(This blog has been developed in association with Praveen Jain, VP, Engineering of Cisco’s Application Policy Infrastructure Controller, Juan Lage, Principal Engineer and others)
Security is top of mind in today’s data center and cloud deployments, and security architectures have continued to evolve even as new threats manifest themselves in the digital world. Today’s security administrator requires a variety of “tools” to deal with sophisticated attacks. One such tool is the ability to segment the network.
Traditionally network administrators have allocated subnets for different applications and mapped them to VLANs as a means of providing network segmentation, partitioning and isolating domains. This classic approach was relatively easy to implement and facilitated policy definition using Access Control Lists (ACLs) between subnets at the L3 boundary, usually the first hop router or perhaps a physical firewall.
However, this approach led to the undesired mapping of IP subnets to applications. Over time, it also led to an explosion of ACLs when subnet based policies were not sufficient (for instance, by requiring ACLs that match on specific IP Addresses). This in turn made it difficult to perform garbage collection of ACL entries when applications were decommissioned, complicating the ACL management problem.
So, while the broad constructs of segmentation are still relevant, today’s application and security requirements mandate increasingly granular methods that are more secure and operationally simpler.
This has led to the evolution of what we call “micro-segmentation”. Broadly, the goals of micro-segmentation are as follows:
- Programmatically define segments on an increasingly granular basis allowing greater flexibility (e.g. to limit lateral movement of a threat or to quarantine a compromised endpoint in a broader system)
- Leverage programmability to automate segment and policy management across the entire application lifecycle (instantiation through de-commissioning)
- Enhance security and scale by enabling a Zero-Trust approach for heterogeneous workloads
Micro-segmentation with Cisco’s Application Centric Infrastructure
Cisco’s Application Centric Infrastructure (ACI) takes a very elegant approach to micro-segmentation with policy definition separating segments from the broadcast domain. It uses a new application-aware construct called End-Point Group (or EPG) that allows application designers to define the group of endpoints that belong to the EPG regardless of their IP address or the subnet they belong to. Further, the endpoint can be a physical server, a virtual machine, a Linux container or even legacy mainframes – i.e. the type of endpoint is normalized and therefore irrelevant, thereby offering great simplicity and flexibility in their treatment.
ACI still preserves the traditional segment, now called a Bridge Domain (or BD). IP subnets can still be assigned to Bridge Domains. This approach helps preserve any existing operational models, if required, allowing for creation of Bridge Domains with a single EPG that maps to the concept of a traditional VLAN.
The ACI architecture takes this even further. Multiple EPGs can belong to the same Bridge Domain, and EPGs can be provisioned programmatically (in fact, just like everything else within ACI) via an open API made available through Cisco’s Application Policy Infrastructure Controller (APIC). Simply put, the EPGs in the ACI architecture are “micro-segments” of a Bridge Domain.
The figure below illustrates this approach:
Tags: Cisco ACI, micro-segmentation, security
Cisco UCS M-Series Modular Servers deliver exceptional value for online content delivery like gaming, web serving, transcoding, and HPC. Built around Cisco’s virtual interface card (VIC) technology and the policy-based management of UCS Manager, this new design brings the award-winning architecture and management of Cisco Unified Computing to the world of parallelized workloads.
Tags: Cisco UCS, Modular Servers
In a few weeks the spring season will set in, and it’ll be a ripper Down Under. For the Data Center technology geeks there is plenty of action in store to celebrate the onset of Aussie spring. I am talking about F5 Agility, which is getting ready to rock Melbourne (Aug 18) and Sydney (Aug 20).
Just last week, I was at F5 Agility, Washington DC. It was an electrifying experience meeting customers and partners of Cisco and F5, culminating in a powerful guest keynote by Colin Powell, the legendary American statesman and retired four-star general. Colin’s passion to help youth and transform the globe is totally extraordinary, and most of us attendees were privileged to listen to him that day. That speech has supercharged me for a long time to come, and in that mindset, let me switch context to F5 Agility, Melbourne Aug 18, and Sydney Aug 20. The agenda for both these events is identical. We have a packed set of activities from early morning till late evening. We are going to hear F5’s leaders, customers, and partners share how the latest solutions from F5 are transforming what’s possible for today’s organizations. In about a year’s time the Cisco ACI and F5 partnership has demonstrated significant success in our joint solution momentum and customer adoption. I am pleased to invite you all to attend this premier industry event and get insights on how F5 and Cisco are bringing the power of cloud, data centers, converged systems, and as-a-Service together to enable fast, efficient, and secure application delivery in today’s challenging hybrid environments.
