Dynamic Service Chaining in a Data Center with Nexus Infrastructure

In an application-centric data center, the network needs to have maximum agility to manage workloads and incorporate services such as firewalls, load balancers, proxies and optimizers. These network services enhance compliance, security, and optimization in virtualized data centers and cloud networks. Data center ops teams need an elegant method to insert service nodes and have the ability to automatically redirect traffic using predefined rules as operations change.

Enterprises running their data centers on the Nexus 9000 and NX-OS platform can now seamlessly integrate service nodes into their data center and edge deployments using the new Cisco Enhanced Policy Based Redirect (ePBR) to easily define and manage rules that control how traffic is redirected to individual services.

Challenges with Service Insertion and Service Chaining

The biggest challenge when it comes to introducing service nodes in a data center is onboarding them into the fabric, and subsequently creating the traffic redirection rules. Today, there are two ways of implementing traffic redirection rules – by influencing the traffic path using routing metrics, or by selective traffic redirection using policy-based routing.

The challenge with using routing to influence the forwarding path is that all traffic traverses the same path. This often ends up making the service node a bottle neck. The only practical way to achieve scale is by vertically scaling the node, which is expensive and  limited by the extent the node can be expanded.

Policy Based Routing (PBR) rules are also complex to maintain since separate rules are needed for forward and reverse traffic directions in order to maintain symmetry for stateful service nodes. In addition, when there are multiple service nodes in a chain, maintaining PBR rules to redirect traffic across them increases complexity even more.

Introducing Enhanced Policy Based Redirect

NX-OS version 9.3(5) provides Enhanced Policy Based Redirect. The goal of ePBR is to solve some of the challenges with existing redirection rules. In a nutshell, ePBR:

◉ Simplifies onboarding service nodes into the network

◉ Creates selective traffic redirection rules across a single node or a chain of service nodes

◉ Auto-generates reverse redirection rules to maintain symmetry across a service node chain

◉ Provides the ability to redirect and load-balance

◉ Supports pre-defined and customizable probes to monitor the health of service nodes

◉ Supports the ability to either drop traffic, bypass a node, or fallback to routing lookup when a node in a chain fails

ePBR supports all of these capabilities across a fabric running VXLAN with BGP EVPN, as well as a classic core, aggregation, access data center deployment, at line rate switching, with no penalty to throughput or performance. Let’s look at three ePBR use cases.

Use Case 1: ePBR for Selective Traffic Redirection

Various applications may require redirection across different sets of service nodes. With ePBR, redirection rules can match application traffic using Source Destination IP and L4 ports and redirect them across different service nodes or service chains. In the diagram below, client traffic for Application 1 traverses the firewall and IPS, whereas Application 2 traverses the proxy before reaching the server. This flexibility that ePBR enables customers to on-board multiple applications on their network and comply with security requirements.

Use Case 1: ePBR for Selective Traffic Redirection

Use Case 2: Selective Traffic Redirection Across Active/Standby Service Node Chain

In this use case, traffic from clients is redirected to a firewall and load-balancer service chain, before being sent to the server. Using probes, ePBR intelligently tracks which node in each cluster is active and automatically redirects the traffic to a new active node if the original active node fails. In this example, the service chain is inserted in a fabric running VXLAN. As a result, traffic from clients is always redirected to the active firewall and then the active load-balancer.

Use Case 2: Selective Traffic Redirection Across Active/Standby Service Node Chain

Use Case 3: Load-Balancing Across Service Nodes

With exponential growth in traffic, ePBR can intelligently load-balance across service nodes in a cluster, providing the ability to horizontally scale the network. ePBR ensures symmetry is maintained for a given flow by making sure that traffic in both forward and reverse directions is redirected to the same service node in the cluster. The example below shows how traffic inside a mobile packet core is load-balanced across a cluster of TCP optimizers.

