Cisco Blogs


vBrownBag Cisco ACI Panel Session at VMworld 2015

Have you seen the vBrownBag Tech Talks at previous conferences or maybe checked them out on YouTube? If not, I highly recommend it. If you’re not familiar with vBrownBag, it is actually several things! For one, it’s a weekly podcast (or videocast, really) with different guest hosts every week who usually give about an hour-long presentation and demo on various technologies. vBrownBag has also taken on a strong role at tech conferences by allowing presenters from every arena to give lightning tech talks that are streamed live as well as recorded for later viewing on YouTube. In essence, it’s an awesome and free way to get and give information.

Cisco has long supported the vBrownBag effort and we will be participating in the vBrownBag Tech Talks on Monday evening at 5:30pm in the Hang Space at VMworld. Instead of doing what we normally do, which is one person giving a presentation, we’ve decided to do a panel session with some of the fantastic folks from the Insieme BU including Joe Onisick, Carly Stoughton, Yogesh Kaushik, and me (Lauren Malhoit) as the moderator.

I’m excited about this panel session for several reasons. For one, I’m also a part of the vBrownBag crew so it’s always fun when these two worlds collide. More than that, though, is getting to hear these brilliant people talk about new features in Application Centric Infrastructure. While there are several new features in the new release of ACI, the panel will concentrate on the new Troubleshooting Wizard, ACI Optimizer, which is a capacity planning tool, and last but not least the enhanced microsegmentation offerings. Not only are we utilizing dynamic end point groups to enable microsegmentation, we’ve also included a distributed firewall which can do stateful packet inspection between end point groups.

Automating Configuration in a Multi-Sourced Environment

The landscape of IT has changed. The single-source provider era is quickly coming to an end as more companies embrace the world of multi-sourcing. A 2014 report by IAOP & Information Services Group (ISG), Annual State of the Industry [1], stated that the number of enterprise IT organizations using multi-sourcing as a strategy increased by 75% in that year, and predictions for 2015 show continued growth.

Companies are moving more rapidly to a multi-sourcing strategy to achieve greater agility and improved customer satisfaction, and it’s paying off. Effective multi-sourcing companies are experiencing improved performance and reduced IT costs, and acquiring best-in-class expertise, while freeing up time and resources so personnel can focus on the company’s core business.

Automation Is at the Forefront of IT Change

The speed of change in IT is getting faster and innovation via automation is at the forefront of this change. Fast IT is helping enterprises keep up with this accelerated pace.

Fast IT simplifies operations at a time when complexity is mounting — and IT budgets are flat. By offering automated, programmable, and agile infrastructure, Fast IT frees IT organizations from manual configuration, changes, and maintenance. [2]

In my January blog post, Building Innovation: Achieve Fast IT with Customers, I shared with you that if companies are going to deliver new solutions at a more rapid pace, IT needs to be able to integrate and automate all support interactions that it is responsible for delivering.

There Are Challenges

Just as there are benefits with multi-sourcing, there are some challenges. Multi-sourcing creates new complexities that can stand in the way of business progress. Forward-thinking, proactive companies can address these challenges head-on by answering crucial questions such as:

  • How do we implement end-to-end delivery methods in a multi-vendor environment?
  • How do we manage the configuration of our devices when changes are being made by multiple outsource providers?
  • How do we onboard new providers with minimal effort and impact on the ecosystem?

Changes made within the ecosystem can easily disrupt and fragment service delivery, causing your company and other service providers to be out of policy, SLA, or regulatory compliance.

Case in Point

We recently saw a situation at a large financial institution where the customer was facing a security audit that they were most likely going to fail. They called us for help. In just two-and-a-half weeks following service activation we had updated nearly 2,000 configurations and the company passed their security audit. They were so pleased with our performance they gave us 23,000 devices to manage for policy, configuration, and change.

But, that’s not the end of the story. The bank wanted to benchmark the effectiveness of their service providers against their established service level agreements (SLAs). Immediately we knew an automated closed loop process was needed. Our Compliance Management and Configuration Service (CMCS) coupled with ServiceGrid fit the bill.

When this project goes live, ServiceGrid, a tool that gets the right data to the right place and person, will be used to connect the customer’s and their service providers’ ticketing systems to one another as well as to CMCS. In turn, CMCS will perform a baseline analysis of all connected network devices and elements and automatically stabilize and upgrade them to Corporate Standards. This improves communication among all connected parties. It also gives the bank greater transparency into their vendor management activities and provides real-time compliance monitoring.

Combining ServiceGrid and CMCS enables us to automate multi-vendor network configuration and compliance while giving the customer higher value and a better outcome than if we offered either one of the services alone. The bank’s desire to build a robust, elegant, secure, and seamless multi-party network became an opportunity to let two of our premier services shine, making the future brighter for our customer and Cisco Services.

What about you? How is your organization addressing configuration management in a multi-sourced environment?


