Regardless of where you are in adopting collaboration technologies, we’re focused on delivering what works best for your needs.
Since starting with VoIP, we’ve expanded our portfolio’s depth and breadth. We continue to lead in the enterprise voice space, with a worldwide market share of 39%, but we don’t sit still (Source: Synergy Research). We’re always evolving, including extending into the cloud with team-based solutions.
Our new 8821 Wireless IP Phones have increased network security when configuring and authenticating.
Within our Contact Center portfolio, we’ve increased security within Cisco Unified Customer Voice Portal, Cisco MediaSense, and Cisco Unified Contact Center Express.
Administrator and User Experience Cisco Jabber’s user experience is improved by supporting several devices within the same message thread. Video quality improvements come from our media adaptation and resiliency implementation, an element of Cisco Spark, Communications Manager, Jabber, and most Cisco endpoints. New pre-configuration enhancements streamline implementation and operations of Business Edition 6000. Meanwhile, both Business Edition 6000 and 7000 solutions now have an assurance and analytics option.
You can now register room and desktop video endpoints devices within Cisco Expressway, which includes user experience enhancements as well as new multistreaming capabilities for remote participants.
Our customer care portfolio includes several experience enhancements, including built-in chat and email within Unified Contact Center Enterprise. Both Contact Center Enterprise as well as Contact Center Express now feature single sign-on. Cisco Unified Intelligence Center has a refreshed agent and supervisor user interface. And, we’ve increased scale:
Packaged Contact Center Enterprise now supports up to 2,000 agents and 1,500 outbound ports.
Cisco Unified Customer Voice Portal scales up to 3,000 calls per Virtual Machine.
Extended Collaboration We’ve enhanced premises-to-cloud hybrid capabilities through Cisco Expressway connectivity to Cisco Spark Hybrid Services. To ease interoperability, Cisco Unified Border Element now has video-signaling suppression and pass through.
For contact centers, Cisco Unified Contact Center adds APIs to allow greater control over outbound campaigns. For more access options, Unified Customer Voice Portal now supports a virtual voice browser in Unified Contact Center Express, Packaged Contact Center Express, and Hosted Contact Center.
As you can see, Release 11.5 includes a lot of new features and functionality. But, this is only a taste.
Cisco Further Expands Technology Partner Ecosystem – New Partners and New Tech Integration Areas
Security is an interconnected system, not a bunch of disparate boxes. Like a school of fish, security should operate collaboratively to accomplish a goal. Not just for the sake of “integration”, but because the very nature of securing networks, applications and data require it. There is no security “god box” that can do everything. It would be great if there was, because security would be simpler and we would all be more secure. But until such time that nirvana is achieved (likely never… security is distributed just like networks and compute are), the best approach is creating open platforms that can collaborate with each other to solve security problems more effectively and more efficiently. That is the approach we take at Cisco.
It took Cisco awhile to get here. We now have the Cisco Security Technical Alliances (CSTA) program, which is a program with nearly 100 partners with certified platform-to-platform integrations… not just company logos on a slide. But that wasn’t always the case. In our early years we had trouble spelling “API” much less opening up our platforms with them. But for the last 3 years we have been on quite a tear opening up our security platforms with APIs and advanced data sharing frameworks, as well as driving security data exchange standards on multiple fronts. Just a couple weeks ago we announced 10 new pxGrid integration partners taking that part of our security ecosystem to 40+ partners in less than 2 years. Networks and data are safer when security vendors integrate with each other.
To help create better security through these integrations, today we are announcing several extensions and expansions to the CSTA partner program. Here’s a snapshot of what’s new:
Two New Security Ecosystems – Cisco AMP and Incident Response
Cisco Advanced Malware Prevention (AMP) is the platform for threat intelligence, advanced sandboxing, and real-time malware blocking on endpoints and integrated in the Cisco network. In addition to its multi-dimensional malware visibility, AMP now exposes an AMP Endpoint API that allows direct access to threat data and events in the AMP cloud instead of solely via the AMP management console. This enables greater flexibility in how the data is used, visualized and analyzed. Two of our SIEM technology partners, AccelOps and Splunk are leading the market with support of the AMP Endpoint API. This provides our joint customers turnkey integration they can use today.
