Cisco NX-OS VXLAN Innovations Part 1: Inter-VNI Communication Using Downstream VNI

In this blog, we’ll look closely at VXLAN EVPN Downstream VNI for intra-site and inter-site (Inter-VNI communication using Downstream VNI).

Segmentation is one of the basic needs for Multi-Tenancy. There are many different ways to segment,  be it with VLANs in Ethernet or VRFs in IP Routing use-cases. With Virtual Extensible LAN (VXLAN), segmentation becomes more scalable with over 16 million assignable identifiers called VNI (Virtual Network Identifier). Traditionally, VXLAN segments are assigned in a symmetrical fashion, which means it must be the same to allow communication. While this symmetric assignment is generally fine, there are use cases that could benefit from a more flexible assignment and the communication across VNIs. For example, Acquisition and Mergers or  Shared Services offerings.

During Acquisition and Mergers, it is pertinent to achieve a fast and seamless integration both for the business and the IT infrastructure. In the specific case of the IT infrastructure, we are aiming to integrate without any renumbering. This broken down to VXLAN, we want to provide inter-VNI communication.

In the case of Shared Services, many deployed segments are required to reach a common service like DNS, Active Directory or similar. These shared, or extranet, services are often front-ended with a firewall which avoids the need for inter-VNI communication. Nevertheless, there are cases where specific needs dictate transparent access to this extranet service and inter-VNI communication becomes critical.

There are different methods where inter-VNI communication is used. The most common cases with attached terminology are called VRF Route Leaking. In VRF Route Leaking, the goal is to bring an IP route from one VRF and transport or leak it, into a different VRF. Different needs are present in translation cases. For example,  when you want to represent a segment with a different identifier than what was assigned (think VLAN translation).

Downstream VNI assignment for VXLAN EVPN addresses inter-VNI communication needs, be it for communication between VRFs, or is it for use-cases of translating VNIs between Sites.

Use Case Scenarios

Downstream VNI for shared services provides the functionality to selectively leak routes between VRFs. By adjusting the configuration of the VRF Route-Targets (RT), you have the option to import IP prefixes into a different VRF. Downstream VNI assignment allows the egress VTEP (Downstream) to dictate the VNI used by the ingress VTEP (Upstream). This is to reach the network advertised by the egress VTEP, which would otherwise honor the configured VNI. Downstream VNI complements and completes the need for asymmetric VNI assignment and simplifies the communication between different VRF with different VNIs. For example, the Extranet/Shared Services scenario where a service (DNS Server) sitting in service VRF needs to share the services to all the hosts (servers in different VRFs). The Shared service VRF needs to a) import the multiple VRFs into its local VRF as well as should be b) able to support the disparate value of downstream VNI.

Similar as in the shared services use-case, Downstream VNI provides a method of Translating or Normalizing VNI assignments in a VXLAN EVPN Multi-Site deployment. Where traditionally the same VNIs have to be assigned across all the Sites, with Downstream VNI we can allow inter VNI communication on the Border Gateway (BGW). By aligning the Route-Target configuration between the BGW, Sites with different VNIs will be able to communicate. Exactly as explained for the prior use-case, the egress VTEP (Downstream) dictates the VNI to be used by the ingress VTEP (Upstream) For example, Normalization/Asymmetric VNI deployment scenario, when we are adding new Sites in VXLAN EVPN Multi-Site, on new Border Gateway (BGW), it may be desirable to use and stitch completely disparate values of VNIs.

Benefits

Seamless Integration and Flexible Deployments. With Downstream VNI we have the opportunity for more seamless integration of disjoint networks with the same intent. As a result, a much more agile and time-saving approach is available. For use-cases where Extranet/Shared Service scenario exists, a more flexible deployment option exists with Downstream VNI.

How it works

1. Upon receiving a route update on the ingress VTEP (Upstream), the route is being installed with the advertised VNI from the egress VTEP (Downstream). In short, the prefix is installed with the Downstream VNI.

2. As a result, the egress VTEP dictates the VNI used by the ingress VTEP to reach the respective network advertisement done by egress VTEP. This way, the ingress VTEP uses the right VNI to reach the prefix advertised by the egress VTEP when forwarding data to this peer.

3. The process of Downstream VNI is achieved by the egress VTEP (Downstream) publishing the VNI via BGP control-plane protocol to other receiving VTEPs, which will use this downstream assigned VNI for the encapsulation instruction to send data to the egress VTEP. Data traffic will always be sent with the Downstream VNI assigned to a prefix and will override the otherwise honored configured VNI.

