Cisco Ranked #1 in Market Share for Industrial Networking

When people think of networking, they think of Cisco. But in the industrial networking space, sometimes that isn’t the case. In the past, organizations connecting areas such as manufacturing floors, oil rigs, traffic intersections relied on specialized vendors for their industrial IoT networking needs. Not anymore. I am proud to announce that for the second year in row, Cisco is #1 in industrial networking market share. This includes layer 2 and layer 3 switching, wireless and routing. In fact, according to IHS, Cisco is the only major vendor growing across all categories.

No Longer Will Any Networking Solution Do

Data from IoT projects is critical to helping organizations stay competitive.  But problems with scale, IoT security and complexity block progress. More and more, operations are bringing in IT specialists to overcome these issues and lay a solid network foundation to help ensure project success. And this is where Cisco is uniquely equipped to help.

Cisco Enterprise Networking and Security

Other networking solutions are more complex. To connect an IoT deployment, IT often must add another domain. This creates added burden, forcing IT to manage one more network. And with the large number of devices connected, manual setup and operations isn’t an option. Only Cisco offers an integrated multi-domain networking architecture. It extends the powerful capabilities of the enterprise network, including intent-based networking, to the IoT edge. With Cisco intent-based networking (IBN), you can automate key IT functions and provide centralized visibility and control across your entire network – from your campus to your branch, data center and to your IoT deployments.

And because most IoT projects bring more risk, security must be part of the equation. We are uniquely positioned to deliver a fully integrated Cisco security architecture without gaps in coverage. Our multi-layered, built-in approach is across every layer of our IoT stack. Coupled with our multi-domain architecture and intent-based networking, you can enforce unified security policies throughout your enterprise.

These networking and security capabilities provide scale and security unlike anyone else in the market so that you can deploy with confidence.

Industrial Protocol Interoperability

The second part of the equation adds interoperability and compliance. To get data, a large number of IoT sensors and machines must connect to the Internet. But the protocols they use are not common in traditional IT networks. Our industrial networking products support a wide variety of industrial protocols such as Modbus, Profinet, CIP, and IEC 61850 GOOSE. You get interoperability and compliance with the network scale and security you need.

The Right Form Factor and Design

The third part of the equation ensures that you can scale and deploy IoT wherever you need it. Key business operations are not always in the headquarters or the branch office. The data you need can be on the front lines of your operations like in remote oil pipelines, dirty/dusty manufacturing floors, or service vehicles. None of these are conducive to rack-mounted, ambient temperature network products. To help you connect, Cisco IoT offers ruggedized and heavy-duty routers, switches and wireless access points in small and modularized form factors. We have built them to withstand extreme temperatures, dust and moisture, and vibration. They come in sizes that are small enough to deploy in cars or on light poles or wherever you need it – not just in a 19-inch rack. And unlike many other vendors, no extra enclosures required!

Cisco Industrial Networking: The Foundation for IoT Success

When added together, these are the core networking capabilities that you need as a foundation for a successful IoT project. IT gets the network that they know and trust without added burden. Operations gets a solid network foundation that is reliable, scalable and secure and that works in their environment allowing them to capture the data the need to move the business forward.

Continue reading

SD-WAN Security: Built-in is Better than Bolt-on

Securing enterprise data and business applications is undoubtedly at the forefront of every IT professional’s mind. However, efforts to secure data and applications competes with the priority to open up resources for a distributed workforce by moving applications and data to multiple cloud and SaaS platforms. It’s the task of the Wide Area Network (WAN) to securely connect cloud apps to the workforce on campus and branch sites. Unfortunately, by circumventing the security layers of the enterprise data center and using direct internet connections, data and devices can be exposed to a host of threats.

Secure, cloud-scale Software-Defined Wide Area Networks (SD-WAN) address these challenges with a designed-in set of features that combines security at scale with implementation flexibility. SD-WAN addresses flexibility with transport independence, enabling connections over direct internet broadband, MPLS circuits, and LTE/5G. Multiple connection types can carry traffic simultaneously so that the best path is automatically selected for optimal application experience, as well as for instant failover protection.

In addition to flexibility, I believe organizations need to address security holistically, with end-to-end networking approach that embeds security layers directly into the SD-WAN fabric along with intelligent analytics to measure and maintain application quality of experience (QoE). Let’s look at three capabilities that SD-WAN needs to have to successfully provide security along with ubiquitous connectivity and high levels of application experience for distributed enterprises.