The keynote by Julian Eames, F5 EVP of Business Operations, centers on “Innovate, Expand and Deliver” and lays the foundation for your business to innovate new paths to success, expand through barriers to growth, and deliver the applications your customers need to succeed. Julian will take you on a tour of current market trends, how F5 has grown under John McAdam’s tenure, the evolution of the F5 Platform from simple load balancer to ADC to support cloud-based business models, the growing importance of enterprise security, recent F5 acquisitions, and last but not least the growing ecosystem of Partners. I recommend getting started with Julian’s keynote.
Following the keynote, Cisco Exec Shashi Kiran is hosting the Plenary, Platinum Sponsor session titled “Deliver Application Agility with Cisco Application Centric Infrastructure (ACI)” at 10.30 am local time. What’s unique about this Breakout Session? You will get the opportunity to hear Shashi eloquently walk you through the role of Cisco ACI in today’s Application-Oriented Economy, and also see a key partner join him on stage and share their success stories with ACI. Shashi will discuss how emerging applications are placing huge demands on Data Center Infrastructure and how grossly unprepared it is to meet them. Shashi will then introduce Cisco ACI, an open, scalable, programmable SDN solution that helps address these infrastructure challenges. Shashi will illustrate how Cisco’s open architecture enables seamless integration of F5 into ACI’s policy framework and how the joint solution brings unprecedented agility and end-to-end L2-L7 accelerated application delivery.
Shashi is also doing the Plenary Panel Session in the evening jointly with F5 Execs and the Guest Customer speaker. The topic centers on global trends and themes in cloud adoption and drivers, SDN, security, etc. This session will be invigorating and sets the stage for a lively evening solutions expo tour.
For the technically oriented among you, we also have a number of technical breakout sessions hosted by F5 and its Partners. These sessions cover Security and Cloud in detail, along with other emerging Data Center topics.
That is not all. Cisco ACI brings you additional customer engagement opportunities in the solutions expo hall. We are featuring cool demos showcasing our joint solutions, namely ACI-F5 BIG-IP and ACI-BIG-IQ, on both Aug 18 and 20 during the expo hours. Stop by the Cisco booth, where product experts are available to engage in whiteboard sessions; to complement the demos, we also run short presentations in the Cisco theatre at periodic intervals. Should you desire, we are happy to meet you in 1-1 meetings, so let us know how we can enrich your experience at the event.
For all the hard work we all do at the event, there is plenty F5 offers to let us relax and enjoy. The networking event at the solutions expo in the evening (5 – 7 PM) provides drinks and prize draws in addition to an exciting showcase of state-of-the-art technology innovations and demos. Tasty food and drink, knowledgeable guides, and more await you as you network with your fellow attendees.
I am eager to see you all in Australia next week. There are some useful links for you to check out before your visit on how Cisco ACI and F5 work together on the innovation front.
For more information, visit www.cisco.com/go/acif5
Join our Community discussions on ACI and find out “What is your SDN Spirit Animal?”
Take the quiz and find out!
Tags: Cisco ACI, Cisco Data Center, F5 Agility Australia, F5 BIG IP, F5 BIG IQ, SDN
As we continue our journey of openness, summarized by ZK Research in “Cisco’s Data Center Strategy is Built on Openness”, we announced Open NX-OS, which runs on the Nexus 3K and Nexus 9K platforms, at Cisco Live San Diego in June 2015.
