Cisco Blog > Cisco Interaction Network

Five Golden Rules for Branch Consolidation

September 24, 2009 at 12:00 pm PST

[Image: Fun on the Set of TechWiseTV 50]

The first new TechWiseTV show of our fourth season is a Data Center show and it happens to be episode 50.  What is the proper gift for hitting 50? I don’t know…surprise me.  Welcome to the Show Notes!  If you have not seen the show yet, please check it out -- it aired live on September 24 and should be available for immediate replay within 24 hours of said date…

Before I get to the actual ‘notes’ you may be looking for…what did you think of this show?  We have a new production team that we are actually doing in-house and we have changed up the style quite a bit as we are also now shooting in San Jose’s building 13 -- the Industry Briefing Center…big shout out to Rob Sprenger and his team for letting us bunk down with him there as this is an OUTSTANDING place to see real Cisco technology solutions in these cool fake settings…like a doctor’s office, a hotel, a bank, a retail store, on and on….great place to hang out. Please add this to your Cisco ‘Bucket List’ in the San Jose area and come say hi.

Segments are getting shorter so we have a few more of them on the agenda -- this show ran short of an hour by about 10 minutes but I am really pleased with the amount of technical depth and discussion. Let’s go segment by segment.

Segment 1 -- Today’s Objective: Find the 5 Golden Rules

Common wisdom now says that we must gather up all our precious data and re-centralize it.  This would allow us to keep a better eye on it, keep it available, redundant and secure.  But our users (clients…offices…) are out close to the customer, getting the work done, and they are demanding, insatiable, and increasingly harder to please.  So the question is, are we pursuing mutually exclusive goals?  To move data (and potentially the applications) further from the users so we can care for it better… while at the same time acknowledging that our end users’ appetite for a rich, engaging, productive network, and their expectations of what it is supposed to provide them, are only going to grow.

[Image: Steve Phillips, TechWiseTV 50 Data Center Show]

Maybe it is time to re-think the relationship between ‘physical proximity’ and its traditional cousins…speed, availability, responsiveness and so on.   As we prepared the content for this show, I kept coming back to the obvious question: Does distance really matter?

All day every day, the heat of the e-commerce battle is unrelenting.  At any given moment…no, at every given moment, demands are being made of the network.  Users, applications, offices are craving the life-sustaining flow of data to maintain this crucial commerce of your globally dispersed business. 

The increasing reality of Moore’s law is only eclipsed by the reality that none of this slows down.   So the crucial questions for the ever talented data center managers, network managers and facility operators who must excel in the middle of all this:

How do you:

- Determine if devices are available or unavailable?
- Know if key devices in the data center(s) are overloaded?
- Measure the success of your load balancing technology?
- Determine which of your Data Centers is closest to the requesting source? (or does it matter?)
- React quickly to changes in load, availability or cost?
- Provide data center persistence during a transaction?
- Give conditional responses in data center availability and load?

Segment 2 -- Noam and Jimmy Ray in the Lab -- WAAS & SSL

Noam and Jimmy Ray talk WAAS and SSL

WAAS Ease of Installation with Elizabeth McKion:

More reading on WAAS -- Wide Area Application Service

 

Ted Grevers and Joel Christner wrote a nice book with Cisco Press in their Fundamentals Series (which I really find useful on a regular basis).  Check out ‘Application Acceleration and WAN Optimization Fundamentals’.

WAN Optimization at Cisco

 

Some helpful notes and pictures from Noam:

SSL (Secure Sockets Layer) and its successor protocol (TLS -- Transport Layer Security) are the most commonly used cryptographic protocols to encrypt content in IP networks. SSL is used primarily by HTTP applications, but is also used to encrypt content within the enterprise.

SSL provides data encryption, server authentication, message integrity and optionally -- client authentication.

[Image: Cisco WAAS SSL Optimization Solution]

WAAS optimization benefits are maximized only when applied to decrypted payload.
During the initial SSL handshake, only the WAE at the core participates in the conversation. The connection between the WAEs is established securely using the WAE device certificates, and the WAEs cross-authenticate each other. Once the SSL handshake is done and the core WAE has the session key, it transmits the session key (which is temporary) over to the edge WAE so that it can start decrypting the client transmissions and apply DRE. The optimized traffic is then re-encrypted using the WAE peer session key and transmitted in-band over the current connection (i.e. maintaining transparency) to the core WAE. The core WAE then decrypts the optimized traffic, reassembles the original messages and re-encrypts them using the session key shared with the server, to be transmitted to the server securely.

If the client is using a client certificate, the core WAE validates the client certificate against a CA or an OCSP (Online Certificate Status Protocol) responder to verify that the client is indeed still approved. The WAE then uses its own client certificate to communicate with the server.

With Cisco WAAS the SSL trust model is maintained in the Data Center, which ensures enhanced security. Server private keys are stored securely only on the Core WAE and are never distributed to the branch. SSL session keys are distributed to the Edge WAE over a secure HTTPS connection between the Edge and the Core WAE.
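To make the key-handling split concrete, here is an added Python simulation of the flow described above; it is not Cisco code and does not model WAAS internals. The core WAE alone holds the server private key, derives a temporary session key in a stand-in handshake, and hands only that key to the edge WAE; the edge decrypts the client record, compresses it (zlib standing in for DRE), re-encrypts it to the core under the WAE peer key, and the core restores the original and re-encrypts it to the server. The HMAC-based record cipher, the key derivation and every key value are constructed stand-ins for the real SSL machinery.

```python
import hashlib
import hmac
import secrets
import zlib

def _keystream(key, nonce, n):  # toy stand-in for a TLS record cipher (HMAC-SHA256 in counter mode)
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, record):  # verify the tag before touching the ciphertext
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CoreWAE:  # data-center WAE: the only party that ever holds the server private key
    def __init__(self, server_private_key, peer_key):
        self.server_private_key = server_private_key  # never leaves the data center
        self.peer_key = peer_key  # WAE-to-WAE key from certificate cross-authentication (assumed)
    def handshake(self, client_random):
        # stand-in for the SSL handshake the core performs for the server; yields a temporary session key
        self.session_key = hmac.new(self.server_private_key, client_random, hashlib.sha256).digest()
        return self.session_key  # this key, not the private key, is pushed to the edge WAE
    def to_server(self, optimized_record):
        original = zlib.decompress(unseal(self.peer_key, optimized_record))  # undo the edge optimization
        return seal(self.session_key, original)  # re-encrypt to the server under the session key

class EdgeWAE:  # branch WAE: receives only the temporary session key plus the peer key
    def __init__(self, session_key, peer_key):
        self.session_key, self.peer_key = session_key, peer_key
    def optimize(self, client_record):
        plaintext = unseal(self.session_key, client_record)  # decrypt the client's SSL record
        return seal(self.peer_key, zlib.compress(plaintext))  # zlib stands in for DRE; re-encrypt to core

def run_flow(request):
    # client -> edge WAE -> core WAE -> server with constructed keys; returns the plaintext the
    # server recovers and whether the edge WAE ever held the server private key
    server_private_key, peer_key = secrets.token_bytes(32), secrets.token_bytes(32)
    core = CoreWAE(server_private_key, peer_key)
    edge = EdgeWAE(core.handshake(secrets.token_bytes(32)), peer_key)
    client_record = seal(core.session_key, request)  # the client encrypts under the negotiated session key
    server_sees = unseal(core.session_key, core.to_server(edge.optimize(client_record)))
    return server_sees, server_private_key in vars(edge).values()
```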

- Widest range of SSL acceleration
- Real-time security check of certificates
- Supports client authentication
- Supports the highly secure session key method that is the default in some popular browsers and servers

Flexible deployment:

- Import the original server certificate and private key signed by a CA
- Use wildcard certificates signed by a CA
- Generate a certificate signed by a CA and derive the session key without the original server private key

Segment 3 -- Robb & Jimmy Ray -- Is DNS your weak link?

Key Point:  The very first routing decision you make is DNS.

- DHCP/DNS are THE most expensive free resources on your network, with the ability to instantly render your entire network useless at a moment’s notice.

DNS is not going to go away, but how you deal with it could be that bit of knowledge that saves your job.  The first hop in your network should not be out of the frying pan and into the fire…

NOTES:

Steve Friedl did a very nice Illustrated Guide to the Kaminsky DNS Vulnerability

History of DNS
History (at Wired…1983)

“June 23, 1983: DNS Test Sets Stage for Internet Growth” (article published 2008)
Dan Kaminsky
(used to work for Cisco!)
Great article on Kaminsky from my favorite magazine,  ‘Wired’
 

“Oh s_it,” he mumbled. “I just broke the Internet.” …

The experts watched as Kaminsky opened his laptop and connected the overhead projector. He had created a “weaponized” version of his attack on this vulnerability to demonstrate its power. A mass of data flashed onscreen and told the story. In less than 10 seconds, Kaminsky had compromised a server running BIND 9, Vixie’s DNS routing software, which controls 80 percent of Internet traffic. It was undeniable proof that Kaminsky had the power to take down large swaths of the Internet.

 

Black Hat Interview with Dan
Steve Gibson and Leo Laporte on the Whiteboard

Note on Paul Vixie: (from Wikipedia)
Paul Vixie is the author of several RFCs and standard UNIX system programs, among them SENDS, proxynet, rtty and Vixie cron.
In 1988, while employed by DEC, he started working on the popular internet domain name server BIND, of which he was the primary author and architect, until release 8.

 

Segment 4 -- Steve with Jimmy Ray in the Lab to dig into -- ACE GSS

More Reading on the ACE GSS -- Application Control Engine Global Site Selector

 

[Image: Steve Phillips, TechWiseTV 50 Data Center Show]

Segment 5 -- Pulling it all together…the Whiteboard of Truth!

Check out Design Zone for some great Design Guides and Application Specific Implementations


[Image: TWTV50 Whiteboard of Truth 1 of 2]
[Image: TWTV50 Whiteboard of Truth 2 of 2]

 

Cisco Learning Network Update

Cisco is at the forefront of the rapidly evolving field of Data Center unified computing, and the demand for individuals who can manage and maintain these advanced solutions has never been greater.

To meet this demand Cisco is offering two new specialist certifications. The Cisco Data Center Unified Computing Design Specialist and the Cisco Data Center Unified Computing Support Specialist prepare individuals for Data Center jobs and equip them with cutting-edge skills in Data Center virtualization.
 
The Cisco Data Center Unified Computing Design Specialist is for Data Center architects designing virtualized data centers using Cisco’s “Unified Computing System” and surrounding Data Center topology while leveraging server, network, & storage expertise, and incorporating VMware or other virtualization systems.
 
The Cisco Data Center Unified Computing Support Specialist is for Data Center engineers who are implementing, deploying, operating, and supporting virtualized data centers using Cisco’s “Unified Computing System” & surrounding Data Center topology while leveraging server, network, & storage expertise, and incorporating VMware or other virtualization systems.
 
Two Options for Certification
Fast Track Exam Option Available For Both Specialist Certifications
Cisco will offer two options for candidates wishing to achieve their UC Support or UC Design Specialist certifications:
 
For candidates with a background in Cisco datacenter design and implementation, a Fast Track or “Qualifier” exam will allow candidates to fulfill the prerequisite knowledge requirements.
 
Candidates without a previous background in Cisco Data Center technologies and applications may also achieve their specialist certification by completing the currently available Cisco Datacenter Specialist Certifications for Architects and Engineers.
 
 
Individuals who attain these new Data Center Unified Computing Specialist certifications will demonstrate the ability to design, deploy, and integrate storage networks, advanced networking, application services, virtualization, and unified computing technologies into a consolidated Cisco Data Center unified architecture.
 
Courses for the new Data Center Unified Computing Specialist certifications will be made available mid November through authorized Cisco Learning Partners. Data Center Unified Computing Specialist certification exams will be made available in mid December through authorized VUE testing centers.
 
Find out more about these new Data Center Unified Computing Specialist certifications on the Cisco Learning Network at www.cisco.com/go/learningnetwork.