1. SD-WAN provides security without compromising flexibility, simplicity, and application experience.

By unifying security and networking, enterprises get the flexibility they need with the application experience they want. IT gets simplicity of centralized administration to manage distributed resources. Integrating flexible, transport-independent WAN capabilities with full stack security, all managed from one cloud portal, reduces the inevitable complexities that result from installing, configuring, and managing products from multiple vendors with multiple interfaces. Branch sites gain direct internet access to cloud applications with protection against threats originating from the internet.

SD-WAN flexibility and security can be extended to colocation facilities and cloud platforms to provide connectivity to regional branch sites and minimize the attack surface without deploying edge hardware to each site. Applying unified security and segmentation policies through SD-WAN through a cloud colocation platform keeps personal data regional to help meet regulatory and privacy requirements.

With the ability to centrally manage both the SD-WAN fabric and integrated security stack from a central cloud portal, IT can focus on providing the best application experience for the workforce. SD-WAN Cloud OnRamps for SaaS platforms, for example, provide performance specifically tuned for cloud applications such as Office 365, directing traffic from branches to the closest cloud gateways to meet pre-defined SLAs, and simplifying both connection management and access security.

Cisco’s integrated security solution provides the best balance of security and user experience for direct internet access Direct Internet

2. Security is an embedded full-stack solution, not an add-on.

As data leaves the control of tightly-managed data centers and spreads to multiple cloud and SaaS platforms, security controls have to be at the forefront of the network design. When considering the capabilities of an SD-WAN solution, look for a fully-integrated security stack that includes an application-aware enterprise firewall, intrusion prevention, advanced malware protection, and URL filtering operating at the edge or the cloud.

Be aware that when similar security layers are implemented as bolt-on sets of third-party point solutions, they must be individually integrated and managed, requiring additional IT training and time to unify them.

3. Protect data and applications with on-premise or cloud-based security

Where a SD-WAN security stack is deployed is less about the efficacy of protecting data than providing flexibility to adapt to changes in an organization’s operations. A holistic end-to-end solution that encompasses on-premise as well as cloud security—including integration with third-party security vendors—provides maximum flexibility.

◈ On-box security at each branch edge router, for example, provides flexibility to tailor each instance to branch-specific security, routing, and access policies—guest access, direct internet permissions, VPN tunnels—to meet business requirements.

◈ Easy-to-implement cloud-delivered security gateways, such as Cisco Umbrella, monitor traffic and apply security policies to guard against accessing known malicious sites, phishing attacks, and ransomware infections.

◈ SD-WAN with security as Virtual Network Functions (VNFs) hosted in colocation facilities provide connectivity for many regional branch sites with the same capabilities as on-premise branch implementation, along with unified security and segmentation policies to protect and keep data regional to meet regulatory and privacy requirements.

◈ SD-WAN built-in security is enhanced with knowledge derived from Cisco Talos, the leading cyber threat intelligence team, that constantly monitors emerging threats worldwide and automatically updates SD-WAN security solutions with proactive and actionable resolutions.

Security without Compromise

These three capabilities provide a foundation for evaluating an SD-WAN’s fit in an enterprise’s secure WAN architecture. Since security is a must-have to protect sensitive business data, and application performance is equally important to keep a workforce productive and meet customer experience levels, the two cannot be exclusive—there can be no compromise.

While implementing a flexible, high-performing SD-WAN solution solves a myriad of challenges, without built-in security, every connected resource is at risk. Likewise, installing the best security solutions without a flexible, dependable SD-WAN fabric to optimize application performance doesn’t provide the enterprise workforce with the information they need at the right place at the right time.

To successfully transition enterprise resources to cloud and SaaS computing, an SD-WAN architecture must encompass the best of both security and application performance. An end-to-end software-defined networking architecture embeds security directly into the SD-WAN fabric to provide the optimal solution for IT and a distributed workforce.

