (BGW) using CloudSec-capable hardware can provide the encrypted service among peers while continuing to provide the Multi-Site functionality without encryption to the non-CloudSec BGWs. As part of the Secure EVPN Multi-Site solution, the configurable policy enables enforcement of encryption with a “must secure” option, while a relaxed mode is present for backward compatibility with sites that are not encryption-capable.
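As an added illustration (not Cisco’s code and not the draft’s actual procedure), the following Python model contrasts the point-to-multipoint BGP signaling described above with pair-wise IKE-style negotiation, and shows how the “must secure” and relaxed policies decide the outcome for each peer pair; the site names and the exact policy semantics are constructed assumptions.

```python
"""Constructed model of Secure EVPN Multi-Site signaling and CloudSec policy.
Each Border Gateway (BGW) advertises its CloudSec parameters once over the
MP-BGP EVPN address family (point-to-multipoint); every receiver derives the
pair-wise Security Associations (SAs) locally. Names/policy semantics are
illustrative assumptions, not NX-OS configuration."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class BgwAdvert:
    """One BGP advertisement: sending site and whether it can run CloudSec."""
    site: str
    cloudsec_capable: bool


def pairwise_sa_count(n: int) -> int:
    """Any-to-any traffic among n BGWs needs one pair-wise SA per site pair."""
    return n * (n - 1) // 2


def signaling_load(n: int) -> dict:
    """Point-to-point IKE-style negotiation costs one exchange per pair;
    BGP costs one advertisement per BGW that every peer receives."""
    return {"p2p_ike_exchanges": pairwise_sa_count(n), "p2mp_bgp_adverts": n}


def build_sa_table(adverts: list, policy: str) -> dict:
    """Per-pair outcome a BGW computes from the received adverts.
    'must-secure' blocks any pair that cannot encrypt; 'relaxed' keeps plain
    Multi-Site forwarding for backward compatibility with such pairs."""
    if policy not in ("must-secure", "relaxed"):
        raise ValueError(f"unknown policy {policy!r}")
    table = {}
    for a, b in combinations(sorted(adverts, key=lambda x: x.site), 2):
        key = (a.site, b.site)
        if a.cloudsec_capable and b.cloudsec_capable:
            table[key] = "cloudsec"    # pair-wise SA established
        elif policy == "must-secure":
            table[key] = "blocked"     # encryption enforced, pair not allowed
        else:
            table[key] = "cleartext"   # relaxed: unencrypted VXLAN Multi-Site
    return table


if __name__ == "__main__":
    # Constructed sample: three sites, one on non-CloudSec hardware.
    sites = [BgwAdvert("site-a", True), BgwAdvert("site-b", True),
             BgwAdvert("site-c", False)]
    print(signaling_load(len(sites)), build_sa_table(sites, "must-secure"))
```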

Secure VXLAN EVPN Multi-Site using CloudSec is available on the Cisco Nexus 9300-FX2 as of NX-OS 9.3(5). All other Multi-Site BGW-capable Cisco Nexus 9000s are able to interoperate when running Cisco NX-OS 9.3(5).

Configure, Manage, and Operate Multi-Sites with Cisco DCNM


Cisco Data Center Network Manager (DCNM), starting with version 11.4(1), supports the setup of Secure EVPN Multi-Site using CloudSec. The authentication and encryption policy can be set in DCNM’s Fabric Builder workflow so that the necessary configuration settings are applied to the BGWs that are part of the respective Multi-Site Domain (MSD). Because DCNM is backward compatible with non-CloudSec-capable BGWs, they can be included with one click in DCNM’s web-based management console. Enabling Secure EVPN Multi-Site with CloudSec is just a couple of clicks away.

Monday 24 August 2020

Simplify IoT Edge-to-Multi-Cloud Data Flow with Cisco Edge Intelligence

DevNet is always looking for ways to help you do business smarter. And with our new IoT Edge Intelligence tools, you can now get your data directly from the network edge to the cloud, or from your own data center. Read on to learn how.

Connect assets at the edge to multi-cloud application destinations


Cisco recently made its brand new IoT data orchestration software – Edge Intelligence – publicly available. Edge Intelligence (EI) connects assets at the edge to multi-cloud application destinations securely, reliably and consistently.

The software integrates nicely with Cisco’s industrial networking and compute devices, which means that it already runs on some IOx-capable devices (IR829, IR809, IC3000, and more to come very soon!). But today, you can get EI as a SaaS, where the user can manage assets, data policies, and data destinations via a centralized UI that enables remote deployment at scale.

Here at DevNet, we wanted to make EI fun and easy. So, you can now test, learn, and get hands-on with EI in our new Learning Lab and DevNet Sandbox.

How it works


Edge Intelligence is built on 4 pillars:

1. Data Extraction: You can automatically ingest data from any edge sensor using built-in, industry-standard connectors residing on Cisco network equipment. Supported sensor protocols include OPC-UA, Modbus (TCP-IP and Serial-RTU), and MQTT.

2. Data Transformation: You can create intelligent, business-ready tasks using policies to filter, compress, or analyze data using real-time computing. Edge Intelligence supports creating these data logic scripts using industry-standard IDE tools (e.g. Microsoft VSCode).

3. Data Governance: You can create a central point of control with the authority and security to determine who has access and where that data may be accessed. Edge Intelligence allows for policy control at device and attribute level on raw or transformed data.

4. Data Delivery: You can choose which data is delivered to which analytics destinations, with seamless integration with cloud providers, including Azure IoT Hub, and with standard MQTT-based destinations such as Quantela and Software AG.

Here’s an easy way to find out more about how Edge Intelligence works. In my August 26th webinar we will show you how to create your asset types, asset inventory, and data policies within just a few minutes, and how to send data from the edge to your MQTT broker or preferred cloud hosting service. We will also showcase creating data logic scripts for data transformation using the industry-standard IDE Visual Studio Code.

Source: cisco.com