Cisco Blogs



Security for an Application-Centric World

October 1, 2014 at 5:00 am PST

Organizations are migrating to the cloud because it dramatically reduces IT costs as we make much more efficient use of resources (either ours or by leveraging some cloud provider’s resources at optimal times). When done right, cloud also increases business agility because applications and new capacity can be spun up quickly on demand (on-premises or off), network and services configurations can be updated automatically to suit the changing needs of the applications, and, with enough bacon, unicorns can fly and the IT staff can get home at a reasonable hour.

Whenever you ask a CIO-type at any of these organizations what’s holding them back from all this cloud goodness, though, more often than not the answer has something to do with security: “Don’t trust the cloud…”, “Don’t trust the other guy in the cloud…”, “Cloud’s not compliant…”.  You have to be something of a control freak to be a CIO/CISO these days, and, well, isn’t “cloud” all about giving up some control, after all (in return for efficiency and agility)?

Even if you overcome your control issues and you find a cloud you can trust (even if it’s your own private cloud – we can take baby steps here…), if we are going to achieve our instant on-demand application deployment, network provisioning and cost-efficient workload placement process, it turns out all the security stuff can throw another obstacle in our way. Cloud security isn’t like old-fashioned data center security where you could just put a huge firewall in front of the data center and call it good. For secure multi-tenancy and a secure cloud overall, virtually every workload (or “every virtual workload”?) needs to be secured from every other (except for the exceptions we want to make). Some folks call this “microsegmentation”, a fancy word for an old concept, but, a fundamental requirement that cloud deployments need to address. (Spoiler alert: ACI does this very well.)

New Cisco Nexus Data Broker Release 2.0 Now Available

September 26, 2014 at 5:00 am PST

We are excited to announce the availability of Cisco Nexus Data Broker software release 2.0. Using the Cisco Nexus Data Broker software, Cisco’s approach replaces the traditional purpose-built matrix switches used for network taps or SPAN aggregation with one or more OpenFlow-enabled Cisco Nexus switches.

Visibility into application traffic has traditionally been important for infrastructure operations to maintain security, resolve problems, and perform resource planning. Now, however, as a result of technological advances and the ubiquity of the Internet, organizations increasingly are seeking not just visibility but real-time feedback about their business systems to more effectively engage their customers. Also, with the rapid evolution of cloud-based technologies, there is a strong need for scalable and cost-effective network traffic tap/SPAN aggregation for traffic monitoring solutions. The traditional approach that uses purpose-built matrix switches for network tap/SPAN aggregation to feed traffic to multiple systems for security, compliance and application performance monitoring has three primary challenges:

  • This approach is too expensive to scale the visibility to meet today’s business requirements.
  • The purpose-built switches are statically programmed with predetermined filtering and forwarding rules, so they cannot act in an event-based way to provide traffic visibility in real time.
  • Support for interconnecting multiple switches for a scalable deployment that suits your data center architecture is limited.

With Cisco Nexus Data Broker (see Figure 1), the traffic is tapped into this bank of switches in the same manner as in a purpose-built matrix network. However, with Cisco Nexus Data Broker, you can interconnect these Cisco Nexus switches to build a scalable tap and SPAN aggregation infrastructure. You also can use a combination of network taps and SPAN sources to bring the copy of the production traffic to this infrastructure. In addition, you can distribute the network tap and SPAN sources and traffic monitoring and analysis tools across multiple Cisco Nexus switches.  Cisco Nexus Data Broker also provides the flexibility to aggregate traffic from multiple tap or SPAN sources and replicate and forward traffic to multiple analysis tools for monitoring.  See Table 1 for a list of important features and functions.

Figure 1

Visibility leads to insight

Table 1

Features of the New Cisco Data Broker Release 2.0

Features/Benefits

Scalability

Supported topology for Cisco® Monitor Manager network

  • Cisco Nexus Data Broker software discovers the Cisco Nexus switches and associated topology for Tap/SPAN aggregation.
  • The software allows you to configure ports as monitoring tool ports or input Tap/SPAN ports.
  • You can set end-device names for easy identification in the topology.

