EBOOK. Top Five Ways To Enhance Your Cisco Environment

Transcription

1 EBOOK Top Five Ways To Enhance Your Cisco Environment Rev. A, January 2014

2 2

3 Table of Contents The Secrets You Will Want To Know... 4 Five Ways to Say Eureka!... 4 The Top Five at a Glance... 4 The Cisco Data Center: A Rich Vein of Productivity Not all switches are created equal. Store-and-forward vs. cut-through Make sure you re SEC(ure) Don t lose sight of the gems SLA yourself Netflow is your friend

4 The Secrets You Will Want To Know When it comes to Cisco technology, most of us have wondered if we could do more to get the most out of our investments. Are we aware of all the hidden gems advantages tucked away within the architecture that could put us ahead of the game with relatively little effort? Five Ways to Say Eureka! Recently, I delivered a talk at Cisco Live in which I presented the Top Five efficiency gems that can be a real bonanza for your Cisco investment. I ll share those configuration and design tips here for using Cisco technology to the utmost in monitoring and security. In addition, I ll discuss ways to use access switching and built-in Cisco features more effectively. Finally, I ll cover key points to consider in relation to data center operation, interconnect and security. The multitiered Cisco data center is at the heart of today s computational power, volume storage and sophisticated applications. The Top Five at a Glance 1. Not all switches are created equal. Store-and-forward vs cut-through. Choose the right switch architecture and boost your efficiency. 2. Make sure you re SEC(ure). Using MACsec (IEEE 802.1AE) protocol to provide switch-port-level encryption. 3. Don t lose sight of the gems. Achieve virtual visibility without the overload penalty. 4. SLA yourself. Use built-in IP SLAs to benchmark and monitor the health and performance of your network. 5. Netflow is your friend. Learn it. Use it. Support it. The Cisco Data Center: A Rich Vein of Productivity The multitiered Cisco data center is at the heart of today s computational power, volume storage and sophisticated applications. It represents the leading edge of progress and potential in scalability, performance, flexibility and maintenance/management. Naturally, efficient planning is key for resilience, agility and investment value. 4

5 By investing in Cisco, you ve staked your claim to the future of virtual computing. Now let s mine those gems to strike it rich in optimizing your investment. 1. Not all switches are created equal. Store-andforward vs. cut-through. Choose the right switch architecture and boost your efficiency. Today, you have your choice of two switching categories: 1) store-and-forward; and 2) the newer cut-through switching, which is increasingly popular for high-speed, low-latency applications. But which one is ideal for you depends on several factors. Store-and-forward switching accepts the complete frame into the switch buffers for error checking before forwarding on to the network. Cut-through switching reads only the destination MAC address (the first six bytes of the frame following the preamble) to determine the switch port to forward traffic to. With store-and-forward switching, the LAN switch copies the entire frame into its onboard buffers and computes the cyclic redundancy check (CRC). The frame is discarded if it contains a CRC error or if it is a runt (less than 64 bytes including the CRC) or a giant (more than 1518 bytes including the CRC). If the frame contains no errors, the LAN switch looks up the destination address in its forwarding, or switching, table and determines the outgoing interface. It then forwards the frame toward its destination. Cut-Through Switches Reduce Latency in the LAN A cut-through switch reduces latency because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface even before the entire payload is received. The primary advantage of this approach lies in the amount of time the switch takes to start forwarding the packet (known as switch latency), which is on the order of a few microseconds, regardless of packet size. So, if latency issues are foremost for you, then cut-through switches will give you a better night s sleep. If latency issues are foremost for you, then cut-through switches will give you a better night s sleep. Let s take a theoretical application using 9000-byte frames. A cut-through switch can forward the frame a few microseconds to a few milliseconds earlier than its store-andforward counterpart (a few microseconds earlier in the case of 10-Gbps Ethernet). Cutthrough switches are naturally more suited to extremely demanding, high-performance computing (HPC) applications that require process-to-process latencies of 10 microseconds or less. When Cut-Through Switching Is Not the Ideal Approach Certainly, store-and-forward switching delays the time it takes for the frame to get from source to destination. That s because it waits to forward a frame until it has received the entire frame and checked it for errors, comparing the last field of the datagram against its own frame-check-sequence (FCS) calculations. So that additional time is spent ensuring that the packet is purged of physical and data-link errors. Invalid packets are dropped, whereas a a cut-through device would simply forward them on. Also, a store-and-forward switch can perform ingress buffering for the flexibility to support any mix of Ethernet speeds. 5

