Friday, 16 July 2021

Nanosecond Buffer Visibility with Hardware-Based Microburst Detection

What Are Microbursts and Why Do They Matter?

Ever wondered why a switch interface shows an average utilization of well below wire rate, and yet egress discards are incrementing? Most likely, that interface is experiencing microbursts. Often, when multiple input interfaces simultaneously receive traffic destined to a single egress interface – a so-called “incast” traffic pattern – no problem arises because the instantaneous receive rate is low enough that the output interface can handle the load.

The term “microburst” refers to the same situation, but where the receive rate of those interfaces in aggregate exceeds the wire rate of the output interface for some time. In this case, the excess traffic must be buffered. If enough such traffic arrives simultaneously, the buffer on the output interface can fill and potentially overflow, resulting in discards. Figure 1 illustrates the microburst concept.

Figure 1: Microburst Concept

In the example shown in Figure 1, three interfaces simultaneously receive a series of back-to-back packets with a minimum inter-packet gap (IPG). The destination must transmit those packets but can only transmit at the maximum rate of the output interface. In this case, all four interfaces are the same speed, so the transmit interface is forced to buffer the excess traffic. If the burst is short-lived, the transmit interface will eventually empty the buffer and only a small latency penalty is paid. But if these traffic bursts last long enough, the buffer can overflow, resulting in egress discards. While at times packet drops are benign or even productive – for example, random early drops that head off congestion buildup while avoiding TCP global synchronization – they can also negatively impact application performance, not to mention simply causing concern among network operations staff.

If egress interface discards are incrementing, how can it be confirmed that microbursts are indeed occurring, and if so, how often and how long-lived they are? Is congestion only occasional, or is a given interface perennially congested, which might warrant workload redistribution, configuration changes, or other action? Traditional methods such as monitoring interface counters do not offer the needed visibility – such counters are typically read by software at relatively long intervals (often 10 seconds or more) and therefore tend to “smooth out” bursty traffic patterns. That’s where the Cisco Nexus 9000 series Data Center switches come into the picture.

What Is Hardware-Based Microburst Detection and How Does It Work?


Cisco Nexus 9000 series Data Center switches, including both fixed-form-factor Nexus 9300-EX/FX/FX2/FX3/GX (as well as the 9364C and 9332C) and modular Nexus 9500-EX/FX/GX platforms, provide advanced hardware capabilities that make detecting and measuring microbursts easy. Based on custom Cisco silicon known as the Cloud Scale ASIC family, these switches provide granular per-interface per-queue monitoring for hard-to-identify traffic microbursts, for both unicast and multicast traffic.

Each queue is instrumented with trigger-based microburst measurement capabilities. When the buffer utilization for a monitored queue crosses a configurable “rising” threshold, the silicon captures the exact moment that threshold was reached using a nanosecond granularity timestamp; as the buffer continues to fill, the “peak” depth of that queue is recorded along with another timestamp; and finally, as the queue drains, a third and final timestamp is recorded as the queue drops below a “falling” threshold. The result is a series of raw records that looks like the output in Figure 2.

Figure 2: Raw microburst records (NX-OS)

Consuming Microburst Data for Analysis


Now that we’re able to detect when, how often, and how severe microburst activity is, what can we do with that data? Of course, you can always observe the burst data directly on the switch (running NX-OS software), using the “show queuing burst-detect” command. This option is the most basic and may suffice for certain situations – a quick spot check of activity on an interface or queue for example – but in most cases, you’ll want to retrieve the data from the switch for consumption and analysis by other systems.

The powerful streaming telemetry capability in NX-OS software offers an excellent option for getting microburst data off of the switching infrastructure and into other systems for further analysis, trending, correlation, and visualization. NX-OS software streams telemetry data using JSON or Google Protocol Buffer (GPB) encoding over a variety of transport options, allowing platforms provided by Cisco, third parties, or developed directly by IT to easily ingest and parse the data generated by the switching infrastructure.

The Cisco Nexus Dashboard Insights application easily handles configuration, consumption, and analysis of microburst data from one or more switch fabrics—both NX-OS based as well as ACI based—quickly alerting network operators of excessive microburst activity across the network. Figure 3 shows an example of a microburst-related anomaly generated by Nexus Dashboard Insights upon observing multiple microburst events occurring on a given interface over a short period of time.

Figure 3: Nexus Dashboard Insights Microburst Anomaly

As shown in Figure 3, Nexus Dashboard Insights not only identifies the device, interface, and queue experiencing microbursts, but also correlates those burst events to monitored flows traversing the interface that may have contributed to the burstiness, based on flows with the largest measured max burst values. This detailed information provides an unprecedented level of visibility into network behavior, enabling network operators to quickly identify and remediate congestion hot-spots network-wide.
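The analysis that Nexus Dashboard Insights performs on the per-queue rising/peak/falling records described above can be reproduced on a small scale once the records have been exported over streaming telemetry. The script below is an added example, not Cisco code: it validates a batch of burst records, summarizes each interface/queue (event count, deepest peak, longest burst, total congested time) and applies the same kind of rule the dashboard uses, flagging a queue when several bursts begin inside one short window. The sample records are constructed, and the field names (rise_ns, peak_ns, fall_ns, peak_bytes) are an assumption for this example rather than the NX-OS telemetry schema; map them to the real model paths when feeding live data.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of streamed burst records. The field names are an
# assumption for this example, not the NX-OS telemetry schema. The last
# record is deliberately malformed (falling timestamp before rising).
SAMPLE_TELEMETRY = json.dumps([
    {"interface": "Ethernet1/1", "queue": 0, "rise_ns": 1_000_000_000,
     "peak_ns": 1_000_050_000, "fall_ns": 1_000_200_000, "peak_bytes": 1_200_000},
    {"interface": "Ethernet1/1", "queue": 0, "rise_ns": 1_030_000_000,
     "peak_ns": 1_030_020_000, "fall_ns": 1_030_150_000, "peak_bytes": 900_000},
    {"interface": "Ethernet1/1", "queue": 0, "rise_ns": 1_060_000_000,
     "peak_ns": 1_060_080_000, "fall_ns": 1_060_400_000, "peak_bytes": 2_100_000},
    {"interface": "Ethernet1/1", "queue": 0, "rise_ns": 1_090_000_000,
     "peak_ns": 1_090_010_000, "fall_ns": 1_090_100_000, "peak_bytes": 700_000},
    {"interface": "Ethernet1/2", "queue": 3, "rise_ns": 2_000_000_000,
     "peak_ns": 2_000_030_000, "fall_ns": 2_000_090_000, "peak_bytes": 500_000},
    {"interface": "Ethernet1/3", "queue": 0, "rise_ns": 3_000_000_000,
     "peak_ns": 3_000_000_500, "fall_ns": 2_999_999_000, "peak_bytes": 100_000},
])

Key = Tuple[str, int]  # (interface, queue)


@dataclass(frozen=True)
class Burst:
    interface: str
    queue: int
    rise_ns: int     # queue depth crossed the rising threshold
    peak_ns: int     # deepest point of the burst
    fall_ns: int     # queue drained below the falling threshold
    peak_bytes: int

    @property
    def duration_ns(self) -> int:
        return self.fall_ns - self.rise_ns


def parse_records(raw: str) -> Tuple[List[Burst], int]:
    """Decode records, dropping any whose timestamps are not rise <= peak <= fall."""
    bursts, rejected = [], 0
    for rec in json.loads(raw):
        try:
            b = Burst(str(rec["interface"]), int(rec["queue"]), int(rec["rise_ns"]),
                      int(rec["peak_ns"]), int(rec["fall_ns"]), int(rec["peak_bytes"]))
        except (KeyError, TypeError, ValueError):
            rejected += 1
            continue
        if not (b.rise_ns <= b.peak_ns <= b.fall_ns) or b.peak_bytes < 0:
            rejected += 1
            continue
        bursts.append(b)
    return bursts, rejected


def _by_queue(bursts: List[Burst]) -> Dict[Key, List[Burst]]:
    groups: Dict[Key, List[Burst]] = defaultdict(list)
    for b in bursts:
        groups[(b.interface, b.queue)].append(b)
    return groups


def summarize(bursts: List[Burst]) -> Dict[Key, Dict[str, int]]:
    """Per interface/queue: how many bursts, how deep, how long, and total congested time."""
    return {
        key: {
            "events": len(items),
            "max_peak_bytes": max(b.peak_bytes for b in items),
            "max_duration_ns": max(b.duration_ns for b in items),
            "congested_ns": sum(b.duration_ns for b in items),
        }
        for key, items in _by_queue(bursts).items()
    }


def flag_anomalies(bursts: List[Burst], window_ns: int, min_events: int) -> Dict[Key, int]:
    """Flag queues with at least min_events bursts starting inside any window_ns span.

    Sliding window over the sorted rising timestamps; the value is the densest count seen.
    """
    flagged: Dict[Key, int] = {}
    for key, items in _by_queue(bursts).items():
        rises = sorted(b.rise_ns for b in items)
        lo, densest = 0, 0
        for hi, t in enumerate(rises):
            while t - rises[lo] > window_ns:
                lo += 1
            densest = max(densest, hi - lo + 1)
        if densest >= min_events:
            flagged[key] = densest
    return flagged


if __name__ == "__main__":
    parsed, bad = parse_records(SAMPLE_TELEMETRY)
    print(f"{len(parsed)} bursts parsed, {bad} rejected")
    for key, stats in summarize(parsed).items():
        print(key, stats)
    print("anomalies:", flag_anomalies(parsed, window_ns=1_000_000_000, min_events=3))
```

The window and event-count thresholds are the knobs to tune: a one-second window with three events catches the four closely spaced bursts on Ethernet1/1 in the sample while leaving the single burst on Ethernet1/2 alone, and the "congested_ns" total is what separates a perennially congested queue from an occasional one.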

Key Takeaways


Sometimes, the whole is greater than the parts – that’s certainly the case with the advanced hardware capabilities of Cisco Nexus 9000 series switches, the standards-based streaming telemetry provided by NX-OS, and the cutting-edge microservices-based Day 2 Operations functions provided by the Nexus Dashboard Insights application. Together, these technologies greatly simplify the process of identifying congestion in the network before it becomes a significant problem, making network operations teams more productive and more effective than ever before!

Source: cisco.com

Thursday, 15 July 2021

Reinventing Small to Medium Wi-Fi 6 Deployments


As many organizations are looking at wireless refreshes that include both expansion and upgrades to Wi-Fi 6, those with small, medium or branch locations have some cool (and very useful) new options to consider and should seriously rethink the deployment model.

Historically, small, medium and branch wireless deployments have been an operational challenge for many organizations. Some of those challenges include:

◉ Solution cost, including procurement, deployment, and maintenance

◉ Management complexity

◉ Lack of visibility into the user experience

◉ Limited feature sets, including security limitations, that force a compromise on features in smaller sites to uphold cost effectiveness

◉ Approaching smaller sites as home Wi-Fi setups for lack of better solutions

I wanted to emphasize that size does not matter, meaning that deployments at smaller locations can easily represent significant cash flow where user experience is key. I have personally struggled in the past with the need to purchase multiple wireless controllers for sites with 10 to 20 access points.

Today, things are looking a little different for smaller enterprise-grade deployments. Cisco’s latest enhancements to the Cisco Embedded Wireless Controller (EWC) licensing model mean it’s easy and cost-effective to deploy these smaller networks without the need for a physical or even a cloud-based controller. Some might say it’s a game changer, and for those with small to medium wireless deployments of up to 100 access points, it really is.

It is important to note that 100 access points is a large site. In my opinion, most deployments will consist of a handful of access points but it’s good to know the EWC can scale up to 100 APs if needed. Add in Cisco’s recent announcement that AireOS is going into sunset mode and you can see why EWC is a much-needed solution to support smaller sites. It also provides an exit strategy for some of the smaller site controllers like the 2504.

Full featured wireless controller integrated into the AP

As stated earlier, I think it is time to reinvent how we think about and deploy these smaller wireless networks. With EWC we have the full enterprise features and management capabilities of a standalone (HA-capable) controller integrated into the Cisco Catalyst 9100 series access points. Previous embedded solutions were somewhat cumbersome to use and lacked feature parity; I know this because I’ve used them. With the latest EWC capabilities, Cisco really scored a home run that’s worthy of a closer look.

The EWC leverages the same IOS-XE software that runs on the Cisco Catalyst 9800 wireless controllers, so what you get is essentially a controller without the appliance or its licenses. Beyond supporting Catalyst APs, the EWC also supports many of Cisco’s existing 802.11ac Wave 2 access points, including the 18xx, 28xx, 38xx and 48xx. While these Aironet APs can be part of the EWC network serving clients, they cannot function as the EWC controller; that privilege is reserved for the Catalyst 9100 series access points.

With the EWC you can move to the new 9800 platform and still make use of your older access points.

Getting started

I find it’s best to start by adding two Catalyst 9100 EWC access points to your network as an HA controller pair. This gives you the flexibility to upgrade the rest of the access points as needed, on your timeline and budget. Making the migration process even easier, the EWC GUI has a configuration conversion utility that allows you to take your AireOS configuration and migrate it to the new Catalyst 9800 wireless controller platform configuration; it’s a quick process that saves a ton of time and effort. What makes this solution especially cool is that the EWC access points can be used as both a controller and to service clients, without any noticeable lag or experience issues.


Requirements and settings

The EWC deployment resembles FlexConnect local switching mode: the controller handles only the control plane, and client data is switched locally by each access point onto the network. If you use AAA VLAN override or multiple VLANs, the access point’s switch port must be configured as a trunk.

While you can run the EWC network with a single access point, installing at least two Catalyst EWC-capable access points automatically enables High Availability mode, so the wireless network continues to operate and remains fully manageable if one of the EWC access points becomes unavailable.

Now, given that the EWC is running the Cisco Catalyst 9800 software, you have full access to all the enterprise features you would expect. This includes Cisco DNA Center for management, monitoring, Assurance and AI/ML analytics, and DNA Spaces for location services and engagement. For sites with higher security requirements, Cisco Umbrella is also available. Please note that these capabilities do not come standard with the EWC and require additional licensing and, in the case of DNA Center, a physical appliance.

What else is exciting, is that with the purchase of DNA licensing, you can turn on the multi-site management feature. This means that you can have multiple sites each with at least one EWC access point and manage them as a single network across all sites. This allows for some level of wireless service survivability if one of the sites loses connectivity to the WAN but still has Internet access. Multisite capabilities can also create a uniform user experience across all sites.


What comes standard with the EWC is a host of tools that make setting up and maintaining your small but critical wireless network easy and cost-effective, while providing Cisco enterprise-class features, security, and reliability.

Source: cisco.com

Wednesday, 14 July 2021

How Cisco Cloud Application Centric Infrastructure (Cloud ACI) powers Application Service Chaining


In the blog titled Power of Cloud Application Centric Infrastructure (Cloud ACI) in Service Chaining, we talked about how cloud ACI provides an elegant solution for lifecycle management of native load balancers in the public cloud. We also looked at a simple use case of a Firewall insertion before traffic hits the application load balancer. In this blog, we will look at more complex use-cases that we can solve using a comprehensive service chaining framework with Cisco ACI.

Protect your workloads with seamless Firewall insertion

With security a top-of-mind concern in the public cloud, customers want traffic inspection not just for traffic entering their cloud-hosted applications from the internet, but also for traffic within the public cloud, namely across VPCs (AWS) or VNETs (Microsoft Azure). Take the example of a customer running each application in a different virtual network in Azure. Traffic from the web application in the Web VNET needs to be inspected before it is sent to the backend application running in the App tier VNET. This typically means inserting a firewall, Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) device in the path between the two applications. Traffic sent by the web application must be redirected to the IDS/IPS and forwarded to the backend application only if the inspection device deems it acceptable.

Cloud ACI seamlessly automates not just the networking but also the security group configuration all the way from the Web tier servers to the App tier servers and everything in between based on the service chain and the contract between the two applications. The inspection devices (IPS/IDS) are typically behind a network load balancer to cater for high availability. The topology would look like below:


In the diagram above, the backend application is fronted by an application load balancer, called an application gateway (AGW) in Azure. Remember that the web servers are talking to the Virtual IP (VIP) of the backend application hosted by the AGW and have no idea about the firewall. So, how do we insert the firewall in the path between the two applications?

Realize the full potential of Cloud ACI


Cloud ACI provides a truly innovative way for customers to achieve this by providing a very flexible model of configuring a service graph. Create a service graph by adding the network load balancer (NLB), the firewall and the application load balancer specifying the service chain. While adding the NLB, the service graph lets you specify a “redirect” option on the consumer and provider connectors. By selecting this option, traffic from the Web VNET destined to the application tier will be redirected to the NLB. Similarly, the return flow from the APP tier to the Web will also flow via the NLB.

Cloud ACI achieves this by automatically programming a User-defined route (UDR) in the Web VNET route table. The route points to the NLB VIP as the next-hop for traffic destined to the AGW VIP, as shown in the below diagram.


The firewalls are typically deployed in one-arm mode for this use case. The UDR installed in the Web VNET redirects traffic destined to the application VIP 12.1.0.10 via the NLB. The solution uses the HA ports configuration of the Azure NLB, which passes all traffic it receives to the backend regardless of port or protocol, so the NLB forwards everything it receives from the web servers to the firewall. After inspection, the firewall sends the traffic on to the actual destination, 12.1.0.10. Notice that in this flow the source and destination IP addresses of the packet do not change: the source remains the web server IP and the destination the AGW VIP. There is no network address translation, so debugging flows just got a lot easier. Because there is no NAT, the return traffic must be steered through the same NLB and firewall, as described above for the App-to-Web direction; otherwise a stateful firewall would see only half of the flow. Cloud ACI also creates and programs the Network Security Group at every hop of this flow.
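The redirect described above works because of how Azure selects a route: longest prefix first, and, among routes with the same prefix length, a user-defined route beats the system route. The model below is an added example, not Cloud ACI code; it reproduces that selection for a Web VNET whose only UDR is the /32 for the AGW VIP, shows that other App VNET hosts still follow the peering route, and checks the point a practitioner cares about most: that both directions of the flow resolve to the NLB, which is what a stateful firewall needs. Only the VIP 12.1.0.10 comes from the write-up; the NLB VIP, the VNET address spaces, the hub VNET holding the NLB and firewalls, and the App-side return UDR are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str               # VnetLocal, VNetPeering, Internet or VirtualAppliance
    next_hop_ip: Optional[str] = None
    origin: str = "System"           # Azure system route, or a user-defined route ("UDR")

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal length a UDR overrides the system route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, r.origin == "UDR"))


def next_hop(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    route = lookup(table, dst)
    return ("None", None) if route is None else (route.next_hop_type, route.next_hop_ip)


# Only the AGW VIP 12.1.0.10 comes from the write-up; every other address is assumed.
AGW_VIP = "12.1.0.10"
NLB_VIP = "10.10.0.100"     # internal NLB fronting the one-arm firewalls, in a hub VNET
WEB_SERVER = "10.1.0.25"
WEB_SPACE, APP_SPACE, HUB_SPACE = "10.1.0.0/16", "12.1.0.0/16", "10.10.0.0/16"


def system_routes(local: str, *peers: str) -> List[Route]:
    """The routes Azure installs on its own for a VNET peered with the given spaces."""
    return ([Route(local, "VnetLocal")]
            + [Route(p, "VNetPeering") for p in peers]
            + [Route("0.0.0.0/0", "Internet")])


# Web VNET: the /32 UDR is the equivalent of what Cloud ACI programs for the redirect.
WEB_VNET = system_routes(WEB_SPACE, APP_SPACE, HUB_SPACE) + [
    Route(AGW_VIP + "/32", "VirtualAppliance", NLB_VIP, origin="UDR"),
]
# App VNET without a return-path UDR (an incomplete manual setup) ...
APP_VNET_NO_RETURN = system_routes(APP_SPACE, WEB_SPACE, HUB_SPACE)
# ... and with one (assumed), so replies to the web subnet also pass through the NLB.
APP_VNET = APP_VNET_NO_RETURN + [
    Route("10.1.0.0/24", "VirtualAppliance", NLB_VIP, origin="UDR"),
]


def inspected_both_ways(web_table: List[Route], app_table: List[Route],
                        web_ip: str, vip: str, appliance_ip: str) -> bool:
    """A stateful firewall must see both halves of the flow: check each direction's next hop."""
    forward = next_hop(web_table, vip)
    reverse = next_hop(app_table, web_ip)
    return forward == reverse == ("VirtualAppliance", appliance_ip)


if __name__ == "__main__":
    print("web -> AGW VIP:", next_hop(WEB_VNET, AGW_VIP))
    print("web -> other App host:", next_hop(WEB_VNET, "12.1.0.50"))
    print("AGW -> web (with return UDR):", next_hop(APP_VNET, WEB_SERVER))
    print("symmetric:", inspected_both_ways(WEB_VNET, APP_VNET, WEB_SERVER, AGW_VIP, NLB_VIP))
    print("symmetric without return UDR:",
          inspected_both_ways(WEB_VNET, APP_VNET_NO_RETURN, WEB_SERVER, AGW_VIP, NLB_VIP))
```

Running it shows the forward path pinned to the NLB by the /32 UDR while 12.1.0.50 still takes the peering route, and that dropping the App-side UDR makes the flow asymmetric, which is the first thing to check when a redirected connection stalls after the SYN.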

This enables full automation of your cloud network and security policies. And, this works even if the Web and App VNETs are in different regions. No more manual configuration of these complex service chains in your network!

Source: cisco.com

Tuesday, 13 July 2021

Pass Cisco 300-415 ENSDWI Exam with Practice Tests to Get Inviting Career Benefits

The CCNP Enterprise certification prepares the applicants to deal with the professional-level tasks and provides them the opportunity to choose a specialization they require. To achieve this Cisco certification, they have to pass two exams, one of which should be a CCNP Enterprise concentration exam. There are six of them in total, but in this post, we will be focusing on the CCNP Enterprise 300-415 ENSDWI exam.

Cisco 300-415 ENSDWI Exam Details

The 300-415 exam is specifically aimed at evaluating one's skills concerning the Cisco SD-WAN solution. It covers quality of service, SD-WAN architecture, and deployment of edge routers, policies, and security features. Additionally, you need to know about controller deployment, operations, management, and multicast. It is one of the qualifying exams for earning the CCNP Enterprise and Cisco Certified Specialist – Enterprise SD-WAN Implementation certifications.

The potential applicants for this exam must have a solid hold of the concepts of software-defined networking, enterprise-wide area network design, and routing protocol operation, along with IPSec and transport layer security.

Cisco 300-415 ENSDWI Exam: Domains to Master

This certification exam includes a broad range of topics, and before taking it, the applicants must have a profound knowledge of these domains. To pass Cisco 300-415 ENSDWI, you must master all the following subjects:

  • Architecture (20%)
  • Deploying Controller (15%)
  • Deploying Edge Routers (20%)
  • Policies (20%)
  • Security and Service Quality (15%)
  • Administering and Operations (10%)

Be sure that you have covered all these objectives and don't overlook any. As for the number of 300-415 ENSDWI exam questions, there will be about 60 of them, although the exact number is not defined by Cisco. You will have to answer all of them in 90 minutes. They can be of various formats and are offered in two languages: English and Japanese. You can schedule the exam through Pearson VUE, and the Cisco 300-415 exam cost is $300.

Appropriate Resources for Cisco 300-415 ENSDWI Exam Prep

Preparation is the prime phase of the entire certification process, and it is the most tiresome and difficult stage. For many applicants, it can be even more difficult than the exam itself: the Cisco 300-415 ENSDWI exam lasts 90 minutes, while preparation can go on for three to four months or more. It depends on the person, though. For other applicants, exam day is the most strenuous time of the entire month, a source of constant stress. Either way, thorough learning is the best defense against both.

Must Read: Make Passing Cisco 300-415 ENSDWI Exam Your Next Goal

Hence, you require a solid plan that will follow your learning style, a stack of prep resources, and a lot of time. Furthermore, don't forget to add some practice tests from third-party platforms. They will help you acquire some knowledge of taking the certification exams and answer all the questions in time.

Once the entire process is outlined and scheduled, then the applicant should repeat the process and check performance till they sit for the actual exam. They will learn more competently and find themselves fortunate enough to pass the 300-415 ENSDWI exam on their first try when they appear in the exam.

Benefits of Passing CCNP Enterprise 300-415 Exam And Earning Relevant Certification

The value of Cisco certifications has reached unexpected heights, and here are the advantages and perks of earning their certifications.

  • It will strengthen your technical knowledge and perceive the business and technical problems the organization has to confront.
  • It provides credibility and responsibility when you are recruited for a higher position in a leading organization.
  • Being CCNP Enterprise certified, you become the first choice for promotion. Eventually, if you are seeking a new job, you become a sought-after applicant. Furthermore, your significance in the market is enhanced when you pass this Implementing Cisco SD-WAN Solutions exam and move to the next step of the Cisco certification journey.

Potential Jobs You Can Get With Cisco 300-415 Certification

If you pass the 300-415 ENSDWI exam and get the associated certification, you will be able to land one of the following positions:

  • System Installer
  • System Integrator
  • Network Administrator
  • Solutions Designer

Summary

The Cisco 300-415 exam is quite challenging indeed. It can get you many advantages and brilliant job prospects. Though good things come with obstacles, so make sure that you prepare for this Cisco exam with great consideration.

Enhanced Visibility is Key to Improved Cybersecurity at Your Manufacturing Site


Visibility is a key to success across a wide range of disciplines. If you’re a basketball fan like me, you know that visibility is important when a player makes an alley-oop pass to his teammate in an NBA game.  It’s even more important for high-risk operations like landing an aircraft in the fog. Now imagine how essential visibility is for securing a manufacturing site.

When you can’t see what’s happening on your network, keeping your manufacturing site secure and addressing today’s threat detection landscape can be difficult-to-impossible. Visibility into your IT and your operational technology (OT) assets helps to answer these critical questions:

◉ What assets are on your network? What is their level of criticality?

◉ Which assets communicate with other assets and what are they saying?

◉ Which assets are vulnerable and need extra attention?

Essentially, manufacturers need enhanced visibility to see things before they happen, swiftly respond during events and access ongoing insights regarding the state of their environment. Unfortunately, many manufacturers today lack visibility into the assets on their industrial network.

This lack of visibility may severely impact the implementation of cybersecurity best practices and risk mitigation plans.

Visibility Matters

Enhanced visibility includes:

◉ Asset inventory and vulnerability management

◉ Network segmentation to limit threat spreading

◉ Critical event tracking

◉ Focusing threat detection on where it matters

According to a Forrester Study, 55 percent of industrial organizations have little or no confidence that they know what devices exist in their industrial network. In addition, 76 percent of manufacturers believe their current security practices may be inadequate. Many do not believe they could contain, eradicate, and recover from a breach.

This cybersecurity risk expands as industrial systems become more connected, for instance as companies pursue digital transformation. For example, 66 percent of manufacturers have already experienced a cybersecurity incident impacting their industrial control systems (ICS). Anyone watching the nightly news can see that there is a growing number of cybersecurity attacks occurring in critical infrastructure.

Unfortunately, manufacturers are getting breached because appropriate cybersecurity practices are not in place. For some, this results from the expansion of manufacturing systems over the years through acquisitions, leaving several legacy systems on the plant floor. For others, the loss of knowledge as experienced workers leave contributes to cybersecurity vulnerability. The trend toward remote workers, and facilities that are now connected to their supply chains rather than isolated, only adds to the threat surface.

Chuck Robbins, Cisco CEO, during his RSAC 2021 keynote put the risk this way: “If we think about cybercrime like we think about the GDP of companies, it would be the third largest economy in the world after the US and China with $6 trillion in global damages. And we all know the real cost is not being able to run our businesses or the reputational damage that you suffer and the impact on your organization in the future.”

Put simply, how can you secure an environment if you don’t know what’s connected? Gaining visibility is key to building and maintaining a detailed asset inventory, managing vulnerabilities, and segmenting networks to limit threat spreading. Visibility also lets you focus threat detection where it really matters so that you can track critical events before it’s too late.

Leaders in IT and OT security work together to help enhance your visibility

Cisco – a global leader in industrial networking and security – and Rockwell Automation – a global leader in industrial control, power and information systems – continue to combine forces to lead digital transformation for The Connected Enterprise. And now, Rockwell Automation is expanding its threat detection services offerings by adding Cisco Cyber Vision to its portfolio.

“We are excited to continue growing our strategic alliance offerings with Cisco,” said Angela Rapko, director, Portfolio & Business Management–Customer Support and Maintenance (CSM), Rockwell Automation. “The addition of Cisco Cyber Vision to our cybersecurity threat detection services portfolio benefits our customers by expanding the integration between the Rockwell Automation and Cisco ecosystems, particularly around cybersecurity.”

Proactive approach to industrial cybersecurity

To help industrial customers improve their security postures, Rockwell Automation offers a portfolio of world-class industrial cybersecurity services (Figure 1). These services follow the NIST Cybersecurity Framework. At a high level, they help customers build a more secure, robust, future-ready network for their connected enterprises by providing assessment, design, implementation, and monitoring solutions.

Figure 1: Rockwell Automation cybersecurity framework

By leveraging Rockwell services to implement Cisco solutions, our customers can realize ‘best of both worlds’ benefits. The OT domain expertise from Rockwell helps to improve security posture in the manufacturing environment while mitigating potential risks to production. In parallel, leveraging Cisco solutions in the OT space provides maximum integration with existing Cisco-based infrastructure on the IT side, making it easier for IT to manage and maximize investments as part of a holistic enterprise approach to security.

Rockwell Automation uses Cisco Cyber Vision to deliver improved visibility


To help improve customers’ visibility into their networks, Rockwell Automation has added Cyber Vision as part of its visibility and threat detection services portfolio. Cisco Cyber Vision helps customers maintain the integrity of their plant assets and protect them against cybersecurity threats as part of an overall cybersecurity threat defense. Cyber Vision provides full visibility into industrial control systems including identifying device vulnerabilities, tracking critical events, detecting abnormal behaviors as well as cyber threats. It feeds IT security tools with all this OT context to easily build security policies and accelerate incident response. Whether you are a Rockwell customer, a Cisco customer or a joint customer of ours already, you can benefit from these new solutions and services.

By providing full visibility, Cisco Cyber Vision helps customers build zones and conduits by:

◉ Automatically discovering all the assets connected on a network, as well as the logical relationships between them

◉ Enabling OT users to group assets based on knowledge of the underlying process and overall security requirements

◉ Aggregating traffic flows into conduits, which then receive segmentation policies


By improving visibility, Cisco Cyber Vision also helps customers to detect threat vectors by identifying behavioral changes within the communication patterns on the network.

Improved visibility helps OT, IT, and Security Operations (CISO) work better together:

◉ OT keeps production going and improves uptime.

◉ IT implements cybersecurity best practices.

◉ CISO builds and enforces OT security policies without disrupting production.

Finally, improved visibility helps to establish a more collaborative workflow between IT and OT, creating a more common ground for them to work together and collaborate. IT and OT work on the same representation of the industrial network but from different points of view:

◉ From a network hygiene viewpoint, IT provides cybersecurity best practices and a perspective on threat detection.

◉ With its knowledge of the industrial process, OT understands which assets are the most critical and whether or not a particular event represents a threat within a certain context.

In short, IT, OT, and CISO must work together to deliver enhanced security through visibility. Just like two basketball players executing an alley-oop pass, improved visibility is a key to enabling their successful collaboration.

Source: cisco.com

Monday, 12 July 2021

Building a scalable RAVPN architecture in Oracle Cloud Infrastructure using Cisco Secure Firewall


Oracle Cloud Infrastructure (OCI) provides a wide range of cloud-computing services, workloads, and applications to organizations globally. With Cisco Secure Firewall, organizations are able to build a scalable RAVPN architecture on OCI, providing employees secure remote access to their organization’s resources from any location or endpoint.

This scalable architecture brings together Cisco Security and OCI Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with the combination of Cisco Duo, Cisco Umbrella, and AMP Enabler, also known as Cisco Secure Remote Worker. Extended to your OCI environment, the solution spans multiple regions and multiple availability domains.

◉ Cisco AnyConnect Secure Mobility Client – Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization.

◉ Cisco Duo – Multi-factor authentication from Duo protects the network by using a second source of validation and authentication.

◉ Cisco Umbrella Roaming Security Module – Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. It enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port.

◉ Cisco AnyConnect AMP Enabler – Cisco AnyConnect AMP Enabler module protects against malware.

Organizations can deploy Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv) and Cisco Secure Firewall ASA Virtual (formerly ASAv) in the OCI environment to enable a secure connection back to the application in the cloud. Traditionally, firewalls scale using clustering but, in the cloud, due to abstraction of layer-2, it is not possible to implement native high-availability and native firewall clustering.

Architects can still design a scalable architecture using cloud components like Oracle’s Network Load Balancer (NLB) and DNS.

◉ Design 1 – Load balance RAVPN sessions to multiple firewalls using OCI DNS service

◉ Design 2 – Load balance RAVPN sessions to multiple Cisco Secure Firewalls using OCI network load balancer service

◉ Design 3 – Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer

Note: Each firewall uses a unique VPN pool, and the OCI route table points to the respective firewall for the VPN pool.

Load balance RAVPN sessions to multiple firewalls using OCI DNS service

In this architecture, we have deployed multiple firewalls in multi-availability domains. OCI DNS service provides a mechanism for RAVPN load balancing.

◉ DNS provides an FQDN (example.vpn.com)

◉ DNS has “A” record for each firewall

◉ DNS monitors the health of each firewall using probes

◉ DNS receives DNS query for FQDN and replies with the public IP address of the Cisco Secure Firewall

◉ The user connects directly to Cisco Secure Firewall

Figure1: Scalable RAVPN architecture using Cisco Secure Firewall and OCI DNS

Load balance RAVPN sessions to multiple Secure Firewall virtual appliances using OCI network load balancer service

In this architecture, we have deployed multiple firewalls in multi-availability domains. OCI NLB provides a mechanism for RAVPN load balancing.

◉ The user configures the IP address of the load balancer as the VPN headend in the AnyConnect client.
◉ OCI NLB receives the SSL VPN session request and load-balances it using two-tuple hashing.
◉ The user connects to Cisco Secure Firewall.

Figure2: Scalable RAVPN architecture using Cisco Secure Firewall and OCI Load Balancer
 
Load balance RAVPN sessions across multiple regions using OCI DNS and a network load balancer

In this architecture, we have deployed multiple firewalls in multi-availability domains and multi-regions. OCI NLB and DNS provide a mechanism for RAVPN load balancing.

◉ At the region level, OCI NLB load balances traffic using two-tuple load balancing (same as Figure 2)
◉ At the multi-region level, OCI DNS load balances traffic using DNS weighted average (same as Figure 1)
◉ DNS provides an FQDN (example.vpn.com)
◉ DNS has an “A” record for each firewall
◉ DNS monitors the health of each OCI NLB
◉ DNS receives the DNS query for the FQDN and replies with the public IP address of an OCI NLB
◉ The user connects to the OCI NLB, which load balances the SSL VPN session using the two-tuple method.

Figure3: Multi-Region scalable RAVPN architecture using Cisco Secure Firewall, OCI Load Balancer and DNS
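The three steps of the multi-region design (weighted DNS across regions, two-tuple NLB hashing within a region, and the per-firewall VPN pool that the route table uses for the return path, as in the Note above) modelled in Python. This is an added example, not Cisco or Oracle code; the topology, addresses, pool ranges, DNS weights and the SHA-256 hash used to stand in for the NLB's two-tuple hash are all constructed assumptions.

```python
import hashlib
import ipaddress
import random
from dataclasses import dataclass

@dataclass
class Firewall:
    name: str
    public_ip: str
    vpn_pool: str          # unique per firewall, as the Note above requires
    healthy: bool = True

@dataclass
class Region:
    name: str
    nlb_ip: str
    weight: int            # DNS weight used for the multi-region step
    firewalls: list

REGIONS = [  # constructed topology; documentation address ranges, not real ones
    Region("region-a", "203.0.113.10", 70, [
        Firewall("ftdv-a-1", "203.0.113.11", "10.10.1.0/24"),
        Firewall("ftdv-a-2", "203.0.113.12", "10.10.2.0/24")]),
    Region("region-b", "198.51.100.10", 30, [
        Firewall("ftdv-b-1", "198.51.100.11", "10.20.1.0/24")]),
]

def dns_answer(regions, rng=random):
    """DNS step: weighted choice among regions whose NLB still has a healthy firewall."""
    live = [r for r in regions if any(fw.healthy for fw in r.firewalls)]
    if not live:
        return None
    return rng.choices(live, weights=[r.weight for r in live])[0].nlb_ip

def nlb_pick(region, client_ip):
    """NLB step: hash of the two-tuple (client IP, NLB IP) pins a client to one firewall."""
    backends = [fw for fw in region.firewalls if fw.healthy]
    if not backends:
        return None
    digest = hashlib.sha256(f"{client_ip}|{region.nlb_ip}".encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]

def return_path(regions, assigned_ip):
    """Route-table step: the VPN pool containing the assigned address names the firewall."""
    addr = ipaddress.ip_address(assigned_ip)
    for r in regions:
        for fw in r.firewalls:
            if addr in ipaddress.ip_network(fw.vpn_pool):
                return fw.name
    return None
```

Marking a firewall unhealthy shows why the pools must be unique: the NLB re-hashes new sessions onto the remaining firewall, while return traffic for an address already assigned still routes back to the firewall that owns that pool.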

Source: cisco.com

Saturday, 10 July 2021

Intelligent Capture: The Magic Goggles for Wireless Troubleshooting


The COVID-19 outbreak has proved that the internet is not a luxury but a basic necessity. The internet has become an ever more crucial link in adapting to the new normal, and Wi-Fi usage is seeing an unprecedented surge. With networks getting so big and complex, managing them is becoming more and more difficult. Wi-Fi troubleshooting is one of the crucial challenges faced by network admins, involving complex data collection from various sources, followed by intense analysis of a huge amount of data to resolve the problem.


What if you possessed a pair of magic goggles?

Goggles that offer a 360-degree view of the network.

Goggles with see-through power to uncover the cause of a problem.

Goggles with foresight to predict an issue even before it occurs.

Introducing Intelligent Capture

Intelligent Capture is a built-in, enhanced issue detection and root-cause-analysis forensic capture solution, which makes the wireless troubleshooting process a lot easier with the ready-to-use packet captures, historical data charts, and self-diagnosed anomaly events.


As the name says, this data is intelligent: it masks the complexities of Wi-Fi troubleshooting by presenting the right, relevant data so that issues can be root-caused faster, even if the client roams between access points.

Solution Components – The Three Gears

The Intelligent Capture solution comprises Cisco DNA Center, Wireless LAN Controllers, and Cisco Access Points.

Design: The Cisco DNA Center offers a centralized, intuitive management system that makes it fast and easy to design, provision, and apply the policies on the controllers.

Deploy: The WLAN Controller deploys and manages the policies across the access points.

Operate: The Access Points operate on the policies by streaming critical data to the Cisco DNA Center, where it is correlated with events from the controller, offering a 360-degree view of the network.

The Cisco DNA Center's intuitive UI provides end-to-end network visibility and live technical insight into various wireless metrics from both the client and access point perspective.

Solution Categories – The Two Faces

The Intelligent Capture solution is offered under two categories.

◉ AP Stats Capture: Always-on real-time RF monitoring service that offers an in-depth analytical view of various wireless metrics related to an AP’s radio. The trend view of historical metrics gives insight into why users experience poor signal, low throughput, and onboarding failures.

◉ Spectrum Analysis: On-demand service that renders charts on channel and interference, detailing the spectrum activity in the RF environment surrounding an AP.

◉ Live Capture: On-demand service, needed for troubleshooting a client onboarding failure in real time. This solution captures the management frames when a client joins and leaves the network. In addition to the packet capture, the access point also offers client statistics at a 5-second frequency for easy root cause analysis. This feature can target up to 16 clients at once.

◉ Scheduled Capture: On-demand service, required to triage a client join issue that occurs recursively at a specific time of the day. This solution offers the capability to schedule Live capture for a specific date and time. Furthermore, the user can control the length of the scheduling session from 30 minutes to 8 hours. This feature allows you to schedule up to 12 sessions at once.

◉ Data Capture: On-demand service, used for troubleshooting a client who is experiencing poor network performance with low throughput and onboarding failure. This feature provides a more granular packet capture than Live Capture, offering both management and unencrypted data frames to analyze the issue in detail. This feature runs exclusively for a single client at a time.

◉ Anomaly Stats Capture: Always-on service, proactively monitors the network and raises an anomaly in the event of failure. This feature notifies users with an immediate understanding of any client onboarding issue that has occurred, provides analysis, and presents a packet capture depicting the incident as proof.

Going Above and Beyond – The One Intelligence

Time Travel: The Intelligent Capture solution is not limited to troubleshooting present issues, but it also stretches to the past and into the future.

- Past: Offers the capability to travel up to 14 days in the past to revisit the exact moment when everything went wrong. Pinpoint the cause and take action to prevent it from ever happening again.
- Future: Analytics on the enormous real-time and historical data help in predicting problems even before they arise.

Packet Stitching: Intelligent Capture is not restricted to packet capture, but also extends to packet stitching. In a client roaming scenario, the Cisco DNA Center captures the packets from all the APs involved in the client's movement trail. The packets from multiple sources are stitched internally and returned as a single concatenated file to the Cisco DNA Center for easy download.
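The packet-stitching idea above, as an added example that is not Cisco's code: per-AP captures taken along a roam trail are merged into one time-ordered list, tagged with the capturing AP, and written out as a single classic pcap file. The frames, timestamps and AP names are constructed, and the pcap container is an assumption since the post does not name the file format.

```python
import struct

LINKTYPE_IEEE802_11 = 105   # pcap link type for raw 802.11 frames

def stitch(captures):
    """Merge {ap_name: [(ts_sec, ts_usec, frame), ...]} from every AP on the roam
    trail into one list ordered by capture time, keeping the source AP as a tag."""
    merged = [(s, u, ap, f) for ap, recs in captures.items() for s, u, f in recs]
    merged.sort(key=lambda r: (r[0], r[1]))
    return merged

def to_pcap(stitched):
    """Serialise the stitched records as one classic little-endian pcap v2.4 file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)]
    for ts_sec, ts_usec, _ap, frame in stitched:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def record_count(pcap):
    """Walk a pcap produced above and count its records (sanity check on the output)."""
    pos, n = 24, 0                      # skip the 24-byte global header
    while pos < len(pcap):
        caplen = struct.unpack_from("<I", pcap, pos + 8)[0]
        pos += 16 + caplen
        n += 1
    return n

# Constructed roam trail (fake frame payloads, not real captures): the client hears a
# probe response from AP-2 while scanning, associates to AP-1, then reassociates to
# AP-2. Each AP only saw the part of the exchange it handled.
SAMPLE = {
    "AP-1": [(1626000000, 100, b"assoc-req@AP-1"), (1626000000, 250, b"assoc-resp@AP-1")],
    "AP-2": [(1625999990, 0, b"probe-resp@AP-2"),
             (1626000030, 400, b"reassoc-req@AP-2"), (1626000030, 900, b"reassoc-resp@AP-2")],
}
```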

Unlock the Power of Wi-Fi 6

Wi-Fi 6 is opening new possibilities with a more consistent and dependable network connection that will deliver speeds up to four times faster with four times the capacity. Improved speed, capacity, and control will support existing applications with greater performance and drive new innovations. Wi-Fi 6 has begun its ramp-up, and the market will soon start seeing large numbers of Wi-Fi 6 devices. Therefore, it is important to prepare your network for the new standard to gain all the benefits that Wi-Fi 6 offers.

Intelligent Capture, combined with other Cisco DNA Assurance solutions, unlocks the power of Wi-Fi 6 by offering the exclusive Wi-Fi6 Dashboard, which provides a visual representation of your wireless network showcasing Wi-Fi 6 readiness and the efficiency of Wi-Fi 6 networks compared to non-Wi-Fi 6 networks.

Notes from Hands-On Experiences

Cisco deployments and pilot programs heavily utilize Cisco DNA Assurance’s Intelligent Capture to troubleshoot their network issues. One notable experience from the field is where Intelligent Capture resolved a client disconnection/dropout issue by highlighting the missing response from the client to the AP’s request during roaming.

Your Eyes Need It

Instead of scrambling through the data or trying to replicate the issue, pick up the magic goggles and, with their see-through power, find and resolve any complicated wireless issue in record time!

Source: cisco.com