Support for QinQ to tag input source Tap/SPAN port

  • You can tag traffic with a VLAN for each input Tap or SPAN port.
  • Q-in-Q support in edge Tap and SPAN ports allows you to uniquely identify the source of traffic and preserve production VLAN information.

Symmetric hashing or symmetric load balancing*

  • You can configure the hashing based on Layer 3 (IP address) or Layer 3 + Layer 4 (protocol ports) for load balancing the traffic across a port-channel link.
  • You can spread the traffic across multiple tool instances to meet the high-traffic-volume scale.

Rules for matching monitored traffic

  • You can match traffic based on Layer 1 through Layer 4 criteria.
  • You can configure the software to send only the required traffic to the monitoring tools without flooding the tools with unnecessary traffic.
  • You can configure an action to set the VLAN ID for the matched traffic.

Visibility

Replicate and forward traffic

  • You can configure the software to aggregate traffic from multiple input Tap/SPAN ports that could be spread across multiple Cisco Nexus switches.
  • You can replicate and forward traffic to multiple monitoring tools that can be connected across multiple Cisco Nexus switches.
  • This solution is the only one that supports any:many forwarding across a topology.

Time stamping**

  • You can time-stamp a packet at ingress using the Precision Time Protocol (PTP; IEEE 1588), thereby providing nanosecond accuracy. You can use this capability for critical transaction monitoring and archiving data for regulatory compliance and advanced troubleshooting.

Packet truncation**

  • You can configure the software to truncate a packet beyond specified bytes.
  • The minimum is 64 bytes.
  • You can retain a header for only analysis and troubleshooting.
  • You can configure the software to discard the payload for security or compliance reasons.

End-to-end path visibility

  • For each traffic forwarding rule, the solution provides complete end-to-end path visibility all the way from source ports to the monitoring tools, including the path through the network.

Security

React to changes in the Tap/SPAN aggregation network states

  • You can monitor and keep track of network condition changes.
  • You can configure the software to react to link or node failures by automatically reprogramming the flows through an alternative path.

Management for multiple disjointed Cisco Monitor Manager networks

  • You can manage multiple independent traffic monitoring networks, which may be disjointed, using the same Cisco Nexus Data Broker instance. For example, if you have five data centers and you want to deploy an independent Cisco Monitor Manager solution for each data center, you can manage all of these five independent deployments using a single Cisco Nexus Data Broker instance by creating a logical partition (network slice) for each monitoring network.

Role Based Access Control (RBAC)

  • Application access can be integrated with a corporate AAA server for both authentication and authorization.
  • You can create port groups and associate the port groups with specific user roles.
  • You can assign users to specific roles and port groups; users can manage only those ports.

*Feature supported only on Cisco Nexus 3500.

**Feature supported only on Cisco Nexus 3100.

Please visit the Cisco NDB website for more information.  If you are going to be in NYC at Interop Sep 29 -- Oct 2, please visit us to hear Jothi Prakash Prabakaran talk about Nexus Data Broker as a scalable network traffic monitoring solution in the Cisco booth (#611) theater.


CCAP+Remote PHY and the Path Towards FTTH, Unified Access and Virtualization

By John Chapman, Cisco Fellow, CTO, Cable Access BU

This week, we and 10,000 or so hard-core engineering colleagues within the cable industry descend upon the city once known as the cable capital of the world — Denver, Colorado — and, like it’s been since the earliest days of the Society of Cable Telecommunications Engineers’ annual Cable-Tec Expo, a trending topic, now and forever, is bandwidth.

The reasons why are obvious, but indulge me a brief recap: Consumer usage of broadband grows at a compound annual rate of 50% or more, ever since about 2009, when Netflix began streaming video, in addition to mailing DVDs. Add to that the sheer number of video-capable, IP-connected screens we all use, and the fact that video itself is only scheduled to get bigger (we’re looking at you 4K), and it’s easy to envision why it’s a considerable challenge to keep the cable infrastructure updated, and capable of ever-increasing carrying capacities.