Use Case 3: Load-Balancing Across Service Nodes

Improving Operational Efficiency with Innovations in Cisco ASICs and NX-OS

Cisco continues to provide value to our customers by fully leveraging capabilities designed into Cisco ASICs and innovations in NX-OS software. ePBR enables the rapid on-boarding of a variety of services into data center networks, and simplifies how traffic chaining rules are setup, thus reducing time spent provisioning services and improving overall operational efficiency.

Continue reading

Cisco’s Role in the Monumental Vaccination Effort

Big challenges require big solutions. But when it comes to technology for coronavirus vaccine access and administration, many of those big solutions already exist.

As you read this, COVID-19 vaccines are being rolled out in different capacities around the world. The troubling news is, getting the vaccines to the public is continuing to present an evolving array of challenges. Limited availability, complex transportation and storage, and phasing are all creating confusion. The good news is that technology is helping to overcome those challenges by building bridges between the government agencies in charge of the vaccination effort, the retail pharmacies and healthcare organizations administering the vaccines, and the communities who need them.

During the past nine months, Cisco has been powering an inclusive recovery through efficient vaccine administration; helping essential organizations stand up the technology and communications needed by medical and healthcare facilities, retail pharmacies, essential government services, and other frontline efforts. And, today, Cisco continues to do its part as a trusted technology partner. We’re helping enable vaccine administration by improving three key functions—communications and access, field operations and administration, and security and application performance.

Communications and access

By providing communications and access solutions—such as Cisco Webex and Webex Contact Center—we’re enabling better patient access and outreach, better care provider and administrative collaboration, and more virtual engagements. We’re also providing a more comprehensive way for government agencies, healthcare facilities, and retail sites to efficiently scale their efforts to address increased volume and equitable access to critical information and services.

Field operations and administration

With field operations and administration solutions—like networking, WiFi analytics, video, collaboration, and cloud-delivered location services and security—we’re helping organizations respond to dynamic community needs, set up field hospitals and mobile clinics, provide equitable access, improve citizen experiences, and simplify equipment monitoring.

Security and application performance

Finally, our innovative security and application performance tools—among them, application monitoring and management, IoT sensors, cameras, and cloud-enabled security—are ensuring the safety, security, privacy, performance, and compliance necessary for organizations to successfully administer vaccines and operate efficiently around the clock.

As you can imagine, vaccine administration systems will likely remain under immense pressure until the millions of people who need vaccinations get them. So, it is vital for government, healthcare, and retail organizations to keep these mission-critical services running as smoothly as technologically possible. That, as it turns out, is our strong suit.

Keep in mind, performing in this capacity is nothing new for Cisco. All of the solutions and use cases mentioned above are customer-validated and proven.

As it always has, Cisco provides its customers with solutions that help people and communities access technology, information, advice, and anything else they might require. We were here for our customers before the pandemic. We’re here for them today as we navigate our way through COVID-19 together. And as any trusted partner should, we will be here for our customers tomorrow to take on whatever comes next. That’s why so many leaders around the world, across all levels of government, healthcare, and retail, have trusted and relied on us to stand by them through their ongoing digital transformation efforts.

Continue reading

300-715 Free Exam Questions & Latest Cisco CCNP Security Study Guide

Cisco SISE Exam Description:

The Implementing and Configuring Cisco Identity Services Engine v1.0 (SISE 300-715) exam is a 90-minute exam associated with the CCNP Security and Cisco Certified Specialist - Security Identity Management Implementation certifications. This exam tests a candidate's knowledge of Cisco Identify Services Engine, including architecture and deployment, policy enforcement, Web Auth and guest services, profiler, BYOD, endpoint compliance, and network access device administration. The course, Implementing and Configuring Cisco Identity Services Engine, helps candidates to prepare for this exam.