Continue reading

Continuing innovations on Nexus9K ITD – Additional server load-balancing use cases

A couple months ago we released the new Cisco Innovated Intelligent Traffic Distribution (ITD) features on NX-OS 9.3.1. In this latest addition to Nexus 9000, we introduced ITD over VXLAN and ITD with destination NAT. The Cisco ITD feature in NX-OS was developed to addresses concerns with respect to capacity limitation on network service appliances in a multi-terabit environment, while providing a hardware-based scalable solution for Layer 3 and Layer 4 traffic distribution and redirection. These are the primary use cases for ITD a L3-L4 based load balancing across network service nodes or web servers and traffic redirection and distribution to WAN Optimizers or Web Proxies.

Benefits of ITD includes:

◈ Simplified provisioning during scaling of services nodes(scale-up);

◈ Provides line rate traffic load balancing;

◈ Health monitoring, failure detection and recovery; and

◈ Unlike ECMP, ITD provides even distribution of traffic and more granular control on traffic distribution

ITD over VXLAN

In a VXLAN fabric architecture, the endpoints, such as clients, physical servers, and virtual servers, are distributed across the fabric. Traffic flow from and to these clients and servers needs to be load-balanced in this fabric environment. With this ITD release, the single-switch ITD solution has been expanded to the VXLAN fabric so that now the fabric will act as a massive load-balancer. The NX-OS 9.3.1 release covers only the VIP-based load balancing mechanism in a VXLAN scenario, which means servers and clients can be connected anywhere in the fabric and glean the benefit of this fabric-based load-balancing function.

Traffic flow from and to clients and servers in a fabric environment using ITD

ITD with NAT

Due to security reasons and a need for IP space conservation, customers look at NAT solutions to reuse the private IP address and hide the real-IP of the servers or services. Prior to this release, ITD was supported with Direct Server Return (DSR) mode. DSR mode is where clients have the visibility into the real-IP address of the servers/services. These servers were configured with the same public Virtual IP address (VIP), and servers reply directly to clients with the VIP as source IP bypassing the ITD. With this feature in NX-OS 9.3.1, clients no longer have visibility into real-IP’s of servers/services endpoints. Now, ITD on the switch will perform load balancing as well as NAT functionality, and ITD with destination NAT changes the destination address of the IP header. This helps redirecting the incoming packets with a destination of public IP to a real server private IP inside the network. The reverse path of the packet flow also follows the same approach, such as translating source address/real server IP to the VIP address, and then forwarding the traffic to the clients. ITD with destination NAT is applicable only in standalone switch today.  ITD w/ NAT will be supported over VXLAN fabric in future releases.

Clients sending traffic to the ITD virtual IP address (20.1.1.1)

In the above example, clients send the traffic to the ITD virtual IP address (20.1.1.1), assuming it as real destination IP of the server. ITD switch translates and load balances the traffic to one of the server’s private IP address by adding its own IP as the source IP. The return traffic from the server is translated by ITD to its own VIP as source IP and forwarded back to the client. This way the traffic gets load balanced across the servers behind NAT without exposing the real-IP of servers to clients.

Continue reading

Cisco DNA Center Real Time Event Notifications into Webex Teams!

Find out about network issues before your users do!

Cisco DNA center has a powerful issue correlation engine for enterprise wired and wireless networks. Taking real time feeds of network telemetry it is able to identify issues and provide context for resolution.  The next question is what to do with the events?  Some customers would like to send them to an email system, where as others would like to create a message in an instant messaging system.

Fortunately, there is a webhook based notification that can be used to process and handle issue notifications.  This blog post provides a simple python script to send a notification to a Webex Teams room, or email server.  Version 1.3.1 of Cisco DNA Center provides native email integration, so I will focus on the Webex Teams integration.

Getting  Started

As with all of my examples, the sample code is posted on github.

The first step is to download the code and create a python virtual environment (the virtual environment is optional). You need to change directory into the WebHookServer directory.

git clone https://github.com/CiscoDevNet/DNAC-Platform

python3 -mvenv env3
source env3/bin/activate
cd DNAC-Platform/WebHookServer

The next step is to install the required python libraries

pip install -r requirements.txt

You will also need to edit the configuration file  config/dummy_spark_config.py and add a Webex Teams roomId and provide a valid Webex Teams token.  To get a token and find the API call to discover the roomID go to developer.webex.com .

AUTH="Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
# alerts room
ROOMID="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

You need to run the server and it will listen on port 9000. This can be changed if required.

./server.py

Testing out the issue notifications

The next challenge is to generate an issue. Fortunately, I have provided a sample script to generate some “dummy” issues.