4. The egress VTEP dictates the VNI to be used by ingress VTEP by performing the downstream VNI assignment via the BGP EVPN control-plane protocol.

In the above example, the VTEPs have disparate VNIs i.e. 50001 and 50002. If VLAN 20 with VRF-B needs to communicate to VLAN10 of VRF-A, the VTEP-1 (L3VNI 50001) will act as a Downstream VTEP and dictate VTEP-4 to use VNI 50001 to encapsulate the packets to reach VLAN 10 and vice-versa.

What’s Next?

Stay tuned for our next blogs which cover features and benefits for VXLAN EVPN based data center fabrics such as Loop detection and mitigation in VXLAN EVPN fabrics, deliver packets in secured fashion across VXLAN EVPN sites using CloudSec and seamless integration of multicast packet (TRM) with MVPN (Draft-Rosen).

Continue reading

Bolstering Cyber Resilience in the Financial Services Industry: Part Two

As you read in part one of this blog, Cybersecurity threats have never been greater. It is imperative that your financial services organization is prepared to detect and combat even the most sophisticated cyber-attacks. Cybersecurity month brought this issue top of mind for so many in the financial services world, and now it is time to put the information into action.

Last week we starting discussing the five-point strategy to bolster cyber resilience. We walked through the first two points: Secure by Design and Zero Trust. Now let’s jump into the final three elements of this strategy.

#3) Third Party Cyber Risk Assessment

As financial services firms continue to strengthen their cyber resilience, cyber threat actors have been working hard to identify vulnerabilities both internal and external to the firm to gain access to financial data. Most financial services firms have a large ecosystem of partners (customer service, software development, equipment providers, media and internet marketing, etc.) external to the firm, who augment the firm’s products and services with their own and/or play a critical role in developing, deploying, or maintaining the firm’s products and services. These ecosystem partners are all connected to the firms network, have access to critical financial data, and are expected to comply with the firm’s risk and compliance policies. Our research has identified that “70% of Financial Third-Party Vendors have Unacceptable Compliance to Regulations” and “do not have a focus on Insider Threats and Patching”.

Cisco’s Third-Party Security Assessment Program provides financial services firms with proactive services to validate security posture within the firm’s third-party vendors and provides direction for improvement of systems, processes to each vendor, including relevant training and certification support.

#4) Security Awareness Training (Employee Training)

It’s become evident that, often, the weakest link in many cybersecurity defenses are people. In fact, according to the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training, “People influence security more than technology or policy and cybercriminals know how to exploit human behaviors.”

So, while technology continues to evolve, the human element will always be the most unpredictable variable to secure. In order to fortify against people-enabled losses, financial services firms are turning to security awareness and training programs. Recent events have highlighted an increased need for security awareness, as the transition to a remote workforce has unveiled new, targeted threats that require employees to detect on their own.

Cisco Security Awareness is designed to help promote and apply effective cybersecurity common sense by modifying end-user behavior. Using engaging and relevant computer-based content with various simulated attack methods, this cloud-delivered product provides comprehensive simulation, training, and reporting so employee process can be continually monitored and tracked; an important part of compliance standards such as HIPAA and GDPR.

#5) Cyber Insurance

Financial services firms are at huge financial risk when a data breach occurs. To protect themselves from such an eventuality and in light of the emerging advancement in data theft and manipulation threats, it is imperative that they protect themselves with cyber insurance. Aside from providing financial cover, these cyber insurance providers also provide their customers with advanced notification of threats. Cisco is part of an industry-first offering partnering with Apple, Aon, and Allianz to bring together the key pieces needed to manage cyber risk: security technology, secure devices, cybersecurity domain expertise, and enhanced cyber insurance (select markets only).

Now What?

It is evident that there has never been a more pressing time to evaluate your cybersecurity strategy. Once you walk through the five-points above, here is one final checklist to ensure you are maximizing your cybersecurity strategy.

For a financial services firm to have a robust cyber resilient strategy:

1. The cybersecurity practices of their third party partners as well as their own have to be regularly reviewed, audited and continuously enhanced.

2. There must be a security-first mindset from the CEO down to every employee and partner in the organization.

3. Employee awareness and training sessions on cyber hygiene best practices must be held regularly to prevent exploitable vulnerabilities and help minimize the impact of any data breach.