Cisco 300-715 Exam Overview:

• Exam Name:- Implementing and Configuring Cisco Identity Services Engine
• Exam Number:- 300-715 SISE
• Exam Price:- $300 USD
• Duration:- 90 minutes
• Number of Questions:- 55-65
• Passing Score:- Variable (750-850 / 1000 Approx.)
• Recommended Training:- Implementing and Configuring Cisco Identity Services Engine (SISE)
• Exam Registration:- PEARSON VUE
• Sample Questions:- Cisco 300-715 Sample Questions
• Practice Exam:- Cisco Certified Network Professional Security Practice Test

Related Articles:-

• Avail CCNP Security 300-715 SISE Certification to Enhance Your Career
• 300-715 SISE: Study Tips to Get Success

Continue reading

Cisco 350-401 ENCOR Exam Journey: Tips That Make Your Prep Easier

Organizations are on the constant lookout for specialists who can competently execute core technologies. That's why there's a surge in requirements for those who can demonstrate they have the right skills. If you want to benefit from these opportunities, you require to follow the proper approach that comprises training, taking exams, and achieving certifications. Cisco has a magnificent plan for you by providing several certifications at different entry levels, associate to professional, expert, and architect. To gain any, you should use it for an exam, and this article is dedicated to the Cisco 350-401 ENCOR exam. We'd like you to know essential things about this exam and how you can prepare for it competently.

Continue reading

Desktops in the Data Center: Establishing ground rules for VDI

Since the earliest days of computing, we’ve endeavored to provide users with efficient, secure access to the critical applications which power the business.

From those early mainframe applications being accessed from hard-wired dumb terminals to the modern cloud-based application architectures of today, accessible to any user, from anywhere, on any device, we’ve witnessed the changing technology landscape deliver monumental gains in user productivity and flexibility.  With today’s workforce being increasingly remote, the delivery of secure, remote access to corporate IT resources and applications is more important than ever.

Although the remote access VPN has been dutifully providing secure, remote access for many years now, the advantages of centrally administering and securing the user desktop through Virtual Desktop Infrastructure (VDI) are driving rapid growth in adoption.  With options including hosting of the virtual desktop directly in the data center as VDI or in the public cloud as Desktop-as-a-Service (DaaS), organizations can quickly scale the environment to meet business demand in a rapidly changing world.

Allowing users to access a managed desktop instance from any personal laptop or mobile device, with direct access to their applications provides cost efficiencies and great flexibility with lower bandwidth consumption…. and it’s more secure, right?  Well, not so fast!

Considering the Risks

Although addressing some of the key challenges in enabling a remote workforce, VDI introduces a whole new set of considerations for IT security.  After all, we’ve spent years keeping users OUT of the data center…. and now with VDI, the user desktop itself now resides on a virtual machine, hosted directly inside the data center or cloud, right inside the perimeter security which is there to protect the organization’s most critical assets. The data!

This raises some important questions around how we can secure these environments and address some of these new risks.

◉ Who is connecting remotely to the virtual desktop?

◉ Which applications are being accessed from the virtual desktops?

◉ Can virtual desktops communicate with each other?

◉ What else can the virtual desktop gain access to outside of traditional apps?

◉ Can the virtual desktop in any way open a reverse tunnel or proxy out to the Internet?

◉ What is the security posture of the remote user device?

◉ If the remote device is infected by virus or malware, is there any possible way that might infect the virtual desktop?

If the virtual desktop itself is infected by virus or malware, could an attacker access or infect other desktops, application servers, databases etc. Are you sure?

With VDI solutions today ranging from traditional on-premises solutions from Citrix and VMware to cloud offered services with Windows Virtual Desktop from Azure and Amazon Workspaces from AWS, there are differing approaches to the delivery of a common foundation for secure authentication, transport and endpoint control.  What is lacking however, is the ability to address some of the key fundamentals for a Zero Trust approach to user and application security across the multiple environments and vendors that make up most IT landscapes today.

How can Cisco Secure Workload (Tetration) help?