The new Incident Response and Breach Recovery Partner Program is a different sort of program for CSTA. It focuses on systems integration partners with specialized services expertise with Cisco security products. In this new services ecosystem, systems integration partners BAE Systems, Dimension Data and Optiv provide specialized incident response and breach discovery services to help customers triage, contain and clean up after a breach. These partners are experts who are trained in use of tools, such as Cisco AMP and Threat Grid, to provide these specialized discovery and response services at a moment’s notice.
Firepower Management Center Ecosystem Enhancements
In Firepower Management Center (FMC) v6.1, Cisco introduced a “write” function in addition to the existing “read” capability on our Firepower REST API. This enables management of Firepower firewall policy from 3rd party management tools, thereby simplifying creation of consistent policies across a deployment… even when there are multiple firewall vendors in the environment. Leaders in this space—AlgoSec, FireMon, KPN, and Tufin—are adopting these new API capabilities and can be used as common firewall policy management platforms with Cisco Firepower. Availability varies by partner, but all will be available by year end.
IBM QRadar is adding Firepower eStreamer API support for FMC 6.x and will be first to market among SIEMs supporting the latest Firepower releases. eStreamer provides highly-enriched event data (far better than syslog) for Firepower firewall, IPS and AMP network events. With this support, to be released this summer, IBM QRadar provides the greatest visibility and event management to Cisco’s Firepower customers. Accelops now also supports eStreamer in addition to their integration with the AMP cloud noted above.
Cisco has also updated its integration with Tenable Nessus, allowing Tenable endpoint vulnerability data to populate the FMC event tables. This enables association of IPS, AMP and firewall events in FMC with vulnerability event data from Tenable. This provides a more complete view of the significance of events in FMC. In a similar vein, packet capture partner Viavi can perform advanced forensics on firewall and IPS events through their new integration with FMC.
Also worth noting, our Cisco eStreamer partners can now connect to a dedicated, live version 6.0.x Firepower Management Center. This test platform makes it easy for partners to test and certify their existing eStreamer clients against Cisco’s latest Firepower version as well as develop new clients. The deployment runs 24×7 and generates live events across the API’s entire schema.
Cisco and Infoblox already have an excellent pxGrid integration in production. But a key function of the pxGrid security data exchange framework is the ability for any pxGrid adopter to share their data or service capabilities with any other partner in the pxGrid ecosystem. Infoblox is blazing the trail as the first pxGrid partner utilizing this new function since it shipped earlier this year. Using Infoblox DDI data published to the grid, other pxGrid partners can subscribe to this data to get real-time DHCP and IP address lease information. This provides very accurate and granular endpoint and device data that is universally applicable to a number of security and networking integration use-cases.
5thColumn is a managed security service provider specializing in orchestration of threat monitoring and incident response for global enterprises. They utilize many Cisco security platforms in providing their service, but what makes them interesting is the customization they have done on top of these platforms. Utilizing Firepower APIs, eStreamer, pxGrid and other Cisco security integration points, 5thColumn has integrated Cisco security with 5thColumn’s own StackBOSS™ software to create a truly differentiated and high value managed security orchestration service for their customers. They illustrate how a Cisco security tech partner can move the ball forward in security through multi-product integration.
New AMP Threat Grid Malware Analytics and Threat Feed Partners
The Cisco AMP Threat Grid integration ecosystem continues to expand, adding 14 new partners across a breadth of security technologies. These new partners— Anomali, BluVector, BrightPoint Security (now ServiceNow), Centripetal Networks, Cybersponse, EclecticIQ, Fox-IT, IID (now Infoblox), NTT Security, Phantom, Swimlane, ThreatConnect, ThreatQuotient and TrapX—are leveraging AMP Threat Grid for file analysis to detect malware, threat intelligence queries, and premium threat feeds curated hourly and daily from the malware analysis results.
Cisco welcomes all these new and expanding technology partner integrations. All integrations noted above are available now or within the next 90 days, unless otherwise noted.
Whether you are a customer deploying security platforms, a vendor partner or start-up integrating security platforms, or a services integration partner building unique security service offerings there is goodness to be had by an open integration environment. For integrations to Cisco Security, you can start your path on the Cisco DevNet Security Developer Center and see what fits for you.
I’m excited to share that today Cisco announced its intent to acquire CloudLock Inc., a leading cloud security solution that gives companies visibility and policy control over content shared in cloud applications.
