Tuesday, 13 December 2022

EVPN Myth Buster Series – To lead or follow, where does Cisco stand?

Innovation is one of many characteristics that define industry leadership. Becoming an industry leader requires a company to innovate and find new ways to solve customer problems, and that standing is not built overnight: it takes more than a software release or a list of supported features to become a technology thought leader in the networking industry. Over the past several decades, Cisco has demonstrated its leadership in networking by driving technology innovations that meet and exceed customers’ needs and then enabling their adoption across organizations, which in turn drives standardization. This has also led to robust collaboration and interoperability among vendors, to the benefit of the industry as a whole; see Figure 1, the number of RFC authors per affiliation for the top 30 companies at the IETF over the past three decades.

Some examples of such technologies are L3VPN, MPLS, and EVPN. Cisco innovators such as Eric Rosen, Yakov Rekhter, and George Swallow incubated MPLS and L3VPN and then led their standardization at the IETF. Likewise, Cisco innovator Ali Sajassi incubated EVPN and then led its standardization at the IETF. A well-adopted standard is a team sport: it requires not only participation but also contributions from every member of the team, that is, from every vendor and provider involved.

Figure 1. Number of RFC authors per affiliation for the top 30 companies at IETF over the past three decades

In the past decade, Cisco has introduced EVPN technology to the networking industry at large and has led the standardization efforts for all the initial RFCs for this technology with the help of several vendors and service providers. Although there are vendors who are true partners and contributors to this technology and its standardization, there are “others” who are neither participants nor contributors but just users of it. One can easily find out who is who by looking at the IETF statistics for EVPN.

These “other” vendors have claimed to be pioneers of cloud networking fabrics driving a standards-based approach, even though they are openly adopting and implementing Cisco-authored RFCs and drafts in their software, and they present open standards as their core pillar. Cisco has a long track record of developing the IETF drafts that make new technologies implementable, and those technologies are then widely adopted by these other vendors (“others”) in the networking industry. Being an industry leader requires Cisco to continue evolving and driving standards to make networks work better; see Figure 2, which charts EVPN RFC primary authorship, EVPN RFC authorship, and working-group authorship by affiliation:

Figure 2. Number of EVPN RFC Primary Authorship, EVPN RFC Authorship, and Working-Group Authorship Affiliation

IETF


It is widely known that the IETF is the premier Internet standards organization. Citing the IETF Standards page:

“Improving existing standards and creating, implementing, and deploying new standards is an ongoing effort. The IETF’s mission is to produce high-quality, relevant technical documents that describe these voluntary standards. IETF working groups are the primary mechanism for the development of IETF specifications and guidelines.”
As EVPN-VXLAN becomes the de facto standard for IP fabrics, Cisco continues to write and publish IETF drafts that extend these protocols and architectures to new requirements and use cases. When Cisco develops a standard or draft, there is an implementation in mind for the system and its parts, whereas “others” choose to follow and implement the RFCs and drafts without a full understanding of the use cases.

These other vendors create and leverage feature matrices to fill their gaps and respond to RFPs, citing our documents as if they knew better. Cisco can confidently claim to lead while “others” only follow: Cisco invents and “others” adopt.

Figure 3. VXLAN EVPN Industry Contribution

Cisco continues to extend its leadership in promoting open standards, interoperability, and multi-vendor solutions for Cloud Networking technologies.

This series of blogs aims to provide a deeper understanding of EVPN VXLAN and of the additions to the IETF drafts implemented for today’s customer deployments.

History of Ethernet VPN (EVPN)


For many years, extending Layer 2 efficiently was a burdensome task. Before Layer-2 VPNs were available, variants of LANE (LAN Emulation) were used to transport Ethernet across distances, or two Ethernet domains were simply plugged together over CWDM or DWDM. Each approach had its pros and cons, but one common challenge remained: virtualizing the Layer-2 service across a shared infrastructure. When MPLS-based Layer-2 VPNs rose to prominence, true Layer-2 VPNs became available, and with them better use of the underlying transport. With VPLS (Virtual Private LAN Service), multipoint-to-multipoint Layer-2 VPNs became affordable and addressed many new use cases. Even so, pseudowire maintenance, transport dependency, and the lack of comprehensive built-in access-node redundancy still made VPLS challenging to deploy. That was the state of affairs over a decade ago; around 2012 a new chapter of Layer-2 VPNs began with the advent of Ethernet VPN, EVPN for short. In essence, EVPN addressed the challenges of the more traditional L2VPNs and introduced new schemes for Layer-2 address learning (MAC reachability is advertised in BGP rather than learned in the data plane), becoming one of the most successful VPN technologies.

The journey of EVPN as a standard started in March 2010, when Ali Sajassi introduced and presented the very first draft of EVPN (initially called Routed VPLS, draft-sajassi-l2vpn-rvpls-bgp-00.txt) to the IETF (Internet Engineering Task Force). Because of their synergy, this draft was later merged with a draft by Rahul Aggarwal (from Juniper), draft-raggarwa-mac-vpn-00.txt, and a new draft was born in October 2010: draft-raggarwa-sajassi-l2vpn-evpn-00.txt. It became a working-group document in February 2012 and was published as RFC 7432 in February 2015. RFC 7432 is the de facto base specification for EVPN behavior and its modes, and every subsequent EVPN RFC builds on its groundwork.

Around the same time as the main EVPN draft, Cisco introduced other EVPN-related drafts, draft-sajassi-raggarwa-l2vpn-evpn-req-00.txt and draft-sajassi-l2vpn-pbb-evpn-00.txt, in October 2010 and March 2011 respectively; these became standards (RFC 7209 and RFC 7623) in 2014 and 2015 respectively.

After the initial EVPN drafts that later became RFCs 7432, 7209, and 7623, Cisco published in 2013 another set of EVPN drafts, for virtualization/VXLAN and for inter-subnet forwarding (combined L2 and L3 forwarding), that gave EVPN the versatility it has today. These drafts later became RFCs 8365 and 9135.

Figure 4. IETF EVPN Timeline

While EVPN with MPLS encapsulation was celebrating its success in the Service Provider market, an IP-based encapsulation was more suitable for the Data Center. Accordingly, in 2013 the EVPN draft for “overlays” (draft-sd-l2vpn-evpn-overlay) was published, which included VXLAN encapsulation, and it became RFC 8365 in 2018. To address the various Data Center use cases, several related drafts were filed around the same time: how to do inter-subnet routing (draft-sajassi-l2vpn-evpn-inter-subnet-forwarding, now RFC 9135), how to advertise an IP Prefix route in EVPN (draft-rabadan-l2vpn-evpn-prefix-advertisement, now RFC 9136), and how to interconnect multiple EVPN “overlay” domains with a Data Center Interconnect (draft-rabadan-l2vpn-dci-evpn-overlay, now RFC 9014). All of these 2013 drafts are now RFCs and define how EVPN is used within and between Data Centers.

Figure 5. EVPN RFC for VXLAN and DCI

The world of standards is often opaque. Opening it up and sharing some of its history and most significant milestones is as important as defining the standards themselves. For more than a decade, Cisco has actively driven the standardization of EVPN and shared this innovation with the networking industry. With over 50 publications at the IETF, Cisco leads EVPN standardization and is proud of its collaboration with partnering authors. With EVPN available across all of Cisco’s operating systems (IOS-XE, IOS-XR, NX-OS) and fully interoperable among them, the flexibility to choose the right operational model for deployments in Campus, WAN, Data Center, or Service Provider domains is unmatched.

Source: cisco.com

Sunday, 11 December 2022

Simplify the Adoption of Sustainable Technologies in the Workplace with Cisco DNA Center

Supporting sustainable technologies on a campus network is great for the planet and can substantially lower the cost of workplace operations. But adding hundreds of new IoT devices to a campus network can be a heavy lift for IT teams. Let’s take a look at the many innovations that Cisco has made to address sustainable technology, so that supporting a cleaner planet does not become a burden on IT teams.

For organizations, environmental sustainability is the practice of operating without producing a negative impact on the environment. Certainly, you’ve been hearing a lot about environmental sustainability and how IT can help to reduce your organization’s carbon footprint. When it comes to reducing the environmental impact of offices, factories, and warehouses, IT has a very big role to play. Gartner estimates that “By 2025, 75% of CIOs will be responsible for sustainable technology outcomes and 25% of CIOs will have compensation linked to their sustainable technology impact.” (Gartner Top Strategic Technology Trends for 2023: Sustainable Technology, ID G00774132)

Most IT departments will begin their sustainability work by verifying that IT technologies are being sourced from companies with “Net Zero” policies and programs. Cisco has documented all the steps we’ve taken to create a more sustainable solution for your network. Your next step will be to lower your environmental footprint by deploying new sensor technologies within your campus networks for initiatives such as energy efficiency, water usage, recycling, and site optimization. These technologies will be helpful in your sustainability objectives, but they can become a major source of complexity and time drain for IT teams. So, let’s look at some of the more popular technologies and the recent innovations in Cisco networking solutions that can make deploying them much easier.

Sustainable Technology is Coming to your Campus


The reason I can guarantee that you will soon be deploying sustainable technology is that there are substantial financial rewards for lowering your usage of electricity and material goods. Investments in sustainability are good for the planet and good for your bottom line. Sustainable technology, which is a category of smart building technologies, is a framework of networking solutions that enable businesses to achieve their sustainability goals. These goals usually include a reduction in environmental impact (power, water, recycling, and waste disposal), and optimization of office space and physical assets. Typical devices are automatic window shades that close in direct sunlight, water usage sensors, and of course UPoE+ LED lighting powered by Cisco Catalyst 9000 PoE ports and monitored by Cisco DNA Center. These are popular choices because PoE LED lighting can yield large savings quickly without a complex electrical installation, and water usage sensors are an easy way to detect water leaks – which is the most common and most expensive of office accidents.  The industry for smart building technology is diverse, and you will certainly find an IoT device or sensor for just about any project.

Figure 1: Architectures for smart buildings

Figure 1 above shows the many categories of smart building technologies, as well as the infrastructure and applications that manage and operate the solution. Cisco has a webpage on its portfolio for smart buildings where you can read more about the solution. Many of these technologies complement or expand projects your team already supports, but the impact of sustainable technology on your network will be substantial: there will be hundreds of new sensors, meters, and control devices on your campus network, most of them requiring PoE and many requiring local application servers. Three categories of Cisco DNA Center innovations make supporting these devices easier: (1) connecting and securing, (2) powering, and (3) software management.

Connecting and Securing New IoT Devices 


You have probably heard about Cisco DNA Center AI Endpoint Analytics. This feature lives in the Policy section of Cisco DNA Center and automatically identifies every new endpoint that connects to the network, using a cloud-based database of device manufacturers. Endpoints are then added to the inventory dashboard, and checks using deep packet inspection (DPI) and machine learning corroborate that each device is what it claims to be. Each device receives a “Trust Score” between 1 (suspicious) and 10 (trustworthy), and you can view the list of verifications it has passed. Over the device’s lifecycle, Cisco DNA Center keeps monitoring its behavior and flags anomalies (such as sudden changes in communication protocols) for attention. Cisco DNA Center can also be configured to automatically isolate devices that exhibit behavioral anomalies. Because this profiling is based on observed traffic, treat the Trust Score as a risk signal that informs segmentation decisions rather than as a substitute for device authentication (for example, 802.1X or MAB against a RADIUS server).

Besides security and posture information, endpoint inventory includes the manufacturer, model, OS type, software version, and other management information. You can even register the device with the manufacturer within Cisco DNA Center, and if a software upgrade is available, you will be advised right inside the dashboard. The comprehensive dashboard gives you everything you need to connect, secure, and manage the many new IoT devices on your network.

Figure 2: AI endpoint analytics aggregates network data to identify endpoints.

Powering IoT Devices and Managing PoE Capacity


As more PoE devices connect to your network, understanding power usage and availability per branch office and per switch becomes critical. The PoE Analytics dashboard in Cisco DNA Center gives you quick and easy visibility of PoE usage everywhere. You can see the status of PoE consumption across your organization by branch, building, individual switch, or even by type of device. You can view the total power budget available on any switch, along with what is allocated, what remains, and the current load. You can also verify the actual amount of power each device draws, which matters because many IoT devices pull more power than their documentation indicates. Over the lifecycle of these devices, PoE Analytics monitors power spikes and pushes alerts for any anomaly to the main Cisco DNA Center Assurance dashboard. Any Cisco DNA Center alert can be exported to ServiceNow (ITSM) or PagerDuty, and PoE alerts are good candidates for immediate attention. The PoE Analytics dashboard thus lets you plan and manage the power of your IoT devices anywhere in your network.

Figure 3: PoE Analytics facilitates managing power for IoT devices

Edge Compute for Device Software


Another challenge you will likely encounter is the performance of the server software that controls these IoT devices. In many cases, this software is located in the cloud, and the time spent managing it will be minimal. However, some of the more complex sensors may recommend that the server software be installed on-premises for improved performance. This requires either a server in your wiring closet or small Raspberry Pi devices distributed around the campus.

Instead of deploying additional hardware on site, Cisco DNA Center can help you run these IoT applications on your Catalyst 9000 switches. Cisco Application Hosting on the Catalyst 9000 series extends the cloud application to the edge of the network, enabling data processing closer to the source for much-improved performance of low-power IoT devices. The app hosting framework inside Catalyst 9000 switches runs off-the-shelf Docker apps as separate Linux processes, so they do not affect the switch’s IOS XE performance or security. Installing an application is streamlined with Cisco DNA Center’s App Hosting Automation dashboard: drag and drop the application into the dashboard and it loads into Cisco DNA Center’s app hosting library, then choose the switches where you want it installed and push it out.

Figure 4: Using Cisco DNA Center to install apps on your Catalyst 9000 switches
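For readers who want to see what the switch does underneath the App Hosting workflow described above, here is an added example (it is not from the original post and not Cisco’s own configuration) of the IOS-XE app-hosting configuration for a hypothetical container named `iotctl`. The two settings a security engineer should check on any hosted app are shown: the container is attached to its own VLAN through the AppGigabitEthernet interface rather than sharing the management plane, and a custom resource profile caps the CPU and memory it can consume so it cannot starve IOS-XE. The app name, VLAN, addresses, image path, and resource numbers are all assumptions.

```ios
! Enable the IOx app-hosting framework (global configuration)
iox
!
! AppGigabitEthernet is the internal port that connects hosted containers to
! the switch data plane. Trunk it and allow only the VLAN the app is meant to use,
! so the container cannot reach other segments. (VLAN 210 is assumed.)
interface AppGigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 210
!
! Hypothetical app "iotctl": one guest interface on VLAN 210 with a static
! address, and a custom resource profile (CPU units, MB of memory, vCPUs)
! so a misbehaving app is bounded. All values are assumptions.
app-hosting appid iotctl
 app-vnic AppGigabitEthernet trunk
  vlan 210 guest-interface 0
   guest-ipaddress 192.0.2.10 netmask 255.255.255.0
 app-default-gateway 192.0.2.1 guest-interface 0
 app-resource profile custom
  cpu 1000
  memory 512
  vcpu 1
!
! Exec-mode lifecycle: install from a local image, then activate and start.
! These are the steps the DNA Center App Hosting dashboard automates.
app-hosting install appid iotctl package flash:iotctl.tar
app-hosting activate appid iotctl
app-hosting start appid iotctl
!
! Verification: confirm the app is RUNNING and that the network attachment
! and resource limits you configured are the ones actually in effect.
show app-hosting list
show app-hosting detail appid iotctl
```

The `show app-hosting detail` output is the check worth keeping in a change ticket: it lists the resource allocation and the guest interface the container ended up with, which is how you confirm the isolation the paragraph above describes is actually in place rather than assumed.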

Deploying smart building technology to meet your company goals for sustainability and cost optimization will be a big trend in 2023. Training your staff on Cisco DNA Center will enable you to manage this new technology while maximizing your IT staff’s productivity.

Source: cisco.com

Saturday, 10 December 2022

Preparing for 2023 and what lies in store for Endpoint Security


A new year is almost upon us and as we look back on our accomplishments in 2022, we also look forward to helping our customers become more security resilient and be better prepared for 2023. As part of this forward-looking process, and with the help of Gartner Peer Insights, we surveyed 100 Security and IT professionals to understand their level of security maturity and obtain their perspective on the future.

The results of the survey, called “Gartner Peer Insights – Future of Endpoint Security” can be found here in Infographic form.

Key insights from the Survey:

◉ Many organizations are employing EDR and XDR capabilities, but few have reached full maturity.
◉ Organizations are looking for integrated platforms that support hybrid workforces while simplifying vendor management.
◉ In anticipation of the ever-increasing threat landscape, organizations are looking to highly integrated and automated endpoint security solutions.
◉ Organizations want future-proof endpoint security solutions that bolster their security resilience.

Insight Example

Regarding the first key insight, approximately two-thirds of the organizations surveyed have implemented EDR and XDR capabilities. These two capabilities are critical to detecting and eliminating threats, either before a breach has occurred or before a breach has had an opportunity to create damage.

Figure 1: Deployed endpoint security capabilities

Insight Example

Another key insight relates to endpoint vendor selection. The survey notes that the top criterion organizations look for when selecting an endpoint security solution is the ability to support a hybrid workforce. This is not surprising given the events of the last few years and the growing share of employees working from home. Many organizations feel that the hybrid workforce is here to stay, with varying ratios of remote to on-premises staff. The implications for endpoint solutions are flexibility (e.g., deployment options), scalability, efficacy, resilience, and manageability, to name a few.

Figure 2: Top Motivations when considering endpoint security

Source: cisco.com

Thursday, 8 December 2022

Application Resource Management in Healthcare


Four Ways Healthcare Providers Have Benefited from Intersight Workload Optimizer


IT operations teams are like doctors. Doctors practice preventive medicine to help patients keep their health on track. When a patient’s health goes off track, the doctor minimizes symptoms through medication and rest, and they perform assessments to identify the root cause of the ailment.

In a similar way, IT operations teams keep their organizations’ mission-critical applications on track by providing computing, networking, and storage resources. Sometimes an application demonstrates symptoms indicating there’s something wrong (such as sluggish performance). If the root cause is serious enough and goes unaddressed, it can lead to downtime and impact the end user experience.

Treating the symptoms of poor application performance


Too often IT teams spend most of their time addressing the symptoms of underperforming applications or resuscitating them when they go offline. They’re alerted when there’s an issue, but they can’t easily pinpoint the root cause. This means the symptoms get treated to keep applications running, but the underlying cause or causes go untreated, which can lead to recurring application performance issues and costly staff time spent addressing them.

How to stay ahead of application resource issues


Application resource management solutions like Cisco Intersight Workload Optimizer (IWO) provide vital capabilities to help IT teams prevent application resource issues from occurring while optimizing costs to control their budgets.


Here are four examples where Cisco healthcare customers used application resource management to maintain the health of their organizations’ applications in fiscally responsible ways.

1) Ensuring mission-critical application performance

A healthcare services provider was experiencing performance issues with mission-critical applications. They couldn’t identify where in the stack the issues were originating from, so they used AppDynamics and IWO to gain deep visibility from their applications through their underlying computing infrastructure, particularly into hundreds of virtual machines. The visibility showed them when application performance began to stretch VM workloads and how to optimize their virtual environment to ensure continuous resources for optimal application performance. In addition to providing continuous up-time for their mission-critical applications, the customer has used IWO to optimize workloads in the public cloud and reduce public cloud spend by 40%.

2) Maintaining application performance at a lower cost

In order to provide continuous application uptime, a healthcare provider in the midwestern United States uses on-premises infrastructure and hosting services through a public cloud provider. However, the costs for on-premises infrastructure and cloud resources were rising rapidly and not sustainable. Using IWO’s “what-if” scenario planning, Cisco worked with the client’s IT group to demonstrate how they could right-size new server purchases and identify the most cost-effective cloud resources to meet their budget requirements. As a result, the healthcare provider can continue to deliver computing resources to provide experiences their application users expect while delivering tangible cost savings.

A healthcare provider in the southeastern United States and Cisco UCS customer needed to improve overall infrastructure availability, specifically by getting better insight into the real-time status of VMs and other computing resources. With a restricted IT budget, they also needed to extend the life of existing systems to reduce capital expenses. Using IWO, the healthcare provider identified an opportunity to reduce the number of hosts by 50% while maintaining the same levels of utilization and avoiding unnecessary CapEx investments. At the same time, the healthcare provider used IWO to ensure workload configurations comply with its policies, which has helped the customer improve its HIPAA compliance posture.

3) Conducting an EHR cloud migration analysis

This healthcare provider needed to refresh its Epic Hyperspace environment for its primary electronic health record (EHR) system. Their IT team was considering moving to the EHR provider’s cloud-based IaaS solution. The Cisco team used IWO to conduct a detailed total cost of ownership (TCO)/return on investment (ROI) analysis. The study showed the ability to maintain the desired application performance with fewer servers (and less cost) than the EHR provider prescribed. The analysis revealed the healthcare provider would save $500,000 per month over three years, or $18 million in total, by using an on-premises UCS solution instead of the hosted solution. The healthcare provider also went on to use IWO to continue optimizing its virtual environment for ongoing application resource management and cost containment.

Keep your applications in shape through application resource management


As a healthcare provider, your patients, caregivers, and others rely on your applications. With solutions like IWO at your disposal, you have the power to adopt best practices in application resource management and ensure uptime to deliver the experiences your users expect while gaining cost-containment capabilities. Rise above treating the symptoms of an ailing infrastructure; exercise proactive application resource management with Cisco Intersight Workload Optimizer to keep your applications and infrastructure in outstanding shape.

Source: cisco.com

Tuesday, 6 December 2022

How does ketchup and mustard relate to Cloud Monitoring for Catalyst and DNA Center?

My two sons have very different tastes in many things like activities, clothes, brands, food, and, more than anything, condiments! At home, we have these endless battles on whether ketchup is better than mustard or mustard than ketchup. The message to my kids is that there’s no such thing as a universal better option. There are many reasons why one would choose one over the other: food sensitivities, ingredients, nutritional value, and taste to name a few. My older son likes everything sweet and he doesn’t care too much about sugar content so ketchup is the best option for him. My younger son doesn’t like to mix sweet and savory food and also is more mindful of the nutritional value. For this reason, mustard is best for my younger son.

All this to say that, at Cisco, we strongly believe in giving choices to customers so that everyone can have the solution that works best for them. And this is also true when it comes to managing your Cisco Catalyst infrastructure. One option would be Cisco DNA Center for which I’ve written numerous blogs. We will discuss the characteristics of the recently introduced new option: Cloud Monitoring for Catalyst with Meraki Dashboard. The purpose of these blogs is to give you enough information to make the best choice for your environment.

Meraki Dashboard can provide cloud-based monitoring for Catalyst devices, and it is a great option for numerous environments: for example, networks of Catalyst fixed-configuration switches that have no management platform, or a legacy management platform that needs to be replaced. Another great use case is a mixed environment of Catalyst switches and Meraki infrastructure, as in the picture below:

Figure 1: Use Case Examples of Cloud Monitoring for Catalyst

How do you know if Cloud Monitoring is right for your environment? In the next sections we will explore the following capabilities:

◉ Unified view of Cisco network infrastructure
◉ Device health and troubleshooting
◉ Network client and traffic information

Unified view of Cisco network infrastructure


Cisco Cloud Monitoring for Catalyst is especially interesting for environments with mixed Catalyst and Meraki devices because the Meraki dashboard can provide a unified view of the infrastructure including information like switch Up/Down status, model, version, serial number and firmware. Meraki dashboard also provides a topology view of the unified network:

Figure 2: Unified view of Cisco network infrastructure in topology mode

Device health and troubleshooting


Meraki dashboard provides best-in-class cloud monitoring for Meraki devices, and now for Catalyst devices as well. Network administrators can monitor Catalyst connectivity and health from the dashboard, obtain real-time switch and port health, port-level packet and error counters, and alerts for switch or port issues. Catalyst devices also benefit from live troubleshooting tools, like ping and port cycle, that help identify and correct problems remotely.

Figure 3: Detailed port visibility and live troubleshooting tools

Network client and traffic information


Another very useful capability of the Meraki dashboard is that it provides visibility into the connected devices across the network and detailed network usage and traffic statistics. Meraki dashboard also provides application visibility including top users in the network and top application traffic over time.

Figure 4: Application Visibility

What else do you need to know?


Besides the features and capabilities, there are a few other things you need to know to decide if this platform is the right operational choice for your environment.

◉ Platform: Meraki Cloud Dashboard – SaaS
◉ Capabilities: Monitoring Only (Meraki Dashboard will not configure the device)
◉ Supported Devices: Catalyst Switches 9200/L,  9300/L/X and 9500
◉ Switch OS: IOS-XE
◉ License: DNA Essentials or DNA Advantage

The Cisco Catalyst switches listed above can be onboarded for cloud monitoring while retaining all features and capabilities available in IOS-XE. That said, the Meraki dashboard will only provide visibility into the features that the Meraki Dashboard itself supports. For example, a Catalyst 9300 switch can run a container with the ThousandEyes Enterprise Agent. That switch can be monitored by the Meraki dashboard for all the capabilities mentioned in this blog and can keep the ThousandEyes Enterprise Agent installed, but the Meraki dashboard will not monitor the ThousandEyes Enterprise Agent running on the switch.

For Cloud Monitoring for Catalyst, the switches retain the IOS-XE operating system and the DNA license; there is no requirement to convert the license to a Meraki license. The switches use the DNA license, and both "Essentials" and "Advantage" are supported. The difference between the two is that traffic analytics is only available with the "Advantage" license; all other features are available with both.

Figure 5: Essentials and Advantage Licenses

With this blog, I hope to have helped you decide on the best operational platform for your Catalyst infrastructure.

Source: cisco.com

Saturday, 3 December 2022

Cisco Catalyst 9200CX now orderable!

Now is the time to make sure your network is ready for a hybrid world where the workplace is anywhere, endpoints could be anything, and applications are hosted all over the place.

Extending the power of the secure network as close to the edge as possible helps you to better respond to the unexpected… transforming the challenges of hybrid work into opportunities for innovation.

Introducing Cisco® Catalyst® 9200CX compact switches


Figure 1: Catalyst 9200CX 12 port

As part of the Catalyst 9000 family, these highly anticipated compact switches bring IOS® XE and enterprise-class access down to the very edge with an extra level of security, and the features required to handle our ever-changing world of hybrid work.

The new compact Catalyst 9200CX models are optimized for flexibility and security and are ideal for

◉ Fiber to the edge
◉ Small branches
◉ Healthcare, retail, hospitality, sports, media, and entertainment
◉ Smart building retrofits
◉ Places where space is at a premium and quiet operation is a must

The smaller footprint and quiet, fan-less design means Catalyst 9200CX compact switches can go in places other switches cannot, like on or under a desk, mounted on the wall or ceiling, or in a closet, hospital room, or classroom. But at the same time, they offer many advanced features that are firsts for a compact switch:

◉ MACsec-256 encryption
◉ Full flexible NetFlow/IPFIX
◉ Plug-and-play zero-touch provisioning
◉ SD-Access edge node capabilities with 16 VNs!

And to top it off, they are also hardware-ready for IPsec, AVB/PTP, and BGP EVPN.

The Catalyst 9200CX is designed to allow you to secure your network from the inside out, applying continuous zero-trust security anywhere you need it, and often extending your network to places it has never been before.

Whether in the board room or the bedroom, at the checkout counter, or the check-in desk, don’t box in your network to a traditional workspace or workplace; embrace the future of hybrid work with Catalyst 9200CX compact switches.

Source: cisco.com

Thursday, 1 December 2022

Cisco Catalyst 9300X – IPsec And Cisco Umbrella

In this blog, you will learn how to configure IPsec and Cisco Umbrella tunnels on a Catalyst 9300X by onboarding it with the Plug and Play (PNP) Cloud Service and Cisco DNA Center.

This capability is supported with Cisco DNA Center 2.3.4. The switch needs IOS-XE 17.8.1 for onboarding and an Advantage license. The IPsec feature on the switch additionally requires the HSEC-K9 license (the HSEC token referred to below). Please refer to Part 1 of this series for at least three use cases that can leverage IPsec on a Catalyst switch.

PnP Cloud Service (Onboarding C9300X with IPsec)


The onboarding section below assumes that the switch only has direct internet access and requires a secure connection back to Cisco DNA Center for management. Traditionally a switch has access to a local PnP server, but in this lean branch deployment, with just the 9300X on site, connectivity back to an on-premises PnP server is highly unlikely.

Figure 1. Day 0 Automation Workflow for onboarding Catalyst 9300X

Cisco has augmented PnP Connect with Plug and Play as a Service (PnPaaS). This enhancement allows Cisco DNA Center to push the Day 0 switch configuration file to the PnP Cloud Service. Once the switch sends its PnP request to devicehelper.cisco.com, the PnP Cloud Service responds with the configuration file, which allows the switch to establish the IPsec tunnel and Cisco DNA Center to manage the newly onboarded switch.

Figure 2. Onboard Catalyst 9300X Device using PnP Cloud

So, how do you create the Day 0 configuration file? Easy, it’s pretty straightforward. Just go to Cisco DNA Center Provision –> Services –> Secure Tunnels and click on Onboard New Device. The form will ask for a Site and a Virtual Account where the switch is associated. Once this information is confirmed, the form can be completed with the following: the switch serial number, a management IP (resulting in a loopback address on the switch), the IP address of the Head-End (or remote side), an IPsec pre-shared key, the HSEC token, and a switch hostname. If the switch already has the HSEC token pre-installed from manufacturing at the time of purchase (it requires a selection in CCW), then the HSEC token entry does not need to be filled in. To look at the configuration file prior to its implementation, select the Day-0 Configuration Preview tab.

Figure 3. Cisco DNA Center Plug and Play Status

After selecting the Onboard Device option, the onboarding status of the switch can be verified under Provision –> Network Devices –> Plug and Play. Initially, the switch will appear as Unclaimed, and the state as Planned. When the process completes (please be patient, it will take several minutes) the switch appears under Provisioned and the state as Provisioned.

Figure 4. Cisco Catalyst 9300X with IPsec in Inventory

After the switch is onboarded, it can be managed over the IPsec tunnel using the loopback by selecting Provision –> Network Devices –> Inventory.

Cisco Umbrella – Creating Secure Tunnels


Now that the switch is under Cisco DNA Center management, additional IPsec tunnels can be configured to connect to a Secure Internet Gateway (SIG). In this case it will be Cisco Umbrella, but it can also be a third party like Zscaler. To automate both sides of the tunnel, the switch and Cisco Umbrella, there is a prerequisite to integrate Cisco Umbrella and Cisco DNA Center using API keys (System –> Settings –> External Services); this topic is not covered here. Without the API integration, Cisco DNA Center will only automate the switch side of the tunnel.

Figure 5. Cisco Umbrella IPsec Tunnel Creation in Cisco DNA Center

In order to add the Cisco Umbrella tunnels, go to Cisco DNA Center Provision –> Services –> Secure Tunnels but this time click on Create Secure Tunnel. The form will require the following information: Site, Device, number of Cisco Umbrella tunnels (up to 4), Tunnel Name, and Tunnel Source Interface. In addition, a selection of the Cisco Umbrella data center location can be made, otherwise, the selection will be made based on the switch site location. If you have more than one tunnel, either the same data center or a different location can be selected.

Figure 6. Cisco Umbrella IPsec Pre-Shared Key in Cisco DNA Center

The next screen asks for the Cisco Umbrella tunnel pre-shared key and offers the option to change the default IKEv2 and transform set values. The defaults follow best practice and should not be changed unless required for interoperability or other security reasons. Treat the pre-shared key like any other secret: use a long random value and do not reuse it across tunnels.
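To make the IKEv2 and transform-set choices concrete, here is an added IOS-XE configuration example written for this page. It is not the configuration Cisco DNA Center generates; the peer address 192.0.2.50, the pre-shared key, the uplink interface, Loopback0 and all object names are placeholders, and in the Cisco DNA Center workflow the peer, identity and key come from the Secure Tunnels form. It places a legacy proposal of the kind that only survives for interoperability beside a modern one (AES-GCM-256, SHA-384 PRF, ECDH groups 19/20) and binds the modern one to a static VTI numbered Tunnel2 to match the page.

```ios
! ---- What not to keep: a legacy proposal that exists only for interop ----
! 3DES, SHA-1 integrity and 1024-bit MODP (group 2) are all deprecated.
! It is defined here for contrast and is not referenced by any policy below.
crypto ikev2 proposal LEGACY-PROP
 encryption 3des
 integrity sha1
 group 2
!
! ---- Hardened IKEv2 proposal and policy (placeholder names) ----
! AES-GCM is an AEAD cipher, so no separate integrity algorithm is configured;
! a PRF and a Diffie-Hellman group are still required.
crypto ikev2 proposal SIG-PROP
 encryption aes-gcm-256
 prf sha384
 group 19 20
!
crypto ikev2 policy SIG-POL
 proposal SIG-PROP
!
! Pre-shared key for the SIG head-end. 192.0.2.50 and the key are placeholders.
crypto ikev2 keyring SIG-KEYS
 peer SIG-HEADEND
  address 192.0.2.50
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
crypto ikev2 profile SIG-PROF
 match identity remote address 192.0.2.50 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local SIG-KEYS
 dpd 10 3 on-demand
!
! ---- IPsec (phase 2): AEAD transform, tunnel mode, PFS on rekey ----
crypto ipsec transform-set SIG-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile SIG-IPSEC
 set transform-set SIG-TS
 set pfs group19
 set ikev2-profile SIG-PROF
!
! ---- Static VTI carrying the tunnel; Tunnel2 matches the page's numbering ----
interface Tunnel2
 description IPsec to Secure Internet Gateway (placeholder peer)
 ip unnumbered Loopback0
 tunnel source GigabitEthernet1/0/1
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.50
 tunnel protection ipsec profile SIG-IPSEC
```

After the tunnel comes up, show crypto ikev2 sa displays the proposal that was actually negotiated, which is the quickest way to confirm the peer did not fall back to something weaker, and show crypto ipsec sa shows the ESP SAs and counters. Pre-shared keys are written to the running configuration; configuring key config-key password-encrypt together with password encryption aes stores them as type 6 instead of in clear text.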

Figure 7. Handling Site Traffic using ECMP or PBR

In the next screen, traffic can be handled either by sending all traffic to Cisco Umbrella, using Equal-Cost Multi-Path (ECMP) load balancing when multiple tunnels are configured, or by steering selected traffic with Policy-Based Routing (PBR). Handling traffic in this manner should cover most use cases. A summary screen follows, with a selection to create the tunnel(s).
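The two steering options above, written out as an added IOS-XE example for this page rather than the configuration Cisco DNA Center produces. Tunnel2 and Tunnel3 are assumed to be two SIG tunnels, 192.0.2.50 and 192.0.2.51 their head-ends, 203.0.113.1 the real upstream gateway, and 10.20.0.0/16 and 10.30.0.0/16 the user subnets to be inspected; all of these are placeholders.

```ios
! ---- Option A: everything to the SIG, ECMP across two tunnels ----
! Host routes for the tunnel endpoints point at the real upstream gateway so
! the encrypted packets are never recursively routed into the tunnel they carry.
ip route 192.0.2.50 255.255.255.255 203.0.113.1
ip route 192.0.2.51 255.255.255.255 203.0.113.1
! Two equal-cost default routes; CEF load-shares flows across both tunnels.
ip route 0.0.0.0 0.0.0.0 Tunnel2
ip route 0.0.0.0 0.0.0.0 Tunnel3
!
! ---- Option B: steer only selected subnets with PBR ----
! Internal destinations are excluded first so east-west traffic stays local;
! everything that does not match the ACL follows the normal routing table.
ip access-list extended TO-SIG
 deny   ip 10.20.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.255.255 any
 permit ip 10.30.0.0 0.0.255.255 any
!
route-map SIG-PBR permit 10
 match ip address TO-SIG
 set interface Tunnel2 Tunnel3
!
! Apply the policy on the SVI facing the users, not on the tunnel interface.
interface Vlan20
 ip policy route-map SIG-PBR
```

show ip route 0.0.0.0 confirms both default paths are installed for Option A, and show route-map SIG-PBR reports policy match counters for Option B, which is the simplest way to check that traffic is actually being steered into the tunnel.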

Figure 8. Cisco DNA Center and Cisco Umbrella Tunnel Confirmation

After the switch and Cisco Umbrella have been provisioned, the status of the tunnels can be verified under Cisco DNA Center Provision –> Services –> Secure Tunnels.

Figure 9. C9300X IPsec Tunnels Cisco DNA Center and Cisco Umbrella

The IPsec tunnel information for both Cisco DNA Center and Cisco Umbrella can also be verified from the CLI (for example with show crypto ikev2 sa, show crypto ipsec sa and show interface Tunnel1). Tunnel1 is the tunnel to Cisco DNA Center and Tunnel2 is the tunnel to Cisco Umbrella.

Figure 10. Cisco Umbrella UI IPsec tunnel to C9300X

Alternatively, the Cisco Umbrella UI can also display the IPsec tunnel established to the Catalyst 9300X.

Source: cisco.com