Cisco Blogs



Cisco Live Milan 2015: Hi-Tech revisits City of Tradition and Fashion

When I first visited Milan last year in January, the occasion was Cisco Live and I was pleasantly surprised to learn that the Alpine city is known as much for its Hi-tech as it is for fashion and tradition. I am one of the lucky few in Cisco to be visiting this great city for a second year in a row as Cisco Live Europe is all set to commence here next week. What is special this year? From a Cisco Data center standpoint ACI, Inter-Cloud, IOT and UCS continue to grab the headlines. In particular, ACI has established itself as the dominant SDN technology with more than 1,000 N9K customers, 200 plus ACI customers and a growing eco-system of 34 partners in just one year. In this blog, I am going to present excerpts of what attendees can broadly expect to see and experience at the buzzing event, and I will take you on a tour of how ACI is ready to engage and enrich you.


At the outset, I’d recommend that you attend all keynotes to understand Cisco’s strategy for the emerging technology trends and market transitions. Cisco Execs Carlos Dominguez and Jeremy Bevan kick-start the proceedings with an opening keynote on Jan 27 as they review the amazing things we have achieved in building the internet over the last decade and look at what we must do to build an Internet fit for purpose for the next decade. Don’t miss several technology trends keynotes occurring on Jan 27 and 28. Soni Jiandani’s session scheduled for Jan 28 on the SDN/ACI topic is going to be a sell-out. Come and listen to Soni to understand how ACI enables business outcomes and IT automation through the creation of an agile infrastructure.

Now I want to segue to ACI specifics. The last year has been phenomenal from an ACI eco-system momentum standpoint. F5 and Citrix, leading ADC vendors, have developed joint solutions with ACI and we have experienced several customer wins and success stories. F5 is a platinum sponsor and has a big presence at Cisco Live Milan this year to delight the 8,000 plus attendees. At the World of Solutions, F5 has dedicated demo stations to showcase multiple Cisco ACI-F5 joint solutions (featuring both BIG IP and BIG IQ), and F5’s engineers will be happy to explain via whiteboard how these solutions are relevant to your needs. Vincent Ng from F5, an expert presenter, has a technical breakout session on Jan 27 featuring the ACI-F5 joint solution. Vincent’s expertise spans hands-on demos alongside lucid architectural illustrations, so do not miss this session.

Citrix has been a regular platinum sponsor at Cisco Live events. This year at Cisco Live Milan, Citrix has a large booth presence in the partner area. The key activities at the booth include joint solution demos featuring UCS-XD/XA, ACI-NetScaler, Mobility and Cloud among other major ones. In addition, David Potter and Christian Hietzschold from Citrix are doing a presentation on the topic “Delivering the best in SDN and ACI integration solutions.” If you happen to be in the DevNet zone, you may want to check out Citrix’s short theater presentations to get a well-rounded view of our joint alliance.

A10 Networks and Radware both have a presence in the WOS, showcasing joint solutions with ACI, thereby providing further evidence for the fast growing ACI L4-L7 eco-system.

At the World of Solutions (WOS) this year, ACI and Cloud take center stage in the Data center category. There are 10 demos showcasing ACI innovations and 6 on the Data Center Networking front. We also have an “Ask the Expert- Solutions Design Center” where Cisco architects will help address your data center, cloud, ACI strategy and design questions to accelerate ROI and reduce TCO. The ACI demos cover broad customer interest areas such as Analytics/Telemetry/Visibility, popular Cloud Management Platforms such as Microsoft Azure and Open Stack, Support for Multi-Hypervisors, Secure Application deployment etc. Our ACI subject matter experts will be on site to give you a real-life demo and explain how these are relevant to your needs.


We also have Hands-on labs at the WOS that give you the opportunity to explore and evaluate a range of Cisco technologies, and our Meet the Engineer and Technical Solution Clinics give you access to the people who design Cisco’s solutions and give you the insight you need about your own environment and technical challenges. So stop by the WOS to explore new technologies and get answers to your unique questions.

In addition to the hands-on demos, we also have round the clock mini-presentations at the WOS Cisco Theater. This year we have three innovative ACI theater topics namely “Simplifying day-0, day-1, day-2 operations with ACI”, “Securing Applications with ACI” and “NX-OS Programmability and Automation”. The special draw at the WOS Theater is the topic of “Simplifying Operations with ACI”. This presentation will cover how application deployment can be accelerated and how easy it is to troubleshoot problems with ACI. To satisfy your broader interests we also have theater sessions on UCS, Cloud and Nexus switching portfolio. Check our WOS Theater roster in the agenda handout.

To your heart’s delight is how I’ll describe Cisco technical breakout sessions. Yes, we have more than 500 breakouts from industry recognized experts at the show. ACI breakouts feature prominently and ACI domain experts Carlos Pereira, Mike Cohen, Mike Herbert, Maurizio Portolani all co-present Jan 26 on the topic “ACI-Policy Driven Data Center”. This session ranks at the top for me. If you are an Open Stack fan then you must look into the session “APIC Integration with Open Stack” presented by Sebastian Jeuk and Lijun Deng. Harry Petty is doing an ACI operations focused session PSODCT-2455. Data Center operators focused on tenant on-boarding, application monitoring and trouble-shooting will find this session very relevant, so mark this as a must-attend. There are many more breakouts and Lab sessions on ACI; check out the session catalog for details. Another insightful breakout session PSODCT-1200 by Craig Huitema focuses on the Nexus switching portfolio and ACI and how together they enable a faster, responsive and flexible IT.

As a Cisco Live attendee you benefit from the opportunity to interact with your peers, Cisco staff and partner technical experts in both structured and informal settings. Our Welcome Reception and Customer Appreciation Event are the highlights of the week’s social calendar. Read more on the Social Events & Networking Onsite section. Our online communities on Facebook and Twitter provide year round access to like-minded individuals as well as valuable content, news and updates. We’d love it if you would join the conversation.

I can go on and on, but I’d never be able to cover all of the excitement in store. I’d leave some for you to explore on your own and our Meet and Greet ambassadors will be more than happy to assist you at the show. As for me, if time permits, I am planning on acquainting myself with some of the legendary artworks of Michelangelo. Safe travels and a happy Cisco Live.

Related Links

www.cisco.com/go/aci

www.blogs.cisco.com/datacenter

http://www.ciscolive.com/emea/

www.cisco.com/go/acif5

 


Automated PBR and Route Health Injection with RISE

RISE is an innovative architecture that logically integrates an external service appliance such as Citrix NetScaler or the Cisco Prime NAM so that it appears & operates as a service module within the Nexus 7000 Series switches.
RISE integration with the Citrix NetScaler provides features like Route Health Injection (RHI) and Automated PBR (APBR) which allow easy configuration to redirect client and server traffic to the load balancer.

 

Automated Policy Based Routing (APBR)
The existing ways to make server return traffic pass back through the load balancer are Source NAT and PBR. Source NAT causes the application servers to lose visibility of the client IP address, consumes an IP address pool for the Source NAT configuration, and requires manual configuration. Policy Based Routing (PBR) requires a complex initial configuration from the user, which is susceptible to human error, and needs configuration updates whenever a server is added or removed, which becomes cumbersome as the number of network devices and servers/VIPs grows.
  • Auto PBR eliminates the need for Source-NAT or manual PBR configuration in a one-arm mode design of load balancers
  • Preserves client IP visibility for applications/servers without the need for manual PBR
  • APBR feature allows the NetScaler to program policies on the N7K server-facing interfaces to redirect return traffic to the NetScaler appliance set up in one-arm mode
  • NetScaler passes information about real servers to N7K via the RISE channel and a policy is applied on the N7K interface through which the real server can be best reached
  • Since it is desirable to change the SRC IP to VIP for the return traffic, the APBR policies redirect traffic to the NetScaler IP without modifying the packet
  • The NS appliance will then direct the packet to the client by changing the source IP to VIP
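
The return-path problem described above, as a small Python model added here (not Cisco or Citrix code): it contrasts one flow with neither SNAT nor PBR, with Source NAT, and with APBR, and reports which source address the server can log or filter on. The addresses, function names and the policy table are assumptions made for illustration; the table stands in for what APBR programs on the switch and is not NX-OS configuration.

```python
# Simplified model of a one-arm load balancer return path (added example).
# All addresses are constructed documentation/private ranges; the policy
# table is a stand-in for what APBR programs on the switch, not NX-OS syntax.
from dataclasses import dataclass, replace

CLIENT, VIP = "198.51.100.7", "203.0.113.10"
LB_IP, SERVER = "10.0.0.5", "10.0.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def switch_next_hop(pkt, pbr_policies):
    """Server-facing interface: a matching policy overrides destination routing."""
    if pkt.src in pbr_policies:
        return pbr_policies[pkt.src]   # redirect; the packet is not modified
    return pkt.dst                     # ordinary destination-based forwarding


def simulate(mode, blocklist=frozenset()):
    """mode: 'snat', 'apbr', or 'none' (neither SNAT nor PBR configured)."""
    request = Packet(src=CLIENT, dst=VIP)

    # Load balancer: pick the real server; with SNAT also hide the client.
    # (Simplification: the SNAT address is the load balancer's own IP.)
    to_server = replace(request, dst=SERVER)
    if mode == "snat":
        to_server = replace(to_server, src=LB_IP)

    # Server: logs and filters on the source it sees, then replies to it.
    server_saw = to_server.src
    blocklist_hit = server_saw in blocklist
    reply = Packet(src=SERVER, dst=server_saw)

    # Switch: APBR has installed "traffic from this real server -> LB".
    policies = {SERVER: LB_IP} if mode == "apbr" else {}
    via_lb = switch_next_hop(reply, policies) == LB_IP

    # Load balancer on the return path: source becomes the VIP again
    # (and the SNAT translation, if any, is undone).
    if via_lb:
        reply = Packet(src=VIP, dst=CLIENT)

    # The client only accepts a reply from the address it connected to.
    return {
        "server_saw": server_saw,
        "blocklist_hit": blocklist_hit,
        "reply_via_lb": via_lb,
        "client_accepts": reply.dst == CLIENT and reply.src == VIP,
    }


if __name__ == "__main__":
    for mode in ("none", "snat", "apbr"):
        print(mode, simulate(mode, blocklist={CLIENT}))
```

With Source NAT the flow works but a server-side blocklist keyed on the client address never matches; with the APBR-style policy the flow works and the server still sees the real client.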
Please reach out to nxos-rise@cisco.com for more information on RISE features.
Resources

RISE At A Glance white paper: http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at-a-glance-c45-731306.pdf

RISE announcement blog: http://blogs.cisco.com/datacenter/rise

RISE Video at Interop: https://www.youtube.com/watch?v=1HQkew4EE2g

Cisco RISE page: www.cisco.com/go/rise

 


Enabling Data Center Services with RISE : Remote Integrated Services Engine

Data Centers are becoming increasingly smart, intelligent and elastic. With the advancement in cloud and virtualization technologies, customers demand dynamic workload management, efficient and optimal use of their resources. In addition the configuration and administration of Data Center solutions is complex and is going to become increasingly so.

With these requirements and architectures in mind we have an industry-first solution called Remote Integrated Service Engine (RISE). RISE is a technology that simplifies provisioning and out-of-box management of service appliances like load balancers, firewalls and network analysis modules. It makes data center and campus networks dynamic, flexible, easy to configure and maintain.

RISE can dynamically provision network resources for any type of service appliance (physical and virtual form factors). External appliances can now operate as integrated service modules with the Nexus Series of switches without burning a slot in a switch. This technology provides robust application delivery capabilities that accelerate the application performance manifold.

RISE is supported on all Nexus Series switches with services like Citrix NetScaler MPX, VPX, SDX and Cisco Prime NAM with many more in the pipeline.

Advantages & Features

  1. Simplified Out-of-Box experience: reduces the administrator’s manual configuration steps from 30 to 8 steps!!
  2. Supported on Citrix NetScaler MPX, SDX, VPX, and Nexus 1KV with VPX
  3. Supported on Cisco Prime Network Analyzer Module
  4. Automatic Policy Based Routing - Eliminates need for SNAT or Manual PBR
  5. Direct and Indirect Attach mode integration
  6. Show module for RISE
  7. Attach module for RISE
  8. Auto Attach – Zero touch configuration of RISE
  9. Health Monitoring of appliance
  10. Appliance HA and VPC supported
  11. Nexus 5K/6K support (EFT available)
  12. IPV6 support (EFT available)
  13. DCNM support
  14. Order of magnitude OPEX savings: reduction in configuration, and ease of deployment
  15. Order of magnitude CAPEX savings: wiring, power, rack space and cost savings

For more information, or to schedule an EFT or POC, contact us at nxos-rise@cisco.com

Resources

RISE press release on Wall Street Journal : http://online.wsj.com/article/PR-CO-20140408-905573.html
RISE At A Glance white paper: http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at-a-glance-c45-731306.pdf
RISE Video at Interop: https://www.youtube.com/watch?v=1HQkew4EE2g
Cisco RISE page: www.cisco.com/go/rise
Gartner blog on RISE: “Cisco and Citrix RISE to the Occasion”: http://blogs.gartner.com/andrew-lerner/2014/03/31/cisco-and-citrix-rise-to-the-adc-occasion/


ITD: Intelligent Traffic Director

Data traffic has grown dramatically in the recent years, leading to increased deployment of network service appliances and servers in enterprise, data center, and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance and server capacity remained limited to a few gigabits, far below switch capacity.

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on the Nexus 7xxx series of switches. It supports IP-stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed. ITD provides order of magnitude CAPEX and OPEX savings for the customers. ITD is available on Nexus 7000/7700 series in NX-OS 6.2(8) or later. It is available for demo on Nexus 5k/6k. ITD is far superior to legacy solutions like PBR, WCCP, ECMP, port-channel, and layer-4 load-balancer appliances.



Scaling Application Security with ITD

Ready to scale your enterprise beyond limits?  How about slashing a whole layer of datacenter infrastructure, saving piles of cash in the process?  Or perhaps you’re interested in simplifying your enterprise while adding features, or trying to speed things up without spending money.  Sound too good to be true?  Well, thanks to a new technology from Cisco, you can have your cake and eat it, too.

Cisco Intelligent Traffic Director (ITD) is poised to disrupt data center load balancing. Combined with best-in-class products, such as Imperva SecureSphere, organizations can deploy and manage massively scalable applications securely with unprecedented ease and cost effectiveness.

What is ITD?

Cisco recently released a new feature, Intelligent Traffic Director (ITD), for the Nexus 7k switches that promises to be a disrupting force in the world of load balancing. There has been an exponential growth in data traffic in recent years, leading to a growth in the deployment of network service appliances in enterprise, datacenter and cloud environments. To address the corresponding business needs, network switch and router architecture has evolved to support multi-terabit capacity. However, service appliance capacity remained limited to a few gigabits, an order of magnitude far below switch capacity.

Cisco Intelligent Traffic Director (ITD) is an innovative solution that tries to bridge the performance gap between the switch and service appliance(s). It allows customers to deploy service appliance(s) from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus 7000 / 7700 series switch, customers can create a service appliance cluster and deploy multiple appliance(s) to scale service capacity with ease. The servers or appliance(s) do not have to be directly connected to the Nexus switch.

Application Security
Gartner published a paper called Web Application Firewalls are Worth the Investment for Enterprises in Feb, 2014 that makes the case that “Firewalls and intrusion prevention systems don’t provide sufficient protections for most public-facing websites or internal business-critical and custom Web applications.” Gartner advises enterprises to use a Web Application Firewall (WAF) to protect critical external and internal applications from attacks and threats.

Like other service appliances, a WAF appliance benefits from ITD’s ability to manage large scale traffic loads. Imperva SecureSphere WAF works with ITD, and the combination provides highly scalable application security.

I mention SecureSphere because Imperva was positioned as the only Leader in the Gartner 2014 Magic Quadrant for Web Application Firewalls. Some key capabilities of the SecureSphere WAF are:

  • Block attacks with laser precision
    Accuracy is critical with application security. If you have false positives, you block customers; if you have false negatives, you let the bad guys in.
  • World-renowned application security research
    Security is constantly evolving. To get ahead and stay ahead in the continuous fight against threats, Imperva has a dedicated security research team, the Application Defense Center (ADC), which provides regular signature and policy updates, and up-to-date threat intelligence for Imperva SecureSphere.
  • Shut down malicious sources and bots
    Imperva’s ThreatRadar Reputation Services help detect bad actors using IP reputation feeds of known malicious sources, anonymizing services, phishing URLs, TOR (“The Onion Router”), as well as IP geolocation data.
  • Stop application DDOS and business logic attacks
    Business logic attacks include things like posting comment spam in forums and message boards, scraping web content, and disabling access to your website. All of this can reduce competitive edge, frustrate customers, and damage reputation.
  • Instantly patch website vulnerabilities
    It takes organizations an average of 6 months to patch an application vulnerability once it’s discovered. SecureSphere integrates with vulnerability scanners to virtually patch applications. This allows businesses to stay protected, and fix the vulnerability on their own timeline, thus reducing the window of exposure and the associated costs.
  • Gain forensics insights with customizable reports
    Graphical reports enable organizations to quickly analyze security threats and meet compliance requirements.
  • Speed up deployment without risk
    SecureSphere protects applications without impacting performance and without requiring extensive network changes. It offers flexible inline, non-inline, and proxy deployment options that meet organizations’ diverse requirements. SecureSphere’s Fail-Open capabilities combined with unique, transparent bridge mode saves time and labor with drop-in deployment that requires no changes to existing applications or network devices, and delivers multi-Gigabit throughput while maintaining sub-millisecond latency.

Scaling Application Security

Using ITD in VIP Mode to load balance provides a fast and economical way for organizations to provide highly scalable and available infrastructure. By leveraging ITD, an enterprise can deploy a single IP address (the VIP), which is then load balanced across many SecureSphere WAFs, with each one protecting the back-end webservers. This is done right from the 7K; there’s no need for an external load balancer in the middle.

Why is this better than other Load Balancers?

By combining Cisco ITD and SecureSphere’s advanced capabilities to monitor and secure HTTP traffic, several key advantages are apparent:

  • Eliminates the need for external load balancers, freeing up large amounts of budget and resources
  • You get the advantages of a proxy-type load balancer (1 single VIP represents many webservers), but still get ‘fail-open’ bridges on WAFs
  • ITD proxies traffic without interfering with the TCP Source IP Address, allowing SecureSphere to leverage the source IP, User and Session details for blocking and alerting.
  • To work with SecureSphere, ITD requires no modification to HTTP Headers (e.g., X-Forwarded-For), which can break applications and slow down traffic

What does this mean for the future of high performance WAF deployments?

By teaming up the Cisco Nexus 7K with SecureSphere WAFs, organizations can cost effectively deploy scalable, high-availability WAF farms to handle large amounts of traffic to webservers. As the web traffic increases, WAFs can be seamlessly added to the pool to scale up with the enterprise. Since every port on the 7K can be used as a load balancer, this provides the potential to scale up to multi-terabits of throughput to a SecureSphere WAF cluster.

In conclusion, ITD and SecureSphere provide simple, cheap, fast, scalable, and reliable security infrastructure. Sort of like having your cake, with icing, and cherries on top – and eating it, too.

Feedback or Query: For feedback, query or EFT/PoC/demo please email: ask-itd@external.cisco.com

ITD White paper:  At a glance

Configuration Guide: Config guide

 