CloudLock specializes in Cloud Access Security Broker, or CASB, technology and helps organizations move faster to the cloud. CloudLock delivers cloud security to help track and manage user behavior and sensitive data in SaaS applications, such as Office365, Google Drive, and Salesforce. Enterprise IT can then enforce a granular security policy within these cloud applications. For example, CloudLock can help protect data and enforce access rules when an employee tries to access sensitive data stored in a SaaS application from an unprotected device, in a defined geography, at a specific time of the day – essentially, ‘security anywhere, anytime’ for content in the cloud. CloudLock extends these security controls to the IaaS and PaaS layers as well.
CloudLock’s unique cloud-first, platform and API-based approach means that they’re able to deliver an incredibly detailed level of understanding of how users are sharing data, what’s being shared, and potential security risks associated with sensitive information that shouldn’t be distributed. They do this while remaining invisible to an end user who is accessing the cloud.
In a crowded market of cloud access security broker vendors, CloudLock has built a powerful go-to-market engine that has managed to grow to attract over 700 customers, including Fortune 500 companies, in less than five years.
“Buy” has been a key part of our innovation strategy, alongside significant internal product development, to drive towards a fully integrated security portfolio. Today’s announcement builds on three quarters of consecutive revenue growth in Cisco’s security business. We have expanded our security footprint with milestone acquisitions including Lancope, OpenDNS, Sourcefire. Together, CloudLock and Cisco together will offer the industry’s broadest cloud security protection for users, applications, and data. The CloudLock team will join Cisco’s Networking and Security Business led by Senior Vice President and General Manager David Goeckeler.
Today Cisco announces the extension of scalable industrial solutions in the Internet of Things (IoT) portfolio with new IoT products. With these new technologies, Cisco continues to extend its leadership in the Industrial IoT space.
Enhanced Cisco Solutions Support Three Major IoT Use Cases:
Connected Machines:
With 92 percent of today’s 64 million machines not connected to a network, there is a great opportunity for organizations to make their production environments smarter and more efficient.
Cisco Connected Machines delivers a complete solution to securely connect devices, transform machine data into real-time insight and grow recurring business when working with machine builders and manufacturers.
By implementing the Connected Machines solution, Cisco’s manufacturing customers can benefit from the domain expertise of machine builders to drive machine process improvements through real-time corrective action and continuous, predictive maintenance.
Under the Connected Machines solution, Cisco is now offering an extension of new products, including:
IE4000 with IOx: This application framework runs on all IOx-enabled network infrastructure. The platform has pluggable micro-services and can reliably integrate with IoT sensors and cloud applications in a highly secure way, while processing data closer to the machine.
Connected Streaming Analytics: Provides real-time analytics running on the IE4000 for small footprint deployment with IOx-enabled fog applications
Cisco’s IE4000 switch, IOx enabled fog applications and Connected Streaming Analytics combine to securely connect machines, extract the machine data and deliver real-time actionable insights.
Mazak, a leader in manufacturing machine tools, is utilizing Cisco Connected Machines for its SmartBox, a solution that connects manufacturing equipment to a factory network. The SmartBox utilizes the Cisco IE4000 with the MTConnect fog application and connected streaming analytics. This technology is helping them build toward what Mazak is calling an iSMART Factory.
“Mazak continues to drive toward its iSMART Factory concept that uses advanced manufacturing cells and systems together with full digital integration to achieve free-flow data sharing in terms of process control and operation monitoring. Within that concept, the connection of today’s manufacturers to the Industrial Internet of Things (IIoT) allow them to achieve levels of efficiency and productivity never before realized,” said Brian Papke, president of Mazak Corporation. “And while the Mazak iSMART Factory concept centers around open connectivity and the Internet, we must also provide those manufacturers the highest level of security possible, and we do so through our Mazak SmartBox technology developed in collaboration with Cisco.”
Connected Factory:
The Cisco Connected Factory, enhanced with new IoT connectivity and security products, delivers a complete Industrial Zone solution for customers to scale security, simplify network management and extend the scope of IoT. As part of the Connected Factory framework, Cisco is announcing two new industrial switches IE4010 and IE1000, and enhancements to industrial security appliance ISA3000
IE 4010:This highly secure, easy-to-manage multi-gigabit speed ruggedized switch includes in-line Power over Ethernet/PoE+ multi-speed Ethernet ports, that can power up to 24 other devices in industrial applications.
