Cisco & Cisco Network Hardware News and Technology

Posts with #data center tag

What SD-Access Services Can Do for You?

September 20 2017 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco Technology - IT News, #IT, #Technology, #Cisco Certification - CCNA - CCNP - CCIE, #Data Center

What can Cisco Software-Defined Access (SD-Access) services do for you? Accelerate your journey to the new network with SD-Access services.

By automating day-to-day tasks such as configuration, provisioning, and troubleshooting, SD-Access reduces the time it takes to adapt the network, speeds up issue resolution, and limits the impact of security breaches. The result is simpler operations and lower costs.

The core components that make up the SD-Access solution are:

● Cisco DNA Center

● Cisco Identity Services Engine (ISE)

● Network platforms: see the compatibility matrix below

SD-Access use cases: building on these capabilities, SD-Access delivers the following business-driven use cases while reducing total cost of ownership. For each use case, "Details" lists what the solution does and "Benefits" lists what you gain.

Security and segmentation

Details:

● Onboard users with 802.1X, Active Directory, and static authentication

● Group users with Cisco TrustSec (security group tags)

● Automate VRF configuration (lines of business, departments, etc.)

● Traffic analysis using AVC and NetFlow, further enhanced by Encrypted Traffic Analytics (ETA)

Benefits:

● Reduced time to provision network segmentation and user groups

● Foundation to enforce network security policies

● Ability to detect and intercept threats at line rate (not samples) from the center to the last mile, including all devices on the network edge

User mobility

Details:

● Single point of definition for wired and wireless users

● Seamless roaming between wired and wireless

● Distributed data plane for wireless access

● Simplified guest provisioning for wired and wireless

Benefits:

● Management of wired and wireless networks and users from a single interface (Cisco DNA Center)

● Ability to offload the wireless data path to network switches (reduces load on the controller)

● Scalable fabric-enabled wireless with seamless roaming across the campus

Guest access

Details:

● Define specific groups for guest users

● Create policy for guest users’ resource access (such as Internet access)

Benefits:

● Simplified policy provisioning

● Time savings when provisioning policies

IoT integration

Details:

● Segment and group IoT devices

● Define policies for IoT group access and management

● Device profiling with flexible authentication options

Benefits:

● Simplified deployment of IoT devices

● Reduced network attack surface through device segmentation

Monitoring and troubleshooting

Details:

● Multiple data points on network behavior (syslog, statistics, etc.)

● Contextual data available per user and device

Benefits:

● Significantly reduced troubleshooting time

● Rich context and analytics for decision making

Cloud/data center integration

Details:

● Identity federation allows exchange of identity between campus and data center policy controllers

● Administrator can define user-to-application access policy from a single interface

Benefits:

● End-to-end policy management for the enterprise

● Identity-based policy enforcement for optimized ACL utilization

● Flexibility to enforce policy at the campus or at the data center

Branch integration

Details:

● Create a single fabric across multiple regional branch locations

● Use Cisco routers as fabric border nodes

Benefits:

● Simplified provisioning and management of branch locations

● Enterprise-wide policy provisioning and enforcement

 

SD-Access 1.0 Hardware and Software Compatibility Matrix

Each entry lists the platform and the minimum software release for its fabric role.

Fabric edge

● Catalyst 9300 Series Switches: IOS XE 16.6.1

● Catalyst 9400 Series Switches (Sup1): IOS XE 16.6.1

● Catalyst 3850 and 3650 Series Switches: IOS XE 16.6.1

● Catalyst 4500E Series Switches (Sup8E, Sup9E): IOS XE 3.10.0E

Fabric border and control plane

● Catalyst 9500 Series Switches: IOS XE 16.6.1

● Catalyst 3850 Series Fiber Module: IOS XE 16.6.1

● Catalyst 6807-XL Switch (Sup6T, Sup2T): IOS 15.4(1)SY2

● Catalyst 6500 Series Switches: IOS 15.4(1)SY2

● Catalyst 6880-X Switch: IOS 15.4(1)SY2

● Catalyst 6840-X Switch: IOS 15.4(1)SY2

● Nexus 7700 Switch (Sup 2E, M3 line cards only): NX-OS 8.2(1)

● 4000 Series Integrated Services Routers: IOS XE 16.6.1

● ASR 1000 Series Aggregation Services Routers: IOS XE 16.6.1

● Cloud Services Router (CSR) 1000V (control plane only): IOS XE 16.6.1

Subtended node

● Catalyst 3560-CX Series: IOS 15.2(6)E

● Catalyst Digital Building Series: IOS 15.2(6)E

SD-Access wireless

● 802.11 Wave 2 access points (Aironet 1800, 2800 and 3800 Series): AireOS 8.5.103.0

● 802.11 Wave 1 access points (Aironet 1700, 2700 and 3700 Series): AireOS 8.5.103.0

● Cisco 3504, 5520 and 8540 Series Wireless Controllers: AireOS 8.5.103.0

Note:

● Wave 1 access points do not support the following functions when deployed for SD-Access: IPv6, Application Visibility and Control (AVC), and NetFlow.

● A device cannot act as fabric edge and fabric border at the same time.

● A device can act as fabric border and fabric control plane at the same time.

More information on Cisco Software-Defined Access is available here:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/solution-overview-c22-739012.pdf

More Related

The Business Benefits of Cisco SD-Access

Why Migrate to Cisco Catalyst 9300 Switches?

Why Migrate to the Cisco Catalyst 9400 Series Switches?

Why Migrate to Cisco Catalyst 9500 Switches?

The New Catalyst 9000 Switches Simplify IoT & Cloud Requirements

 


The Cisco DNA-Ready Products

August 16 2017 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco & Cisco Network, #Cisco Technology - IT News, #IT, #Technology, #Data Center

Cisco DNA is a solution that matters for your organization. Why? Because with Cisco DNA you get benefits like these:

  1. Innovate faster by delivering differentiated experiences through contextual insights
  2. Achieve greater business agility with faster network services provisioning
  3. Lower costs with reduced network installation time
  4. Reduce risk with faster threat detection
  5. Protect investment with license portability and access to ongoing innovations

Cisco Digital Network Architecture (DNA) is an open, programmable architecture that turns business intent into business results.

Most Cisco routers, switches and wireless systems shipping today support Cisco DNA now or with a software update. And with Cisco ONE™ Software, you can continue to protect your investments and benefit from new architecture innovations that can be activated through software.

The Main Cisco Digital Network Architecture Products and Solutions

Read more: Cisco DNA Products and Solutions

 

The Cisco DNA-Ready Products

The foundation for the Cisco Digital Network Architecture (Cisco DNA) is the network infrastructure itself: wired, wireless and routing platforms built around the DNA architecture.

With it, you can create and apply policies over the entire network with a few clicks and have the ability to diagnose past issues.

As data traffic is expected to grow exponentially, Cisco’s innovation with switching, wireless and routing provides a solid foundation that enables Cisco DNA.

You can roll out new services and applications more easily for the best possible experience with Cisco DNA. And policy compliance can be automated on a per-user-group basis.

Routing

The Cisco DNA-ready routing products combine two features that shorten the time it takes to deploy a branch office. With the Cisco Intelligent WAN (IWAN) application on APIC-EM, IT can automate the provisioning of multiple branch offices and provide intelligent path selection and application control, with minimal programming and customization. These capabilities simplify and streamline network operations, reducing costs and saving time.

Cisco DNA-ready router products:

• Cisco 4000 Series Integrated Service Routers

• Cisco ASR 1000 Series Aggregation Service Routers

• Cisco Cloud Service Router 1000v and Cisco Integrated Services Virtual Router

• Cisco Meraki MX

Switching

The Cisco DNA-ready switches are built on the Unified Access Data Plane (UADP) ASIC, a programmable forwarding ASIC designed for wired and wireless convergence. It enables converged wired and wireless access for operational simplicity and scale.

Cisco DNA-ready switching products:

• Cisco Catalyst 9000 family: Cisco Catalyst 9300, 9400 and 9500 Series Switches

• Cisco Catalyst 3650 and 3850 Series

• Cisco Catalyst 4500E Series + Supervisor 8E

• Cisco Catalyst 6500 Series + Supervisor 6T

• Cisco Catalyst 6800 Series

• Cisco Nexus 7700+M3 Card

• Cisco Meraki MS

Wireless

A feature unique to Cisco Aironet access points is Flexible Radio Assignment (FRA). FRA lets an access point change a radio’s role automatically (for example, turning the 2.4 GHz radio into a second 5 GHz radio or a monitor radio) based on RF conditions and client load, so the network adjusts when client surges occur.

Cisco DNA-ready wireless products:

• Cisco Aironet 3800 Series

• Cisco Aironet 2800 Series

• Cisco Aironet 1800 Series

• Cisco 8540 Wireless Controller

• Cisco 5520 Wireless Controller

• Cisco Meraki MR

Learn more: Cisco DNA for Mobility, for Switching, and for Routing

Cisco Aironet Access Points Transition Guide

See What's Possible with Cisco Wireless Products

 

Learn More

With Cisco DNA You can…

Cisco DNA is a Game Changer for the Digital Era?

The New ISR 4221, the New Cisco DNA-Ready Platform

When You Buy Cisco ONE…

The New Cisco IOx and Fog Applications


New Catalyst 9000 Switches for a Changing World

July 11 2017 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco Switches - Cisco Firewall, #IT, #Technology, #Data Center, #Cisco & Cisco Network, #Cisco Technology - IT News

Cisco switches are constantly learning, constantly adapting, constantly protecting in your data center, core, or edge.

This is the new era in networking. The Network. Intuitive.

Now here comes the Cisco Catalyst 9000 Series.

Cisco’s new Catalyst 9000 switches, switching for a changing world, constantly adapt to help you solve new challenges.

  • Their integrated security helps you address ever-changing threats.
  • They simplify management of your evolving mobility, Internet-of-Things (IoT), and cloud requirements.

There are three series in Catalyst 9000 family:

Catalyst 9300 Series: The Catalyst 9300 Series is our top fixed-access enterprise network switch series, stacking to 480 Gbps.

Catalyst 9400 Series: Cisco’s leading modular-access switches for enterprise, the Catalyst 9400 Series supports up to 9 Tbps.

Catalyst 9500 Series: The Catalyst 9500 Series is the industry’s first fixed-core 40-Gbps switch for the enterprise.

The following questions and answers cover the new Catalyst 9000 Series in more detail.

Cisco Catalyst 9000 network features and services (common to all Cisco Catalyst 9000 Switches)

Q: What feature sets do the Cisco Catalyst 9000 Switches support?

A: The Cisco Catalyst 9000 Series Switches package their features into Essentials and Advantage licenses. The features in each package are listed in the product data sheets.

Q: What programmability capabilities are available on the Cisco Catalyst 9000?

A: The Cisco Catalyst 9000 opens a completely new paradigm in network configuration, operation, and monitoring through network automation. The Cisco automation solution is open, standards-based, and extensible across the entire network lifecycle of a network device.

• Device provisioning: Plug-and-Play (PnP), Zero-Touch Provisioning (ZTP), and Preboot Execution Environment (PXE)

• Configuration: Model-driven operation through open Application Programming Interfaces (APIs) over NETCONF, Python Scripting

• Customization and monitoring: Streaming telemetry

• Upgrade and manageability: In-Service Software Upgrade (ISSU), patchability, and config/replace

Q: What management capabilities are available for the Cisco Catalyst 9000?

A: You can manage it using the Cisco IOS Software command-line interface (CLI), Cisco Prime® Infrastructure 3.1.7 DP13, Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), the onboard Cisco IOS XE Software web user interface (WebUI), Simple Network Management Protocol (SNMP), or NETCONF/YANG.

Q: Is there an onboard web GUI on the Cisco Catalyst 9000?

A: Yes. An onboard web GUI is available.

Q: What is the purpose of the blue beacon LED on the Cisco Catalyst 9000?

A: The blue beacon LED is common across the Cisco Catalyst 9000 Series Switches to simplify the operations. It makes chassis identification easier when several such switches are mounted on racks. A remote administrator can enable the LED to blink to help the local operator quickly locate the chassis. The local operator presses the mode button to acknowledge.

Q: What is the maximum number of VRF instances that I can configure on a Cisco Catalyst 9000?

A: The maximum number of VRFs that you can configure on a Cisco Catalyst 9000 is 256.
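The following Python script is an added example, not code from Cisco or from the original post. It ties together the programmability answer above (model-driven configuration over NETCONF/YANG) and the 256-VRF limit: it builds the NETCONF <get-config> request a client would send to a Catalyst 9000 once `netconf-yang` is enabled on the switch, and parses the reply against the Cisco-IOS-XE-native model to count configured VRFs and report the remaining headroom. The YANG path native/vrf/definition/name, the VRF names and both sample replies are assumptions constructed for the example; no transport is included, so it runs offline.

```python
"""Audit VRF definitions on a Catalyst 9000 over NETCONF/YANG.

Added example (not code from Cisco or the original post). Builds the
<get-config> RPC a NETCONF client sends to an IOS XE switch once
`netconf-yang` is enabled (NETCONF over SSH, TCP 830) and parses the reply
against the Cisco-IOS-XE-native model to count VRF definitions against the
256-VRF limit quoted in the Q&A. The YANG path native/vrf/definition/name
and both sample replies are assumptions; nothing here was captured from a
switch. Transport (for example ncclient) is left out so it runs offline.
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"  # assumed model namespace
MAX_VRFS = 256  # platform limit quoted on the page

ET.register_namespace("nc", NC_NS)
ET.register_namespace("native", NATIVE_NS)


def build_vrf_get_config(message_id: int = 101) -> str:
    """Return a <get-config> RPC whose subtree filter asks only for native/vrf.

    Filtering server-side keeps the reply small; pulling the whole running
    config from a large campus switch is slow and returns far more than the
    audit needs (and more than a read-only audit account should be handling).
    """
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": str(message_id)})
    get_config = ET.SubElement(rpc, f"{{{NC_NS}}}get-config")
    source = ET.SubElement(get_config, f"{{{NC_NS}}}source")
    ET.SubElement(source, f"{{{NC_NS}}}running")
    flt = ET.SubElement(get_config, f"{{{NC_NS}}}filter", {"type": "subtree"})
    native = ET.SubElement(flt, f"{{{NATIVE_NS}}}native")
    ET.SubElement(native, f"{{{NATIVE_NS}}}vrf")
    return ET.tostring(rpc, encoding="unicode")


def parse_vrf_reply(reply_xml: str) -> list[str]:
    """Extract VRF names from an <rpc-reply>, failing loudly on <rpc-error>.

    A reply can carry <rpc-error> instead of <data> (bad filter, AAA denial).
    Treating that as "zero VRFs" would make the audit pass silently.
    """
    root = ET.fromstring(reply_xml)
    errors = root.findall(f"{{{NC_NS}}}rpc-error")
    if errors:
        msgs = [e.findtext(f"{{{NC_NS}}}error-message", "unspecified") for e in errors]
        raise RuntimeError("NETCONF rpc-error: " + "; ".join(msgs))
    path = f".//{{{NATIVE_NS}}}vrf/{{{NATIVE_NS}}}definition/{{{NATIVE_NS}}}name"
    return [el.text.strip() for el in root.findall(path) if el.text]


def vrf_headroom(names: list[str], limit: int = MAX_VRFS) -> dict:
    """Summarise VRF usage against the platform limit (duplicate names counted once)."""
    used = len(set(names))
    return {"used": used, "limit": limit, "remaining": limit - used,
            "over_limit": used > limit}


# Constructed sample reply (three VRFs), shaped like an IOS XE get-config reply.
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="101">
  <data>
    <native xmlns="{NATIVE_NS}">
      <vrf>
        <definition><name>CORP</name><rd>1:100</rd></definition>
        <definition><name>IOT</name><rd>1:200</rd></definition>
        <definition><name>GUEST</name><rd>1:300</rd></definition>
      </vrf>
    </native>
  </data>
</rpc-reply>"""

# Constructed error reply, e.g. the NETCONF user is not authorized for the request.
SAMPLE_ERROR_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="102">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>access-denied</error-tag>
    <error-message>access denied</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_vrf_get_config())
    names = parse_vrf_reply(SAMPLE_REPLY)
    print(names, vrf_headroom(names))
```

In production the RPC travels over NETCONF-over-SSH with a client such as ncclient, and the account it authenticates as should be restricted by AAA to read-only operations; the <rpc-error> check is what turns an authorization failure into a visible audit error instead of a false "zero VRFs" result.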

Q: What is Cisco’s direction for wireless?

A: Cisco believes that the best solution for a wired or wireless network is achieved when integrated into SD-Access, Cisco’s lead architecture for the next-generation enterprise network. This solution delivers consistency with wired infrastructure around policy, segmentation, orchestration and automation, and assurance. This new architecture delivers the best experience for mobility, guest, IoT, multicast services, and overall network performance with its distributed data plane and centralized control-plane architecture.

Q: What wireless support is provided with the Cisco Catalyst 9000 platforms?

A: Cisco Catalyst 9000 products are instrumental in supporting the following wireless capabilities in the SD-Access architecture:

• Connect access points and integrate them into the SD-Access fabric. The switch integrates with the fabric control plane (LISP), thereby providing reachability for the access points and clients in the fabric.

• Deliver macro (VRF) and micro (Scalable Group Tag, or SGT, group-based) segmentation to the access points to deliver end-to-end policies.

• Can terminate guest VXLAN traffic, so there is no need for a dedicated guest anchor controller.

At launch, wireless support is provided with AireOS 8.5 running on a Cisco 8540, 5520 or 3504 Wireless Controller appliance, with the Cisco Catalyst platforms functioning as fabric edge and fabric border nodes.

 

Q: What are the SD-Access wireless capabilities?

A: The new Cisco Catalyst 9000 Series switches provide a complete campus solution together with Cisco AireOS controllers and Wave 2 access points.

Q: What are the advantages of integrating wireless in the SD-Access fabric architecture?

A:

• Highest performance and scale: Distributed data-plane forwarding in hardware across the network, paired with the large control-plane scale of the dedicated controller appliances.

• Best guest: You don’t need a dedicated guest anchor controller in the Demilitarized Zone (DMZ): Traffic is sent directly to the fabric border to exit the fabric. Also, there is no sub-optimal traffic forwarding such as from an access point to a foreign controller and on to a guest anchor controller.

• Best mobility: IP addressing is simpler; there is one subnet for the entire wireless SSID across the network, and no hairpin of traffic when roams occur.

• Simple operation: Operation is simple because wired and wireless are treated the same and operated together; they have common policies and controller-based automation.

• Wired innovations applied to wireless: First-hop security innovations available for wired can also be applied to wireless; for example, Dynamic ARP Inspection (DAI), IP Source Guard (IPSG), and DHCP Snooping.

• Segmentation across wired and wireless:

-The virtual network now passes all the way to wired as well as wireless devices.

-This segmentation is important for separation of certain devices from others, such as IoT and building automation devices connected over wireless.

-It is also important for security: it reduces the attack surface, because someone who gets into a segment can move only within that segment, and only as far as the group-based policy allows.

-Because segmentation is handled by the fabric, the number of SSIDs can be limited.

• Best multicast:

-The solution offers the best performance of distributed replication in hardware across the network.

These switches truly deliver the best of wired and wireless together.

 

More Related

The New Catalyst 9000 Switches Simplify IoT & Cloud Requirements

Why Migrate to the Cisco Catalyst 9400 Series Switches?

http://www.router-switch.com/Price-cisco-wireless-ap-cisco-wlan-controller_c60


What Changes We can Expect from Cisco in 2017

June 13 2017 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco News, #IT, #Data Center, #Technology, #Cisco Technology - IT News

What can customers of all kinds expect from Cisco in 2017? In the following article, Zeus Kerravala (founder and principal analyst of ZK Research, where he provides tactical advice to clients on the current business climate) lists the main things users and clients can expect from Cisco in 2017.

  • Cisco will take a chunk of the security market. The security market is easily the most fragmented of all of the IT submarkets. It’s currently a $75 billion market, with no single vendor having anywhere close to double-digit share. Cisco, in particular, has fumbled around in security for years with different initiatives and architectures that have been ineffective.

    Times are different today. As I pointed out in an earlier post, Cisco has never been positioned better in the security industry, and the company is finally using its greatest asset—its dominance in the network—to create tangible differentiation. Look for 2017 to be the year it breaks away from the competition and takes a chunk of the security share.
  • Cisco breaks away in collaboration. Collaboration at Cisco has had its ups and downs over the past few years, but the company is now pointed in the right direction. Spark was launched as a Slack-like team collaboration tool, but in actuality, it’s much more than that. It’s a fully integrated cloud, hardware and software experience that can deliver seamless, easy-to-use experiences on a mobile phone, desktop or meeting room. Expect Cisco to continue to innovate around Spark and create its next wave of growth in collaboration.
  • The data center gets a shot in the arm with an acquisition. The Unified Computing System (UCS) carried the data center business unit at Cisco for years. Recently, though, the growth of the product has slowed. In fact, this past quarter saw the data center revenue fall 3 percent.

    UCS is a great product, but the compute industry is shifting to hyperconverged infrastructure (HCI). Cisco’s current offering, HyperFlex, is an OEM from SpringPath, and channel feedback has been that they would prefer Cisco to own the product rather than OEM it. The OEM allows Cisco to dip its toe in the water, and in 2017 Cisco will jump in with both feet by acquiring SpringPath, which will stimulate data center growth.
  • Expect Cisco to focus on analytics. When one thinks of analytics, the name Cisco is rarely top of mind. However, analytics is becoming a core component of Cisco’s strategy. Not only is it at the core of the recently announced Tetration product, but it is also fundamental to the company’s differentiation in security, Internet of Things, network operations and collaboration. Expect to see Cisco do more analytics on more network data to differentiate its offering from the many smaller competitors that can’t match its footprint.
  • Cisco will push its engineer base to learn new skills. Markets transition. That’s a fact. And when they do, the engineers who work with the technology need to change their skills. Most vendors don’t see the transition, won’t admit it’s happening or don’t want to upset their engineer base by forcing them to change. And that always ends up being a disaster.

    Think of engineers who worked with mainframes, Token Ring, TDM voice, SNA and other trends. Most are gone, as are the vendors that sold the stuff.

    One of Cisco’s competitive advantages is its huge base of engineers, many of whom are steeped in the way networking was done. Based on my discussions with Cisco executives, including Jeanne Dunn, who runs Cisco’s learning group, I believe Cisco wants to disrupt its engineer base and have them learn new skills—such as automation, data sciences, programming and business skills. Some won’t like the changes to the certification requirements, but the fact is Cisco engineers need to start developing skills for the digital era.
  • Executive churn will slow down. Since Robbins took the helm, there has been a steady churn at the executive level, including Kelly Ahuja, Rob Soderberry and the famed “MPLS” group—just to name a few.

    I believe Robbins’ team is set now. And while there might be the odd departure here and there, this is the team he’s going to run with.

    One question I’ve been asked is if the company would replace the recently departed CTO Zorawar Biri Singh. I believe engineering is in the best hands they can be under the co-leadership of Rowan Trollope (IoT and applications) and David Goeckeler (networking and security), and the structure will stay as is. Get used to the faces at the top; they should be sticking around for a while.

One thing that will remain the same at Cisco is the company’s commitment to changing the world. Cisco’s former CEO, John Chambers, had a great desire to have Cisco make the world a better place. As I pointed out earlier this year, Robbins has picked up the Corporate Social Responsibility (CSR) ball and is running with it faster than ever.

The world is becoming increasingly digitized, and many of the digital enablers—such as IoT, cloud and mobility—are network centric. The coming year presents Cisco a great opportunity to flex its enormous networking muscles and move into the next wave of growth.

Original article: http://www.networkworld.com/article/3148784/lan-wan/what-to-expect-from-cisco-in-2017.html

More Cisco News and Reviews

Cisco-Brand Leader Awards Voted By IT Pros in 2016

Migration to Cisco NGFW

With SDN It can Help You Unify…

The Latest Cisco Nexus 9000 Innovations

Cisco’s Next Generation Storage Networking Innovations

The Most Common NGFW Deployment Scenarios


Cisco ASA FirePOWER Management Options

May 26 2017 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #IT, #Technology, #Data Center, #Cisco & Cisco Network, #Cisco Switches - Cisco Firewall

In his book Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP, Omar Santos covers the design of Cisco ASA with FirePOWER Services in detail.

The following excerpt is from the section on Cisco ASA FirePOWER management options.

There are several options available for network security administrators to manage the Cisco ASA FirePOWER module. The Cisco ASA FirePOWER module provides a basic command-line interface (CLI) for initial configuration and troubleshooting only. Network security administrators can configure security policies on the Cisco ASA FirePOWER module using either of these methods:

  • Administrators can configure the Cisco Firepower Management Center hosted on a separate appliance or deployed as a virtual machine (VM).
  • Administrators can configure the Cisco ASA FirePOWER module deployed on Cisco ASA 5506-X, 5508-X, and 5516-X using Cisco’s Adaptive Security Device Manager (ASDM).

Figure 1 shows a Cisco ASA with FirePOWER Services being managed by a Cisco Firepower Management Center (FMC) in a VM.

Figure 1: Cisco ASA with FirePOWER Services Managed by a Cisco Firepower Management Center

In Figure 1 the Cisco Firepower Management Center manages the Cisco ASA FirePOWER module via its management interface. The following section provides important information about configuring and accessing the Cisco ASA FirePOWER module management interface.

Accessing the Cisco ASA FirePOWER Module Management Interface in Cisco ASA 5585-X Appliances

In the Cisco ASA 5585-X, the Cisco ASA FirePOWER module includes a separate management interface. All management traffic to and from the Cisco ASA FirePOWER module must enter and exit this management interface, and the management interface cannot be used as a data interface.

The Cisco ASA FirePOWER module needs Internet access to perform several operations, such as automated system software updates and threat intelligence updates. If the module is managed by the Firepower Management Center, the FMC is the one that needs to have Internet access to perform those tasks.

Figure 2 shows an example of how you can physically connect the Cisco ASA FirePOWER module management interface to be able to reach the Internet via the Cisco ASA interface.

Figure 2: Cisco ASA 5585-X FirePOWER Module Management Interface

In Figure 2, the Cisco ASA 5585-X has two modules:

  • A module running Cisco ASA software
  • A module running FirePOWER Services

The Cisco ASA is managed via the interface named management 0/0 in this example. This interface is configured with the IP address 192.168.1.1. The Cisco ASA FirePOWER module is managed via the interface named management 1/0, configured with the IP address 192.168.1.2. The Cisco ASA FirePOWER module is being managed by a virtual Cisco Firepower Management Center. Both interfaces are connected to a Layer 2 switch in this example.

NOTE: You can use other cabling options with the Cisco ASA FirePOWER module management interface to be able to reach the Internet, depending on how you want to connect your network. However, the example illustrated in Figure 2 is one of the most common scenarios.

In order for the Cisco ASA FirePOWER module management interface to have an Internet connection, the default gateway of the Cisco ASA FirePOWER module is set to the Cisco ASA management interface IP address (192.168.1.1 in this example). Figure 3 illustrates the logical connection between the Cisco ASA FirePOWER module management interface and the Cisco ASA management interface.

Figure 3: Cisco ASA FirePOWER Module Management Interface

Accessing the Cisco ASA FirePOWER Module Management Interface in Cisco ASA 5500-X Appliances

In the rest of the Cisco 5500-X appliances, the management interface is shared by the Cisco ASA FirePOWER module and the classic Cisco ASA software. These appliances include the Cisco ASA 5506-X, 5506W-X, 5506H-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, and 5555-X appliances.

Figure 4 shows a Cisco ASA 5516-X running Cisco ASA FirePOWER Services.

Figure 4: Cisco ASA 5500-X FirePOWER Module Management Interface

In Figure 4, the management interface is used by the Cisco ASA FirePOWER module. The management interface is configured with the IP address 10.1.2.2. You cannot configure an IP address for this interface in the Cisco ASA configuration. For the ASA 5506-X, 5508-X, and 5516-X, the default configuration enables the preceding network deployment; the only change you need to make is to set the module IP address to be on the same network as the ASA inside interface and to configure the module gateway IP address. For other models, you must remove the ASA-configured name and IP address for management 0/0 or 1/1 and then configure the other interfaces as shown in Figure 5.

NOTE: The management interface is considered completely separate from the Cisco ASA, and routing must be configured accordingly.

The Cisco ASA FirePOWER module default gateway is configured to be the inside interface of the Cisco ASA (10.1.2.1), as illustrated in Figure 5.

Figure 5: Cisco ASA 5500-X FirePOWER Module Default Gateway

If you must configure the management interface separately from the inside interface, you can deploy a router or a Layer 3 switch between both interfaces, as shown in Figure 6. This option is less common, because you still need to manage the ASA via the inside interface.

Figure 6: Cisco ASA 5500-X FirePOWER Module Management Interface Connected to a Router

In Figure 6, the Cisco ASA FirePOWER module default gateway is the router labeled R1, with the IP address 10.1.2.1. The Cisco ASA’s inside interface is configured with the IP address 10.1.1.1. The Cisco ASA FirePOWER module must have a way to reach the inside interface of the ASA to allow for on-box ASDM management. On the other hand, if you are using FMC, the Cisco ASA FirePOWER module needs to have a way to reach the FMC.
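The following Python check is an added example, not code from the book or from the original post. It encodes the addressing rules the three deployments above share: the module's default gateway is the ASA interface it routes through (management 0/0 on a 5585-X, the inside interface on a 5500-X), the module address sits on that interface's network, and the two addresses must not collide. The Figure 6 variant, where a router is the module's gateway and the ASA inside interface is one hop away, is handled with via_router=True. The /24 prefix lengths are assumed; the figures give addresses only.

```python
"""Pre-deployment sanity check for FirePOWER module management addressing.

Added example (not from the book or the original post). Validates a planned
module management address, gateway and ASA interface against the rules the
text gives for the 5585-X (separate management interface) and 5500-X (shared
management interface) deployments, plus the router-in-between variant.
Prefix lengths (/24) are assumed; the figures show addresses only.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class ModuleMgmtPlan:
    model: str                 # informational, e.g. "ASA5585-X"
    module_ip: str             # FirePOWER module management address, CIDR form
    module_gateway: str        # default gateway configured on the module
    asa_ip: str                # ASA interface the module routes through, CIDR form
    via_router: bool = False   # Figure 6: a router is the gateway; ASA inside is a hop away


def validate_plan(plan: ModuleMgmtPlan) -> list[str]:
    """Return a list of findings; an empty list means the plan matches the text."""
    findings = []
    mod = ipaddress.ip_interface(plan.module_ip)
    gw = ipaddress.ip_address(plan.module_gateway)
    asa = ipaddress.ip_interface(plan.asa_ip)

    # The gateway must be reachable on the module's own subnet, and must not
    # be the module itself or the module's address reused for the ASA.
    if gw not in mod.network:
        findings.append(f"{plan.model}: gateway {gw} is not on the module network {mod.network}")
    if gw == mod.ip:
        findings.append(f"{plan.model}: gateway equals the module address {mod.ip}")
    if mod.ip == asa.ip:
        findings.append(f"{plan.model}: module address {mod.ip} collides with the ASA interface")

    if plan.via_router:
        # Figure 6: the router routes between the module network and the ASA
        # inside network; if both are the same network the extra hop is pointless.
        if mod.network == asa.network:
            findings.append(f"{plan.model}: via_router set, but module and ASA share {mod.network}")
    else:
        # Figures 2 to 5: the ASA interface itself is the module's gateway.
        if gw != asa.ip:
            findings.append(f"{plan.model}: gateway {gw} should be the ASA interface address {asa.ip}")
        if mod.network != asa.network:
            findings.append(f"{plan.model}: module network {mod.network} differs from ASA network {asa.network}")
    return findings


# Plans built from the addresses in Figures 2 through 6 (prefix lengths assumed).
PLANS = {
    "5585-X separate mgmt (Figures 2-3)": ModuleMgmtPlan(
        "ASA5585-X", "192.168.1.2/24", "192.168.1.1", "192.168.1.1/24"),
    "5516-X shared mgmt (Figures 4-5)": ModuleMgmtPlan(
        "ASA5516-X", "10.1.2.2/24", "10.1.2.1", "10.1.2.1/24"),
    "5516-X via router R1 (Figure 6)": ModuleMgmtPlan(
        "ASA5516-X", "10.1.2.2/24", "10.1.2.1", "10.1.1.1/24", via_router=True),
}


def audit_all(plans: dict = PLANS) -> dict:
    """Validate every plan; maps plan name to its list of findings."""
    return {name: validate_plan(plan) for name, plan in plans.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

The check deliberately refuses the Figure 6 addresses when via_router is not set: a module whose gateway is not the ASA interface, on a different network from it, will have neither Internet access for updates nor a path back to the inside interface for ASDM, which is exactly the failure the text warns about.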

Reference: http://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=3

More Related

How to Deploy the Cisco ASA FirePOWER Services in the Internet Edge, VPN Scenarios and Data Center?

The Most Common NGFW Deployment Scenarios

Cisco ASA with FirePOWER Services

How to Start a Cisco ASA 5585-X Series?


Introducing Cisco Software-Defined Storage Solutions

November 23 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Cisco & Cisco Network, #Technology, #IT, #Data Center

Storage plays an increasingly important role in the data center: from storing email messages and documents to saving business-critical information, intellectual property, and transaction details. As businesses become more connected, the old ways of storing and archiving data are changing to accommodate growing amounts of data and the demand for anytime, anywhere access to information.

Historically, IT organizations transitioned from systems with individual disk drives to storage arrays that allowed disk drives to be grouped together to form a larger area of capacity. When fast and easy access to more capacity was needed, storage area networks (SANs) and network attached storage (NAS) emerged to deliver capacity over the network. More recently, integrated systems and hyper-converged infrastructure have been added to networks to simplify resource acquisition and deployment and facilitate easy scaling. As companies try to balance storage access, performance, and cost, software-defined storage is becoming more popular, taking this evolution a step further.

Software-defined storage is the next phase of server virtualization technology, moving beyond virtual machines to virtual data stores. It combines industry-standard x86-architecture servers that are optimized for direct-attached storage (DAS) with a distributed software abstraction layer. This intelligent software transforms systems into a single, logical pool of cost-effective, scale-out storage resources that are easily integrated and managed within your data center.

Cisco Solutions for Software-Defined Storage

Our solutions provide the storage flexibility you need to support growing amounts of data and deliver fast access to information and innovation. You can choose from a variety of systems and expansion cards according to the capacity and performance needs of your users and applications. Our modular approach lets you:

• Reduce risk and complexity: You need confidence that your software-defined infrastructure will work right the first time. Cisco’s collaboration and validation with a large partner ecosystem of software vendors gives you a choice of proven solutions and reference architectures while helping your IT staff integrate storage innovation with your IT processes and business applications at low risk. As a result, you can easily procure the solution you need and accelerate implementation and deployment.

• Gain versatility: The Cisco Unified Computing System (Cisco UCS) portfolio offers a variety of server options for rightsizing your software-defined storage deployments. You can deploy Cisco UCS C-Series Rack Servers to support many common storage scenarios, and use Cisco UCS S-Series Storage Servers when you need highly scalable and available storage infrastructure (Figure 1).

• Scale on demand: You can scale the storage capacity, performance, and protocols used in your software-defined storage infrastructure at your pace and with a smaller increment of scale than with traditional large-scale storage solutions. With the flexibility to choose what to scale and when to scale it, you can start with a small configuration and expand to petabytes of capacity, and you can distribute I/O operations among servers to accelerate them.

• Improve the efficiency of your IT operations: Cisco UCS Manager provides the automation you need to be efficient. Role- and policy-based management makes it easy to deploy terabytes to petabytes of storage capacity in minutes. Cisco UCS service profiles and storage profiles extend these capabilities, allowing you to specify the ways that servers and disk drives should be identified, configured, connected, and used. You can configure hundreds of storage servers as easily as you can configure one, in a repeatable manner.

• Reduce vendor lock-in: Whether you need to support a remote or branch office or a large enterprise data center, our broad ecosystem of partners offers what you need. We work together to test, validate, and document joint solutions so that you can get your software-defined storage solutions up and running quickly and with confidence.

Cisco Solutions Deliver the Foundation for Software-Defined Storage Deployments

Target Environments

  • File, block, and object storage
  • Email servers
  • Collaboration environments
  • Video surveillance archiving
  • Content distribution networks
  • Data protection solutions
  • Private cloud storage

Next Steps Call your Cisco sales representative or authorized partner to find out how Cisco UCS solutions can help you create the best software-defined storage solution for your business and applications.

From https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/software-defined-storage-solutions/software-defined-solution.pdf



Configuring WCCP: GRE Redirection in WCCP Creates New Tunnel Interfaces

August 11 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Networking, #Data Center

The WCCP (Web Cache Communication Protocol) was initially designed as a component of IOS whose purpose was to intercept HTTP traffic traversing a router and redirect that traffic to a local cache, with the aim of reducing access times to web sites and conserving wide area bandwidth. Typically, the packets are redirected from their destination web server on the Internet to a content engine that is local to the client. In some WCCP deployment scenarios, redirection of traffic may also be required from the web server to the client. WCCP enables you to integrate content engines into your network infrastructure. With the introduction of WCCPv2, the scope of the protocol widened to include traffic types other than HTTP, allowing the protocol to be used as a more general interception mechanism. In WCCPv2, clients specify the nature of the traffic to be intercepted and forwarded to external devices, which are then in a position to provide services based upon the traffic type, such as WAN optimisation and application acceleration.

Cisco IOS Release 12.1 and later releases allow the use of either WCCP Version 1 (WCCPv1) or Version 2 (WCCPv2).

WCCP VRF Support

The WCCP VRF Support feature enhances the existing WCCPv2 protocol by implementing support for virtual routing and forwarding (VRF).

The WCCP VRF Support feature allows service groups to be configured on a per VRF basis in addition to those defined globally.

Along with the service identifier, the VRF of WCCP protocol packets arriving at the router is used to associate cache-engines with a configured service group.

The interface on which redirection is applied, the interface that is connected to the cache engine, and the interface on which the packet would have left if it had not been redirected must all be in the same VRF.

In Cisco IOS Release 12.2(33) SRE, this feature is supported only on Cisco 7200 NPE-G2 and Cisco 7304-NPE-G100 routers.

Configuring WCCP

Until you configure a WCCP service using the ip wccp {web-cache | service-number} global configuration command, WCCP is disabled on the router. The first use of a form of the ip wccp command enables WCCP. By default WCCPv2 is used for services, but you can use WCCPv1 functionality instead. To change the running version of WCCP from Version 2 to Version 1, or to return to WCCPv2 after an initial change, use the ip wccp version command in global configuration mode.

If a function is not allowed in WCCPv1, an error prompt will be printed to the screen. For example, if WCCPv1 is running on the router and you try to configure a dynamic service, the following message will be displayed: "WCCP V1 only supports the web-cache service." The show ip wccp EXEC command will display the WCCP protocol version number that is currently running on your router.

Using the ip wccp web-cache password command, you can set a password for a router and the content engines in a service group. MD5 password security requires that each router and content engine that wants to join a service group be configured with the service group password. The password can consist of up to eight characters. Each content engine or router in the service group will authenticate the security component in a received WCCP packet immediately after validating the WCCP message header. Packets failing authentication will be discarded.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip wccp version {1 | 2}

4. ip wccp [vrf vrf-name] {web-cache | service-number} [group-address group-address] [redirect-list access-list] [group-list access-list] [password password [0 | 7]]

5. interface type number

6. ip wccp [vrf vrf-name] {web-cache | service-number} redirect {out | in}

7. exit

8. interface type number

9. ip wccp redirect exclude in
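A worked configuration that walks through the summary steps above, added here as an example; it is not from the original post or from Cisco's documentation. It assumes GigabitEthernet0/0 faces the clients, GigabitEthernet0/1 faces a single content engine at 192.0.2.10, access lists 10 and 100 are unused, and WCCPPASS is a placeholder password.

```text
! Added example, not from the original post. Assumed topology: Gi0/0 faces
! the clients, Gi0/1 faces one content engine at 192.0.2.10; access lists
! 10 and 100 are free; WCCPPASS is a placeholder (at most eight characters).
!
! Step 3: the dynamic service (61) needs WCCPv2, which is also the default.
ip wccp version 2
!
! Limits on who may join the service groups and what gets intercepted:
!  - group-list 10: only this content engine may join the service groups
!  - redirect-list 100: only client HTTP traffic is redirected
access-list 10 permit host 192.0.2.10
access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq www
!
! Step 4: enable the services. The MD5 password must match on every router
! and content engine in the group; packets failing authentication are dropped.
ip wccp web-cache redirect-list 100 group-list 10 password WCCPPASS
ip wccp 61 group-list 10 password WCCPPASS
!
! Steps 5-7: intercept inbound on the client-facing interface. Where a
! dynamic service is applied depends on the content engine's design
! (assumed here: service 61 inbound from the clients).
interface GigabitEthernet0/0
 ip wccp web-cache redirect in
 ip wccp 61 redirect in
 exit
!
! Steps 8-9: traffic arriving from the content engine must not be
! redirected a second time.
interface GigabitEthernet0/1
 ip wccp redirect exclude in
 exit
!
! Check the running version and service groups afterwards with:
! show ip wccp
```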

Tunnel Interfaces

In IOS versions where WCCP is VRF aware, such as 15.0M and 15.1T, the use of GRE redirection will result in some new tunnel interfaces appearing. On the ASR platform these tunnel interfaces are also present from IOS XE release 2.5 onwards (although VRF support within WCCP on the ASR platform is not present until IOS XE release 3.1).

Examples of the new tunnel interfaces are shown below:

Router#show ip wccp summary
WCCP version 2 enabled, 3 services

Service     Clients   Routers   Assign      Redirect   Bypass    
-------     -------   -------   ------      --------   ------    
Default routing table (Router Id: 30.1.1.80):
web-cache   1         1         HASH        GRE        GRE       
61          1         1         HASH        GRE        GRE       
62          1         1         HASH        GRE        GRE       

Router#show ip interface brief | include Tun
Tunnel0                172.16.0.1      YES unset  up                    up     
Tunnel1                172.16.0.1      YES unset  up                    up     
Tunnel2                172.16.0.1      YES unset  up                    up     
Tunnel3                172.16.0.1      YES unset  up                    up     
Router#

The tunnels are created automatically to process outgoing GRE encapsulated traffic for WCCP. They appear when a cache engine connects and requests GRE redirection. They're not created directly by WCCP, but indirectly via a tunnel API. WCCP has no direct knowledge of these tunnel interfaces, but knows enough to cause packets to be redirected to them. This results in the appropriate encapsulation being applied, after which the packet is then sent to the cache engine. Note that these interfaces are not used in connection with incoming WCCP GRE return packets.

There is one tunnel created per service group that is using GRE redirection, plus one additional tunnel to provide an IP address to allow the other tunnel group interfaces to be unnumbered but still enabled for IPv4. Some information about the tunnels is shown with the command show tunnel groups wccp, although this is unlikely to be useful to the end-user other than to confirm the connection between the tunnels and WCCP.

Router#show tunnel groups wccp             
 WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel0, locally sourced
 WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel3, locally sourced
 WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   intf: Tunnel2, locally sourced
Router#show tunnel interface t0
Tunnel0
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 0 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t1
Tunnel1
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 172.16.0.1
   Application ID 2: unspecified
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t2
Tunnel2
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 318 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#show tunnel interface t3
Tunnel3
   Mode:multi-GRE/IP, Destination UNKNOWN, Source 30.1.1.80
   Application ID 2: WCCP : service group 317 in "Default", ver v2, assgnmnt: hash-table
   Linestate - current up
   Internal linestate - current up, evaluated up
Router#

Note that the service group number shown above is the internal tunnel representation of the WCCP service group number. Group 0 is the web-cache service; for dynamic services, subtract 256 to convert to the WCCP service group number. For interfaces used for redirection, the source address shown is the WCCP router ID.

Information relating to the connected cache engines and encapsulation, including software packet counters, can be seen with the command "show adjacency <tunnel-interface> ...":

Router#show adjacency t0              
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
Router#show adjacency t0 encapsulation
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
  Encap length 28
  4500000000000000FF2F7D2B1E010150
  1E0101520000883E00000000
  Provider: TUNNEL
  Protocol header count in macstring: 3
    HDR 0: ipv4
       dst: static, 30.1.1.82
       src: static, 30.1.1.80
      prot: static, 47
       ttl: static, 255
        df: static, cleared
      per packet fields: tos ident tl chksm
    HDR 1: gre
      prot: static, 0x883E
      per packet fields: none
    HDR 2: wccpv2
       dyn: static, cleared
      sgID: static, 0
      per packet fields: alt altB priB
Router#show adjacency t0 detail
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   4500000000000000FF2F7D2B1E010150
                                   1E0101520000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
Router#show adjacency t0 internal
Protocol Interface                 Address
IP       Tunnel0                   30.1.1.82(3)
                                   connectionid 1
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 28
                                   4500000000000000FF2F7D2B1E010150
                                   1E0101520000883E00000000
                                   Tun endpt
                                   Next chain element:
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
                                    parent oce 0x4BC76A8
                                    frame originated locally (Null0)
                                   L3 mtu 17856
                                   Flags (0x2808C4)
                                   Fixup enabled (0x40000000)
                                         GRE WCCP redirection
                                   HWIDB/IDB pointers 0x55A13E0/0x35F5A80
                                   IP redirect disabled
                                   Switching vector: IPv4 midchain adj oce
                                   IP Tunnel stack to 30.1.1.82 in Default (0x0)
                                    nh tracking enabled: 30.1.1.82/32
                                    IP adj out of Ethernet0/0, addr 30.1.1.82
                                   Adjacency pointer 0x4BC74D8
                                   Next-hop 30.1.1.82
Router#

For more information on configuring WCCP, please refer to the following document:

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/15-1mt/iap-wccp.html

Related Information

Common WAAS/WCCP issues on interactions with Security Devices

Troubleshooting Prepositioning on WAAS 4.1.1 and above

Topic from https://supportforums.cisco.com/document/60636/gre-redirection-wccp-creates-new-tunnel-interfaces