Here in Denver, we are focused on this challenge. Big picture, we are “transforming” cable access from a DOCSIS focus, to integrate DOCSIS with service provider WiFi, PON & FTTx, and MetroE into a single, easily managed portfolio, which only Cisco can deliver. Double-clicking on the DOCSIS pillar alone, we are taking the CMTS architecture and redefining it to deliver far more bandwidth, for far less cost. We see two technologies that stand out:

Leading the SDN transition with ACI – One Customer At a Time

The last several months have been on a roll with several customers, channel partner and technology partner engagements. With the ACI starter kits and lab bundles shipping, customers can bring this solution into their labs and subsequently into their production Pods with the Application Policy Infrastructure Controller (APIC) and the Nexus switching platforms. We see a healthy interest in these kits with customers as they explore its SDN capabilities. Several ecosystem partners like F5 and Citrix have started to ship device packages. We just came off a company-wide sales conference in Las Vegas a couple of weeks ago that was hugely energizing. Policy as a means to drive automation, security and scale is now the major focus area for SDN as outlined originally by Cisco as more industry vendors now endorse the vision as evidenced by initiatives like OpenStack Congress. Investment protection continues to be a major Overall the new fiscal year promises to be an exciting one.

ACI. SDN Central interview with Soni Jiandani and Shashi Kiran

Following up on the Unleashing IT magazine (ACI special edition) released last month, I wanted to share the momentum we’re experiencing with customers and partners as the acceleration continues. As John Chambers had outlined during the last earnings call, the adoption rate has been off to a tremendous start with some of the customers and partners featured in the video above.

We also continue to take the opportunity to answer questions as the vision around ACI continues to crystallize and rapidly evolves from concept to hard reality. This week we took the opportunity to have a Q&A session with SDN Central. Soni Jiandani, SVP of Insieme Networks Business Unit at Cisco, led the conversation. The featured interview can be accessed here. Soni crisply articulates the ACI value proposition while addressing some of the top-of-mind questions that come from the media.

Software Defined Networking, Cisco Style

As new technologies emerge and replace traditional ones, IT teams are discovering that building an infrastructure around new functionality is advantageous in a slew of ways.

One such disruptive technology gaining ground is software defined networking, or SDN.


The premise of SDN is to allow the user to determine how the network behaves by decoupling the control plane from the data plane. Control planes are essentially the “data directors,” instructing the data plane on where to transfer packets of data. The data plane then establishes the best path and carries the data to its destination. By separating these two functions, the user can program the open-source network to act in accordance with business requirements—using a central management interface in a vendor-neutral manner.

Not only has Cisco joined the SDN approach, they’ve gone beyond the basics of SDN to include an application-driven infrastructure. It’s called, appropriately, Cisco Application Centric Infrastructure, or Cisco ACI.

Cisco ACI combines hardware, policy-based control systems, and software to deliver management automation, programmatic policy, and dynamic workloads. It’s built around the application, not the network.

What’s the advantage? Doing so enables greater support for scalability, a more dynamic network, and centrally-defined portable policies—all of which lend to faster application provisioning and a more efficient environment.

While many SDN solutions are focused solely on software and virtualization, the reality is that hardware still exists and is an integral part of the network. Cisco ACI leverages existing hardware—because no matter how de-emphasized it may become, the physical infrastructure remains important.

As Cisco senior vice president of marketing Soni Jiandani tells Unleashing IT, “ACI is SDN plus a whole lot more. Other SDN models stop at the network. ACI extends the promise of SDN—namely agility and automation—to the applications themselves. Through a policy-driven model, the network can cater to the needs of each application, with security, network segmentation, and automation at scale. And it can do so across physical and virtual environments, with a single pane of management.”

And Shashi Kiran, senior director of market management at Cisco, shares his views on Cisco ACI in this blog.

As businesses are becoming more dependent on applications, they must stay competitive and relevant by considering updating their infrastructure to speak directly to the needs of the application. Learn more in this edition of Unleashing IT, a special release focused on Cisco ACI and produced by Cisco and Intel®, and see how early adopters are realizing the benefits it brings to the table.

Subscribe for access to content from customer successes to thought leadership to Cisco ACI-related resources.

 

 

 