Cisco Secure Workload (Tetration) provides zero trust segmentation for VDI endpoints AND applications.  Founded on a least-privilege access model, this allows the administrator to centrally define and enforce a dynamic segmentation policy to each and every desktop instance and application workload.  Requiring no infrastructure changes and supporting any data center or cloud environment, this allows for a more flexible, scalable approach to address critical security concerns, today!

Establishing Control for Virtual Desktops

With Secure Workload, administrators can enforce a dynamic allow-list policy which allows users to access a defined set of applications and resources, while restricting any other connectivity.  Virtual desktops are typically connected to a shared virtual network, leaving a wide-open attack surface for lateral movement or malware propagation so this policy provides an immediate benefit in restriction of desktop to desktop communication.

This flexible policy allows rules to be defined based on context, whether identifying a specific desktop group/pool, application workloads or vulnerable machines, providing simplicity in administration and the flexibility to adapt to a changing environment without further modification.

◉ Do your VDI instances really need to communicate with one another?

With a single policy rule, Secure Workload can enforce a desktop isolation policy to restrict communication between desktop instances without impacting critical services and application access.  This simple step will immediately block malware propagation and restrict visibility and lateral movement between desktops.

Figure 1: Deny policy for virtual desktop isolation

Figure 2: Lateral communication between desktops blocked (inbound and outbound)

◉ Want to permit only a specific user group access to your highly sensitive HR application?

Secure Workload will identify the desktop instances and application workloads by context, continuously refreshing the allow-list policy rules to permit this communication as users log in and out of their virtual desktops and as the application workloads evolve.

Figure 3: Context based application access control

◉ Need full visibility of which applications are being accessed, how and when?

Tetration not only enforces the allow-list policy to protect your assets, but also records flow data from every communication, ensuring continuous near-real-time compliance monitoring of traffic to identify malicious or anomalous behaviors.

◉ Need to meet segmentation requirements for regulatory compliance?

Natural language policy definition based on dynamic labels and annotations ensures traffic complies with regulatory policy constraints from one well-defined policy intent.

◉ Require the ability to automatically quarantine vulnerable virtual desktops or application workloads to protect against exploit?

Tetration natively detects vulnerable software packages to apply automated policy controls which only apply until remediation.

All offered from SaaS, this can be achieved without any change to existing infrastructure, with distributed enforcement at scale from virtual desktops to application workloads for end to end protection.

Continue reading

Bringing Office-Quality Connectivity to Home Teleworkers with SD-WAN

Most likely you are reading this Cisco blog post from your home office, just as I wrote it from mine. Whereas, at least in the States, it used to be “there’s no place like home” now it’s more like “no place but home” as we weather the new normal of isolation and lock downs to stay safe.

Working from home has taken on a whole new meaning as we spend our days on video meetings with colleagues, accessing corporate data center resources via VPN, and using direct internet access to cloud and SaaS applications. Our home Wi-Fi is overloaded with internet-dependent work, school, and play, causing more than a few eye-rolls as application performance slows to a crawl and video conversations are peppered with static. What’s a corporate warrior to do to keep up with the streaming workload and stay in good spirits?

While individuals have limited options to speed up their home office connectivity, IT can step in to provide enterprise-grade services to high-value workers for whom every minute with clients, customers, and coworkers counts. These professionals have a wide variety of business-critical functions such as a brokerage advisor recommending trade strategies for clients, a telemedicine physician monitoring an elderly patient, or a CX representative walking a customer through a complex installation procedure. The high-value workforce needs superior connectivity that makes working at home just as fluid as being in the office with consistent connectivity and performance. What was once “good enough” for occasional evening and weekend work-at-home stints is no longer adequate.

Beyond consistent and reliable connectivity, professional teleworkers need the ability to use personal devices—laptops, phones, and tablets—to securely access data and applications to keep their workflow fluid. On top of all that, they need peace of mind provided by enterprise-grade security that is easy to use and practically invisible to daily work routines.

When tasked with upgrading high-value workers’ home offices, IT needs a solution that provides:

◉ Centralized policy management and zero-touch provisioning to bring thousands of remote offices online quickly.

