Cisco Blogs


Cisco Blog > Data Center and Cloud

ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k

best

Data traffic has grown dramatically in the recent years, leading to increased deployment of network service appliances and servers in enterprise, data center, and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance and server capacity remained limited to a few gigabits, far below switch capacity.

Cisco Intelligent Traffic Director (ITD) is an innovative solution to bridge the performance gap between a multi-terabit switch and gigabit servers and appliances. It is an hardware based multi-terabit layer 4 load-balancing, traffic steering and clustering solution on the Nexus 7000 and 7700 series of switches.

Read More »

Tags: , , , , , , , , , , , , , , ,

Scaling Application Security with ITD

Ready to scale your enterprise beyond limits?  How about slashing a whole layer of datacenter infrastructure, saving piles of cash in the process?  Or perhaps you’re interested in simplifying your enterprise while adding features, or trying to speed things up without spending money.  Sound too good to be true?  Well, thanks to a new technology from Cisco, you can have your cake and eat it, too.

Cisco Intelligent Traffic Director (ITD) is poised to disrupt data center load balancing. Combined with best-in-class products, such as Imperva SecureSphere, organizations can deploy and manage massively scalable applications securely with unprecedented ease and cost effectiveness.

What is ITD?

Cisco recently released a new feature, Intelligent Traffic Director (ITD) for the Nexus 7k switches that promises to be a disrupting force in the world of load balancing.  There has been an exponential growth in data traffic in the recent years leading to a growth in the deployment of network service appliances in enterprise, datacenter and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance capacity remained limited to few gigabits, an order of magnitude far below switch capacity.

Cisco Intelligent Traffic Director (ITD) is an innovative solution that tries to bridge performance gap between the switch and service appliance(s). It allows customers to deploy service appliance(s) from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus 7000 / 7700 series switch, customers can create a service appliance cluster and deploy multiple appliance(s) to scale service capacity with ease. The servers or appliance(s) do not have to be directly connected to the Nexus switch.

Application Security
Gartner published a paper called Web Application Firewalls are Worth the Investment for Enterprises in Feb, 2014 that makes the case that “Firewalls and intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications.” Gartner advises enterprises to use a Web Application Firewall (WAF) to protect critical external and internal applications from attacks and threats.

Like other service appliances, a WAF appliance benefits from ITD’s ability to manage large scale traffic loads. Imperva SecureSphere WAF works with ITD, and the combination provides highly scalable application security.

I mention SecureSphere because Imperva was positioned as the only Leader in the Gartner 2014 Magic Quadrant for Web Application Firewalls. Some key capabilities of the SecureSphere WAF are:

  • Block attacks with laser precision
    Accuracy is critical with application security. If you have false positives, you block customers; if you have false negatives, you let the bad guys in.
  • World-renowned application security research
    Security is constantly evolving. To get ahead and stay ahead in the continuous fight against threats, Imperva has a dedicated security research team, the Application Defense Center (ADC), which provides regular signature and policy updates, and up-to-date threat intelligence for Imperva SecureSphere.
  • Shut down malicious sources and bots
    Imperva’s ThreatRadar Reputation Services help detect bad actors using IP reputation feeds of known malicious sources, anonymizing services, phishing URLs, TOR (“The Onion Router”), as well as IP geolocation data.
  • Stop application DDOS and business logic attacks
    Business logic attacks include things like posting comment spam in forums and message boards, scraping web content, and disabling access to your website. All of this can reduce competitive edge, frustrate customers, and damage reputation.
  • Instantly patch website vulnerabilities
    It takes organizations an average of 6 months to patch an application vulnerability once it’s discovered. SecureSphere integrates with vulnerability scanners to virtually patch applications. This allows businesses to stay protected, and fix the vulnerability on their own timeline, thus reducing the window of exposure and the associated costs.
  • Gain forensics insights with customizable reports
    Graphical reports enable organizations to quickly analyze security threats and meet compliance requirements.
  • Speed up deployment without risk
    SecureSphere protects applications without impacting performance and without requiring extensive network changes. It offers flexible inline, non-inline, and proxy deployment options that meet organizations’ diverse requirements. SecureSphere’s Fail-Open capabilities combined with unique, transparent bridge mode saves time and labor with drop-in deployment that requires no changes to existing applications or network devices, and delivers multi-Gigabit throughput while maintaining sub-millisecond latency.

Scaling Application Security

Using ITD in VIP Mode to load balance provides a fast and economical way for organizations to provide highly scalable and available infrastructure.  By leveraging ITD, an enterprise can deploy a single IP address (the VIP), which is then load balanced across many SecureSphere WAFs, with each one protecting the back-end webservers. This is done right from the 7K – There’s no need for an external load balancer in the middle.

Why is this better than other Load Balancers?

By combining Cisco ITD and SecureSphere’s advanced capabilities to monitor and secure HTTP traffic, several key advantages are apparent:

  • Eliminates the need for external load balancers, freeing up large amounts of budget and resources
  • You get the advantages of a proxy-type load balancer (1 single VIP represents many webservers), but still get ‘fail-open’ bridges on WAFs
  • ITD proxies traffic without interfering with the TCP Source IP Address , allowing SecureSphere to leverage the source IP, User and Session details for blocking and alerting.
  • To work with SecureSphere, ITD requires no modification to HTTP Headers (e.g., X-Forwarded-For), which can break applications and slow down traffic

What does this mean for the future of high performance WAF deployments?

By teaming up the Cisco Nexus 7K with SecureSphere WAFs, organizations can cost effectively deploy scalable, high-availability  WAF farms to handle large amounts of traffic to webservers.  As the web traffic increases, WAFs can be seamlessly added to the pool to scale up with the enterprise. Since every port on the 7K can be used as a load balancer this provides the potential to scale up to multi-terabits of throughput to a SecureSphere WAF cluster.

In conclusion, ITD and SecureSphere provides simple, cheap, fast, scalable, and reliable security infrastructure. Sort of like having your cake, with icing, and cherries on top – and eating it, too.

Feedback or Query: For feedback, query or EFT/PoC/demo please email: ask-itd@external.cisco.com

ITD White paper:  At a glance

Configuration Guide: Config guide

 

Tags: , , , , , , ,

IWAN Wed: Three reasons why you should consider Cisco WAAS

Screen Shot 2014-08-12 at 4.47.02 PMThere are a billion reasons (okay, I may be exaggerating but you get my point) why you should choose Cisco WAAS as THE WAN optimization solution for your company.  But today, I want to emphasize the following three:

#1. Not your ordinary WAN optimization

With Cisco WAAS, you’re not just getting WAN optimization but much more.  WAAS is integrated into the industry leading branch routers – the ISRs – and this means the capabilities are not only limited to WAN optimization and application acceleration but to security, application visibility, QoS and much more.  The Cisco Intelligent WAN is an entire package along with WAAS to provide an uncompromised user experience over any connection.  Regardless of the type of connection that particular branch has, WAAS can reduce bandwidth usage and accelerate applications working alongside with Intelligent Path Control, Transport Independence, and Security.

Read More »

Tags: , , , , , ,

Delivering Application Optimization for Office 365

We in IT are faced with many challenges from our end users.  From IT costs to application performance, while always keeping an eye on our network security posture.  This reminds me of a sign on the wall of my auto mechanic’s shop: Good, Fast, Low-cost. I was always told I am allowed to pick only two.  I would of course question him, “why cant I have something with high quality, on time, and within budget?”  This always made him smile, but he still told me I could only pick two.

So back to our IT challenges: Cost, Performance, and Security. Application performance is something we can all see, feel and touch. When thinking about performance, we need to also consider where these applications are coming from.  Looking at applications like Microsoft’s Office 365, we are seeing mission critical applications from outside our data centers being delivered as Software as a Service (SaaS) solution. Does this matter to our end users?  They sit at their PC’s, Tablets, Mac’s, etc. and know when something is not going fast enough.  Their expectations are growing; they always expect the best performance. If they don’t feel their Outlook e-mail is opening fast enough or that the saving of their PowerPoint file is taking too long, they do not hesitate to let us know.  And oddly enough, everyone just assumes it is the network.  So not only do we need to think about our networks, but the Internet performance as well.

Read More »

Tags: , , , , , , ,

Data Center Replication: WAN Optimization vs. Bandwidth Upgrade

During the past years WAN optimization devices were used to optimize end-user traffic mainly. Employers connecting to remote applications can achieve better user experience if a couple of WAN optimization are deployed. Typically web applications, file sharing and email can be well accelerated: end users can increase their productivity with a little investment.

On the other side providers usually offer free bandwidth upgrade during a contract renewal.

So the question are:

  • Can Data Center replication take advantage of WAN optimization?
  • Can a Bandwidth upgrade always supersede WAN optimization?

The answers are, as always: it depends. Read More »

Tags: , , , , ,