4. Firms must collaborate with the financial services industry participants to share learnings, best practices, and develop industry wide cyber resilience strategies

Take these tips and the (above) five point cyber resilience strategy to ensure that you are doing everything you can to secure your financial services organization.

Continue reading

Enabling Integration via Webex Teams – All Together Now

Enabling Integration via Webex Teams and Cisco DNA, SD-Wan, Intersight, Thousand Eyes via Cloud API Gateway

I was really excited to have a unique opportunity to put together a team of my fellow engineers to work on a Collaboration hacking contest within Cisco. This annual event is usually in-person for a day or two in San Jose, making it out of reach for my nomadic desert comrades located in Arizona. This year, however, remote is the new normal. This unique situation made it possible for my ragtag band of misfits to participate in events regardless of our geography. So we embarked on a mission to enable webhook integration for Webex teams, so that our products can send notifications into Teams, just as they can into email.

A cloud native yet cloud agnostic solution

In order to do this we decided to make sure this wasn’t only able to support diverse products, but also, diverse clouds. A cloud native, yet cloud agnostic solution based upon serverless infrastructure supporting standard webhooks and HTTPS Post messages. We decided on Google Cloud platform and Amazon Web Services for our multi cloud endeavor.

The initial idea was actually for a separate use case – I have esp8266 modules integrated with Teams for the use case of being notified when my garage door is opened/closed, my bearded dragon’s cage is hot, etc. As these scale in number, if I ever were to change my security bot token or room ID, I would have to go re-flash all of my IoT Sensors to match. So, it creates an operational problem for leveraging Teams as a IoT device receiver or third party integrator.

Enable cloud as an API gateway

The idea was to enable cloud as an API gateway to accept requests, do advanced security checks, and decouple the Webex Teams security and context information from what is flashed onto the sensors to better manage the lifecycle. But extending this to webbooks was a natural evolution that seemed to have the most immediate impact to customers. When Demo’ing some of our cloud technologies (Intersight, Meraki), customers saw that notifications can go to webhook or email, and naturally inquired about their Webex Teams integration.

By enabling the webhook capability, we immediately added support for all of our product sets that support webhooks to integrate with Webex Teams. And do so without requiring any change on either the product, or Webex Teams. We did want to have native “handlers” in the code to handle differences in webhook formatting between different products. For our project we created handlers for Cisco DNA Center and Meraki. We had started work on Thousand Eyes but didn’t have the lab instance able to send webhooks at the time we finished the project. The amount of effort to create and modify a handler is as simple as 20 minutes worth of effort ensuring that the JSON fields that you care about, are included in what is sent to Teams.

The code is available on Github

Of note, while the code should have been very consistent between solutions, there is a difference in how Google integrates their API with their cloud functions compared to AWS. The API gateway on GCP has been out for a while, but right now integration of the API gateway on Google for cloud functions is in Beta and does require a bit more lift to setup. I expect this will normalize as it is brought to market. I also want to caveat that by noting I was seeking a functional product, closer integration with GCP teams probably would have helped with how I managed some error handling in Cloud Functions to make it integrate with API GW.

Continue reading

Retail network segmentation landscape

For as long as I can remember, retailers have recognized the importance of segmentation. The perils of mixing transactional data with other types of network traffic are significant. Yet, many retailers have found that a lack of attention in this area results in the compromise of transactional or Personally Identifiable Information (PII).

The challenge becomes exponentially more complex as the use of technology expands:

The long-predicted explosion of Internet of Things (IoT) devices is finally here. As many businesses respond to unpredictable business circumstances, it has become increasingly important that they have near real-time operational data on their stores and distribution centers. What is the current occupancy of my store? Are my chillers, freezers and hot tables working properly? Where are my associates and customers? What is my current inventory-on-hand (and what’s on the inbound truck, and when will it be here)? These questions can all be answered using IoT sensors. It is worth noting though that IoT sensors are either limited, or single-function devices, and therefore are not always able to defend themselves. If left unprotected, these devices can present a tempting attack surface for threat actors.

Point of Sale may not always be a static location. We are seeing more retailers shun the traditional fixed point of sale and adopt mobile devices. In some cases the POS may still be at a lane or cash wrap, but it may also be used for line busting, curbside pickup, home delivery, and for omni-channel returns. These additional use cases shift the emphasis from dedicated payment terminals that communicate directly with a payment processor, to multifunction devices sitting on the wireless network.