The client directory contains some “fake issues” that can be sent to the server for testing.

If you run the client.py program will no arguments, a list of valid issues is provided.

./client.py
Run with --event and a valid example.
Valid Examples:ap_down_eg, ap_flap_eg, border_dhcp_eg, device_unreachable_eg, swim_eg, new_flap_eg

The schema for issues changed between 1.3.0 and 1.3.1.  There are examples for both old and new versions.  New versions has prefix “new.”   The new_flap_eg is an example of a new issue.  I am going to send the new format example.

$ ./client.py --event new_flap_eg
Sending:new_flap_eg
200

The server will display the JSON payload, as well as sending it to the Webex Teams room.

Example Issue Notification

If you want to take a look at the payloads, you can look at the source of the issues in the github directory:

https://github.com/CiscoDevNet/DNAC-Platform/blob/master/client/examples/ 

Cisco DNAC configuration

I am going to focus on the 1.3.1 configuration.  This has changed a lot from earlier releases and is now real time (vs 15min delay).

The first step is to go to Assurance->Manage->Issue Settings

Manage Issues

 Then click top right “Manage Subscriptions.”  A tip is to make sure you click “show more” a few times so all 53 issues can be selected. Only the first 10 are shown by default.

Select Issues

You can then click top left “subscribe,” and then “Create a new subscription.”  You will see the screen below.

Select the  “created a new endpoint option.”  For this example, we need the IP address of the server and the port (9000 was the default).   Note that this needs to be https. You also need to select the HTTP Method (POST).

Create Subscription

For the simple example, there is no authentication, but this is easy to add.   Click “subscribe” and the subscription will be created for the selected events.

Congratulations, you now have a working integration between your DNA Center and the python webhook server into webex teams.

Continue reading

Now It is Easy to Get High Score in 200-125: CCNA Routing and Switching (CCNA) Certification Exam with Cisco.

Exam Name: Cisco Certified Network Associate

Exam Code/Number: 200-125 CCNA

Exam Overview: This exam tests a candidate's knowledge and skills related to network fundamentals, LAN switching technologies, IPv4 and IPv6 routing technologies, WAN technologies, infrastructure services, infrastructure security, and infrastructure management.

Practice Exam: Cisco Certified Network Associate Routing and Switching Practice Test

Sample Questions: Cisco 200-125 Sample Questions

Read Must:-

• How to Pass Cisco CCNA Certification Exams?
• How to Prepare for Cisco CCNA (200-125) Exam?
• How to Become CCNA Certified?
• Benefits of Earning Cisco CCNA Service Provider Certification

Continue reading

Build Indoor Location Services into Your Applications

Show location of people, assets, products in 3-D

Indoor Location Services is a term that we have been hearing a lot for the past couple of years now. Within this space, Cisco has both indoor location and proximity products which we will touch upon as later in the blog. Glance is an indoor wireless location service application based on Cisco Meraki and Cisco DNA (Digital Network Architecture) Spaces for Wireless IP and Bluetooth Low Energy (BLE) devices. There is a “wow-factor” associated with this application as it can show and render location or people and assets in 3-D.

Glance lets you see locations or people and assets in 3-D.

Open-source Glance opens up innovation potential

This application has been installed at multiple Cisco innovation centers around the world as well as at Cisco Live events. But there is vast potential for indoor location services enabled applications in a wide variety of wireless-covered areas – such as retail, manufacturing, healthcare, entertainment, public services, etc.

That is why we have open-sourced Glance. Now developers across industries can develop indoor location services applications based on Meraki and Cisco DNA Spaces for IP/BLE wireless devices to serve more end-users in different scenarios and make Glance more powerful.

How to engage and contribute to open-source Glance

You are welcome to download and freely use the codes of the Glance project, as well as Apache license agreement 2.0, and easily setup your own indoor location services with the latest updates. Glance includes basic administrative functions and docker-compose deployment scripts. We also welcome your contribution to Glance project so that it can better serve people under different circumstances.

Let’s look at some of the features that Glance has to offer

Glance supports interactive, 3-D, multi-floor maps with real-time indoor navigation, people/things tracking, and facility finding (such as restrooms, service counters, elevators). The maps also support visualized illustration of objects such as furniture and signs to emulate real surroundings. People-tracking with Glance is a customer-friendly support service which enables customers to find, tag, and show the location of hundreds of people among thousands of people.

