Cisco Blogs

Cisco Blog > Data Center

What Du Can Do With ACI

It seems people sometimes have this view of SDN as addressing rather esoteric use cases and situations. However, the reality is that while there are instances of ‘out there stuff’ happening, there are many situations where we see customers leverage the technology to address pretty straightforward issues. And these issues are often similar across different business/vertical/customer types.

Aftab Rasool is Senior Manager, Data Center Infrastructure and Service Design Operations for Du.   I recently had the chance to talk with him about Cisco’s flagship SDN solution – Application Centric Infrastructure (ACI) – and Du’s experience with it. I found there were many instances of Du using ACI to simply make traditional challenges easier to deal with.

Du is an Information & Communications Technology (ICT) company based in Dubai. They offer a broad range of services to both consumer and business markets, including triple play to the home, mobile voice/data, and hosting. The nature of their business means the data center, and thus the data center network, is critical to their success. They need a solution to effectively handle challenges of both deployment, as well as operations…and that’s where ACI comes in.

I’ll quickly use the metaphor of driving to summarize the challenges Aftab covers in the video. He addresses issues that are both ‘in the rear view mirror’ as well as ‘in the windshield’ – with both being generalizable to lots of other customers. What I mean is that there are issues from the past that, though they are largely behind the car and visible in the mirror, still impact the driving experience. There are also issues on the horizon that are visible through the windshield, but are just now starting to come into focus and have effect.

Rear view mirror issues – These are concepts as basic as scalability associated with spanning tree issues, or sub optimal use of bandwidth, also due to spanning tree limitations. These issues are addressed with ACI, as there is no spanning tree in the fabric, and the use of Equal Cost Multi Pathing (ECMP) allows use of all links. Additionally, use of BiDi allows use of existing 10G fiber plant for 40G upgrades, thus obviating the expense and hassle of fiber upgrades. As a result, the ACI fabric, based on Nexus 9000’s, provides all the performance and capacity Du needs.

Windshield issues – These are represented by a range of things that result from business’s need for speed, yet are diametrically opposed by the complexity of most data centers. The need for speed through automation is becoming more and more critical, as is simplifying the operating environment, particularly as the business must scale. Within this context, Aftab mentioned both provisioning and troubleshooting.

Provisioning: Without ACI, provisioning involved getting into each individual switch, making requisite changes – configuring VLANs, L3, etc. It also required going into L4-7 services devices to assure they were configured properly and worked in concert with the L2 and L3 configurations. This device by device configuration not only was time consuming, but created the potential for human error. With ACI, these and other types of activities are automated and happen with a couple of clicks.

Troubleshooting: Before ACI, troubleshooting was complicated and time consuming, in part because they had to troll through each switch, look at various link by link characteristics to check for errors, etc. With ACI, healthscores make it easy and fast to pinpoint where the challenge is.

Please take a few minutes to check out what Aftab has to say about these, and other aspects of his experience with ACI at Du.


Tags: , , , , , , ,

DMZ Basics

Lately I made the change from deep technical consultant to a more high-level architect like kind of consultant. I now do my work on the turning point between business and technique. One of my first jobs is to make my customer ready for an audit to use the dutch official authentication method, which is called DigID.

There are several requirements, which have to be fulfilled before the customer can make use of the DigID authentication method. One of these requirements is that all the internet facing systems are placed in a DMZ. I tried to explain the importance of a well functioning DMZ. For us as network specialists this fact is obvious, but a lot of people don’t understand the meaning and working of a DMZ. This blog is about the essentials of which a DMZ has to consist.

First we need to understand what we are trying to achieve with a DMZ
• Separation and identification of network areas
• Separation and isolation of internet facing systems
• Separation of routing and security policies

After understanding the achievements, there is another point of interest. Are you gonna build your DMZ with dedicated switches, firewall’s and ESX hosts (physical) or do u use a separate vlan (virtual). There is no clear answer; fact is that bigger organizations build physical DMZ’s more often than smaller ones. Besides the technical aspect, there is off course a financial aspect. Resulting out of the physical/virtual debate comes the debate whether to use two physical firewalls or one physical firewall with several logical interfaces. Equally to the physical/virtual debate there is not just one answer.

For me personally one physical firewall with several logical interfaces with tight configured ACL’s is as good as two physical firewalls. One could dispute this with the argument that if a hacker gains access to one firewall he gains access to the whole network. Personally I don’t think this isn’t a valid argument, because when two physical firewalls are used they are often from the same vendor and use the same firmware with the same bugs and exploits. So if the hacker’s trick works on one firewall, it will often also work on the second one.

Some images to make the above a little more concrete.

A single firewall DMZ:

DMZ Basics

Read More »

Tags: , , , ,

SNMP: Spike in Brute-force Attempts Recently Observed

Simple Network Monitoring Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.

Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.

While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints.

Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:

Tags: , , , , ,

Double Winner: Cisco Wins Information Security Awards at CSO40

CSO40 Award Ceremony

CSO40 Award Ceremony

The city in the forest—Atlanta, Georgia—extended a double dose of Southern charm to Cisco in April by awarding two prestigious information security industry awards at the 2nd Annual CSO40 Awards. The awards program recognizes projects and initiatives demonstrating innovative use of security in delivering outstanding business value.

Top honors went to the teams representing Cisco’s Enterprise ACL Management (EACLM) and Unified Security Metrics (USM) projects. Team members included: EACLM – Mark Sullivan, Network Engineer and Oisin MacAlasdair, Technical Staff and Security Prime for networking; USM – Gerwin Tijink, Information Security (InfoSec) Architect, Hessel Heerebout, USM Program Manager, and Ranjan Jain, IT Architect and Security Prime.

Read More »

Tags: , , , , , , ,

Top 10 Reasons to Upgrade to the 7.4 MD Software Release

As the famous saying goes, “Good things come to those who wait”. Delayed gratification – person’s ability to forgo a smaller reward now for a larger reward in the future – has been linked to better life outcomes as demonstrated by the often cited Stanford Marshmallow experiment and others. In most cases though, it requires a degree of self-control not easily achievable in today’s fast paced, ever-changing world with new mobile devices, protocols and technologies.

If you are one of the Cisco Wireless customers currently deploying Release 7.0 MD and waiting for the next Cisco Wireless Software Maintenance Deployment Release, the wait is over!

Release has achieved Maintenance Deployment (MD) status.

Release is the recommended MD release for all non-802.11ac deployments. For 802.11ac deployments, Release (Release 7.6 Maintenance release 1) is the recommended release.

For additional details on Software Release Recommendations and Guidelines, see Guidelines for Cisco Wireless Software Release Migration

Below are top 10 reasons (in no particular order) to upgrade from the current 7.0 MD release to the latest 7.4MD Release.

10. FlexConnect (improved and rebranded H-REAP) with efficient AP upgrade across WAN, BYOD policies support, Flex ACLs and split tunneling. Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,