The Open NX-OS extensibility supports:
- Object store and model-driven NX-API enhancements. NX-API enables a common programmatic approach across the entire Nexus switch portfolio (Nexus 2000 through Nexus 9000 switches)
- Built-in third party DevOps automation tools like Puppet
- Secure SDK enabling third party and custom application development running natively on NX-OS
The new programmability features in Open NX-OS, such as the bash shell environment, Python interpreter and NX-API access, enable the built-in DevOps Puppet tool to be extended to automate anything on the platform. Cisco and Puppet Labs are excited to make available the Puppet Cisco NX-OS agent (http://docs.puppetlabs.com/pe/latest/install_nxos.html) and the Cisco Puppet Forge module (http://forge.puppetlabs.com/puppetlabs/ciscopuppet).
Companies are embracing software defined networking (SDN) and DevOps practices to deploy network changes repeatedly and consistently. Customers who run mega-scale data centers, like Web 2.0/OTT and Fortune 100 companies, are looking to do more with less, increase the “device:admin” ratio and agility, and respond faster to business needs in a world where continuous application updates grow by the hour, without breaking infrastructure operation.
Using Puppet Enterprise, you can not only realize those SDN benefits but also extend DevOps practices to network administration across mega-scale data centers, commercial and large enterprises by defining your desired network configuration with infrastructure as code. Using infrastructure as code enables cross-team change collaboration, automated infrastructure testing, and automated application deployments that span compute, storage, and network.
Tags: automation, Cisco Nexus 9000, devops, Nexus 3000, NX-API, NX-OS, Puppet Labs
Traditional to Big Data to IoT: Transaction Processing Performance Council Establishes Internet of Things Working Group (TPC-IoT)
Over the past quarter century, the Transaction Processing Performance Council (TPC) has developed several industry standard benchmarks for database performance, largely in line with major technology trends. The two most influential benchmark standards have been TPC-C (the standard for benchmarking transaction processing systems), introduced in 1991, and TPC-D and its successor TPC-H (the standards for benchmarking decision support systems), introduced in 1994. These standards have been a significant driving force behind the development and advancement of several database, server and storage related technologies. In addition, the TPC laid a solid foundation for complete system-level performance, and a methodology for calculating total-system-price and price-performance, that have been widely adopted in the industry.
There is no doubt that industry and technology landscapes have changed and continue to change at a fast pace. Two of the technologies that will change the world in the next 10 years are Big Data and the Internet of Things (IoT).
Big Data: Big Data is a popular term now that describes the exponential growth of data, often defined by the 5Vs, and the associated technologies to store and process it effectively and drive business value. The Big Data technology and services market represents one of the fastest-growing multi-billion-dollar worldwide markets, and is expected to grow to a $60 billion market driving $300 billion in worldwide IT spending directly or indirectly by 2020.
Foreseeing its importance, in 2014 the TPC developed the TPC Express Benchmark HS (TPCx-HS) to provide the industry with verifiable performance, price-performance, and availability metrics of hardware and software systems dealing with Big Data. This standard can be used to assess a broad range of system topologies and implementations of Hadoop systems in a technically rigorous, directly comparable, and vendor-neutral manner. This is the first major step, while the TPC continues to enhance and develop new standards in this area such as TPC-DS with support for Hadoop and TPC-Big Bench.
Internet of Things (IoT): IoT has emerged in the last few years, poised to transform virtually every major market segment. It contains a complex mix of technologies and products, from data collection and data curation to complex analytics exploiting the data generated by an exploding number of connected devices. According to IDC, the global IoT market will grow from $665 billion in 2014 to $1.7 trillion in 2020. To put that in perspective, it’s an absolutely enormous figure; only 16 economies in the world had gross domestic products exceeding $1 trillion in 2014.
As the IoT ecosystem evolves in the enterprise, it is imperative to have a set of standards that enable effective comparison of hardware and software systems and topologies in a technology- and vendor-neutral manner. Continuing its commitment to bring relevant standards to the industry, today the TPC announced the formation of the TPC-IoT benchmark committee, tasked with developing industry standard benchmarks for hardware and software platforms associated with IoT.
We’d like to connect with companies, research and government institutions to ensure a holistic perspective during the benchmark development process. Anyone interested in our efforts can visit our membership page.
Tags: Big Data, internet of things, IoT