Thursday, 10 June 2021

Unclear on fiber optic breakouts? What you need to know

We often receive questions about fiber optic breakout patch cords for pluggable optic transceivers. If you’re wondering the same thing, the first door to knock on is the fiber cable infrastructure provider for your network. We’ve posted cabling guides for some well-known providers, but there are certainly other options. These guides contain specific part numbers for their breakout patch cords and cassettes for use with many Cisco Optics transceivers.

Why would you use breakouts?

Fiber optic breakouts are useful for many applications. Take for example a 400G port in a switch or router. A breakout structure could make that 400G port equivalent to a high density set of four 100G ports. Breakout connectivity also allows you to upgrade your network hardware one site at a time, so you don’t have to take down the whole network all at once. You could also use breakouts for redundancy in your architecture.

The fundamental distinction of a breakout application is that it connects network devices (switches, routers, and servers) to other network devices containing ports of different speed without sacrificing port bandwidth. That last part about not sacrificing port bandwidth is key. You could still connect ports of different speed using an adapter. Or you could run a high speed port at a lower speed by filling it with a lower speed optic. For example, 40G QSFP+ optics can work in 100G QSFP28 ports. However, in both of these situations you under-utilize the bandwidth of the higher speed port.

Figure: Example of breakout application.

With breakouts, you fully utilize port bandwidth. The most common breakout configuration involves a higher speed QSFP port that connects to four lower speed ports, either SFP or lower speed QSFP. For example, Cisco’s QSFP-100G-SR4-S can connect to four different 25G SFP28 ports with a fiber breakout patch cord (or cartridge) and four SFP-25G-SR-S pluggable optic modules. Similar breakouts are possible with some 40G QSFP+ and 10G SFP+ modules.

Which pluggable optics support breakout?

Almost always, a pluggable optic transceiver that uses parallel fiber supports breakout. The Cisco Optics-to-Device Compatibility Matrix online tool shows whether the pluggable optic uses parallel or duplex fiber. Breakout is possible with both SMF (Single-Mode Fiber) and MMF (Multi-Mode Fiber) media types.

In the rare case of an exception, the tool indicates whether the pluggable optic or network device does not support breakout mode.

Figure: Example of a rare exception where breakout mode is not supported, indicated in a pop-up message in the Cisco Optics-to-Device Compatibility Matrix.

As a baseline reference, these are some of the Cisco pluggable optic transceivers that support 4-channel breakout configurations:

Figure: Partial list of Product IDs for Cisco Optics that can be used in breakout configurations.

For a full list and mapping of which optics can connect to each other via breakout, see the Optics-to-Optics Interoperability Matrix. Below is an example.

Figure: Cisco Optics-to-Optics Interoperability Matrix example. The far right column indicates whether a fiber optic breakout patch cord is needed.

Fiber optic breakout patch cord pinout diagrams

If your fiber cable vendor doesn’t have a standard breakout patch cord, and you request a custom design, you can use the diagram below as a guide. The patch cord doesn’t depend on the data rate. The main consideration is whether the fiber type is SMF or MMF.

Figure: Fiber breakout jumper pinout diagram for SMF. Note the 8 degree angle polish on the MPO connector end face.

Figure: Fiber breakout jumper pinout diagram for MMF.

Remember, fiber breakout patch cords or cartridges are for pluggable optic transceivers. If you’re using an AOC (Active Optical Cable) such as QSFP-4X10G-AOCxM or copper cables such as QSFP-4SFP25G-CUxM, the breakout structure may be built into the cable because they are pre-terminated and plug directly into the QSFP or SFP type ports. Therefore, these cables do not need a separate fiber breakout patch cord.

Source: cisco.com

Wednesday, 9 June 2021

Under Pressure to Secure Your Enterprise? Predict More to Prevent More

Cybersecurity is a top priority for any organization conducting business over the Internet. Protecting your assets encompasses an ever-expanding digital landscape. Any data breach can have a devastating impact on the finances and brand equity of an organization. It’s why cybersecurity is treated as a business risk, rather than merely an IT issue. The importance of security is nothing new, but the global pandemic has made it even more critical.

Rise in Remote Access Authentication

Many of the new security challenges stem from the rapid increase in remote work that occurred almost overnight last year with the global rollout of stay-at-home orders. According to data from Cisco Duo, more organizations across all industries have enabled their employees to work from home, and there’s every indication this could continue for an extended time. Between February and April of 2020, we saw a 60% increase in remote access authentication — a percentage that has held remarkably steady ever since.

For IT Ops, a key challenge was ensuring their business employees could securely access the tools and resources they needed to do their jobs, seamlessly and with no additional friction. At the same time, organizations have had to protect critical information and minimize risk, all while accommodating myriad types of users and devices using unsecured networks. In order to accomplish the above, having visibility and insights into remote work patterns is a must, allowing SecOps and NetOps teams to authenticate and secure enterprise traffic through zero-trust solutions and multi-factor authentication.

Identifying Cyberthreat Patterns

In addition to the expansion of the attack surface due to the shift to remote work, cyber-criminals evolved their attacks to feed on people’s fears around the pandemic. DNS traffic analysis by Cisco Umbrella revealed some startling findings for the first nine months of 2020. For example, among our Umbrella DNS customers:

◉ 91% saw a domain linked to malware
◉ 68% saw a domain linked to cryptomining
◉ 85% saw a domain linked to phishing
◉ 63% saw a domain linked to trojans

In fact, since 2019, trojans and phishing have traded spots in threat ranking. In 2019, trojans were the number two threat at 59%, while phishing was number four with 46% impacted. Over the past year, phishing has risen by nearly 40% in large part due to malicious actors preying on people’s fears about the virus.

If IT teams are to scale and stay ahead of the bad actors in this evolving landscape of cyberthreats, they must be able to proactively monitor and identify malicious traffic and its patterns. It is vastly better to predict and prevent cyberattacks than to try to undo the damage caused by data breaches after the fact.
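The "percentage of customers that saw a domain in category X" figures quoted above are a reporting metric a defender can compute from resolver logs. This is an added example, not code from the Cisco post or from Umbrella: it parses constructed DNS query records, maps each queried name (or any parent domain) to a constructed threat-category feed with placeholder names, and ranks categories by the share of tenants exposed, the same ranking the post uses when it says trojans and phishing traded places.

```python
from collections import defaultdict

# Constructed threat-category feed: placeholder names, not real indicators.
CATEGORY_OF = {
    "malware-drop.example": "malware",
    "miner-pool.example": "cryptomining",
    "login-verify.example": "phishing",
    "rat-c2.example": "trojan",
}

# Constructed resolver log, one query per line: "<timestamp> <tenant> <domain>".
SAMPLE_LOG = """\
2020-03-02T08:01:10Z tenantA www.example.com
2020-03-02T08:01:12Z tenantA login-verify.example
2020-03-02T08:02:40Z tenantA malware-drop.example
2020-03-02T09:15:03Z tenantB cdn.malware-drop.example
2020-03-02T09:15:09Z tenantB api.rat-c2.example.
2020-03-02T10:30:55Z tenantC login-verify.example
2020-03-02T10:31:00Z tenantC miner-pool.example
2020-03-02T11:00:00Z tenantD www.example.com
malformed line that should be skipped
"""


def parse_log(text):
    """Yield (tenant, normalised domain) pairs; skip lines that do not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, tenant, domain = parts
        # Lower-case and drop a trailing root dot so lookups are consistent.
        yield tenant, domain.lower().rstrip(".")


def category_for(domain):
    """Look up the name and each parent domain (api.rat-c2.example -> rat-c2.example),
    stopping before the bare top-level label."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        cat = CATEGORY_OF.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def exposure_by_category(records):
    """Percentage of tenants that resolved at least one domain in each category."""
    tenants = set()
    seen = defaultdict(set)
    for tenant, domain in records:
        tenants.add(tenant)
        cat = category_for(domain)
        if cat:
            seen[cat].add(tenant)
    return {cat: 100.0 * len(hit) / len(tenants) for cat, hit in seen.items()}


def ranked(exposure):
    """Highest exposure first; ties broken alphabetically."""
    return sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0]))


def report(text=SAMPLE_LOG):
    """Threat ranking for a log, e.g. [('malware', 50.0), ('phishing', 50.0), ...]."""
    return ranked(exposure_by_category(parse_log(text)))


if __name__ == "__main__":
    for category, pct in report():
        print(f"{pct:5.1f}% of tenants saw a domain linked to {category}")
```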

Threat Targets by Industry

Shifts in the distribution of threat traffic across different business markets since 2019 offer further insight into how to secure your enterprise. In particular, managed service providers (MSPs) have now surpassed financial services as the most impacted market. In fact, U.S. government agencies have issued recent warnings about the heightened risk of attacks by state actors on MSPs.

Why this jump in MSP threat traffic? MSPs are attractive targets because, unless an MSP has effectively secured its own environment, it is vulnerable to attack by malicious actors who can then hijack its remote monitoring and management tools to go after the MSP’s clients. These customers are then at higher risk than the MSP itself. (By contrast, higher education traffic has dropped considerably in the ranking of impacted markets over the past year — from the top spot to the number six spot — most likely due to students being unable to attend classes in person.)

The rise in malware using sophisticated hiding and evasion techniques has made cyber defense teams’ jobs that much harder. In order to secure your data and your enterprise, manual monitoring and intervention is no longer a viable solution. Today’s cyber defenders must have visibility across applications, networks, and devices, along with the ability to leverage machine speed and predictive intelligence to deliver scalable, adaptable protection.

Source: cisco.com

Monday, 7 June 2021

Education, Education, Education: RSA 2021 and the State of Education Security

There is an old maxim in the real estate profession that is used when evaluating the value of a home. Realtors often speak of “location, location, location”, as if the customer involved in the transaction is so unaware of that factor that it requires the incessant repetition. In cybersecurity, however, one area that is in dire need of a recurrent reminder is the area of education, both of cybersecurity professionals, as well as targeting that specialized knowledge towards the education sector.

Resilience, and Investing in People

This year’s RSA conference opened with an inspirational keynote message from Cisco CEO Charles (Chuck) Robbins. The theme of this year’s RSA conference was resilience, which is also the key to effective cybersecurity. The vision for a post-pandemic world is one where Cisco will invest more to make the world a safer place, while carrying out that vision in less time than ever.

Part of Cisco’s investment in the future is not only about technology, it is about people. There are around 2.8 million cyber professionals globally, but there are currently more than 4 million unfilled cybersecurity jobs. There is no other industry where the open positions exceed the number of available professionals at such a scale. This is the equivalent of the entire population of many small countries. Cisco is seeking not only to enable the workforce by looking at the existing talent pool, but also by tapping into unconventional places to find new talent. Unlikely security professionals exist in places like the local coffee shop, the mechanic’s garage, and even the prisons.

This extreme reach for diversity is rooted firmly in history. When the world needed to solve the encryption puzzle used by the enemies in World War Two, they sought people from all walks of life to decipher what seemed like an unbreakable code. They were not all mathematicians. They included librarians, psychologists, and even hobbyists who collected porcelain figurines.

Diversity is a force multiplier towards solving outwardly unsolvable problems.

An Unnoticed Target

Education towards creating a stronger workforce is useless if not applied to the business sectors that need it the most. One sector where there is a need for cybersecurity professionals is the area of education. In the 2018 “End-of-Year Data Breach Report” issued by the Identity Theft Research Center (ITRC), there were over 1.4 million records breached at educational institutions. These numbers closely matched the breach numbers of 2017 for the education sector. However, over the course of 2019, the breached records increased to over 2.4 million.

While the education sector falls last among the five industries monitored in the ITRC reports, there appears to be a pattern emerging.

Wendy’s Keen Insights

Cisco’s Head of Advisory CISOs, Wendy Nather, and Dr. Wade Baker of the Cyentia Institute opened the final day of the 2021 RSA conference by asking the question “What (Actually, Measurably) Makes a Security Program More Successful?”

Wendy stated that she dislikes benchmarks, mostly because some people are not good at it, offering more opinion than measurable results. In order to measure success, we must be more interested in what works. Wendy and Wade drew upon the findings of the Cisco 2020 Security Outcomes Study to discuss a methodology that is measurable and actionable.

Follow the Patterns

The Security Outcomes Study findings are based on patterns, rather than raw numbers, and this is important when considering the rise in educational breaches. Valuable insights are derived by finding patterns in the data that show clear correlations between security practices, and the outcomes. As a cybersecurity professional, the idea of finding patterns that show clear correlations should resonate deeply, as this is a foundational tenet of your entire discipline of threat intelligence.

Ignoring a pattern just because it is deceptively insignificant at the time can lead to an instance of not seeing the shape of things to come. Are we on the precipice of witnessing a new target? The people at Cisco do not agree with the logic of ignoring it, hoping it will go away.

Why a School is a Good Target

It may seem like a school, or university is not a very lucrative target for a cyberattack, but when one stops to think about it, an educational institution contains a rich variety of valuable information, more than just the books in the student libraries and the fraternity and sorority houses.

Schools are fertile grounds for ideas, and inspirational knowledge. These are the roots of intellectual property.  In fact, some schools are branded as research universities. This means that the information about the students who are working on research, as well as the research itself, are viable targets for a cybercriminal.

How Cisco is Positioned to Protect These Valuable Assets

Cisco is uniquely qualified to protect all learning institutions by offering a wide range of security solutions and products to safeguard all educational institutions, from the earliest grades, all the way up to institutions of higher learning.

Whether it is managing the in-person and remote students and their mobile devices, to fostering a productive learning environment, to protecting sensitive student and research data, Cisco offers a wide range of solutions to meet your goals, and ensure an effective approach to your security vision.

There is more to a security solution than the platform. The depth of information, and flexibility and pragmatism is key towards a full security approach. As described by the CISO of Brunel University, “Cisco backs its products with engineers who are at the top of their game”.

Source: cisco.com

Sunday, 6 June 2021

Stretching Cisco Designed Oracle Infrastructures with Low Latency Protocols

Before the pandemic, industries were turned upside down as a digital transformation wave forced IT departments to think of new ways to implement services and address this new business challenge. When business travel starts up again, each of us will see examples: taxis replaced by Uber and Lyft; newspapers replaced by a smartphone; radio replaced by Spotify. Each industry struggles to remain relevant. The impact on IT? The huge growth in applications that draw data from more sources, and the speed of implementation required today. Oracle databases and the server infrastructures that support them have to handle larger workloads without sacrificing performance. The challenge is how to architect these systems to meet uncertain growth requirements yet keep the finance department happy.

Cisco foresaw this requirement a couple of years ago and invested in a set of Cisco Validated Designs demonstrating the benefits of NVMe (Non-Volatile Memory Express) over Fabrics partnering with Pure Storage initially and more recently with NetApp.

Customers generally fall into two categories:

◉ Those running I/O over Ethernet, who would more naturally move to RDMA

◉ SAN based customers who desire low latency but within a SAN infrastructure

Cisco has developed a proven solution for each of these two scenarios; see the details below.

In 2019, Cisco and Pure Storage tested and validated a FlashStack solution highlighting the benefits of RoCE v2 – Oracle RAC 19c Databases running on Cisco UCS with Pure Storage FlashArray //X90R2 using NVMe-oF RoCE v2 (RoCE – RDMA over Converged Ethernet version 2). Here the standard FlashStack Converged Infrastructure (depicted below) was set up with NVMe located in the servers and used RoCE to move the data traffic between the servers and the All-Flash storage subsystem. SLOB (Silly Little Oracle Benchmark) was used to replicate users and the system was scaled to 512 users, demonstrating the following benefits:

◉ Lower latency compared to other traditional protocols

◉ Higher IOPS (I/O per second) that scaled linearly

◉ Higher bandwidth to address higher data traffic requirements

◉ Improved protocol efficiency by reducing the “I/O stack”

◉ Lower host CPU utilization, documented at 30% less

◉ Indirectly, as CPU utilization was lowered, more processor cycles are available to process work, therefore fewer Intel processor cores need to be licensed to achieve performance.

This was a welcome design incorporated by many companies from commercial to large enterprise as it addressed a pressing need – how to stretch the IT budget to complete more work on the current system. The NVMe interface is defined to enable host software to communicate with nonvolatile memory over PCI Express (PCIe). It was designed from the ground up for low-latency solid state media, eliminating many of the bottlenecks seen in the legacy protocols for running enterprise applications. NVMe devices are connected to the PCIe bus inside a server. NVMe-oF extends the high-performance and low-latency benefits of NVMe across network fabrics that connect servers and storage. NVMe-oF takes the lightweight and streamlined NVMe command set, and the more efficient queueing model, and replaces the PCIe transport with alternate transports, such as Fibre Channel, RDMA over Converged Ethernet (RoCE v2), and TCP.

In 2020, the Pandemic hit.

COVID-19 caused many IT organizations to shift focus from database to remote worker implementations initially conceived as short-term solutions, now moving to longer term designs. Businesses are returning to a focus on stretching their database infrastructure solutions, and Cisco has partnered with NetApp on a new solution to meet this goal.

In April 2021, Cisco and NetApp published a new Cisco Validated Design called FlexPod Datacenter with Oracle 19c RAC Databases on Cisco UCS and NetApp AFF with NVMe/FC. The proven design using NVMe is now proven to work with a Fibre Channel twist.

NVMe over Fibre Channel (NVMe/FC) is implemented through the Fibre Channel NVMe (FC-NVMe) standard which is designed to enable NVMe based message commands to transfer data and status information between a host computer and a target storage subsystem over a Fibre Channel network fabric. FC-NVMe simplifies the NVMe command sets into basic FCP instructions. Because Fibre Channel is designed for storage traffic, functionality such as discovery, management and end-to-end qualification of equipment is built into the system.

Almost all high-performance latency sensitive applications and workloads are running on the same underlying transport protocol (FCP) today. Because NVMe/FC and Fibre Channel networks use the same FCP, they can use common hardware components. It’s even possible to use the same switches, cables, and NetApp ONTAP target port to communicate with both protocols at the same time. The ability to use either protocol by itself or both at the same time on the same hardware makes transitioning from FCP to NVMe/FC both simple and seamless.

Large-scale block flash-based storage environments that use Fibre Channel are the most likely to adopt NVMe over FC. FC-NVMe offers the same structure, predictability and reliability characteristics for NVMe-oF that Fibre Channel does for SCSI. Plus, NVMe-oF traffic and traditional SCSI-based traffic can run simultaneously on the same FC fabric.

The design for the new FlexPod is depicted below and follows the proven design that has made FlexPod one of the most popular Converged Infrastructure offerings in the market for several years.

The same low latency, high performance benefits of the previous CVD are proven once again in this NVMe/FC design. As such, customers now have a choice as to how to implement a modern SAN to run the heart of their IT shop – the Oracle Database.

Businesses will continue to challenge their IT departments; some challenges are planned while others are completely unforecasted. Picking a design that can grow to meet these future requirements, where each element in the design can be upgraded independently as circumstances warrant, while meeting performance requirements with an eye toward Oracle licensing costs, is the challenge that Cisco’s low latency solutions have met. These are the solutions your organization should take a closer look at for your future Oracle deployments.

Source: cisco.com

Saturday, 5 June 2021

“Hello IKS”… from Terraform Cloud!

Organizations are seeking uniformity in tools and procedures

Tracking industry trends, some legacy enterprise applications will be modernized into a microservices architecture and containerized. Some of those microservices and heritage apps will remain on-prem, while others will make their way to public clouds. In general, DevOps has been very successful in leveraging open source tools, such as Terraform, for public cloud infrastructure provisioning. For example, enterprises are seeking to bring the cloud experience on-prem by providing their DevOps and application developers with IT services like CaaS (Container as a Service).

Organizations are seeking uniformity in tools and procedures that they use to orchestrate their cloud stacks across public and private clouds to host these containerized workloads.

Intersight Kubernetes Service (IKS) container management platform

The debate on container orchestration frameworks has pretty much concluded (at least for now!) and Kubernetes is a clear winner. Organizations have successfully leveraged Kubernetes services (AKS, EKS, GKE,..) from public clouds and Terraform has played a prominent role in their CI/CD toolchain. To support containerized workload deployments and operations, Cisco Intersight includes IKS (Intersight Kubernetes Service) which is a SaaS-delivered, turn-key container management platform for multicloud and production-grade Kubernetes.

The following use case attempts to highlight the integration that was recently announced between Cisco Intersight and HashiCorp Cloud for Business.

Cisco Intersight and HashiCorp Cloud for Business use case

In this blog, we will walk through a simple use case where:

◉ A cloud admin would offer CaaS (containers as a service) in their service catalog, leveraging IKS (Intersight Kubernetes Service) to set up the IP pools and Kubernetes policies for an app team in her enterprise

◉ An App DevOps then comes in and leverages those policies to provision an IKS cluster based on the specification of the App developers for the cluster and finally

◉ An App Developer would deploy a sample app.

The above will leverage TFCB (Terraform Cloud For Business), IST (Intersight Service for Terraform), IKS (Intersight Kubernetes Service), Intersight Terraform Provider and Helm Terraform provider.

The following assumes that the configuration and provisioning is all done through the Terraform Cloud UI (traditional ClickOps). Please watch out for subsequent blogs that will address the same using Intersight APIs for end-to-end programmability.

Role of a Cloud Admin

You will provision the following Targets in Intersight and verify for a Connected operational status:

You will set up the Terraform config files and workspaces for provisioning IP pools and policies for the app team and execute the Terraform plan in TFCB. An example can be found here

Role of an App DevOps

Based on the infrastructure requirements provided by your app team, you will set up the Terraform config files and workspaces to provision an IKS cluster leveraging the policies configured by your Cloud Admin. You will plan and execute the Terraform plan in TFCB. An example of the config file to provision a single node IKS cluster can be found here:

Role of an App Developer

You will set up the Terraform config files and workspaces for deploying a sample app on the IKS cluster provisioned by your DevOps. An example of the config file to deploy a sample app using the Terraform Helm Provider can be found here:

SandBox and learning lab

A sandbox and a learning lab are available here. It helps the user wear the hat of the above personas and walk through a sample deployment exercise:

The following captures a very high-level view of the sequence across the various tools in the sandbox and is quite self-explanatory. The Sandbox simulates your on prem infrastructure:

Check out this DevNet CodeExchange entry if you would like to experiment with a single-node cluster in your own vSphere infrastructure.

Behind the scenes…

The following highlights the value add of the Cisco Intersight and TFCB integrations in simplifying and securing the provisioning of private cloud resources such as k8s clusters and applications on prem.

Source: cisco.com

Thursday, 3 June 2021

Too Fast Too Furious with Catalyst Wi-Fi 6 MU-MIMO

Servicing many clients that send small packets with pre-Wi-Fi 6 technology is inefficient because the overhead incurred by the preamble and other mechanisms tends to dominate. OFDMA is ideally suited to this scenario because it divides up the channel and services up to 37 users (for 80 MHz bandwidth) simultaneously, which amortizes the overhead. OFDMA improves system efficiency, but it does not necessarily improve throughput.

MU-MIMO (Multi-User, Multiple input, Multiple output) creates spatially distinct separate channels between the transmitter and each of a small number of receivers such that each receiver hears only the information intended for itself, and not the information intended for other receivers. This means that the transmitter can, by superposition, transmit to a few receivers simultaneously, increasing the aggregate throughput by a factor equivalent to the number of receivers being serviced.

Cisco’s Catalyst 9800 series WLC with IOS XE 17.6.1 (currently Beta) introduces a new Access Point scheduler design that efficiently serves multiple clients at the same time while keeping sounding overhead to a minimum, which in turn yields data rates close to the PHY rate even in dense environments. These advancements are currently supported on Catalyst 9130 and Catalyst 9124 series Access Points. Let’s first understand MU-MIMO concepts and then evaluate its performance.

Beamforming and MU-MIMO

Beamforming radio waves using an array of phased antennas has been known for decades. More recently the same principles have been used to produce MU-MIMO, where multiple simultaneous beams provide independent channels for each of the users.

Similar principles apply in the audio domain where speakers can be phased to direct sound to a particular location. The idea is to adjust the phases of each speaker such that the sound adds constructively at the point where the listener is, and destructively at all other locations.

Consider a sound, Sr, played through an array of four speakers, with the sound for each speaker adjusted by a phasor Q1r through Q4r so that the signal strength at the red listener, Lr, is maximized and the signal strength at the blue listener, Lb, is minimized.

Using superposition, we can take each message, impose the appropriate phase adjustment, and add the signals just before they go into the speakers. This way we can send two different messages at the same time, but each listener will hear only the message intended for them.

Note the importance of spatial separation – Lb and Lr are hearing their respective messages because the phasors were optimized to deliver each sound to their specific location. If one of the listeners moves from his position, he will no longer hear his message.

If a third person enters the picture and stands close to the speakers, he will hear the garbled sound of both messages simultaneously.

Consider this in the context of Wi-Fi where the speakers are replaced by antennas and the signal processing to control the phasors, and generate digital messages at a certain data rate, is done in the AP. Since both messages can be transmitted simultaneously one could theoretically double the aggregated data rate. The same approach can be used to service more clients simultaneously, so where is the limit? Practically, there are limits in the accuracy that the phasors can be set, there are reflections that cause “cross talk” and other imperfections that limit the gains in throughput that can be achieved.
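The phasor design just described can be worked through numerically. This is an added example, not from the Cisco post: it assumes a constructed speaker and listener geometry, a free-space channel (phase from path length, amplitude falling as 1/distance), and uses zero-forcing weights W = H^H (H H^H)^-1 as the method for choosing the Q phasors so that each listener's message sums to full strength at its own position and to zero at the other. It then superposes two messages, shows each listener hears only its own, and shows that a listener who moves, or a third person standing near the array, no longer gets a clean message.

```python
import cmath
import math

# Constructed geometry in metres (not from the Cisco post): four speakers in a
# line along the x axis, a red listener and a blue listener out in the room.
SPEAKERS = [(0.0, 0.0), (0.5, 0.0), (1.0, 0.0), (1.5, 0.0)]
LISTENER_RED = (0.0, 6.0)
LISTENER_BLUE = (4.0, 5.0)
WAVELENGTH = 0.34  # roughly a 1 kHz tone in air; the algebra is identical for RF


def channel_vector(listener, speakers=SPEAKERS, wavelength=WAVELENGTH):
    """Free-space channel from each speaker to one position: the phase is set
    by the path length and the amplitude falls off as 1/distance."""
    h = []
    for sx, sy in speakers:
        d = math.hypot(listener[0] - sx, listener[1] - sy)
        h.append(cmath.exp(-2j * math.pi * d / wavelength) / d)
    return h


def zero_forcing_phasors(h_red, h_blue):
    """Return (Q_red, Q_blue), one complex weight per speaker, such that the
    red message sums to exactly 1 at the red listener and exactly 0 at the
    blue listener, and vice versa.  With H = [h_red; h_blue] (2 x 4) this is
    the zero-forcing precoder W = H^H (H H^H)^-1, so that H W = I."""
    # Gram matrix G = H H^H (2 x 2) and its closed-form inverse.
    g11 = sum(a * a.conjugate() for a in h_red)
    g12 = sum(a * b.conjugate() for a, b in zip(h_red, h_blue))
    g21 = g12.conjugate()
    g22 = sum(b * b.conjugate() for b in h_blue)
    det = g11 * g22 - g12 * g21
    i11, i12, i21, i22 = g22 / det, -g12 / det, -g21 / det, g11 / det
    # Columns of W = H^H G^-1; row i of H^H is (conj(h_red[i]), conj(h_blue[i])).
    n = len(h_red)
    q_red = [h_red[i].conjugate() * i11 + h_blue[i].conjugate() * i21 for i in range(n)]
    q_blue = [h_red[i].conjugate() * i12 + h_blue[i].conjugate() * i22 for i in range(n)]
    return q_red, q_blue


def superpose(q_red, s_red, q_blue, s_blue):
    """Per-speaker drive signal: each message scaled by its own phasor, then
    added, so both messages leave the array at the same time."""
    return [qr * s_red + qb * s_blue for qr, qb in zip(q_red, q_blue)]


def heard_at(position, drive):
    """Field at an arbitrary position: sum over speakers of channel * drive."""
    return sum(h * x for h, x in zip(channel_vector(position), drive))


def message_gains_at(position, q_red, q_blue):
    """(gain of red message, gain of blue message) at a position: 1 means the
    message arrives at full strength there, 0 means it is nulled there."""
    h = channel_vector(position)
    return (sum(a * q for a, q in zip(h, q_red)),
            sum(a * q for a, q in zip(h, q_blue)))


def design():
    """Phasors for the constructed geometry above."""
    return zero_forcing_phasors(channel_vector(LISTENER_RED),
                                channel_vector(LISTENER_BLUE))


def demo(s_red=1 + 0j, s_blue=0.6 - 0.3j):
    """Transmit two constructed symbols at once and report what is heard at
    each listener, by a red listener who has moved 0.5 m, and near the array."""
    q_red, q_blue = design()
    drive = superpose(q_red, s_red, q_blue, s_blue)
    moved_red = (LISTENER_RED[0] + 0.5, LISTENER_RED[1])
    near_array = (0.75, 0.3)  # the "third person" standing close to the speakers
    return {
        "red_hears": heard_at(LISTENER_RED, drive),     # equals s_red
        "blue_hears": heard_at(LISTENER_BLUE, drive),   # equals s_blue
        "moved_red_gains": message_gains_at(moved_red, q_red, q_blue),
        "near_array_gains": message_gains_at(near_array, q_red, q_blue),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two "gains" entries are the point of the spatial-separation remark: at the designed positions they are exactly (1, 0) and (0, 1), while the moved listener and the person near the array receive both messages at comparable strength.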

Sniffing in the context of MU-MIMO is more complicated because of the spatial significance. Note that placing a sniffer close to the AP will produce the same garbled message effect we discussed earlier. The sniffer probe must be placed physically close to the device that is being sniffed, and generally one sniffer probe is required for each device.

System Overview and Test infrastructure

In this MU-MIMO test, we are using the octoScope (now part of Spirent) STACK-MAX testbed. On the infrastructure side, Cisco’s Catalyst 9800 WLC running IOS XE 17.6.1 (Beta code) and a Catalyst 9130 Access Point are used. The C9130 AP supports up to 8×8 uplink and downlink MU-MIMO with eight spatial streams. The Pal-6E is Wi-Fi 6 capable and can simulate up to 256 stations or can act as a sniffer probe.

The STApal is a fully contained STA based upon the Intel AX210 chipset, running on its own hardware platform. All the test chambers are completely isolated from the outside world, and signal paths between them are controlled using fully shielded attenuators, so that reliable and repeatable measurements can be made. The chambers are lined with an RF absorptive foam to significantly reduce internal reflections and prevent standing waves.

For this MU-MIMO test we are using up to 4 STAs. An RF path connects signals from the C9130 AP through to the individual STAs. We are using the multipath emulator (MPE) in LOS, or IEEE Channel Model A, mode. Each pair of antennas is fed into a group of four clients as shown in the diagram below. We have seen that spatial separation is a requirement for successful MU-MIMO operation; this is achieved by placing the antennas in the corners of the anechoic test chamber to get the best spatial separation. This allows four independent MU-MIMO streams to the STAs in the four groups of four.


Practical testing


To demonstrate the MU-MIMO gains we placed the C9130 AP in the center of the chamber and ran downlink UDP traffic to the STAs attached to the antennas in the box corners.

First, we did this with MU-MIMO switched off and started with one STA. We noted that the throughput was just a little over 1000 Mbps, a little less than the 1200 Mbps PHY rate. After 20 seconds we introduced another STA and saw that the aggregate throughput stays at 1000 Mbps, but that the two STAs share the channel and each STA achieves 500 Mbps. 20 seconds later we introduced a third STA. Again the aggregate throughput stays the same at 1000 Mbps, and the three STAs share the channel to get a little over 300 Mbps each. Introduction of the fourth STA follows the same pattern, with the aggregate remaining unchanged and each STA receiving 250 Mbps.


We repeated the experiment, this time with MU-MIMO switched on.

Starting with one STA we achieved the familiar 1000 Mbps. After 20 seconds we introduced the second STA and observed that the aggregate had increased to 2000 Mbps, which is significantly higher than the PHY rate. We also noted that each STA is still receiving nearly the 1000 Mbps it was receiving before. Unlike the previous experiment, where the STAs shared the channel, in this experiment each is able to fully utilize its own channel independently of the other.


Adding a third STA increased the aggregate to 2200 Mbps. Each of the three STAs was still receiving 730 Mbps. Addition of a fourth STA results in aggregate throughput of 2100 Mbps with each STA receiving 525 Mbps, a two-fold increase over Single User operation.

The graph below summarizes the results.


Verdict


MU-MIMO exploits the spatial separation of receivers to direct independent messages to each of the receivers simultaneously. This allows for much more efficient use of the medium and increases the aggregate data that the network can deliver. The Catalyst 9130 AP’s pioneering scheduler design offers superior throughput gains in multi-user transmission scenarios. This is an outcome of higher MCS rates, low sounding overhead and efficient dynamic packet scheduling.

DL and UL MU-MIMO along with OFDMA are enabled by default on a WLAN. These features are available on 9800 series wireless controllers on existing releases but the above discussed enhancements will be available from 17.6.1 (currently Beta) release onwards.

Source: cisco.com

Tuesday, 1 June 2021

Scalable Security with Cisco Secure Firewall Cloud Native

Today, companies invest in making their security controls scalable and dynamic to meet the ever-increasing demand on their network(s). In many cases, the response is a massive shift to Kubernetes® (K8s®) orchestrated infrastructure that provides a cloud-native, scalable, and resilient infrastructure.

This is where Cisco Secure Firewall Cloud Native (SFCN) comes in. It gives you the flexibility to provision, run, and scale containerized security services. Cisco Secure Firewall Cloud Native brings together the benefits of Kubernetes and Cisco’s industry-leading security technologies, providing a resilient architecture for infrastructure security at scale.

Figure 1 – Cisco Secure Firewall Cloud Native platform overview

The architecture depicted above shows a modular platform that is scalable, resilient, DevOps friendly, and Kubernetes-orchestrated. In the initial release of Cisco Secure Firewall Cloud Native, we have added support for CNFW (L3/L4 + VPN) in AWS. Future releases will add support for CNTD (L7) security and other cloud providers.


Key capabilities of Cisco Secure Firewall Cloud Native include:

◉ Modular and scalable architecture
◉ Kubernetes orchestrated deployment
◉ DevOps friendly with Infrastructure-as-Code (IaC) support
◉ Data externalization for stateless services via a high-performance Redis™ database
◉ Multi-AZ, multi-region, and multi-tenant support

Figure 2 – Cisco Secure Firewall Cloud Native platform components

The architecture depicted above shows the Cisco Secure Firewall Cloud Native platform, which combines Amazon EKS, Amazon ElastiCache™ and Amazon EFS with industry-leading Cisco VPN and L3/L4 security control for the edge firewall use-case. The administrator can manage the Cisco Secure Firewall Cloud Native infrastructure using kubectl + YAML or Cisco Defense Orchestrator (CDO). Cisco provides APIs, CRDs, and Helm™ charts for this deployment. It uses custom metrics and the Kubernetes horizontal pod autoscaler (HPA) to scale pods horizontally.

Key components include:

◉ Control Point (CP): The Control Point is responsible for config validation, compilation and distribution, licensing, and route management. CP pods accept configuration from REST APIs, kubectl + YAML, or Cisco Defense Orchestrator.

◉ Enforcement Point (EP): CNFW EP pods are responsible for L3/L4 and VPN traffic handling and VPN termination.

◉ Redirector: The Redirector pod is responsible for intelligent load balancing of remote access VPN traffic. When the redirector receives a request, it contacts the Redis DB and returns the Fully Qualified Domain Name (FQDN) of the enforcement pod handling the fewest VPN sessions.

◉ Redis DB: The Redis database holds information on VPN sessions. The redirector uses this information to enable smart load balancing and recovery.

The following instance type is supported for each component.


Initial use-cases:

◉ Scalable Remote Access VPN architecture
◉ Scalable Remote Access VPN architecture with smart load balancing and session resiliency
◉ Scalable DC backhauls
◉ Multi-tenancy
◉ Scalable cloud hub
◉ Scalable edge firewall

Scalable Remote Access VPN architecture

Cisco Secure Firewall Cloud Native provides an easy way to deploy scalable remote access VPN architecture. It uses custom metrics and horizontal pod autoscaler to increase or decrease the number of CNFW Enforcement Points as needed. The Control Point controls configuration, routing, and Amazon Route 53™ configuration for the auto-scaled Enforcement Point.

Figure 3 – Scalable Remote Access VPN architecture

Traffic flow:

1. The remote VPN user sends a DNS query for vpn.mydomain.com. Amazon Route 53 keeps track of all CNFW nodes and has an “A” record for each node, with weighted average load balancing enabled for incoming DNS requests.
2. The remote VPN user receives “Elastic IP – EIP” of the outside interfaces of the CNFW node.
3. The remote VPN user connects to the CNFW node. Each node provides a separate VPN pool for proper routing.

Scalable Remote Access VPN architecture, with smart load balancing and session resiliency

The Cisco Secure Firewall Cloud Native architecture with smart load balancing uses Amazon ElastiCache (Redis DB) to store VPN session information. The redirector node consults the Redis database to perform load balancing based on VPN session count, instead of weighted average load balancing.

The Control Point controls configuration, routing, redirector configuration, and Route 53 configuration for the auto-scaled enforcement point.

Figure 4 – Scalable Remote Access VPN architecture with smart load balancing and session resiliency

Traffic flow:

1. The remote VPN user sends a DNS query for vpn.mydomain.com, and vpn.mydomain.com points to the CNFW redirector.

2. The remote VPN user then sends the request to the redirector.

3. CNFW redirector periodically polls the Redis database (Amazon ElastiCache) to find out the FQDN of the Cisco Secure Firewall Cloud Native nodes with the least number of VPN endpoints. CNFW redirector provides FQDN of the least loaded CNFW node to the remote VPN user.

4. The remote user resolves the FQDN; an “A” record for each CNFW enforcement point is added automatically in Amazon Route 53.

5. The remote VPN user connects to the CNFW node that has the least number of VPN sessions.
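As an added illustration (not Cisco’s code or the SFCN API), the following toy model contrasts the two traffic flows above: equally weighted DNS answers versus the redirector’s session-count choice, with a plain dictionary standing in for the Redis session table. Node names and session counts are constructed, and recovery is modelled simply as a failed node’s users reconnecting through the redirector.

```python
import random

# Constructed session table as the redirector would read it from Redis
# ({fqdn: active VPN sessions}); node names are placeholders, not Cisco's.
SESSIONS = {
    "ep-1.vpn.example.internal": 180,
    "ep-2.vpn.example.internal": 175,
    "ep-3.vpn.example.internal": 0,  # just added by the autoscaler, still empty
}

def least_loaded(sessions, rng=None):
    """Step 3 of the redirector flow: the FQDN with the fewest sessions (ties by name)."""
    return min(sorted(sessions), key=sessions.get)

def weighted_dns(sessions, rng):
    """Figure 3 style answer: equally weighted Route 53 A records, blind to current load."""
    return rng.choice(sorted(sessions))

def admit(new_users, chooser, sessions=SESSIONS, seed=7):
    """Admit new_users one at a time through `chooser`; return the final per-node counts."""
    counts = dict(sessions)
    rng = random.Random(seed)
    for _ in range(new_users):
        counts[chooser(counts, rng)] += 1
    return counts

def spread(counts):
    """Imbalance between the busiest and the emptiest enforcement point."""
    return max(counts.values()) - min(counts.values())

def reconnect_after_failure(counts, failed):
    """Session resiliency, simplified: the failed node's users reconnect via the redirector."""
    survivors = {node: n for node, n in counts.items() if node != failed}
    return admit(counts[failed], least_loaded, survivors)

if __name__ == "__main__":
    smart, dns = admit(120, least_loaded), admit(120, weighted_dns)
    print("session-count balancing:", smart, "spread", spread(smart))
    print("weighted DNS:", dns, "spread", spread(dns))
    print("after ep-1 fails:", reconnect_after_failure(smart, "ep-1.vpn.example.internal"))
```

With load-blind DNS answers the freshly autoscaled node receives only a third of the new users, so the imbalance that triggered the scale-out persists; the session-count choice fills it first.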

Scalable DC backhauls

The autoscaled Enforcement Points can form a tunnel back to the data center automatically. Cisco provides a sample Kubernetes deployment to enable this functionality.

Figure 5 – Scalable DC backhaul

Multi-tenancy

This architecture provides multi-tenancy using cloud-native constructs such as namespaces, EKS clusters, nodes, subnets, and security groups.

Figure 6 – Multi-tenancy

Scalable cloud hub

This architecture provides a scalable cloud architecture using CNFW, Amazon EKS, and other cloud native controls.

Figure 7 – Scalable cloud hub

Scalable edge firewall

This architecture provides a scalable architecture using CNFW, Amazon EKS, and other cloud-native controls.

Figure 8 – Scalable edge firewall

Licensing

Cisco Secure Firewall Cloud Native is available starting with ASA 9.16. This release brings CNFW (L3/L4 + VPN) security with Bring Your Own Licensing (BYOL), using Cisco Smart Licensing.

◉ Licenses are based on CPU cores used
◉ Supports multi-tenancy
◉ Unlicensed Cisco Secure Firewall Cloud Native EP runs at 100 Kbps
◉ AnyConnect license model is the same as the ASA AnyConnect license model

Source: cisco.com