With the recent launch of Firepower Threat Defense on Cisco 4000 Series Integrated Services Routers, I would like to spend some time talking about enterprise branch security and the requirements to keep in mind when securing your branch office. Let's start by examining your branch environment.
What’s happening at the branch today?
Cloud is redefining application delivery. Mobility is redefining network architecture. Next generation applications like Ultra High Definition videos, Web, and SaaS applications put increased pressure on bandwidth availability.
Organizations may be considering Direct Internet Access (DIA) at the branch to leverage the local internet path for public cloud and internet access. Leveraging the local internet path at the branch reduces IT spending (freeing up costly WAN bandwidth for mission-critical applications) and improves the application experience, for example for applications hosted in the public cloud (lower latency). It may come at a cost, however, since the branch is now exposed to security threats.
Tags: branch office, Cisco FirePOWER, Cisco ISR, guest wi-fi, security, threat defense, threat protection
A new problem has arisen in CCNA class: We have a lab that asks the students to enable a debug command; the debug overruns the console buffer to the extent that commands cannot be entered, and this goes on for more than an hour!
In my 15 years of teaching CCNA classes, we have always taught the dangers of using debug commands on production equipment. To demonstrate this, we would have the students run the debug ip packet command, let it run for 30 seconds, and then turn it off. Of course, turning off the debug is challenging, so we would teach the trick of turning the debug off before we would turn it on: adding the undebug all command to our command history buffer.
Running this test on the 2500 series and 2600 series routers would usually cause a crash and a forced reboot. After we changed the lab equipment to the newer ISR 2800 series, the same demonstration no longer resulted in a router crash; however, it introduced a new problem: loss of control of the command line.
The sheer volume of debug messages would make the command line unusable. The debug messages continued to overrun the console buffer for over an hour before we would finally run out of patience and power cycle the router. In a lab scenario, this causes the students to take an excessive amount of time to finish their lab, and for people studying for certifications, it wastes precious study time. A better way to manage debugs is needed. We would like to see the debug messages (they can be very helpful both in troubleshooting and in understanding how protocols function), but we would also like to retain control of the command line.
Tags: #ciscochampion, CCNA, Cisco ISR
Over the past few weeks I've had the chance to come up from my rabbit hole of deployment projects and catch up on the tech news. In particular, the announcement at Interop New York where Cisco introduced the new ISR 4400 family of routers, along with a few other articles, got me thinking about how far branch office connectivity has come in the past decade or so, and led me to a question: is one method of branch connectivity better than another?
In the Beginning…
In the past decade or so we have seen substantial change in how we connect to the internet and how fast we do so. Early on (circa the early 2000s) the internet was fairly flat. Real-time voice and video were still a thing of science fiction. In the enterprise we connected remote offices back to the central office via leased lines over a frame relay network. T1s were considered good, and if you had a DS-3 link you must have been in a big IT shop. Compute services were limited to corporate email (Outlook/Exchange were the new kids on the block) and client/server-based systems.
Tags: #ciscochampion, Cisco ISR, ISR 4000 Series, ISR 4431, ISR 4451-X, IWAN, VPLS, vpn
In my last blog I talked about the value of PfR to the IWAN solution. This week I want to talk about DMVPN and why it is going to be a critical component of your IWAN deployment.
Your IWAN topology will most likely consist of one or more internet connections, which means that your data will be traveling over untrusted connections and shared environments, so security is going to be top of mind. So how do you secure your data over the internet and other untrusted or shared environments? DMVPN (Dynamic Multipoint Virtual Private Network) is based on VPN, the same technology that many of you use today to securely connect back to your office when you are traveling or working from home. A VPN creates a tunnel between two endpoints and then encrypts all data traveling over the tunnel. VPNs can connect users to a remote site (client-to-site VPN) or connect two remote sites (site-to-site VPN). Unlike a plain VPN, DMVPN can securely connect multiple points together dynamically.
So how does DMVPN work, and what is the benefit to IWAN? DMVPN works on top of your WAN infrastructure, which means that DMVPN tunnels are established between branch sites as traffic flow demands. In a common hub-and-spoke topology, when data needs to be sent from the spoke to the hub site, the spoke establishes a VPN tunnel to the hub by first registering with the hub. In order for each tunnel to function, a new dynamic IP address is created at the branch, since the hub site will initiate the connection. In order for data to be routed between sites over the DMVPN tunnels, routing information needs to be exchanged. As more tunnels are created there will be more dynamically created IP addresses, and traditional routing protocols like BGP or EIGRP are used to efficiently share routing information so all sites can talk to each other. Lastly, QoS is applied to each tunnel to ensure that the hub site does not oversubscribe the spoke sites.
Tags: Cisco ISR, DMVPN, IWAN, PfR
Networking as a technology has been around for decades now, and most people consider it to be mature with a crawling pace of innovation. But with big market transitions like cloud computing, nothing could be further from the truth, as the Cloud Services Router (CSR) 1000V has proven with its announcement at Cisco Live! San Diego on June 12th as part of our Cloud Connected Solution launch.
Tags: best of interop, Cisco Integrated Services Router, Cisco ISR, cloud, Cloud Connected Solution, cloud router, cloud services router, CSR 1000V, interop, router, routing, vPC