IE 1000:This highly secure, compact, lightly managed ruggedized switch includes in-line Power over Ethernet/PoE+ multi-speed Ethernet ports that power up to eight other devices in industrial applications.
ISA 3000:This enhanced threat protection appliance is purpose-built for industrial applications that require support for Common Industrial Protocol (CIP).
With Cisco Connected Factory, manufacturing customers benefit from a complete solution to securely connect machines and sensors and gain insight from IoT data in order to reduce cycle time, increase availability and reduce risk. And some are well on their way to achieving value from an overall Connected Factory architecture. One example of this is Israel based manufacturer Lordan.
Lordan is a manufacturer of thermal-engineering heating and cooling systems and has a global reputation for delivering high-quality custom-made designs and supply flexibility. To advance its IoT strategy and to work toward increasing overall efficiency on the factory floor, Lordan installed a Cisco 829 Industrial Router with WiFi access point, Cisco IOx, and the fog application LeaderMES.
“Within 2 weeks we could produce overall equipment effectiveness (OEE) reports and make decisions based on real data, not assessments. Within a month of installing LeaderMES, we increased our manufacturing floor productivity by over 10 percent,” said Yair Avigdor, COO, Lordan.
Hopf, a solution provider based in Germany that offers a range of products and services, is also seeing the value of industrial switching.
“No doubt about it, Cisco IoT technologies and solutions are already world-class. But now with the IE 1000 switch, we can cost-effectively deliver substantial quality and security. This helps customers who are facing a growing demand for entry level Ethernet ports to utilize Cisco solutions,” said Tilman Taubert, Senior Customer Solution Architect, Hopf Vertriebsgesellschaft mbH.
LoRaWAN™ solution: Increasing number of devices are connecting to the Internet, expected to reach 50 billion by 2020. Approximately 45 percent of such IoT devices are constrained by battery power and require long range for IoT connectivity.
The Cisco solution for LoRaWAN™ combines Low-Power-Wide-Area (LPWA) LoRaWAN™ with WiFi and cellular technologies and is designed for cost-effectively connecting billions of such battery powered, low-data rate and long distance IoT sensors. The solution includes the Cisco Integrated Module for LoRaWAN™, which extends existing industry-leading industrial routers IR809 and IR829 with a ruggedized LoRaWAN™ interface, Cisco IoT Field Network Director, and partner’s back-end LoRA® network server.
The Cisco solution for LoRaWAN™ offers customer a fully integrated architecture that enables both service providers and enterprise customers rapidly realize business outcomes with IoT. The Cisco solution for LoRaWAN™ can be deployed for a wide range of use cases in industrial and smart city applications such as the following:
Connected Assets (Asset tracking and asset management)
Smart cities (smart parking, street lighting, waste management, etc)
Intelligent buildings
Utilities (water and gas metering)
Agriculture (soil, irrigation management)
The Hamburg Port Authority (HPA) in Germany, a longtime Cisco customer, is already realizing the value of LoRa® technology. As part of its digital transformation strategy, the HPA deployed the Cisco solution for LoRaWAN™ and has installed sensors along Kattwyk Bridge at the entrance to the port. The bridge, which can be raised and lowered in order to let cargo ships pass through, is one of the first to deploy LoRa® technology. Sensors enable the technical maintenance department to precisely and predicatively plan maintenance and repairs, leading to lower maintenance costs and less downtime.
“Right now, the use of LoRa® technology and sensors along the Kattwyk Bridge help us tremendously improve operations,” said Dr. Sebastian Saxe, CIO & CDO of Hamburg Port Authority (HPA). “We no longer have to wait for a problem, but can proactively address issues before they arise. This will be one result of a sensor study, which will be published at the end of 2016. As we move into the future,we will look to technology like the Cisco Interface Module for LoRaWAN™, which is what we’re using in the heart of the Port Authority to drive smarter transportation, maintenance, and logistics.”
The extensions of these IoT solutions is yet another example of Cisco’s commitment to enabling organizations to increase efficiency, security and scalability with IoT. Are you seeing transformation in the industrial IoT space? Share your comments below.
The LoRa® name and associated logo are trademarks of Semtech Corporation or its subsidiaries. Semtech, the Semtech logo and LoRa® are registered trademarks of Semtech Corporation. LoRaWAN™ is a trademark of Semtech Corporation.
I am posting this blog on behalf of Vipul Shah, Sr Manager, Product Management.
