Tuesday 22 June 2021

Power of Cloud Application Centric Infrastructure (Cloud ACI) in Service Chaining

It is a reality that most enterprise customers are moving from a private data center model to a hybrid multi-cloud model. They are either moving some of their existing applications or developing newer applications in a cloud-native way to deploy in the public clouds. Customers are wary of sticking to a single public cloud provider for fear of vendor lock-in. Hence, we are seeing a very high percentage of customers adopting a multi-cloud strategy. According to the Flexera 2021 State of the Cloud report, this number stands at 92%. While a multi-cloud model gives customers flexibility, better disaster recovery and helps with compliance, it also comes with a number of challenges. Customers have to learn not just one, but all of the different public cloud nuances and implementations.



Navigating the different islands of public cloud


When customers adopt a multi-cloud strategy, they often begin with one cloud and then expand to others. Though most public clouds were built with the over-arching goal of providing instant access to resources at a lower cost, their individual implementations and corresponding cloud-native constructs differ. Hence, automation artifacts built for a specific public cloud provider cannot be re-used for other clouds. As we see our customers undertake the multi-cloud journey, it is increasingly clear that an automated way to configure the cloud constructs of the various clouds is a huge benefit for them.

Cisco provides this solution to our customers via Cloud ACI. Cisco Application Centric Infrastructure (ACI) is Cisco’s premier Software Defined Networking (SDN) solution for the data center. The ACI solution now caters not only to the on-premises data center but to the public cloud as well, thereby offering customers a seamless experience for orchestrating and managing consistent policies for their workloads irrespective of where a workload resides. Cloud ACI provides the needed abstraction across multiple public clouds: a single policy model in which customers define their intent. The Cisco ACI solution takes care of translating that intent into the required cloud-native constructs of each cloud.

The Cloud ACI solution achieves this by deploying the Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC) in the cloud site, such as Amazon AWS or Microsoft Azure. The Cloud APIC is registered with the Cisco Nexus Dashboard Orchestrator (formerly Multi-Site Orchestrator) – the master controller for managing different ACI sites. The user defines policies on the Nexus Dashboard Orchestrator, which pushes them down to the sites where the policy needs to be applied. The Cloud ACI controller at each site takes care of configuring the right networking and security cloud constructs for that cloud site.

Let us take the example of an enterprise that plans to deploy workloads in both AWS and Azure. Resources in AWS are deployed within a VPC, whereas Azure requires a Resource Group. AWS provides native load balancing services via Elastic Load Balancers, whereas in Azure you would use an Application Gateway for L7 load balancing and a Network Load Balancer for L4 traffic. The native cloud constructs are different, and end users have to learn both the AWS and the Azure language. If the enterprise uses Cloud ACI, configuring a VRF (Virtual Routing context) from the Nexus Dashboard Orchestrator will translate to creating a VPC in an AWS site and a Virtual Network (VNET) in the Azure site. It’s that simple!!!

Load Balancers and More!


Cloud ACI can be particularly powerful when automating your applications behind native load balancing services. Both large web-scale applications and smaller enterprise applications are typically deployed behind a load balancer for high availability and elasticity. Hence, all major public cloud players offer load balancing as a native service. Load balancers have a frontend, which is the IP and port used to reach the application, and a backend with the servers serving that application. Depending on the load, the servers hosting the application can be scaled up or down elastically.

Cloud ACI provides a neat way to automate the creation of native load balancers and to configure and manage their lifecycle. The solution provides an innovative way to add backend servers as targets of the load balancers dynamically. This is done by tagging the servers and creating a service graph in ACI. A service graph represents the flow of data between consumers and providers via one or more service devices. Cloud ACI creates the load balancers and configures the frontend port based on user configuration. Once a user specifies via a contract the desired provider endpoint group (EPG), the solution takes care of automatically adding the servers that belong to the provider EPG as the backend of the load balancer.

This is pretty powerful: with VMs scaling up and down, there is no need to manually add or remove these servers from the load balancer backend. Cloud APIC auto-detects the servers and classifies them into the right EPG, then dynamically adds or removes them from the backend of the load balancer.

Unleash the power of service chaining


For web applications reachable over the internet, it is paramount to build in additional security to protect the application and the backend servers from attacks. In such cases, it is common for customers to insert a firewall before the traffic hits the load balancer. The firewall could be Cisco’s FTD, or a 3rd-party firewall from vendors like Checkpoint, Fortinet, or Palo Alto (VM-Series Next-Generation Firewall), available in the public cloud marketplace. Cloud ACI provides the perfect automation for this use case by giving users a way to build a multi-node service graph. To provide high availability for the firewall, a load balancer may be placed in front of the firewall, as shown in the picture below.


Cloud ACI can automate the entire flow by managing the lifecycle of both the frontend and the backend LB. It automates the creation of the load balancers, configuring the frontend port/protocol and adding the right backend targets. As defined by the service chain, it adds the firewall instances as the targets of the frontend LB, and the application servers as the targets of the backend application load balancer (ALB). Cloud APIC also configures the security groups at each layer with the right set of rules based on the contract. This ensures that no unintended traffic flows between the user and the backend application servers. Can it get better than this! The only configuration required in Cloud ACI is:

◉ creation of the logical devices for the load balancers and firewall

◉ creation of a service graph specifying the location of the service devices in the chain

◉ configuring a contract between the consumer and the backend application server endpoint group

As you can see, this is extremely simple; it saves time and reduces configuration complexity for the user. What’s more, the network admin can be at peace knowing that any dynamic scaling of the backend servers by the application/server admin will be handled by Cloud APIC.
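To make the tag-to-EPG-to-backend behaviour described above concrete, here is an added toy model of it in Python. It is an illustration written for this page, not Cloud APIC code or its API: the tag-match selector for EPG membership, the ServiceNode/Contract types and the resolve() logic are assumptions that mirror the behaviour the text describes (firewall instances are targets of the frontend LB, application servers are targets of the backend ALB, and each hop gets a security-group rule only for the contract port). The addresses and instance names are constructed sample data.

```python
"""Toy model of a Cloud ACI multi-node service graph (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    """A cloud instance; Cloud APIC classifies instances by their cloud tags."""
    name: str
    ip: str
    tags: Dict[str, str]


@dataclass
class Epg:
    """Endpoint group whose membership is a tag match (assumed selector form)."""
    name: str
    match: Dict[str, str]

    def members(self, inventory: List[Server]) -> List[Server]:
        return [s for s in inventory
                if all(s.tags.get(k) == v for k, v in self.match.items())]


@dataclass
class ServiceNode:
    """One device in the chain: a load balancer, or a firewall tier whose
    instances are themselves tagged servers."""
    name: str
    kind: str                   # "lb" or "firewall"
    epg: Optional[Epg] = None   # set for firewall tiers


@dataclass
class Contract:
    consumer: str               # e.g. "internet"
    provider: Epg               # the application-server EPG
    port: int                   # frontend port exposed to the consumer
    chain: List[ServiceNode] = field(default_factory=list)  # consumer side first


def resolve(contract: Contract, inventory: List[Server]
            ) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, int]]]:
    """Derive each LB's backend targets and the per-hop allow rules.

    An LB's targets are the members of the tier that follows it in the chain;
    the last LB fronts the provider EPG.  Each hop gets one allow rule
    (previous hop -> next hop on the contract port), so the security groups
    never permit the consumer to reach the application servers directly.
    """
    targets: Dict[str, List[str]] = {}
    for i, node in enumerate(contract.chain):
        if node.kind != "lb":
            continue
        nxt = contract.chain[i + 1] if i + 1 < len(contract.chain) else None
        tier = nxt.epg if nxt is not None and nxt.epg is not None else contract.provider
        targets[node.name] = sorted(s.ip for s in tier.members(inventory))
    hops = [contract.consumer] + [n.name for n in contract.chain] + [contract.provider.name]
    rules = [(src, dst, contract.port) for src, dst in zip(hops, hops[1:])]
    return targets, rules


# Constructed sample instances (not real addresses or a real deployment).
APP = Epg("app-servers", {"tier": "app"})
FIREWALLS = Epg("firewalls", {"tier": "fw"})
CONTRACT = Contract(
    consumer="internet", provider=APP, port=443,
    chain=[ServiceNode("frontend-lb", "lb"),
           ServiceNode("firewall", "firewall", epg=FIREWALLS),
           ServiceNode("backend-alb", "lb")])
INVENTORY = [
    Server("fw-1", "10.0.1.10", {"tier": "fw"}),
    Server("fw-2", "10.0.1.11", {"tier": "fw"}),
    Server("app-1", "10.0.2.10", {"tier": "app"}),
    Server("app-2", "10.0.2.11", {"tier": "app"}),
    Server("db-1", "10.0.3.10", {"tier": "db"}),   # not part of this contract
]


def scale_out(inventory: List[Server], server: Server) -> List[Server]:
    """The server admin adds an instance; re-running resolve() picks it up
    from its tag alone, with no load-balancer edit by the network admin."""
    return inventory + [server]


if __name__ == "__main__":
    targets, rules = resolve(CONTRACT, INVENTORY)
    print(targets)
    print(rules)
    grown = scale_out(INVENTORY, Server("app-3", "10.0.2.12", {"tier": "app"}))
    print(resolve(CONTRACT, grown)[0]["backend-alb"])
```

The point of the model is the last few lines: the database instance never appears in any backend because no contract selects its tag, and a newly tagged app server is picked up by the backend ALB on the next resolution without anyone touching the load balancer or the security groups.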

Source: cisco.com

Monday 21 June 2021

Top 10 CCNA 200-301 Exam Preparation Tips: Key to Success

When applying for any IT job position in competition with numerous candidates, it is important to demonstrate extra qualifications for the role. Achieving a relevant certification is believed to be an amazing way to do so, because recruitment managers view certifications as evidence of skills and hence as a sign of more reliable performance. If you are looking for some useful study methods for the CCNA 200-301 exam, we have listed them below, but first, let’s explore the exam outline.

Essential Information of the CCNA 200-301 Exam

A vital step in preparing for any exam is to determine the list of topics to be covered, and the more comprehensive that list is, the more attention you should pay to this chapter. For the Cisco 200-301 exam, you can find a complete outline on Cisco’s official website. On the whole, the areas you’ll be evaluated on involve networking basics, IP connectivity and IP services, programmability, network access, and so on. At this step, it’s also essential to know what types of questions you will face, how much time you’ll be given, and how to ace the exam.

Sunday 20 June 2021

Cisco Secure: Supporting NIST Cybersecurity Framework


Extending the alignment to include more Cisco products

Why should you care? With so many security frameworks, it can be difficult to know where to start. While many organizations are challenged with managing and improving their cybersecurity programs against a dynamic threat landscape, it’s not easy to pick one framework over another. So where do they start – ISACA COBIT 5? The ISO 27000 series? CIS CSC? NIST CSF? SABSA? Or something else? The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF) for exactly this reason. It’s a simple, best-practices approach to cybersecurity that leverages specific standards which are widely used and already working well today.

Basics First

NIST CSF is a voluntary framework based on existing standards, guidelines and practices for reducing cyber risks. It enables organisations to discuss, address and manage cybersecurity risk.


◉ It is used to manage cybersecurity risks in a cost-effective way while protecting privacy

◉ It references the globally accepted standards (COBIT, ISO/IEC, ISA, NIST, CCS)

◉ It enables all organizations (large or small) to improve security and resilience

◉ 3 pillars – People, Process, and Technology – each of these is important

◉ Only half of the CSF Categories are addressed by technology

◉ It emphasizes the importance of two other main pillars of Cybersecurity – People and Process

The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles, but for today’s discussion we will focus only on the Core, which is a ‘set of activities and outcomes using a language that is easy to understand’.

How does the CSF Core make lives easier?

The CSF Core consists of four components as shown in the table below. The CSF Core provides a set of activities to achieve specific cybersecurity outcomes. It also gives guidance on how to achieve those outcomes. The table below lists each of these components with a short description and example:


The CSF Core is comprised of five functions – Identify, Protect, Detect, Respond, and Recover. These functions, when considered together, provide the lifecycle of an organization’s cybersecurity risk.

How do Cisco Security products align to NIST CSF?


Extending the work already done in the existing whitepaper, below is the updated alignment, which includes a few more products (highlighted in the orange box) and shows how each of these products maps to the different NIST CSF Categories:


Source: cisco.com

Saturday 19 June 2021

Create new possibilities at the IoT Edge with the Cisco Catalyst IR1800 Series


Get ready for an all-new Cisco industrial router: the Cisco Catalyst IR1800 Rugged Series. With many new interfaces and modules backed by a stronger CPU and more memory, the IR1800 series gives IoT application developers new possibilities for innovating at the IoT Edge, for example to host applications that can extract and transform IoT data right at the edge. The DevNet IoT Dev Center has a new learning lab and sandbox so you can try out these new features on a real IR1835 ruggedized router.


With the 5G/LTE, Wi-Fi 6, industrial SSD and GPS modules, the IR1800 series prepares you for the future, but that’s not all. The IR1800 focuses on supporting mobility, especially in the transportation industry, with features like CAN bus, FirstNet, GPS/GNSS + dead reckoning and ignition power management. Furthermore, you can access all these interfaces from your IOx edge applications and use the data to power use cases like recording video surveillance, streaming multimedia entertainment and advertisement content, or providing predictive maintenance for the vehicle itself.

IR1835: Industrial Routing & Edge Compute Sandbox Overview

IOx Edge Compute


All models of the IR1800 series support the Cisco IOx Edge Compute Framework which allows you to install and deploy your dockerized applications directly on the device. With the updated 1.2GHz quad-core ARM CPU and 8GB memory, you also have a strong compute device at the edge. Furthermore, you can add an industrial SSD which extends your storage to more than 100GB, for example for on-board videos, images, databases, and log files.

Want to try deploying your Docker containers and IOx applications on the IR1835? Check out this iox-webserver sample application on the DevNet Code Exchange which you can download or build to get started.

On-box IOx Local Manager: Managing your IOx applications on the IR1835.
Here the NGINX server is installed and reachable on Port 8000.

Device APIs NETCONF & RESTCONF


Since this router runs Cisco’s open and programmable IOS-XE operating system, you can configure the device via device-level APIs such as NETCONF/RESTCONF. This means you can change any device configuration by simply running a Python script from your local machine and apply the changes to as many devices as you want.

The new DevNet learning lab walks you through how you can get operational data directly from the device or even change the device configuration with simple REST calls or Python scripts.
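As an added example of the RESTCONF calls the lab refers to (written for this page, not code from the DevNet lab or from Cisco), the Python below builds a RESTCONF request against an IOS-XE device using only the standard library, and parses a reply offline. It assumes the standard RESTCONF root /restconf/data/ and the IETF ietf-interfaces model with ietf-ip address augmentation, which IOS-XE supports; the hostname, credentials and the sample reply are constructed placeholders, so nothing is sent to a real device. The audit helper at the end flags enabled interfaces that carry no IPv4 address, a quick sanity check on an edge router's exposed ports.

```python
"""RESTCONF request construction and reply parsing for IOS-XE (added example)."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

YANG_JSON = "application/yang-data+json"   # RESTCONF JSON media type


def restconf_request(host: str, path: str, user: str, password: str,
                     method: str = "GET",
                     body: Optional[dict] = None) -> urllib.request.Request:
    """Build (but do not send) a RESTCONF request to https://host/restconf/data/path."""
    url = f"https://{host}/restconf/data/{path}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": YANG_JSON, "Authorization": f"Basic {token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = YANG_JSON
        data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def interface_path(name: str) -> str:
    """RESTCONF list keys go in the path, so '/' in the name must be escaped."""
    return "ietf-interfaces:interfaces/interface=" + urllib.parse.quote(name, safe="")


def description_patch(name: str, description: str) -> dict:
    """Body for a PATCH to interface_path(name): only the fields given are changed."""
    return {"ietf-interfaces:interface": {"name": name, "description": description}}


# Constructed sample of a GET ietf-interfaces:interfaces reply (placeholder
# values; not captured from a real IR1835).
SAMPLE_REPLY = json.loads("""
{"ietf-interfaces:interfaces": {"interface": [
  {"name": "GigabitEthernet0/0/0", "description": "uplink", "enabled": true,
   "ietf-ip:ipv4": {"address": [{"ip": "192.0.2.1", "netmask": "255.255.255.0"}]}},
  {"name": "GigabitEthernet0/0/1", "enabled": true, "ietf-ip:ipv4": {}},
  {"name": "Cellular0/4/0", "enabled": false, "ietf-ip:ipv4": {}}
]}}
""")


def summarize_interfaces(reply: dict) -> List[Dict[str, object]]:
    """Flatten the reply into one row per interface."""
    rows = []
    for intf in reply.get("ietf-interfaces:interfaces", {}).get("interface", []):
        addrs = intf.get("ietf-ip:ipv4", {}).get("address", [])
        rows.append({"name": intf["name"],
                     "enabled": bool(intf.get("enabled", False)),
                     "description": intf.get("description", ""),
                     "ipv4": [f"{a['ip']}/{a['netmask']}" for a in addrs]})
    return rows


def enabled_without_address(rows: List[Dict[str, object]]) -> List[str]:
    """Audit helper: enabled interfaces with no IPv4 address are live ports
    with no stated purpose and are worth reviewing on an edge router."""
    return [r["name"] for r in rows if r["enabled"] and not r["ipv4"]]


if __name__ == "__main__":
    req = restconf_request("ir1835.example.invalid", "ietf-interfaces:interfaces",
                           "developer", "PLACEHOLDER-PASSWORD")
    print(req.get_method(), req.full_url)
    rows = summarize_interfaces(SAMPLE_REPLY)
    for row in rows:
        print(row)
    print("enabled, no IPv4:", enabled_without_address(rows))
```

To run this against a real device you would pass the Request to urllib.request.urlopen and feed json.load of the response into summarize_interfaces; keep TLS verification on and use the device's management credentials from a secret store rather than a literal in the script.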

WebUI


Check out the user-friendly on-box Device Manager (WebUI) shown below. You can now easily navigate through the monitoring data, configuration, and settings of your industrial device from a browser window.

Graphical User interface on the IR1835

Source: cisco.com

Thursday 17 June 2021

Secure and Save with Cisco Secure Firewall Threat Defense Virtual


Simultaneously secure and save with new 7.0 features and subscription models

Organizations rely on Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv), Cisco’s proven network firewall with IPS, URL filtering, and malware defense that protects virtualized environments in private and public clouds.

In addition to the improved IPS performance with Snort 3 and the new support for Hyperconverged Infrastructure platforms, our 7.0 release brings a wealth of other visibility, management and performance enhancements. This includes two additional improvements for Secure Firewall Threat Defense Virtual: licensing enhancements that lower consumption cost, plus a much larger virtual appliance option, FTDv100, that provides increased performance with a 16-core CPU configuration.

Licensing enhancements

The capabilities of our virtual firewall offerings can be cost-effectively consumed with a new, flexible, tiered licensing model. By making the base software available as a subscription with 1-, 3-, and 5-year terms, customers benefit from a lower total cost of ownership. These subscriptions include basic online embedded support, further lowering ownership cost when compared to perpetual licenses. Further, subscriptions enable a shift in spending from CapEx to OpEx, and allow portability across on-prem and cloud deployments.

Additionally, we are introducing performance tiers for Secure Firewall Threat Defense Virtual, including a low entry price suitable for organizations of all sizes and requirements. With the performance-tier licensing model, customers can now pick and choose the tier that meets their throughput requirements. Throughput starts at 100Mbps and extends to 16Gbps. The performance-tiered licensing also provides different VPN session limit options, depending upon your deployment requirements.

Any of the licenses can be used on any supported configuration, allowing higher tier licenses on lower tier vCPU/memory configurations, for future expansion flexibility.

Table 1: Performance tiered license entitlements


Software upgrade considerations


For current deployments running 6.7 or below, the upgrade to 7.0 will, by default, maintain the variable license tier and use the non-tiered license entitlements. Customers can also choose a specific performance tier from their Cisco Smart Licensing account using the Firewall Management Center or the local Firepower Device Manager.

Customers who have an existing non-tiered license can continue to use all entitlements, including the new FTDv100 tier.

Figure 1: Tier Selection in Secure Firewall Management Center (FMC)


Public Cloud


Performance-tiered licenses can be applied and used on any supported platform, including public clouds like Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI), using the Bring Your Own License (BYOL) model.

The ability to use any of the performance-tiered licenses on any supported resource combination (i.e., vCPU/memory) enables virtual firewall licenses to be used on a wide variety of instance types across the AWS, Azure, GCP and OCI platforms.

Support


The Base and TMC subscriptions include 8x5 online support at no additional cost and also provide software upgrades.

Cisco Solution Support is also available for the Base and TMC subscription that provides 24X7 technical phone support and is the recommended level of support.

Source: cisco.com

Tuesday 15 June 2021

DNA Center Template Labs – Getting Started Series, Part 1

Prologue

Over the years, as new technology has been introduced, there has always been a barrier to adoption. While automation is powerful, we need to test it fully. Delays in getting started are typically caused by waiting on lab equipment; if it’s not lab equipment, it’s licensing or the time required to set up and cable the equipment. This, together with the development time, resources, and scheduling, makes the whole activity painful, and it typically creates a gap between the time a technology is launched and the time it is adopted. It also means there is a learning curve, which typically adds even more delay to adoption by organizations. This leaves one asking exactly how to get started with DNA Center Templates.

But what if there was a better way!

dCLOUD is a Cisco environment that provides curated content labs. dCLOUD gives the user a new way of experiencing the Cisco portfolio: it allows the user to try out new technology in a safe environment. It also saves time and removes shipping costs, licensing issues, and power and cooling needs, while still providing an environment to test various features and functions.

Overview

In this ongoing series, we will explain each of the labs. The labs are set up to help you learn more about templating, Plug and Play, and Day N automation, together with helpful labs and guided examples that can be downloaded and implemented within dCLOUD or modified for use in your own lab environment.

How?

Within dCLOUD, several sandbox-type labs are available. These self-contained environments are there to allow you to use them as you please within the time scheduled. This allows us a place to start practicing various concepts without fear of impacting production environments.

Therefore, to aid customers in the transition toward automation, we have put together a set of small helpful labs within a GitHub repository. Through them, we hope to demystify some of the complexities of setting up Plug and Play and guide customers through the complexities and caveats. These self-guided labs provide a glimpse into the fundamentals of building Velocity templates and provide examples that you can download and expand from. The sample templates and JSON files supplied are for easy import into DNA Center’s template editor for quicker adoption. Lastly, some scripts are ready-made excerpts of code that allow you to build the environment to test.

First, in a practical lab guide, we delve step by step into the concepts of building templates and methodologies for using both Onboarding and Day N templates. Second, we provide answers and explanations to many of the questions that come up during automation workshops. Our hope is that you find the information both helpful and informative, and that together this gives a well-rounded explanation of automation methods and concepts that can easily be expanded upon for production purposes.

The lab content is located within the existing DNAC-TEMPLATES repository to give a one-stop-shop for all the necessary tools, scripts, templates, and code samples. Within it are four labs, which build upon the tutorials allowing you to test the methods in a lab environment.

DNAC Template LABS

These labs aim to guide you through the typical steps required to enable the various automation tasks delivered by DNA Center. This lab will give examples of templates used in DNA Center that we can modify for our use and test on equipment within the LAB environment. Additional information within the lab provides a well-rounded explanation of Automation methods with Templates. Lastly, the lab allows for customers to use DNA Center workflows to practice deploying Onboarding, DayN Templates, and Application Policy automation on both Wired and Wireless Platforms.

The goal of this lab is for it to be a practical guide to aid engineers to rapidly begin using DNA Center automation and help them work towards a template strategy. Additionally, this lab will give customers a permanent place to try out the templates and include configurations for various use cases. This environment will enable engineers to reduce the time and effort needed to instantiate the network.

As a result, you will gain experience in setting up Plug and Play onboarding and templates. Additionally, you will use advanced templating methods and troubleshooting tools. These may help during faultfinding to determine what is failing in a deployment.

Please use this menu to navigate the various sections of this GitHub repository. Within the multiple folders are examples and explanatory README files for reference.

PnP Preparation – This lab explains the overall Plug and Play set up steps

Onboarding Templates – This lab explains in-depth and how to deploy Day 0 templates

Day N Templates – This lab will dive into Day N template constructs and use cases

Composite Templates – This lab will explore how to build a composite template on DNA Center.

We will share additional labs and content in an ongoing effort to fulfill all your automation needs with DNA Center.

dCLOUD as a LAB

To help customers succeed with DNA Center Automation, you may utilize the above labs as they have been designed to work within dCLOUD’s Cisco Enterprise Networks Hardware Sandbox v2.1 Lab. This allows you to run these labs and gives an environment to try the various code samples. You may choose to develop and export your own code for use in production environments. Also, this gives you an environment where you can safely POC/POV methods and steps without harming your own production environments. This also negates the need for shipping equipment, lead times, and licensing issues needed to get moving rapidly. Please do adhere to the best practices for the dCLOUD environment when using it.


The dCLOUD environment consists of the following:

Software:

DNA Center 2.1.2.5
Identity Services Engine (ISE) 3.0 (Not Configured)
Stealthwatch 7.1
FlowCollector 7.1
Cisco Prime Infrastructure 3.9
Wireless LAN Controller - C9800 running IOS-XE Amsterdam 17.3.3 code.
Windows 10 Jump Host 
Windows Server 2019 - Can be configured to provide identity, DHCP, DNS, etc.
Windows 10 Clients 

Hardware:

ISR 4451 Router - 17.3.3 IOS-XE Code
Catalyst 9300 Switch - 17.3.3 IOS-XE Code with Embedded Wireless Controller (EWC) and ThousandEyes Enterprise Agent
Catalyst 3850 Switch - 16.12.5 IOS-XE Code
4800 Access Points
Silex Controller (2 NICs)

The environment can be used with a web-based browser client for VPN-less access, as well as with the AnyConnect VPN client for those who prefer it. You may choose from labs hosted out of our San Jose and RTP facilities by selecting either US East or US West. Choose the Cisco Enterprise Network Sandbox v2.1 or 3.1. To access this or any other content, including demonstrations, labs, and training in dCLOUD, please work with your Cisco Account team or Cisco Partner Account Team directly. Your Account team will schedule the session and share it for you to use. Once booked, follow the guide within GitHub to complete the tasks, adhering to the best practices of the dCLOUD environment.

Source: cisco.com

Monday 14 June 2021

What’s New for DevNet Specialization?


The DevNet Specialization for Cisco’s Partners is constantly evolving. A couple of weeks ago, Chuck Stickney (DevNet Specialization Lead), together with Markus Lind (CEO, Miradot), had a great discussion in one of the Partner Interactive Webinars in Cisco’s Europe/Middle East/Africa/Russia region. One of the main topics was how Miradot – our first DevNet Specialized Partner – is applying DevNet to their solutions, and how DevNet is helping them transform their business and deliver successful outcomes to their customers.


There are 3 major areas through which DevNet enables business transformation:

◉ Agility, innovation, and speed

◉ Ecosystem innovation

◉ Team and processes

Empowering differentiation through APIs

One of the crucial points on the journey to business transformation is also empowering innovation and differentiation through APIs. During the webinar, attendees learned how APIs can apply to different use cases across different industries, including retail, healthcare, manufacturing, finance, and others. The skillset and knowledge that is reflected by DevNet Specialization can be fantastic proof to your customers that you can deliver innovative solutions that empower automation across their organizations.


Why become Specialized?


Markus Lind, CEO of Miradot, shared with us some insights into how his organization has benefited from achieving the DevNet Specialization. Why was that important? Being a small-sized partner company, they wanted to make sure they not only had a way to increase their market base, but also a way to make a change. They knew that amongst all the competition in their market, they needed something unique to differentiate themselves – which is when they started their journey to become DevNet Specialized.

How does it help them run the business on a daily basis?


Through the DevNet Specialization, Miradot has managed to have over 50% of their employees become DevNet Certified. They felt that to succeed and differentiate themselves from other partners, they had to find their niche. It turned out that the way to have better discussions with their customers is to embrace automation in their organization. Since becoming DevNet Specialized, Miradot has helped their customers define and navigate their infrastructure.

Source: cisco.com