Guest wireless is now table stakes – customers expect to be able to send and receive text and email, access their shopping lists, or showroom their impending purchase to ensure they are getting the best price. A robust wireless network will not only be an expectation going forward, but a necessity to support associate efficiency and customer needs. With the advent of 5G networks, any communication that happens in the store via a mobile device needs to happen over the store wireless network, because 5G signals are unlikely to penetrate the structure of the building. Voice and data will cease when customers enter the store, unless the device can seamlessly roam onto the store network. That network will need the resilience and capacity to handle that traffic. Customers who cannot continue their conversations or access their data while in the store are likely to “vote with their feet” and shop elsewhere. In much the same way as guests now judge hotels by how fast and reliable the internet service is in their rooms, connectivity will be paramount for consumers and guests alike.

The inextricable move to the cloud has accelerated recently for multiple reasons – a need to

◉ reduce the physical IT footprint in the store

◉ stand up and configure new or pop-up stores quickly

◉ capitalize on the elastic capacity that cloud processing provides for busy periods

◉ leverage Software as a Service offerings for business systems such as supply chain and customer relationship management.

This shift to public, private and hybrid cloud can present new complexities and create a reliance on external parties, resulting in limited visibility and management to the retailer.

Many systems that are considered non-essential to the core retail mission (such as mechanical maintenance and physical security) are increasingly being outsourced. These moves result in third-party managed (or unmanaged) devices and sensors residing on the store or distribution center network.

These changes in the day-to-day operations of retailers can significantly increase the attack surface, and consequently the risk profile, for the retailer if not appropriately mitigated. The key is having a well-planned and executed segmentation and access control policy to ensure that devices and users can only access the systems and data appropriate for their role. Traditionally, this has been a somewhat manual process, which may be perfectly feasible for smaller organizations, but much more complex for larger retailers.

Continue reading

Going Multicloud? Can you relate to one of these six use cases?

In 1996, Cisco and HCL began working together by setting up an offshore development center in India. Over the past 24 years, we have strategically joined forces to bring to market a broad portfolio of products and services that we deliver to more than 100 shared customers, encompassing data center, networks, collaboration, IoT, security, and application monitoring. We continue to invest in resource development through training, centers of excellence, labs, joint go-to-market activities, and collaborating as 360-degree partners developing Cisco products.

One of our joint development efforts created HCL VelocITy: A multicloud framework powered by Cisco. VelocITy goes beyond the world of software-defined solutions to offer a reusable, repeatable, reference architecture delivered with a consumable, flexible, commercial construct. This framework leverages components from Cisco and other ecosystem partners, along with HCL’s position as a market leader in data center outsourcing and hybrid infrastructure managed services.

Many enterprises now operate multiple cloud environments, deploying a blend of private on-premises and public cloud infrastructures that best meet their application and business requirements. Executing a successful multicloud strategy can be extremely challenging, however.

A need to make multicloud easier

As enterprises start planning their multicloud environments, they need to answer a number of questions that can be crucial for achieving their digitization goals, such as:

◉ Do they have the required and adequately skilled resources in-house for the new technology landscape?

◉ Do they have a standard reference architecture that will apply across their on-premises and cloud environments?

◉ How will they secure the entire environment?

◉ What will be the cost impact of migrating to a multicloud environment? Do they have visibility into the potential cost differences when migrating workloads to the cloud?

In addition, once they’ve made key planning decisions, the process of execution can become a real nightmare. A customer with its own IT team may find it extremely difficult migrating to a multicloud environment due to the high level of complexity.

To help customers respond to these challenges, HCL built VelocITy. As you’ll see, it offers substantial, measurable benefits.

Figure 1  The VelocITy multicloud architecture

A pre-integrated, certified, multicloud reference architecture

The HCL VelocITy framework, as shown in Figure 1, provides a pre-integrated, certified reference architecture with pre-engineered components, incorporating the people, processes, and technology infrastructure required to provide end-to-end service delivery for multicloud deployments. Simply put, it removes the pain a customer can experience when migrating to a multicloud environment. They don’t need to choose different products from different vendors and then attempt to integrate all into an optimal and secure solution that meets their specific use case needs.