Imagine a data center network for an e-commerce business that allows for on-demand allocation of bandwidth as a result of high traffic volumes generated by large number of transactions during the holiday shopping season, or a data center network for a financial services company that can intelligently reroute critical transactions around brownouts, error prone links, and network congestion using per-application policy. Finally, imagine a content delivery network (CDN) that can logically segment the physical infrastructure to speed the delivery of web content by separating large and small traffic flows. All of these scenarios require an agile network that can provide some type of explicit forwarding path to the applications while reducing latency. This is what Segment Routing does. It provides the most optimal path to the applications, which in some cases may not be the shortest path.
As the networking industry continues to stride towards Digitization and simplification of the data center, Cisco continues to innovate and execute on the concept of software defined networks (SDN). Segment Routing is one such innovation, whereby it provides the benefits of SDN but also adds intelligence into the network making it adaptive to the needs of the application itself.
The insatiable growth of applications has fueled a demand for network agility, security and performance guarantees. Segment Routing can address these requirements with its application optimized network transport. By encoding the path information directly at the source; i.e. either at the virtual switch or at the top-of-rack (TOR), and using per-application policies, Segment Routing puts powerful control in the hands of the network operators by empowering then to create secure, adaptive, and optimal paths based on application requirements.
As industry first, Cisco recently delivered Segment Routing for the data center with the Nexus 9000 and Nexus 3000 series switching platforms, with commitment to support additional platforms in the future. This strategic capability in the data center complements Cisco’s Application Engineered Routing that leverages Segment Routing for the wide-area network (WAN) and essentially provides the means to enable an unified end-to-end policy and application aware network architecture between the data center and the WAN. Additionally, by combining High Availability using ISSU with Segment Routing on the Nexus 9000 & Nexus 3000 provides a more powerful agility story for the Segment Routing network. The Nexus switching platforms also enhances orchestration capabilities with programmatic access using NXAPI REST support. Adding a controller can provide visibility into the performance metrics of the entire network; the learning of bandwidth consumption of all the fabric links provides the ability to create and program dynamic forwarding paths on demand. This level of granularity makes Segment Routing much more intelligent for application awareness.
Today, large content providers are looking for ways to speed up content delivery by enabling this unified forwarding paradigm with the Nexus platforms in their data centers. Similarly, large financial firms are looking to utilize Segment Routing by building a multi-plane architecture with the Nexus platforms in their data centers, allowing them to separate business transactions from non-critical applications over the same network fabric.
With a commitment to deliver on standards based technologies, Cisco has built Segment Routing in partnership with the industry. There are over 25 drafts in the IETF led by Cisco, with contributions from major customers, networking vendors and operators. Several key documents are now in working group status in the IETF.
If you are interested in learning more about Cisco’s industry leading Segment Routing solution please join us in our upcoming TechWise TV Workshop where we will discuss details about the technology and specific customer use cases. Please register here
Optimize Applications with increased Network Intelligence using Segment Routing!
The award recognizes the successful contributions of large corporations working within the startup/scaleup ecosystem as partners for co-creation and investments. We received the good news on June 9th when it was announced at the Startup Europe Summit in Berlin. You can read the press release here and listen to my interview with Monocle Magazine to learn more.
The judges for the ranking were a “who’s who” lineup of startup ecosystem leaders and influencers from across Europe. They included:
Sherry Coutu (author of The Scale-up Report and angel investor)
Alberto Onetti (Chairman of Mind the Bridge)
Dolf Wittkamper (Head of EIT Digital’s Accelerator)
Candace Johnson (entrepreneur behind SES, Loral Teleport Europe and Europe Online)
Other companies recognized in the ranking were Unilever, Telefonica, Virgin, Microsoft, and BMW.
In comments given in a Forbes piece about the ranking, Alberto Onetti praised Cisco for being “really active in the European startup ecosystem at various levels.” He also noted that the recently launched Cisco EIR program in London “is very well designed to build long-term strategic relations between Cisco business units and early stage companies.” He concluded that he and the other judges “expect concrete results out of [Cisco EIR] in terms both of commercial partnerships and acquisitions.”
I’m delighted by the recognition Cisco is receiving for our work with startups around the world and our open innovation initiatives. With this award, we’re seeing Cisco EIR specifically held up as a successful model for how large corporations can engage the startup/scaleup ecosystem.