CMCS At-A-Glance
ServiceGrid Overview Brochure
CMCS Integration with ServiceGrid (technical white paper)


  1. Annual State of the Industry Jagdish R. Dalal, IAOP
  2. Fast IT: Accelerating Innovation in the Internet of Everything Era


Designing and Deploying Scalable SAN using Cisco MDS 9396S

Data is the lifeblood of your business, and it continues to multiply exponentially, creating big challenges for today’s storage area network managers. Accessing that data quickly and cost-effectively 24 hours a day, 7 days a week requires a SAN architecture that can scale easily and economically while supporting a wide variety of protocols and storage methods.

Attend this Webinar: August 25th 8:00 PST. Learn how to design and deploy a next-generation storage area network that scales easily yet cost-effectively using the new Cisco MDS 9396S 16G Multilayer Fabric Switch.

This live 60-minute webcast will show you how the innovative new Cisco MDS 9396S 16G Multilayer Fabric Switch can help you overcome your SAN design challenges. See how this next-generation solution delivers enterprise-class performance, pay-as-you-grow scale options, and true plug-and-play installation at a remarkably affordable price.

Webinar topics to be discussed include:

  • Introduction to the new Cisco MDS 9396S
  • Architectural innovations
  • Enterprise-class features and scale options
  • Design and deployment scenarios
  • Best practices for implementation
  • Q&A


5 Top Challenges of SAN Design: View from our SAN Design Experts – Part 1

Look after your SAN experts!

One of the aspects I really enjoy about my job is that I get to learn from some of the world’s top network and data center design engineers, and I get to hear about technology adoption challenges across the world. If there is a complex network or data center design being worked by our customers, if our customers are under time pressure, or if our customers are facing key business or technical challenges, Cisco Services’ consultants are often called in to help. Globally then, they experience firsthand the challenges of deploying advanced technologies. In this blog, in the same spirit as my OpenStack Deployment Challenges blog, I’d like to share their experiences on some of the most common challenges and misconceptions faced by our customers when building Storage Area Networks (SAN). I’ll publish this in 2 parts, so look out for the concluding part next week.

Before continuing, I’d like to thank two of our SAN expert consultants, Barbara Ledda and Wolfgang Lang, for sharing their experiences and challenges.


Micro-segmentation: Enhancing Security and Operational Simplicity with Cisco ACI

(This blog has been developed in association with Praveen Jain, VP, Engineering of Cisco’s Application Policy Infrastructure Controller, Juan Lage, Principal Engineer and others)

Security is top of mind in today’s data center and cloud deployments, and security architectures have continued to evolve even as new threats manifest themselves in the digital world. Today’s security administrator requires a variety of “tools” to deal with sophisticated attacks. One such tool is the ability to segment the network.

Traditionally network administrators have allocated subnets for different applications and mapped them to VLANs as a means of providing network segmentation, partitioning and isolating domains.  This classic approach was relatively easy to implement and facilitated policy definition using Access Control Lists (ACLs) between subnets at the L3 boundary, usually the first hop router or perhaps a physical firewall.

However, this approach led to the undesired mapping of IP subnets to applications. Over time, it also led to an explosion of ACLs when subnet based policies were not sufficient (for instance, by requiring ACLs that match on specific IP Addresses). This in turn made it difficult to perform garbage collection of ACL entries when applications were decommissioned, complicating the ACL management problem.

So, while the broad constructs of segmentation are still relevant, today’s application and security requirements mandate increasingly granular methods that are more secure and operationally simpler.

This has led to the evolution of what we call “micro-segmentation”. Broadly, the goals of micro-segmentation are as follows:

  • Programmatically define segments on an increasingly granular basis, allowing greater flexibility (e.g. to limit lateral movement of a threat or to quarantine a compromised endpoint in a broader system)
  • Leverage programmability to automate segment and policy management across the entire application lifecycle (instantiation through de-commissioning)
  • Enhance security and scale by enabling a Zero-Trust approach for heterogeneous workloads

Micro-segmentation with Cisco’s Application Centric Infrastructure  

Cisco’s Application Centric Infrastructure (ACI) takes a very elegant approach to micro-segmentation with policy definition separating segments from the broadcast domain. It uses a new application-aware construct called End-Point Group (or EPG) that allows application designers to define the group of endpoints that belong to the EPG regardless of their IP address or the subnet they belong to.  Further, the endpoint can be a physical server, a virtual machine, a Linux container or even legacy mainframes – i.e. the type of endpoint is normalized and therefore irrelevant, thereby offering great simplicity and flexibility in their treatment.

ACI still preserves the traditional segment, now called a Bridge Domain (or BD). IP subnets can still be assigned to Bridge Domains. This approach helps preserve any existing operational models, if required, allowing for creation of Bridge Domains with a single EPG that maps to the concept of a traditional VLAN.

The ACI architecture takes this even further. Multiple EPGs can belong to the same Bridge Domain, and EPGs can be provisioned programmatically (in fact, just like everything else within ACI) via an open API made available through Cisco’s Application Policy Infrastructure Controller (APIC). Simply put, the EPGs in the ACI architecture are “micro-segments” of a Bridge Domain.

The figure below illustrates this approach:

