Cisco Blogs


Cisco Blog > Data Center and Cloud

Automated PBR and Route Health Injection with RISE

RISE is an innovative architecture that logically integrates an external service appliance such as Citrix NetScaler or the Cisco Prime NAM so that it appears & operates as a service module within the Nexus 7000 Series switches.
RISE integration with the Citrix NetScaler provides features like Route Health Injection (RHI) and Automated PBR (APBR) which allow easy configuration to redirect client and server traffic to the load balancer.
Screen Shot 2014-09-26 at 11.47.15 AM

 

Automated Policy Based Routing (APBR)
Existing solutions to have server traffic return to the load balancer are Source NAT and PBR. Using Source NAT causes applications (server) to lose the visibility to client IP, burning IP address pool for Source NAT configuration and manual configuration. Policy Based Routing (PBR) requires complex initial configuration from the user (susceptible to human errors), configuration updates when a server is added or removed which can be cumbersome as the number of network devices and servers/VIPs grow.
  • Auto PBR eliminates the need for Source-NAT or manual PBR configuration in an one-arm mode design of load balancers
  • Preserves client IP visibility for applications/servers without the need for manual PBR
  • APBR feature allows the NetScaler to program policies on the N7K server-facing interfaces to redirect return traffic to the NetScaler appliance set up in one-arm mode
  • NetScaler passes information about real servers to N7K via the RISE channel and a policy is applied on the N7K interface through which the real server can be best reached
  • Since it is desirable to change the SRC IP to VIP for the return traffic, the APBR policies redirect traffic to the NetScaler IP without modifying the packet
  • The NS appliance will then direct the packet to the client by changing the source IP to VIP
Screen Shot 2014-09-26 at 11.51.47 AM
Please reach out to nxos-rise@cisco.com for more information on RISE features.
Resources

RISE At A Glance white paper: http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at-a-glance-c45-731306.pdf

RISE announcement blog: http://blogs.cisco.com/datacenter/rise

RISE Video at Interop: https://www.youtube.com/watch?v=1HQkew4EE2g

Cisco RISE page: www.cisco.com/go/rise

 

Tags: , , , , , , , ,

Enabling Data Center Services with RISE : Remote Integrated Services Engine

Data Centers are becoming increasingly smart, intelligent and elastic. With the advancement in cloud and virtualization technologies, customers demand dynamic workload management, efficient and optimal use of their resources. In addition the configuration and administration of Data Center solutions is complex and is going to become increasingly so.RISE

With these requirements and architectures in mind we have a industry first solution called Remote Integrated Service Engine (RISE).  RISE is a technology that simplifies provisioning, out of box management of service appliances like load balancers, firewalls, network analysis modules. It makes data center and campus networks dynamic, flexible, easy to configure and maintain.

RISE can dynamically provision network resources for any type of service appliance (physical and virtual form factors). External appliances can now operate as integrated service modules with Nexus Series of switches without burning a  slot in a switch . This technology provides robust application delivery capabilities that accelerate the application performance manifold.

RISE is supported on all Nexus Series switches with services like Citrix NetScaler MPX, VPX, SDX and Cisco Prime NAM with many more in the pipeline.

Advantages & Features

  1. Simplified Out-of-Box experience : reduces the administrator’s manual configuration steps from 30 to 8 steps !!
  2. Supported on Citrix NetScaler MPX, SDX, VPX, and Nexus 1KV with VPX
  3. Supported on Cisco Prime Network Analyzer Module
  4. Automatic Policy Based Routing - Eliminates need for SNAT or Manual PBR
  5. Direct and Indirect Attach mode integration
  6. Show module for RISE
  7. Attach module for RISE
  8. Auto Attach – Zero touch configuration of RISE
  9. Health Monitoring of appliance
  10. Appliance HA and VPC supported
  11.  Nexus 5K/6K support (EFT available)
  12. IPV6 support (EFT available)
  13. DCNM support
  14. Order of magnitude OPEX savings: reduction in configuration, and ease of deployment
  15. Order of magnitude CAPEX savings: Wiring, Power Rackspace and Cost savings

For more information, schedule an EFT or POC Contact us at nxos-rise@cisco.com

Resources

RISE press release on Wall Street Journal : http://online.wsj.com/article/PR-CO-20140408-905573.html
RISE At A Glance white paper: http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at-a-glance-c45-731306.pdf
RISE Video at Interop: https://www.youtube.com/watch?v=1HQkew4EE2g
Cisco RISE page: www.cisco.com/go/rise
Gartner blog on RISE: “Cisco and Citrix RISE to the Occasion”: http://blogs.gartner.com/andrew-lerner/2014/03/31/cisco-and-citrix-rise-to-the-adc-occasion/

Tags: , , , , , , , , , , , , ,

ITD: Intelligent Traffic Director

Data traffic has grown dramatically in the recent years, leading to increased deployment of network service appliances and servers in enterprise, data center, and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance and server capacity remained limited to a few gigabits, far below switch capacity.

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 7xxx series of switches. It supports IP-stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed. ITD provides order of magnitude CAPEX and OPEX savings for the customers. ITD is available on Nexus 7000/7700 series in NX-OS 6.2(8) or later. It is available for demo on Nexus 5k/6k. ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

Example use-cases: Read More »

Tags: , , , , , , , , , , , , , , ,

Scaling Application Security with ITD

Ready to scale your enterprise beyond limits?  How about slashing a whole layer of datacenter infrastructure, saving piles of cash in the process?  Or perhaps you’re interested in simplifying your enterprise while adding features, or trying to speed things up without spending money.  Sound too good to be true?  Well, thanks to a new technology from Cisco, you can have your cake and eat it, too.

Cisco Intelligent Traffic Director (ITD) is poised to disrupt data center load balancing. Combined with best-in-class products, such as Imperva SecureSphere, organizations can deploy and manage massively scalable applications securely with unprecedented ease and cost effectiveness.

What is ITD?

Cisco recently released a new feature, Intelligent Traffic Director (ITD) for the Nexus 7k switches that promises to be a disrupting force in the world of load balancing.  There has been an exponential growth in data traffic in the recent years leading to a growth in the deployment of network service appliances in enterprise, datacenter and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance capacity remained limited to few gigabits, an order of magnitude far below switch capacity.

Cisco Intelligent Traffic Director (ITD) is an innovative solution that tries to bridge performance gap between the switch and service appliance(s). It allows customers to deploy service appliance(s) from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus 7000 / 7700 series switch, customers can create a service appliance cluster and deploy multiple appliance(s) to scale service capacity with ease. The servers or appliance(s) do not have to be directly connected to the Nexus switch.

Application Security
Gartner published a paper called Web Application Firewalls are Worth the Investment for Enterprises in Feb, 2014 that makes the case that “Firewalls and intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications.” Gartner advises enterprises to use a Web Application Firewall (WAF) to protect critical external and internal applications from attacks and threats.

Like other service appliances, a WAF appliance benefits from ITD’s ability to manage large scale traffic loads. Imperva SecureSphere WAF works with ITD, and the combination provides highly scalable application security.

I mention SecureSphere because Imperva was positioned as the only Leader in the Gartner 2014 Magic Quadrant for Web Application Firewalls. Some key capabilities of the SecureSphere WAF are:

  • Block attacks with laser precision
    Accuracy is critical with application security. If you have false positives, you block customers; if you have false negatives, you let the bad guys in.
  • World-renowned application security research
    Security is constantly evolving. To get ahead and stay ahead in the continuous fight against threats, Imperva has a dedicated security research team, the Application Defense Center (ADC), which provides regular signature and policy updates, and up-to-date threat intelligence for Imperva SecureSphere.
  • Shut down malicious sources and bots
    Imperva’s ThreatRadar Reputation Services help detect bad actors using IP reputation feeds of known malicious sources, anonymizing services, phishing URLs, TOR (“The Onion Router”), as well as IP geolocation data.
  • Stop application DDOS and business logic attacks
    Business logic attacks include things like posting comment spam in forums and message boards, scraping web content, and disabling access to your website. All of this can reduce competitive edge, frustrate customers, and damage reputation.
  • Instantly patch website vulnerabilities
    It takes organizations an average of 6 months to patch an application vulnerability once it’s discovered. SecureSphere integrates with vulnerability scanners to virtually patch applications. This allows businesses to stay protected, and fix the vulnerability on their own timeline, thus reducing the window of exposure and the associated costs.
  • Gain forensics insights with customizable reports
    Graphical reports enable organizations to quickly analyze security threats and meet compliance requirements.
  • Speed up deployment without risk
    SecureSphere protects applications without impacting performance and without requiring extensive network changes. It offers flexible inline, non-inline, and proxy deployment options that meet organizations’ diverse requirements. SecureSphere’s Fail-Open capabilities combined with unique, transparent bridge mode saves time and labor with drop-in deployment that requires no changes to existing applications or network devices, and delivers multi-Gigabit throughput while maintaining sub-millisecond latency.

Scaling Application Security

Using ITD in VIP Mode to load balance provides a fast and economical way for organizations to provide highly scalable and available infrastructure.  By leveraging ITD, an enterprise can deploy a single IP address (the VIP), which is then load balanced across many SecureSphere WAFs, with each one protecting the back-end webservers. This is done right from the 7K – There’s no need for an external load balancer in the middle.