Cisco EIR is one of multiple ways Cisco is engaging with startups. For example, Cisco’s corporate venture capital arm, Cisco Investments, manages a portfolio of more than 100 active startups valued at over $2B. Recent investments in Europe include AdBrain and Startupbootcamp.
Our No. 1 ranking comes on top of significant momentum for Cisco and Cisco EIR. In my last blog post, I shared several recent milestones. We had another successful demo day in Silicon Valley last month. We launched a new Cisco EIR program in London. We now have 33 companies in Cisco EIR’s global network, more than 30 active strategic engagements with Cisco business units and two Cisco acquisitions under our belt. Plus, more than $50M raised by our companies collectively since they joined our program.
With Cisco EIR firmly in place in London—and with our “Corporate Startup Star” award in hand—we’re committed to helping to lead the next phase of growth in Europe’s startup/scaleup ecosystem. We continue to see leading-edge technology and high-caliber entrepreneurs in the region driving significant market transitions in the Internet of Things, AI/deep learning, security, and other areas strategic to Cisco. Expect more exciting news from Cisco EIR in the coming months.
When an NBA basketball team takes the floor for a game, the fans in the stands, in sports bars and at home all focus on the team’s starting line-up. When they watch league MVP Steph Curry drain a game-winning three-pointer or LeBron James slam home a dunk over an opponent, it’s easy to lose sight of the contributions of the other four teammates on the floor or the eight other players who are sitting on the bench. And it’s easy to forget the hundreds of people who play important supporting roles behind them. It’s the team that makes the most skilled contributors that much better.
I want to tell you about those behind-the-scenes teams that are hard at work to make sure that fans are connected to every second of the action at an NBA game.
For example, at Philips Arena in downtown Atlanta, Boingo chose Cisco equipment to help build a state-of-the-art Wi-Fi network that creates an unforgettable fan experience. Boingo has installed Cisco access points in their high density network, a network that lets Atlanta Hawks fans get closer to their team than ever before. In addition to sharing their experience with others around the world via social media, fans are able to easily upgrade their seats, make their smartphones part of the “ATL lights” pre-game ceremonies, find concession stands, track players’ stats, and enter game-night give-away contests. It doesn’t matter whether you’re sitting courtside or up high in the stands, you’re always at the center of the action.
“Our average ticketholder at the Hawks is 34 years old. Wi-Fi is their oxygen,” says Steve Koonin, the CEO of the Hawks and Philips Arena. Boingo who designed, developed and manages the network deployed the Cisco access points in the arena last fall. Boingo provides fully managed network solutions before, during and after games and events. You can learn more about the digital fan experience and support that Boingo is providing the Hawks in Boingo’s Stadium Stories video.
https://www.youtube.com/watch?v=4qkmZINnh7A
And Cisco’s connections with the NBA go far beyond our equipment that Boingo used at Philips Arena in Atlanta. As the official technology partner of the NBA, Cisco created a high-speed arena network that feeds video and data from each NBA venue to a central media management center in New York. From there, it provides game video and statistics to fans’ computers and mobile devices no matter where they are. In this video you’ll see how Cisco and the NBA are delivering the digital experiences that today’s fans expect.
Around the world we are working with sports and entertainment properties to meet fans’ expectations. More than 350 stadiums and arenas in more than 40 countries have implemented our Cisco Connected Sports Solutions to boost the fan experience. We’re building the networks and delivering the digital solutions that keep fans connected today and into the future. In the last three years, we’ve seen fans’ interest in digital experiences more than double. In a recent global survey, fans told us that they expect more in their sports experience. Half of all fans surveyed want to control what they see on their mobile device, including unique camera angles. More than 60% want to be able to select replays to complement the live action. We think that number will continue to explode as more fans take more devices to games, connecting in new and more engaging ways.
Past, present and future, we’ve been working with innovators like Boingo to deliver a more connected and unforgettable digital fan experience. There’s never been a better time to be a sports fan.
First off, let me put forth a disclaimer: I know next-to-nothing about genomics.
I don’t know the names of the institutions involved in it, I don’t know who funds it, who is making major breakthroughs, how to use the industry lingo, or what the latest findings have been.
But I do know this: Organizations involved in genomics—like those involved in most other scientific research—have an almost bottomless appetite for technology. They need (and have reliably purchased) truckloads of servers and storage devices to process and manage the mountains of data they generate.