Glance provides real-time, 3-D heat-map capabilities, which facilitates analysis of people flow, as well as administrative functions for service setup.

Glance Software Stack

Glance Service structure

Deployment of Glance

Cisco has two products in the indoor location and proximity space

Indoor Location and Proximity with Cisco Meraki:

Meraki provides Real-Time Location Services (RTLS) which enables tracking of live client device location within a network. Cisco Meraki APs can track location of client devices independently, using the signal strength of each client device. This helps to locate client devices that are either stationary or moving inside the intended area. Meraki also has a BLE radio which can scan BLE clients within close proximity.

Cisco DNA Spaces:

Cisco DNA Spaces (previously called Cisco CMX (Connected Mobile Experiences)) provides wireless customers with rich location-based services, including:

◈ location analytics

◈ business insights

◈ customer engagement toolkits

◈ asset management

◈ BLE management

◈ location data APIs

Cisco DevNet has development resources concerning how to code with Cisco CMX solutions, that are now part of Cisco DNA Spaces.

Glance has advantages over other positioning apps

◈ Glance offers an easy way to map physical device IDs with person/asset. If wireless network access requires ID-authentication, the administrator can batch-import user/asset profiles (such as Excel sheets) including end user display names & Wi-Fi authentication IDs. The moment the end user’s personal device gets network connection, the Glance back-end will automatically log him/her in. If wireless network access does not require ID-authentication, our customers can check-in and check-out of the system by themselves, so long as the administrator has batch-imported user/asset profiles including the names. Then the end user uses his/her personal device to scan a QR code, access a specified check-in/check-out URL, pick his/her name to complete the check in process or press the “Check out” button to check out. If the end user’s personal device doesn’t have a browser, Glance can also map the physical ID of the device with a person/asset.

◈ Meraki and DNA Spaces use different data models and coordinates. However, Glance has an indoor location service adapter to convert them into one common data model, and map the locations of people/assets to the customized multi-floor map. Therefore, Glance works on top of both Meraki and DNA Spaces.

◈ Converting the physical device IDs in Meraki and DNA Spaces into much more visualized elements rich in properties/tags (such as people, assets, signs, facilities) and easier to categorize/search, Glance’s customized 3-D, multi-floor map emulates the real surroundings and offers a more user-friendly interface.

◈ Third-party services can easily integrate Glance into their location services because Glance provides specified APIs where physical device IDs are replaced with visualized elements. Glance also has integrated third-party services such as WebEx Teams messages and SMS.

Glance’s customized 3-D, multi-floor map emulates real surroundings and offers a more user-friendly interface.

Continue reading

Using CESA to Solve Endpoint Blindness for a World Class InfoSec Team

Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats. There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced. CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise. Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.

Why Did We Build CESA?

The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec. Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources. They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network.

The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then come up with ideas on how to solve them. My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.

As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards technology so that not only could Cisco Stealtwatch and Cisco Tetration support it, but also provide an ecosystem for key partners to participate. This is why we chose to build on IPFIX. It is the perfect protocol to build the enhanced context found in nvzFlow. What do we mean by “Enhanced Context”?

The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:

◈ User
◈ Device
◈ Application
◈ Location
◈ Destination

At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.

Working with Great Partners like Splunk and Samsung

One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry. Cisco InfoSec has been using the CESA solution for over two years now.

Spunk Enterprise is a fantastic tool. It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but to also quickly create a high value set of dashboards and reports from the data. There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk. Because NVM produces so much high value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money.

Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see the solution provides visibility into what applications are connecting to what domains and how much data is being transmitted/received.

From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc. Just click on the specific element and it will take you to an investigation page for that observable.

You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards. For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML. This will allow you to obtain a threat disposition on the domain.

Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response. This will allow you to obtain a threat disposition on the binary.

We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools. Let us know if there is anything else that would be useful in the default screens.

Samsung has been another excellent partner from the start. We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN. When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible. It is the only framework available on mobile platforms to support Cisco AnyConnect NVM. The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed! Keep an eye out for a forthcoming quick‑start guide on this technology. NVM is also available on Windows, MacOS and Linux platforms.

Continue reading