The top six highly sought after use cases

Leveraging its experience helping many Fortune 500 customers design and implement their data center migration strategies, HCL has identified its top six validated use cases for multicloud. Aligned with major industry trends in deploying multicloud environments and summarized in Figure 2, these represent use cases that can be implemented with HCL VelocITy. These six use cases also expand to over 30 detailed use cases for day 0, day 1, and day 2.

Figure 2  Six validated multicloud use cases

Built on Cisco technology

In developing the VelocITy stack, HCL evaluated many potential technology partners. A clear success criterion was the potential partner’s ability to deliver an end-to-end stack with flexible consumption model options, along with having a high level of ecosystem partner integrations and single-call, day 2 break/fix support.

Cisco met these requirements, leveraging its in-depth hardware and software product portfolio. In addition, many of Cisco’s products are now offered through a flexible consumable model, leveraging the Cisco Capital®Open Pay® solution. A few of the Cisco products incorporated into the VelocITy stack include Cisco UCS®, HyperFlex™, Cisco ACI®, Cisco Intersight™, Cisco Workload Optimization Manager, AppDynamics®, Cisco Container Platform, Cisco CloudCenter™, and Cisco Tetration Analytics™.

Adding to this list, Cisco has more than 65 integrated and certified ecosystem partner offerings available to fill out the VelocITy solution.

Migrate to a hybrid, multicloud environment with confidence

Cisco’s market-leading technology, available through a modern OpEx-based business model, in combination with HCL’s vast experience in multicloud deployments, brings to market a truly differentiated offering.

The numbers speak for themselves. For example, by deploying HCL VelocITy, both a large hospitality chain and a European telco reduced their TCO by 40 percent, while seeing a 50-60 percent improvement in IT automation.

If you’re migrating to a multicloud environment to meet your specific use case needs, explore HCL VelocITy powered by Cisco.

Continue reading

A Look to 2021 with Cisco Meraki

As we look back on 2020, the pandemic has proven to be a clear digitization accelerator—especially in areas critical to COVID-19 response. Companies within the financial sector are going beyond the lobby and into the cloud.

Some of the key benefits of embracing a cloud-managed IT solution include a decrease in time to market thanks to automation and zero-touch provisioning, the ability to simplify visibility and troubleshoot while helping IT teams get ahead of issues, and the ability to focus extra time and budget on resources and business-critical projects.

Managing safe migration to the cloud has never been more important. At Cisco Meraki, our cloud-based platform enables agility, scale, and simplification for financial institutions big and small. As we look ahead to 2021, a few key areas of focus stand out.

Meet the secure branch of the future

Providing reliable, secure connectivity while turning data into intelligent insights about how your branch infrastructure is operating—and how it can operate better—is critical. This includes improving your customer experience and engaging with them in new ways from the moment they enter the branch. For example, consider personalizing customer engagements through digital and in-branch resources, then leverage collected insights to inform and improve customer experience.   

Manage video analytics intelligently

IoT cameras and sensors combined with Meraki Insight are a powerful tool to effectively manage security, while ensuring a safe customer experience. They allow you to: 

- Manage video analytics intelligently

- Maintain social distancing protocols

- Eliminate outdated hardware

Cloud-based team support

Today’s new normal has required businesses to rethink how to help their employees collaborate safely while working from remote locations. These cloud-based solutions are helping companies support their off-site workforce. Some examples include safe remote access for payments, insurance claims, and loan approvals—all while maintaining policy compliance. Teams are able to connect to a secure network from any location for mission-critical and sensitive data.

All in all, the shift to cloud-managed IT solutions has proven to be beneficial for companies within the financial sector. As we look ahead to 2021, security and analytics will continue to be key considerations for change.

Continue reading

Fast Track to Success in Cisco 300-420 ENSLD Certification

Cisco ENSLD Exam Description:

This exam certifies a candidate's knowledge of enterprise design including advanced addressing and routing solutions, advanced enterprise campus networks, WAN, security services, network services, and SDA. The course, Designing Cisco Enterprise Networks, helps candidates to prepare for this exam.

Cisco 300-420 Exam Overview:

• Exam Name: Designing Cisco Enterprise Networks
• Exam Number: 300-420 ENSLD
• Exam Price: $300 USD
• Duration: 90 minutes
• Number of Questions: 55-65
• Passing Score: Variable (750-850 / 1000 Approx.)

Also Read:-

1. Are You Interested in CCNP Enterprise 300-420 ENSLD Certification?
2. Looking to Go Global with Valuable IT Skills? Pass Cisco 300-420 Exam

Continue reading