It’s a blessing, and a curse. Information technology allows them (“you” if you’re one of them) to analyze data and drive breakthroughs at a previously unimaginable pace—but this technology is not cheap. In fact, it’s the opposite of cheap. And it has a name: High Performance Computing. HPC.
“What’s that?” you ask (if you’re not one of them).
Think specialized hardware for specialized applications run by specialists.
As I alluded to earlier—it’s a costly proposition.
But here’s the good news for genomics researchers—and companies of all stripes that depend on HPC to get the job done: Private cloud technology has advanced to the point where it stands to be of significant value to you. Not only can it reduce the aforementioned costs (especially if you’ve been dabbling in public cloud), but it allows you to implement cloud-native applications that can drastically increase the productivity of your research organization by making both its activities and underlying resources more flexible, scalable, efficient and portable.
I’m not going to say anything else, because we’ve reached the limit of my meager knowledge on the topic. But if you’re hungry for more info, you’re in the right place. We’ve just published a brief on the subject in partnership with SwiftStack (accessible here), and we’re hosting a webinar about it on 6/30 at Noon PDT (register here). We encourage you to partake of both, and if you still have questions after that, please don’t hesitate to reach out to one of our subject matter experts at copc-vss-group@cisco.com.
This is the second of a series of blogs where we will illustrate how to leverage Cisco ACI to implement Micro Segmentation. In the first blog we described how to use ACI micro segmentation to implement a web application that uses a tier of apache Web servers and a MySQL database.
We saw how all Virtual Machines involved could be on the same subnet and on the same dvPortGroup in a vSphere environment, and use Micro EPGs to group Virtual Machines according to the function they provide in order to get the right policies applied. The ACI white-list policy model ensures that only the required protocols and ports are allowed between the involved Virtual Machines, and Service Graphs can be used to insert advanced security provided by NGFW and Load Balancing functions.
In this blog, we will focus on how to dynamically implement a sandboxed development environment to modify that application. Before I get on with that, I want to explain that in order to make the demo a bit more fun, I also decided to add an L2 NGFW between the Web and DB tiers of our application. I did that to illustrate how the APIC can automate the NGFW configuration there. But in any case we can imagine that doing this is interesting anyways, because while the contracts on the fabric effectively act like a firewall in the sense that only TCP/3306 is allowed between Web and DB tiers, the fabric can’t really ensure that it is SQL traffic going over that protocol. You need to inspect at the application layer for that. An NGFW can do that, and also protect against SQL-related attacks, etc. So the “production” environment is represented like in the picture below, where I am just highlighting the change from the demo of the first blog:
You can check this video to see how we added that L2 Firewall using the ACI vCenter Plugin to insert an existing Service Graph Template.
Implementing a Dev/Test Environment
So now let’s imagine that Acme Co. wants to give their developers an environment to make changes to the application. If we remember, our Joomla-based Application Profile looks like this:
One of the advantages of SDN is that we can create and delete network configurations programatically, just like we create Virtual Machines. So we can build the development and testing environments on demand, and destroy them when they are no longer required. With ACI, this does not requiring anyone going box-by-box configuring network constructs. Instead, a program or script can talk to the APIC API and create, modify or delete complex network configurations, regardless of physical topology. You can also snapshot existing configurations … like you can snapshot a VM (… a promise long made by other SDN vendors, and long overdue … 😉 ).
In the demo of the video at the end of this article we do exactly that. We create a dev/test environment when we need it. For our demo, let’s assume that the developer will only change static web content, so we will create clones of the DB VM and leave them in the same dvPortGroup where we will place them on uEPGs when we run a script that queries the APIC, gets the production Application Profile details, and modifies it creating a sandboxed development environment and a corresponding testing environment.
Developers can then create additional Virtual Machines and connect them to the dvPortGroup corresponding to the JoomlaAppServers EPG. When a VM is placed there, by default it only has access to provisioning tools. Our development environment will look like this:
We create a new VRF on the fly that has the exact same subnet as the production environment. This allows us to keep an exact clone of the DB, including using the same IP address of the production DB, in the example it is 172.16.20.200 – notice this is done like this for the point of illustrating ACI capabilities, I am not suggesting that you should hardcode the IP address of the VM in the application like I did!