Why is this better than other Load Balancers?

By combining Cisco ITD and SecureSphere’s advanced capabilities to monitor and secure HTTP traffic, several key advantages are apparent:

  • Eliminates the need for external load balancers, freeing up large amounts of budget and resources
  • You get the advantages of a proxy-type load balancer (1 single VIP represents many webservers), but still get ‘fail-open’ bridges on WAFs
  • ITD proxies traffic without interfering with the TCP Source IP Address , allowing SecureSphere to leverage the source IP, User and Session details for blocking and alerting.
  • To work with SecureSphere, ITD requires no modification to HTTP Headers (e.g., X-Forwarded-For), which can break applications and slow down traffic

What does this mean for the future of high performance WAF deployments?

By teaming up the Cisco Nexus 7K with SecureSphere WAFs, organizations can cost effectively deploy scalable, high-availability  WAF farms to handle large amounts of traffic to webservers.  As the web traffic increases, WAFs can be seamlessly added to the pool to scale up with the enterprise. Since every port on the 7K can be used as a load balancer this provides the potential to scale up to multi-terabits of throughput to a SecureSphere WAF cluster.

In conclusion, ITD and SecureSphere provides simple, cheap, fast, scalable, and reliable security infrastructure. Sort of like having your cake, with icing, and cherries on top – and eating it, too.

Feedback or Query: For feedback, query or EFT/PoC/demo please email: ask-itd@external.cisco.com

ITD White paper:  At a glance

Configuration Guide: Config guide

 

Tags: , , , , , , ,

Citrix NetScaler Device Package for Cisco ACI goes FCS

The Cisco-Citrix partnership has expanded significantly in recent years from UCS-XenDesktop based Desktop virtualization solutions to span Mobility, Desktop as A Service (DaaS) and most recently ACI-NetScaler joint solutions. I have been fortunate enough to be part of this momentum. And it’s been fun. In this blog, I want to announce another significant milestone on the Cisco ACI-Citrix eco-system front. The Citrix NetScaler Device Package for Cisco ACI is now FCS. You may recall earlier in August, we started shipping Cisco APIC worldwide. Read Blog

Citrix NetScaler needs no introduction and powers some of the world’s largest clouds providing capabilities that smartly and affordably scale application and service delivery infrastructures without additional complexity. Cisco ACI delivers a centralized fabric control and automation framework capable of managing application policies. This framework allows resources to be dynamically provisioned and configured based on application requirements. Citrix NetScaler provides core network services such as load balancing, SSL, SSL-VPN, and firewalls that can be used by applications in an automated, programmatic and simple fashion.

Now let us segue to the Citrix NetScaler Device package integration with Cisco APIC. Citrix NetScaler integrates with Cisco Application Policy Infrastructure Controller (APIC) through open APIs and provides per-app, per-tenant L4-L7 policy configuration and dynamic service chaining and insertion. In addition, the integrated solution also allows exchange of intelligent telemetry information between NetScaler and APIC for application and tenant visibility.

The diagram below illustrates the integration architecture.

onslideforblog-1

The Citrix NetScaler Device Package for Cisco ACI comprises a device Model and a device Script. The device Model defines the functions provided by NetScaler SDX/VPX/MPX such as load-balancing, content switching etc., The device Script provides the adapter functions required for NetScaler to communicate with APIC.

The Citrix NetScaler device package is now available for download

The advantages of deploying Cisco ACI + Citrix NetScaler solution is multi-fold. First and foremost it accelerates application deployment with reliability, security and multi-tenancy on existing NetScaler physical and virtual appliances. All of this without disrupting services operational best practices. Second, NetScaler’s built-in Autoscale feature proactively signals Cisco APIC when to add or drop application capacity. This capability allows customers to efficiently and seamlessly utilize their resources without any added downtime.

The delivery of NetScaler device package  is just the beginning of the Cisco ACI and Citrix NetScaler journey. Together, Cisco and Citrix are also focusing on driving  standard protocols and open initiatives. Our engineering teams are in the process of defining within IETF standards body, the Network Service Header protocol (NSH)  which defines service insertion specifications for application- and service-aware infrastructures.  We are also co-authoring the OpFlex, an extensible policy protocol that abstracts service policies independently from device-specific configurations and contribute to Open Daylight.

Related Links:

https://www.citrix.com/downloads/netscaler-adc.html

http://blogs.cisco.com/datacenter/f5-device-package-for-cisco-apic-goes-fcs/

www.cisco.com/go/aci

www.cisco.com/go/ns1000v

Tags: , , , , , ,