◉ Monitoring of Quality of Service (QoS) and remotely troubleshooting connection reliability to enhance application experience from non-standardized home internet connections and Wi-Fi to cloud and SaaS resources.

◉ Centralized, cloud-delivered, multi-layer security—including DNS URL-Filtering, Application Aware Firewall, Intrusion Protection System, and Advanced Malware Protection—to protect sensitive traffic on its round trip from home office to cloud or data center and back.

◉ Ability to automatically detect and define devices connecting to the home office network and apply segmentation policies to control access permissions and prevent infections from spreading from home offices and to corporate resources.

With these capabilities, IT can provide an office-like experience to high-value workers while keeping enterprise assets secure. SD-WAN application-aware routing identifies the best routes to send data traffic to access SaaS applications—even as they may dynamically change during the workday. A split-tunnel configuration over a single WAN interface or second WAN interface over LTE provides redundant connectivity. IT can continuously monitor the edge-to-SaaS performance on both DIA and backhaul paths to ensure appropriate application Quality of Experience and consistent connectivity.

An All-in-One Secure Routing Solution for Teleworkers

From a teleworker’s point of view, an ideal at home connectivity solution provides an enhanced direct access to cloud or data center application experience. Performance-optimized cloud on-ramps deliver access to popular SaaS applications suites, such as Office365, and public cloud resources. A Secure Internet Gateway protects the remote worker against advanced persistent threats emanating from spoofed sites on the open internet.

The professional’s home office solution starts with an enterprise-grade router with integrated Wi-Fi that delivers a zero-trust fabric with end-to-end segmentation and always-on network connectivity. For areas with unreliable broadband connections, a Gb Ethernet speed LTE Advanced Pro or a 4G plug-in module provides backup or acts as the main direct internet connection.

The at-home system is capable of zero-touch provisioning, with remote NetOps teams able to detect, provision, and monitor the home network from anywhere. The remote worker simply plugs the router into power and a broadband internet connection or relies on the LTE/5G broadband cellular connection. The router automatically searches for the plug and play controller and downloads enterprise policies and segmentation rules before securely joining the corporate WAN. After that, the office worker connects to the permitted enterprise and cloud resources as if they were working on campus, guarded by the same security protection and access policies.

Security is Even More Critical for Remote Offices

The sheer variety of devices—both managed and unmanaged—that are connected to a home’s Wi-Fi requires zero-trust security and segmentation to safeguard critical information. Imagine the ability of a hacker to penetrate an unsecured household Wi-Fi through a poorly protected smart appliance and travel from there to the remote worker’s system and onward to corporate resources. Once an infection begins at home, a simple VPN is not going to contain it. The home network needs protection with:

◉ Location and device-sensitive Zero Trust Network Access (ZTNA) to ensure that connections coming from remote worksites can access only the applications and data for which they have permissions.

◉ Security Group Segmentation that limits access to specific network segments, stopping the propagation of threats that are attempting an east-west infection path.

◉ End-point analytics detects unusual communications among diverse devices that do not normally communicate, or that start using different protocols, and isolates them.

A cloud-based Secure Access Service Edge (SASE) umbrella provides security protections at scale for thousands of remote workers. Policy-based routing also secures access to confidential as well as non-sensitive data while protecting against man-in-the-middle attacks. Because policies are managed and deployed centrally through SD-WAN controllers, when workers move among home, branch, and campus locations, the access and security policies follow them, ensuring that their connections are secure regardless of location. IT gets a single-pane view of workforce connectivity and security to simplify the management of thousands of distributed connections.

It is Possible to Have the Best of Both Worlds at Home

Working at home with office-like connectivity and security is not only possible but is, and will continue to be, an absolute necessity as enterprises strive to stay agile and productive while battling future black swan events. WFH is not just a reaction to a health and safety emergency either. It is a workstyle made possible by technology that has important energy and environmental impacts as well as physical and mental health—does anyone really love commuting? The more seamless a work-at-home employee’s connection is to information, applications, and coworkers, the more productive the experience. By providing a secure, easy to manage and scalable routing solution, IT can ensure that the workforce stays connected and productive no matter where they choose or need to work.