The script copies the contracts from production without the service graphs because we don’t need them on the development environment: it is sandboxed, it has access to nothing outside of it. And you don’t need to create any firewall rules anywhere to isolate the environment … it’s in its own VRF, and without contracts, the EPG/uEPGs can’t access anything.
In the dev environment, the JoomlaWeb-Dev and JoomlaDB-Dev are Micro EPGs. We configure them so that Virtual Machines are placed in those uEPG depending on VM-attributes. In the demo, I use the VM name so that if a VM has a name that contains WebDev it will be on the JoomlaWeb-Dev uEPG. But in a real deployment I recommend using something like Custom Attributes for the same “tagging”, since that gives you a lot more flexibility.
The VM apache-server-03 runs CentOS and we use Ansible to install Apache and Joomla on it, along with the base files, etc. Once that is done, a simple VM-attribute change suffices to change the VM into the JoomlaWeb-Dev uEPG: the VM vNIC does not need to change dvPortGroup. In the demo, I show how the contracts in place enforce that only the required traffic is allowed, and also I show how a vSphere administrator can easily change those contracts from vCenter if the developer wants more freedom of connectivity in that environment.
There, our developer can make whatever changes they require. In our case, we are changing the image of one of the banners of the site. Once that is done, the changed application is ready for testing. Changing again VM-attributes will “move” (notice, not vMotion) the VM to the JoomlaWeb-Test Micro EGP. Again, this does not represent a dvPortGroup change, even if the VM also changed to a different VRF. 🙂 This is represented in this picture:
The test environment was also created by our script “copying” from the production environment. Here I actually “cheated” a bit because I hard coded a new Service Graph on my script – I don’t create that one on demand, although I could, I was just lazy. This Service Graph essentially connects our test VRF to the L3Out of the production VRF. Why? Because we want to be able to test the application from real desktops external to the fabric. So we need to connect the Test environment to a DMZ, and we do that with a Service Graph. Of course, we re-use the L3Out from production that already connects to the WAN. We also need the NGFW to NAT traffic towards our application, since we are assuming that we use overlapping address spaces (we can’t really announce the same subnet from two VRFs). That NAT is configured on the NGFW (Cisco vASA) directly from the APIC Service Graph. Also in the test environment I decided to use a different Load Balancer: open source HAProxy. Again this is done strictly with the intention of showing possibilities, not to indicate any vendor preference in this area.
Once the apache-server-03 VM changes to the JoomlaWeb-Test uEPG it has access to a copy of the production DB again, the one of the test environment. It is not available directly for external connectivity, because we programmed the ASAv to only allow access to a VIP on the HAProxy. The HAProxy however can access the new test VM. We can test that the application is working well and we are ready to move it into production. See below the complete picture of the process:
That is indeed the final step, where we once again modify the apache-server-03 VM attributes to indicate that it is now good for production environment. The VM changes to the JoomlaWeb-Prod uEPG. When this happens, the APIC detects the new IP (172.16.10.15) it will automatically add it to the F5 BigIP load balancer pool, and to the network-object in the vASA that we used to define security features to be applied when accessing the DB.
The final step is to modify the VM attributes of apache-server-01 and apache-server-02 to indicate that those two are no longer in production. When this is done, the following happens:
the F5 BigIP configuration is automatically changed by the APIC to delete the IP addresses of the decommissioned VMs from the pool
the ASAv configuration is also modified to remove the IP addresses of those VMs from the network-object
the decommissioned VMs are put back into the JoomlaAppServers EPG where they only have access to the provisioning tools
At this stage, we could instrument the same application changes on apache-server-01/02 and move them back into production, again changing the VM attributes, or simply delete those VMs if they are no longer required.
Once that is done, the development and testing configurations on APIC can be completely deleted as well. Until the next time we need to make changes.
And now the link to the demo … 🙂 If you read the blog, you can fast forward to minute 3:25 where the real demo begins:
In the next couple of blogs we will look at how Micro Segmentation can be used to implement a Zero Trust zone also at the infrastructure level: securing the vSphere and server management environment.
We will also look back at this specific example of the JoomlaApp dev/test/prod, and how the APIC provides Day-2 operational tools built-in, at no extra cost, that greatly simplify the work of IT teams.
If that interests you, stay tuned in the next couple of weeks … 🙂
The Hamburg Port Authority (HPA) in Germany, a longtime Cisco customer, is already realizing the value of LoRa® technology. As part of its digital transformation strategy, the HPA deployed the 
