Thursday, 9 March 2023

Cisco Demonstrates Co-packaged Optics (CPO) System at OFC 2023

THE CASE FOR CO-PACKAGED OPTICS:  LOWER POWER


As network traffic continues to grow due to higher bandwidth applications, such as AI/ML (Artificial Intelligence/Machine Learning), high-resolution video streaming and virtual reality, the strain placed upon data center networks continues to increase. These insatiable demands for more bandwidth are resulting in higher speed and higher density optics and ASICs. The aggregate throughput of switch and optics devices is doubling every two to three years, which ultimately doubles the speed, and increases the power, of the host-to-pluggable-optics electrical interface. Unfortunately, while Moore’s Law continues to allow us to scale our chips and equipment (despite non-trivial technical challenges), its corollary, Dennard Scaling, has been dead for a while. This means the power required for the new generation of switch and optics semiconductors is higher than the previous one.

For Cisco’s Webscale data center customers, this has many implications.  To continue scaling a typical data center built around a fixed electrical power budget, both compute and networking must keep up with these new bandwidth demands, but within the same power envelope as before or face an expensive upgrade.

In the compute space, the requirement to remain within a fixed power budget has forced changes:

◉ Movement from single core to lower frequency multicore CPUs (central processing units)
◉ Movement away from general purpose CPUs to focused accelerators, such as GPUs (graphics processing units), for applications such as AI/ML inference and training.

In the networking space, data center topology compromises must occur to remain within the required power envelope, and we must reconsider how we design our equipment.

◉ Take a “clean sheet” architectural approach. Cisco’s Silicon One achieves significant power efficiency improvements by rethinking how networking silicon is built.
◉ Use the latest silicon process technology to optimize the design
◉ Innovate thermal design to reduce the power needed to cool the system
◉ Holistically design our silicon, optics, and systems to optimize power consumption and thermal cooling

However, in our continued quest for innovative designs, we needed to continue to innovate. This is where co-packaged optics (CPO) come in.

THE THREE PILLARS OF CO-PACKAGING OPTICS


Pillar #1 – Removal of a Level of DSPs to Save Power

As switch system speeds and densities have increased, so has the percentage of the system power consumed by front panel pluggable optics. At 25G/lane and faster speeds, the necessity of active DSP-based retimers has driven up system power.

One of the key innovations of co-packaged optics is to move the optics close enough to the Switch ASIC die to allow removal of this additional DSP (see Figure 1).


Pillar #2 – The Remote Light Source

In traditional pluggable optics, all sub-components of the optics reside in the pluggable modules. But as optics move closer to the ASIC, the partitioning of the optical components is a critical decision.  Lasers are highly sensitive to high temperature and experience increased failure rates when placed in hotter environments (e.g. adjacent to a very hot switch ASIC).  Moving the lasers away from the high power ASIC to cooler locations within the system chassis results in several improvements:

1. Lasers can be passively cooled to a lower temperature, enabling them to be more efficient in generating optical power / Watt, lowering system power without active components like a TEC (thermo-electric cooler).

2. Lasers can be replaced from the chassis faceplate. Since the lasers are the least reliable components of the optics subsystem, making the light source accessible from the system front panel to allow easy insertion and removal is important to ensuring CPO systems have similar MTBF (mean time between failure) to legacy systems.

3. The industry can standardize on the form factor and design of the remote light source, which allows for multi-vendor sourcing. [Industry standard MSA for ELSFP (External Laser Small Form Factor Pluggable)] Cisco’s demo at OFC is the first system demo to use the industry standard form factor.

Pillar #3 – Production-Proven Silicon Photonics Platform

To place optical components very close to the Switch ASIC silicon die, two orders of magnitude (over 100x) of miniaturization is required over existing pluggable modules.  To do this, many previously separate ICs (TIA, driver, modulator, mux/demux) must be combined together on a single IC.  Cisco’s Silicon Photonics technology enables this.

Figure 2 – 4x OSFP800 vs. Cisco 3.2T CPO module (>100x volume reduction)

In this era of supply chain challenges, it is important to choose a partner with proven, reliable technology. One of Cisco’s advantages in the CPO space is the experience developing, optimizing, and shipping millions of Silicon Photonics-based optical modules.

Figure 3 – Cisco 106.25Gbps/lane Silicon Photonics SISCAP modulator: (a) first-generation SISCAP configuration; (b) driving SISCAP; (c) measured PAM4 53 GBaud transmit waveform (106.25Gbps) from second-generation SISCAP and driver

CPO SYSTEM BENEFITS SUMMARY


As a result of these innovations, the power required for connecting the Switch ASIC to front panel pluggable optics can be reduced by up to 50%, resulting in a total fixed system power reduction of up to 25-30%.

Figure 4 – 51.2T system power reduction from pluggable to CPO

CISCO’S OFC DEMONSTRATION OF CO-PACKAGED OPTICS (CPO)


At OFC 2023, Cisco is proud to demonstrate these next steps – a side-by-side comparison of the real power reduction between:

◉ Cisco 8111-32EH, a conventional 32-port 2x400G 1RU router fully populated with 2x400G-FR4 pluggable optics modules (64x400G FR4) based on the Cisco Silicon One G100 ASIC

◉ Cisco CPO router populated with a full complement of co-packaged Silicon Photonics-based optical tiles driving 64x400G FR4 also based on the Cisco Silicon One G100 ASIC with CPO substrate

Figure 5 – Cisco’s OFC 2023 CPO Demo System (in 128x400G FR4 chassis configuration)

KEY ADVANTAGES


Cisco’s CPO demonstration at OFC 2023 highlights some of the key advantages of Cisco’s technology development.

Integrated Silicon Photonics Mux/Demux for 400G FR4

One of the challenges of co-packaging optics is the requirement to miniaturize the optical components to fit on an ASIC package (over 100x lower volume than a conventional QSFP-DD or OSFP module). This requires optics and packaging innovation.

Any CPO architecture must provide the flexibility to support all data center optics types, including those using parallel single mode fiber, e.g. 4x100G DR4, and CWDM (coarse wave division multiplexing) e.g. 400G FR4.

400G FR4 uses 4 different wavelengths of light on the same fiber, each carrying 100Gbps. This means 4 different wavelengths need to be combined together.  This is often done using an external lens, which takes up significant volume.

Cisco has invented an innovative way to do this mux/demux on the Silicon Photonics IC, which we are demonstrating as part of the OFC demo.

Figure 6 – 400G FR4 module block diagram (highlighting mux/demux)

Multiple modules running at once

Integration of optical tiles on the Switch ASIC package requires innovation in package mechanical design (to ensure mechanical reliability), power delivery (to deliver current to both the switch ASIC and the optical tiles in a small area), and thermal cooling (to remove the higher power density).

Cisco’s demo has a full complement of optical tiles drawing their full power.

Enhanced thermal design to permit conventional air cooling

Another challenge of integrating optics with switch ASICs is that, while total system power decreases, the thermal density in the center of the system grows, because optics move from the front panel to the ASIC package.

Other vendors use liquid cooling to manage this higher thermal density.

Cisco has worked with key partners to develop advanced heat sink technologies, which allow conventional, reliable air cooling to continue to be used instead of forcing customers to change their infrastructure to support liquid cooling before they want to.

CISCO IS THE RIGHT CHOICE FOR CO-PACKAGED OPTICS (CPO)


Cisco recognizes the potential benefits of CPO technology and is investing to ensure we are ready for this inevitable transition.

However, CPO poses extremely complex problems that system vendors and network operators must solve before significant deployments can begin.  For example, it must be reliable, serviceable, deployable, offer significant power savings, and be cost-effective.  This is the reason for our demo at OFC.  Cisco expects trial deployments coincident with the 51.2Tb switch cycle followed by larger scale adoption during the 101.2Tb switch cycle.

We believe it’s not a matter of if co-packaged optics will occur, it is a matter of when. Cisco has expertise in systems, ASICs, and optics, which makes it one of the few companies that can successfully implement and deploy co-packaged optics in volume.  We remain dedicated to investing for this inevitable transition, but realistic that it may be still some ways away.

Source: cisco.com

Tuesday, 7 March 2023

ACI Segmentation and Migrations made easier with Endpoint Security Groups (ESG)

Let’s open with a question: “How are you handling security and segmentation requirements in your Cisco Application Centric Infrastructure (ACI) fabric?”

I expect most answers will relate to constructs of Endpoint Groups (EPGs), contracts and filters.  These concepts are the foundations of ACI. But when it comes to any infrastructure capabilities, designs and customers’ requirements are constantly evolving, often leading to new segmentation challenges. That is why I would like to introduce a relatively recent, powerful option called Endpoint Security Groups (ESGs). Although ESGs were introduced in Cisco ACI a while back (version 5.0(1) released in May 2020), there is still ample opportunity to spread this functionality to a broader audience.

For those who have not explored the topic yet, ESGs offer an alternate way of handling segmentation with the added flexibility of decoupling this from the earlier concepts of forwarding and security associated with Endpoint Groups. This is to say that ESGs handle segmentation separately from the forwarding aspects, allowing more flexibility and possibility with each.

EPG and ESG – Highlights and Differences


The easiest way to manage endpoints with common security requirements is to put them into groups and control communication between them. In ACI, these groups have been traditionally represented by EPGs. Contracts that are attached to EPGs are used for controlling communication and other policies between groups with different postures. Although EPG has been primarily providing network security, it must be married to a single bridge domain. This is because EPGs define both forwarding policy and security segmentation simultaneously. This direct relationship between Bridge Domain (BD) and an EPG prevents the possibility of an EPG to span more than one bridge domain. This design requirement can be alleviated by ESGs. With ESGs, networking (i.e., forwarding policy) happens on the EPG/BD level, and security enforcement is moved to the ESG level.

Operationally, the ESG concept is similar to, and more straightforward than the original EPG approach. Just like EPGs, communication is allowed among any endpoints within the same group, but in the case of ESGs, this is independent of the subnet or BD they are associated with. For communication between different ESGs, we need contracts. That sounds familiar, doesn’t it? ESGs use the same contract constructs we have been using in ACI since inception.

So, what are the benefits of ESGs then? In a nutshell, where EPGs are bound to a single BD, ESGs allow you to define a security policy that spans multiple BDs. This is to say you can group and apply policy to any number of endpoints across any number of BDs under a given VRF. At the same time, ESGs decouple the forwarding policy, which allows you to do things like VRF route leaking in a much simpler and more intuitive manner.

ESG: A Simple Use Case Example


To give an example of where ESGs could be useful, consider a brownfield ACI deployment that has been in operation for years. Over time things tend to grow organically. You might find you have created more and more EPG/BD combinations but later realize that many of these EPGs actually share the same security profile. With EPGs, you would be deploying and consuming more contract resources to achieve what you want, plus potentially adding to your management burden with more objects to keep an eye on. With ESGs, you can now simply group all these brownfield EPGs and their endpoints and apply the common security policies only once. What is important is you can do this without changing anything having to do with IP addressing or BD settings they are using to communicate.
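A pre-migration check for the brownfield case above, as an added example (not Cisco tooling and not code from the original post): it groups EPGs that sit in the same VRF and carry an identical set of provided and consumed contracts, which makes them candidates for a single ESG, and flags groups whose members had no contract between them, because endpoints inside one ESG can communicate freely. The inventory, the contract names and the `relations_saved` count are constructed for illustration; real data would come from an export of your own fabric.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Epg:
    name: str
    vrf: str
    bd: str
    provides: frozenset
    consumes: frozenset


@dataclass(frozen=True)
class EsgProposal:
    vrf: str
    epgs: tuple
    bds: tuple
    provides: tuple
    consumes: tuple
    relations_saved: int          # contract relations no longer needed per EPG
    intra_group_newly_open: bool  # True: members had no contract between them


def epg(name, vrf, bd, provides=(), consumes=()):
    """Helper to build an inventory row (hypothetical format)."""
    return Epg(name, vrf, bd, frozenset(provides), frozenset(consumes))


def propose_esgs(epgs):
    """Group EPGs by (VRF, provided contracts, consumed contracts).

    An ESG is scoped to one VRF but may span bridge domains, so the BD is
    deliberately not part of the grouping key.
    """
    groups = defaultdict(list)
    for e in epgs:
        groups[(e.vrf, e.provides, e.consumes)].append(e)

    proposals = []
    for (vrf, provides, consumes), members in groups.items():
        if len(members) < 2:
            continue  # nothing to consolidate
        per_epg = len(provides) + len(consumes)
        proposals.append(EsgProposal(
            vrf=vrf,
            epgs=tuple(sorted(m.name for m in members)),
            bds=tuple(sorted({m.bd for m in members})),
            provides=tuple(sorted(provides)),
            consumes=tuple(sorted(consumes)),
            # The ESG carries each relation once instead of once per EPG.
            relations_saved=per_epg * (len(members) - 1),
            # All members share one profile, so they could only reach each
            # other before if that profile both provides and consumes the
            # same contract. Otherwise the merge opens new traffic. Even
            # where a contract existed, intra-ESG traffic is no longer
            # limited to that contract's filters.
            intra_group_newly_open=not (provides & consumes),
        ))
    return sorted(proposals, key=lambda p: (p.vrf, p.epgs))


# Constructed sample inventory: one EPG per VLAN/BD, grown organically.
INVENTORY = [
    epg("web-vlan10", "prod", "bd-10", {"web"}, {"app", "dns"}),
    epg("web-vlan11", "prod", "bd-11", {"web"}, {"app", "dns"}),
    epg("web-vlan12", "prod", "bd-12", {"web"}, {"app", "dns"}),
    epg("app-vlan20", "prod", "bd-20", {"app"}, {"db", "dns"}),
    epg("app-vlan21", "prod", "bd-21", {"app"}, {"db", "dns"}),
    epg("db-vlan30", "prod", "bd-30", {"db"}, {"dns"}),
    # Same profile as the prod web EPGs, but a different VRF: kept apart.
    epg("web-dev", "dev", "bd-110", {"web"}, {"app", "dns"}),
    # Cluster members already talk to each other through contract "sync".
    epg("cluster-a", "prod", "bd-40", {"sync"}, {"sync"}),
    epg("cluster-b", "prod", "bd-41", {"sync"}, {"sync"}),
]

if __name__ == "__main__":
    for p in propose_esgs(INVENTORY):
        note = "REVIEW: opens traffic between members" \
            if p.intra_group_newly_open else "members already connected"
        print(f"[{p.vrf}] {', '.join(p.epgs)} across {len(p.bds)} BDs; "
              f"saves {p.relations_saved} contract relations; {note}")
```

Groups flagged for review are the ones where consolidation changes the effective policy, so they deserve a look before the EPG selectors are applied.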

So how do I assign an endpoint to an ESG? You do this with a series of matching criteria. In the first release of ESGs, you were limited in the kinds of matching criteria. Starting from ACI 5.2(1), we have expanded matching criteria to provide more flexibility for endpoint classification and ease for the user. Among them: Tag Selectors (based on MAC, IP, VM tag, subnet), whole EPG Selectors, and IP Subnet Selectors. All the details about different selectors can be found here: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/security-configuration/cisco-apic-security-configuration-guide-60x/endpoint-security-groups-60x.html.

EPG to ESG Migration Simplified


In cases where your infrastructure is diligently segmented with EPGs and contracts that reflect application tiers’ dependencies, ESGs are designed to allow you to migrate your policy with just a little effort.

The first question that most probably comes to your mind is how to achieve that? With the EPG Selector, one of the new methods of classifying endpoints into ESGs, we enable a seamless migration to the new grouping concept by inheriting contracts from the EPG level. This is an easy way to quickly move all your endpoints within one or more EPGs into your new ESGs.

For a better understanding, let’s evaluate the below example. See Figure 1. We have a simple two EPGs setup that we will migrate to ESGs. Currently, the communication between them is achieved with contract Ctr-1.

High-level migration steps are as follows:

1. Migrate EPG 1 to ESG 1
2. Migrate EPG 2 to ESG 2
3. Replace the existing contract with the one applied between newly created ESGs.

Figure 1 – Two EPGs with the contract in place

The first step is to create a new ESG 1 where EPG 1 is matched using the EPG Selector. It means that all endpoints that belong to this EPG become part of a newly created ESG all at once. These endpoints still communicate with the other EPG(s) because of an automatic contract inheritance (Note: You cannot configure an explicit contract between ESG and EPG).

This state, depicted in Figure 2, is considered an intermediate step of a migration, which the APIC reports with fault F3602 until you migrate outstanding EPG(s) and contracts. This fault is a way for us to encourage you to continue with the migration process so that all security configurations are maintained by ESGs. This will keep the configuration and design simple and maintainable. However, you do not have to do it all at once. You can progress according to your project schedule.

Figure 2 – Interim migration step

As a next step, use the EPG Selector to migrate EPG 2 to ESG 2. Keep in mind that nothing stands in the way of placing other EPGs into the same ESG (even if these EPGs refer to different BDs). Communication between ESGs is still allowed with contract inheritance.

To complete the migration, as a final step, configure a new contract with the same filters as the original one – Ctr-1-1. Assign one ESG as a provider and the second as a consumer, which takes precedence over contract inheritance. Finally, remove the original Ctr-1 contract between EPG 1 and EPG 2. This step is shown in Figure 3.

Figure 3 – Final setup with ESGs and new contract

Easy Migration to ACI


The previous example is mainly applicable when segmentation at the EPG level is already applied according to the application dependencies. However, not everyone may realize that ESG also simplifies brownfield migrations from existing environments to Cisco ACI.

A starting point for many new ACI customers is how EPG designs are implemented. Typically, the most common choice is a design in which one subnet is mapped to one BD and one EPG, reflecting old VLAN-based segmentation designs (Figure 4). So far, moving from such a state to a more application-oriented approach where an application is broken up into tiers based on function has not been trivial. It has often been associated with the need to transfer some workloads between EPGs, or re-addressing servers/services, which typically leads to disruptions.

Figure 4 – EPG = BD segmentation design

Introducing application-level segmentation in such a deployment model is challenging unless you use ESGs. So how do I make this migration from pure EPG to using ESG? With the new selectors available, you can start very broadly and then, when ready, begin to define additional detail and policy. It is a multi-stage process that still allows endpoints to communicate without disruption as we make the transition gracefully. In general, the steps of this process can be defined as follows:

1. Classify all endpoints into one “catch-all” ESG
2. Define new segmentation groups and seamlessly take out endpoints from “catch-all” ESG to newly created ESGs.
3. Continue until all endpoints are assigned to new security groups.

In the first step (Figure 5), you can enable free communication between EPGs, by classifying all of them using EPG selectors and putting them (temporarily) into one “catch-all” ESG. This is conceptually similar to any “permit-all” solutions you may have used prior to ESGs (e.g. vzAny, Preferred Groups).

Figure 5 – All EPGs are temporarily put into one ESG

In the second step (Figure 6), you can begin to shape and refine your security policy by seamlessly taking out endpoints from the catch-all ESG and putting them into other newly created ESGs that meet your security policy and desired outcome. For that, you can use other endpoint selector methods available – in this example – tag selectors. Keep in mind that there is no need to change any networking constructs related to these endpoints. VLAN binding to interfaces with EPGs remains the same. No need for re-addressing or moving between BDs or EPGs.

Figure 6 – Gradual migration from an existing network to Cisco ACI

As you continue to refine your security policies, you will end up in a state where all of your endpoints are now using the ESG model. As your data center fabric grows, you do not have to spend any time worrying about which EPG or which BD subnet is needed because ESG frees you of that tight coupling. In addition, you will gain detailed visibility into endpoints that are part of an ESG that represent a department (like IT or Sales in the above example) or application suite. This makes management, auditing, and other operational aspects easier.

Intuitive route-leaking


It is well understood that getting Cisco ACI to interconnect two VRFs in the same or different tenants is possible without any external router. However, two additional aspects must be ensured for this type of communication to happen. First is regular routing reachability and the second is security permission.

In this very blog, I stated that ESG decouples forwarding from security policy. This is also clearly visible when you need to configure inter-VRF connectivity. Refer to Figure 7 for high-level, intuitive configuration steps.

Figure 7. Simplified route-leaking configuration. Only one direction is shown for better readability

At the VRF level, configure the subnet to be leaked and its destined VRF to establish routing reachability. A leaked subnet must be equal to or be a subset of a BD subnet. Next attach a contract between the ESGs in different VRFs to allow desired communication to happen. Finally, you can put aside the need to configure subnets under the provider EPG (instead of under the BD only), and make adjustments to define the correct BD scope. These are not required anymore. The end result is a much easier way to set up route leaking with none of the sometimes confusing and cumbersome steps that were necessary using the traditional EPG approach.

Source: cisco.com

Saturday, 4 March 2023

Meraki Network Management with ServiceNow Graph Connector


ServiceNow is a popular cloud-based platform that offers a wide range of IT services management solutions. Apart from being a great CRM tool, one of the key features of ServiceNow is its ability to integrate with other applications and systems.

The ServiceNow Graph Connector for Meraki is one such integration that provides a seamless way to monitor your Meraki organizations, networks, and devices, and to create workflows to efficiently manage incidents and alerts.

How does Meraki integrate with ServiceNow?


The Service Graph Connector application, or the SGC application for short, is a native integration between Meraki and ServiceNow.

The application enables you to import your Meraki organizations and thus all its networks and devices into ServiceNow’s CMDB. Once imported, you can start receiving Meraki alerts and generate incidents that can be assigned and tracked. The application works by leveraging the Meraki Dashboard API and Webhooks.

How to set up a Service Graph connector to start receiving Meraki alerts?


The first step is to install this application from the ServiceNow store.

The second step is to follow our detailed step-by-step configuration guide to connect your Meraki organizations with the application and start generating incidents.

What’s new in the Service Graph Connector v1.3


Recently the SGC application was updated to support the Tokyo version of ServiceNow.
With this new version update, some new features were included such as:

◉ Simplified and improved setup experience with a step by step configuration guide.

Guided Set Up

◉ New CMDB sync filters based on specific Meraki Organizations.
◉ Support for pre/post scripts in the import job so that users have the ability to adjust the data mappings as necessary.
◉ New administrative and debugging menus for additional troubleshooting.
◉ Enhanced ServiceNow security settings for receiving Meraki webhooks.
◉ Integration Dashboard to get a concise view of CMDB execution status and integration errors.

Integration Dashboard

The SGC application leverages Meraki Webhooks to send alerts to the ServiceNow instance. The built in ‘ServiceNow’ webhook payload template enables you to easily export these alerts in the format that is compatible with ServiceNow.

Built-in ServiceNow Webhook template

The ServiceNow Graph Connector for Meraki is a powerful and efficient tool for managing your Meraki network incidents. Coupled with the Meraki Dashboard platform, this integration helps ensure your network is always running smoothly.

Source: cisco.com

Thursday, 2 March 2023

Greater Monitoring and Visibility for your Security Success


Managing network and security needs of a modern enterprise


Today’s digital transformation is fostering the modernization of enterprise networks. It’s very common for an enterprise to mix and match vendors to build its network and security infrastructure just like you would use different sources to build your home entertainment center. With the increasing adoption of different point products, SOC (Security Operations Center) engineers are getting overwhelmed with all the consoles they need to keep track of. They need a way to pool all the information together just like you would use a receiver to connect all the components of your home entertainment center.

SIEM (Security Information and Event Management) is the “receiver” used to address this challenge by offering a common console to visualize data. Cisco has collaborated with Splunk, one of the market leaders in the SIEM space, to produce a comprehensive SOC dashboard.

Using Cisco SD-WAN and Splunk to create efficiencies 


Your enterprise solution often has comprehensive logging streams, and your SOC team needs an efficient approach to make sense of all the chaos around them. In addition, it’s becoming increasingly challenging to find and retain security professionals. All this and much more fuel the argument that a SIEM is becoming extremely important in enterprise networks.

Cisco has developed the SD-WAN Splunk application to ensure we are not leaving you ‘high and dry’. The application automatically parses the router’s security logs when they are sent to your Splunk environment and populates the data on a pre-built security dashboard.

How it works


You can locate and download the application on the Splunk marketplace, Splunkbase, using your existing Splunk license. The Cisco SD-WAN and Splunk integration can be achieved in a few simple steps:

Figure 1 – Cisco SD-WAN / Splunk Topology

1. Download and install the Cisco SD-WAN Splunk App and App Add-on: https://splunkbase.splunk.com/app/6657

2. Under the application settings, add the Cisco SD-WAN IP and port number as a source for the log forwarding

3. On Cisco SD-WAN vManage, add the Splunk Application IP as a destination to forward logs

Figure 2 – Cisco SD-WAN App on Splunkbase

Deliver significant insights out of a mountain of alerts


You’re then able to make use of a comprehensive SOC dashboard to visualize all the threats captured by the SD-WAN router.

This will serve as a one-stop shop to gain a holistic view of the security events in your network. You can navigate through charts and graphs to drill down to device-level details and inspect what packet flows triggered a security event. These events are listed in three main sections.

Figure 3 – Threat Inspection Dashboard

Together, Cisco SD-WAN and Splunk enable you to transform your network and security operations


Enterprises rely on Cisco to build secure and agile networks that can safeguard their users and applications from bad actors and external threats. Just like an amplifier helps your receiver consume all the components of your home entertainment center for the best overall experience, the new Cisco SD-WAN Splunk Application helps enterprises collect vital security analytics and ensure their SOC team is on top of all the security events traversing their network.

Source: cisco.com

Tuesday, 28 February 2023

An Easier Way to Secure Your Endpoints


Why is it so hard to secure your endpoints? The simplest reason is that endpoints are in the hands of human beings who can inadvertently click on a link that introduces malware or unwittingly use an unsecure Internet connection which allows threat actors to access a corporate network.


Organizations became more prone to breaches over the course of the pandemic because more and more workers were not inside corporate walls (and firewalls) and instead worked from places like a home office or café. With more endpoints outside the confines of the corporate WAN, the attack surface abruptly increased, and with this came greater risk. Working to keep endpoints secure while having to grant access so workers can be productive makes for a difficult balancing act.

Endpoints are ground zero for organizations of all sizes and across all industry verticals. Cisco examined the nature of security incidents detected by sensors through Indication of Compromise (IOC), detecting suspicious behaviors and analyzing patterns of malicious activity. These are the top four critical severity IOCs we observed:


Without the capability to bring visibility via focused detection, breaches can go undetected for months, until the organization’s critical data have likely already been compromised.

So, if we know endpoints are so often targeted, then why are many organizations having such a problem securing them?

Customers tell us their primary challenges are expertise, time, and evidence:

◉ Challenge: Expertise – “My team can’t be experts on every new threat, or all be experts in threat hunting.”
◉ Challenge: Time – “I don’t have enough time to go after every new threat, alert, patch and compromised device.”
◉ Challenge: Evidence – “We can’t always identify which threats to prioritize or get to the root cause of every attack.”

These quotes have got to be music to the ears of threat actors. They know, like you do, how hard it can be to find skilled resources to staff your security team. Studies show that most organizations’ internal Security Operations Centers (SOCs) are only able to handle 7 to 8 investigations per day, in part because teams are burdened with frequent, false, and often redundant alerts. This leads to more manual effort for already understaffed teams, making it harder to keep pace with constantly evolving threats and issues. The result? You end up with gaps in security, higher operational costs, and a less efficient and, honestly, burned-out team.

But I’m here to tell you it doesn’t have to be like that. Consider our solution offer, Cisco Secure MDR for Endpoint (formerly Cisco Secure Endpoint Pro):

◉ We do the heavy lifting of securing your endpoints: Our dedicated elite team of Cisco security experts performs 24x7x365 endpoint monitoring, detection, and response—so you don’t have to.

◉ We detect and respond to threats in minutes, not hours: Cisco specialists use automation and advanced playbooks, powered by the Cisco SecureX platform, and backed by Talos threat intelligence, to drastically reduce detection and response times.

◉ We investigate every threat and prioritize the most critical ones: We conduct an in-depth investigation of every incident you have and enable you to approve or reject remediation actions based on evidence from our experts.

Cisco Secure MDR for Endpoint can identify and then stop threats, block malware, and contain and remediate even advanced threats that evade frontline defenses. We look at all alert-able threats, investigate and prioritize them, and recommend response actions. We do this around the clock and around the globe, from dedicated, global Cisco SOCs.

By the way, let me tell you a bit more about the incredible Talos threat intelligence standing behind our detection and response capabilities. Talos is a recognized leader in threat intelligence research and proactive and emergency response security services. Their research work includes identifying over 30 billion events per day and then vetting those events with Talos’ 400+ researchers and investigators—benefitting our ability to detect and respond.

We built Secure MDR for Endpoint as a solution, so you don’t have to spend the time and money to build a SOC, develop or acquire the tools to make it work, and then recruit and train the personnel to staff it. Secure MDR for Endpoint takes the time, expense, and complexity out of identifying and responding to threats on endpoints. Our SOC experts use AI and machine learning to separate all the false positive alarms from the real issues that need to be pursued and managed.

Source: cisco.com

Saturday, 25 February 2023

The Rise and Rise of DevOps Adoption


Thriving in the fast-changing world of technology means staying abreast of the latest trends and advancements. In recent years, one such trend, DevOps, has surged in popularity and usage. DevOps has become one of the most sought-after cultures to be adopted by organizations, with DevOps engineering roles among the IT industry’s highest in demand.

What led to the rise of DevOps? Why are organizations prioritizing DevOps adoption? Let’s take a step back and review what the term refers to, its benefits, and what we can learn from its impact on organizations and tech professionals shifting to the DevOps approach.

Demystifying DevOps


What is DevOps? Allow me to explain how the term received its name. The Development (Dev) team writes the code and performs extensive testing. The Operations (Ops) team builds the platform and manages the product’s infrastructure. As the software development lifecycle gets complex over time, it becomes difficult to assign responsibilities. The result is delayed rollouts and shortcomings in the feature’s quality.

That is exactly what DevOps fixes.

DevOps combines the Development and Operations team into a single cohesive unit. (See Figure 1.)

Figure 1. DevOps collaboration cycle between Development and Operations teams.

DevOps aims to improve the collaboration between the two teams. When development and operations work together, the result is a shorter delivery time for a feature to make its way from ‘whiteboard’ to ‘production.’

Benefits of DevOps adoption

DevOps offers a wide range of benefits to organizations, as well. Here are several reasons they choose to adopt DevOps:

1. Helps organizations move faster with feature rollouts while maintaining product quality.
2. Defines the role and responsibilities of everyone involved, thus streamlining the delivery process.
3. Promotes transition to a more automated and integrated system management approach.
4. Provides reduced deployment frequency, fewer failures of new releases, and shorter time between patch fixes.

Statistics on DevOps adoption

Figure 2. Impact of DevOps on organizations. (Source: Atlassian)

Recent surveys and studies complement the steady increase in the adoption of DevOps in organizations. In a Global Market Insights study, the DevOps market size exceeded US$7 billion in 2021 and is expected to grow at a CAGR of over 20% from 2022 to 2028 to a value of over US$30 billion.*

Predictive analysis reveals Asia-Pacific’s DevOps market size is set to experience massive growth of around 25% by 2028. And with the staggering growth of the DevOps market, organizations are actively hiring engineers skilled in DevOps technologies.

Presently, there are over 17,000 DevOps engineer roles advertised on Indeed in the United States alone, with an average salary range of $96,600-$122,000.

Extensive research by Atlassian showed that once DevOps impacted their organization, 78% of the total respondents had to learn a new skill, 61% say it helped them produce higher quality deliverables and 49% say they see a faster time to market.

Organizations experience a multitude of positive impacts post-DevOps adoption, as shown in Figure 2. As DevOps practices continue to gain traction, businesses need to ensure it fits into their objectives and adds value to deliveries. As such, 83% of IT decision-makers report their organization is implementing DevOps practices.

The transition has its challenges, however. Only 18% of organizations and teams have adopted a DevOps approach. Meanwhile, 78% consider themselves to be evolved to a middle level and 4% to a low level.**

Figure 3. (Source: Atlassian)

Atlassian’s trend survey showed 84% of respondents have faced barriers to their DevOps implementation. As illustrated in Figure 3, the most common hurdles are a lack of skills in employees, legacy infrastructure and adjusting corporate culture.

Outlook for DevOps in the Future


While the transition to DevOps is rewarding for organizations, it comes with challenges. Management needs to carefully plan DevOps’ integration in the development lifecycle. Ideally, organizations should promote learning about DevOps technologies among their employees and encourage them to take DevOps training and certifications to hone their skills in the area.

The Cisco Certified DevNet Expert certification recognizes NetDevOps leaders with the expertise to leverage automation methodologies, technologies and practices to improve networking—securely and at scale.

As we move further into the future, DevOps will continue to evolve along with its rising compatriots: Cloud, Edge and IoT. Coming up, I’ll take a deep dive into DevOps, touch on the associated technologies, and provide a complete learning roadmap. Stay tuned!

How has the adoption of DevOps impacted your organization? Have you faced challenges such as learning barriers or skills shortages? Please share your experience with me in the comments below. If you are an IT professional, I invite you to join me in the DevNet Certifications Community, where we can continue the conversation about how you can upskill into this highly sought-after field. 

* DevOps Market Size By Component (Solution [Management DevOps {Continuous Business Planning, Testing & Development, DevOps Analytics}, Delivery DevOps {Continuous Integration, Software Delivery Management}, Operation DevOps {Continuous Deployment, Monitoring & Performance Management}], Service [Professional Service, Managed Service]), By Deployment Model (On-premise, Cloud [Public Cloud, Private Cloud, Hybrid Cloud]), By Enterprise Size (Large Enterprises, SMEs), By Application (BFSI, IT & Telecom, Healthcare, Retail, Government, Manufacturing, Media & Entertainment), COVID-19 Impact Analysis, Regional Outlook, Growth Potential, Competitive Market Share & Forecast, 2022 – 2028, Global Market Insights, March 2022

** DevOps Stats And Facts – All The Numbers You Might Ever Need On DevOps In 2022, K&C, May 27, 2022

Source: cisco.com

Thursday, 23 February 2023

Getting to the Core of the Digital Divide with 5G Fixed Wireless Access


Even today, there is a sizeable U.S. population without internet connectivity. The majority of this population are rural households who either lack in-home broadband service or have few options for in-home broadband. And so, for this community, affordable connectivity remains largely out of reach. While fiber broadband would be the ideal solution, developing new infrastructure and even the trenching work required for fiber remains a significant challenge for broadband connectivity providers. A number of promising policies including the Global Connect Initiative and Advancing the Deployment of Broadband Through Dig Once are offering hope. Both were launched to bring cost savings, increase access to reliable broadband, and assist with faster deployment when a conduit is already in place. These policy initiatives are meant to help realize public and economic benefits. Improving access to broadband leads to prosperity and new opportunities where service is affordable and available.

At Cisco, we believe that affordability and connectivity should not be at odds with one another. To change this dynamic, and build towards a more inclusive future, we have been working to change the economics of the internet. The digital divide came to the forefront during the shift to remote work and learning prompted by the 2020 pandemic, exposing under-served communities and their lack of access to broadband. For communities without infrastructure already trenched in the ground, the use of mobile wireless broadband has become a lifeline for remote work, learning, and even telehealth. In this new era of hybrid work, 5G mobile broadband is an effective solution for extending reliable connectivity into underserved rural and suburban areas. While mobile broadband technology has been around awhile, it is just now, at the tail end of the 4G era and the beginnings of 5G with access to new mid-band and high-band spectrum, that mobile wireless broadband is becoming a serviceable reality. Communication Service Providers (CSPs) that have been slowed or even disincentivized by the time and cost of trenching new cable are recalculating and redressing the value of the last mile using Fixed Wireless Access (FWA) service for rural and suburban communities.

Why Fixed Wireless Access?


Fixed Wireless Access is a great tool for reducing the digital divide when it comes to accessibility and affordability. The economics for providing Internet services were in need of a change and FWA offers some good ones – reducing trenching requirements, increasing serviceable area, offering self-install customer equipment (CPE), and even providing a common wireless network architecture that can serve both Fixed Wireless Access and Mobile Access services.

When considering our approach to designing 5G networks, a guiding principle has been to improve through simplification, because managing one network and one core is simpler than managing two. The architectural differences between 4G and 5G are significant and many operators saw 5G NSA as the simplest route to early 5G, where you can introduce some limited 5G functions and features on top of existing 4G infrastructure. But 5G NSA is just a half-measure, affording a small amount of the 5G goodness we hear so much about. The next step, getting to 5G SA, is a significant achievement in network transformation for the few CSPs who have managed to accomplish the task.

Growing Fixed Wireless Access from 4G to 5G


With 5G SA, new service capabilities can be explored without the limitations of the legacy architecture. Take 5G Fixed Wireless Access, for example: unlike previous generations’ architectures, a 5G SA network architecture can flexibly deploy User Plane Function (UPF) nodes to anchor an FWA subscriber’s user plane traffic for peering at the nearest edge aggregation point. Unlike a typical mobile device such as a cell phone, fixed wireless devices are meant to be always on and connected to serve end-user devices. This means the latency and reliability we commonly expect from traditional wireline services are expected from fixed wireless services too.

Even though Fixed Wireless Access isn’t new and 4G LTE FWA services have existed for several years, transitioning into 5G technologies for FWA services is a big step towards achieving the scale that rivals FTTx offerings. As a matter of fact, T-Mobile has already begun scaling up their 5G Fixed Wireless Access services, smoothly transitioning from their initial 4G service offering, using our Cisco Converged Core. The process has been so smooth that in 2022, T-Mobile became the fastest growing Internet service provider, doubling their number of FWA customers in the past six months. With over 2 million FWA subscribers and counting, the scalability and flexibility of having a Converged Core has proven invaluable. Being able to deploy UPF nodes for Fixed Wireless Access in remote locations while managing the Session Management Function (SMF) nodes at a central site(s) is effective for scaling the network, optimizing the usage of the transport infrastructure to deliver better end-user latency.

Scaling and extending Fixed Wireless Access with the flexible deployment of UPF nodes, optimizing the routing for user plane traffic.

Of course, having a Converged Core is just a piece of the 5G puzzle. A service like Fixed Wireless Access leverages the Radio Access Network (RAN), converged Software Defined Network (SDN) transport, and a whole host of policy, security, management, and automation components. Additionally, managing the spectral efficiency and capacity available on the existing network infrastructure for FWA services is important for delivering wireless broadband. It is estimated that around 70 percent of communication service providers today offer a form of Fixed Wireless Access services, most of them still using 4G LTE, which delivers a fraction of the performance of fiber. Upgrading network architectures to meet the needs of new 5G services requires a smooth plan for the transition, and at Cisco, we believe that can begin in the core. With a Converged Core, communication service providers can migrate from 4G to 5G without disruption while scaling to serve the needs of millions of new subscribers.

Source: cisco.com