Continue reading

Cisco DNA Center and Cisco Umbrella- Automate your journey towards DNS Security

Introducing Cisco DNA Center Integration with Umbrella

Cisco Umbrella provides the first line of defense against threats on the internet wherever users go. Umbrella delivers complete visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints. Cisco Umbrella helps in securing traffic using Secure Internet Gateway(SIG) in cloud. In this blog, we will look at how Integration of Cisco Umbrella with Cisco DNA Center will help in automating and securing WLAN’s to provide maximum visibility and granularity using network infrastructure.

Wi-Fi is an expected service- but is your Wi-Fi also a liability?

In the world of connected things wireless infrastructure plays a major role in connecting people, processes, and things. According to Cisco VNI, 66% of Global Population will have Internet Access by 2023 and this brings in a bigger question of how to secure the endpoints (It can be Enterprise devices, Guest devices or even IoT Endpoints). It’s interesting that I mentioned about IoT Endpoints, reason being according to Cisco VNI, by 2023, IoT Endpoints will account for 50 percent (14.7 billion) of all global networked devices and one third of those devices will be wireless. The addition of billions of devices to the network edge drives the need for enterprises to provide actionable insights and scalable solutions to secure employees’ devices, IoT connections, infrastructure, and proprietary data.

      

Enabling Cisco Umbrella on Catalyst 9800 WLC brings in a whole lot of capabilities such as granular policy enforcement per SSID, visibility in identifying internet threats and reporting. Umbrella on WLAN enforces security at the Domain Name System (DNS) layer, which means you can block requests to malicious domains and IPs before a connection is ever made.

The need for Network Policy Automation

In today’s digital world, the network needs to adapt quickly to changing business requirements. The network needs to support an increasingly diverse and fast-changing set of users, devices, applications, and services. It needs to seamlessly and securely onboard this diverse set of devices and deliver the desired user and application experience.

Cisco DNA Center and Cisco Umbrella

Cisco DNA Center provides an intuitive GUI workflow to enable Umbrella policies on WLAN Controllers. Cisco DNA Center supports Umbrella configuration on Cisco Catalyst 9800 Series Wireless Controller running software version 16.12.x or higher and Cisco Catalyst 9100 Series Access Points on local, flex connect mode, and on Mobility Express (ME) AP’s. The supported Cisco DNA Center release version is 2.1.x.

As a pre-requisite, necessary keys, such as the API key, legacy token, management key, and secret, needs to be created in the Umbrella Account. To integrate DNA Center with Umbrella Organization ID, Management API Keys, and Network Device API Keys & token needs to be entered manually in Cisco DNA Center.

Once Integrated, Cisco DNA Center can now configure Umbrella policies to Catalyst 9800 WLC, which are managed and provisioned by Cisco DNA Center. Cisco DNA Center provides a comprehensive view all the WLAN Controllers that are eligible for Umbrella deployment in a site. If the WLAN Controllers are Not ready for Umbrella deployment, Cisco DNA Center also provides information on why the Network device is not ready. The major advantage of integration is, Cisco DNA Center can now retrieve policies created in the Umbrella cloud and provides an option to assign these policies at per SSID level to all the eligible WLAN Controllers. This way umbrella policies can be pushed to multiple SSID’s on multiple WLAN Controllers with few simple clicks.

Cisco DNA Center also provides base assurance capabilities for Total DNS Queries and Blocked DNS Queries in the Umbrella Services Dashboard.

The integration of Cisco DNA Center and Umbrella helps deploy Umbrella policies quickly with minimal disruption to other services, ensures that edge devices are secured at the DNS layer without any added latency. This helps maintain the network infrastructure stay up to date by aligning to dynamic business needs.

Continue reading