6 For Cisco, advances in ASIC design and other progress now enable cut-through functions that are much more ingenious than in the past. With better load balancing abilities and other functions, Cisco switches, such as the low-latency Cisco Nexus 5000 or Cisco Catalyst family, can perform low-latency switching while still preserving the inspection advantages of store-and-forward switching. So now you can make an informed decision as to whether store-and-forward switching is worth the delay. In financial services and other HPC applications, where speed is of the utmost importance, you probably want to reduce latency to the lowest possible level by using the cut-through approach: Enterprises that employ HPC include: When it comes to protecting data in motion, there aren t too many solutions. Oil and gas exploration Automotive and aerospace manufacturing Biosciences Financial data mining and market modeling Academic and government research Climate and weather simulation 2. Make sure you re SEC(ure). Using MACsec (IEEE 802.1AE) protocol to provide switch-portlevel encryption. When it comes to protecting data in motion, there aren t too many solutions. Using encryption is considered one of the better methods to protect data but often requires installations of client applications. MACsec to the Rescue The MACsec protocol provides a method to encrypt data between two layer 2 points between the different network switches without requiring an additional server application or changing the whole infrastructure to IPV6. MACsec lets you encrypt data communications between a switch and any attached device most importantly communication on wired LANs. The protocol is the brainchild of the Institute of Electrical and Electronics Engineers (IEEE). Known as Security Standard 802.1AE. MACsec is the only reliable way of ensuring data integrity when it comes to independent media access Cisco provides switch-port-level encryption based on IEEE 802.1AE (MACsec) that spans the network from endpoints to the access layer and all the way to the data center. Data encryption uses the 128-bit Advanced Encryption Standard (AES) cipher. Encryption lets you block man-in-the-middle attacks, snooping, and other forms of network intrusion and compromise. Layer 2 encryption can be implemented between an endpoint device and an access switch, or between switch ports. 6

7 MACsec, Cisco, and Net Optics: a Triple Compliance and Security Solution MACsec is probably the best prescription on the market for CSO and CIO peace of mind. In a landmark Cisco Live demo in Cisco s own booth, visitors could see in real time just how effectively Cisco s new MACsec software protects the confidentiality of network LAN traffic. In MACsec-enabled switches, packets are encrypted on exiting the transmitting device and decrypted on entering the receiving device. They are in the clear only when they are within the respective devices. To prove the point, Net Optics HD8 Fiber Taps passively gathered data on the connections, sending transmissions to Net Optics Director xstream Pro, which collected and displayed the data clearly in its user interface. The difference was dramatic: Unencrypted data from the non-macsec machine, a Cisco 3500 switch, clearly revealed its types and protocols, an irresistible vulnerability to malicious intrusion. But the MACsec-protected data flowing from Cisco 6500 switches was impenetrable and unreadable. Cisco Catalyst and Nexus Switches: Cisco Catalyst 2900, 3560, 3700, 4500, and 6500 Series Switches and Cisco Nexus 7000 Series Switches interact with network users for authentication and authorization. Access to the network is dictated by policy, user identity, and other attributes. Flexible authentication methods include 802.1X, web authentication, and MAC authentication bypass, all controlled in a single configuration for each switch port. Furthermore, Cisco switches can tag each data packet with user identity information so that additional controls can be deployed anywhere in the network. Cisco Nexus switches also support MACsec for data-in-motion confidentiality and integrity protection. 3. Don t lose sight of the gems. As adoption of virtualization gains momentum, data centers worldwide are building out their virtualized components. Achieve virtual visibility without the overload penalty. As adoption of virtualization gains momentum, data centers worldwide are building out their virtualized components. The growing adoption of hypervisor technologies creates monitoring, security, and compliance challenges as a result of virtual networks, switches and machines. Several solutions exist to improve manageability and visibility of virtual systems. Nexus 1010 Virtual Services Appliance: One of Cisco s hidden gems Cisco Nexus 1010 VSA is an optional appliance that can provide improved management and scalability in Cisco Nexus 1000V Switch and VMware vsphere deployments. The Cisco Nexus 1000V can be deployed exclusively as software running in a VMware vsphere cluster; Cisco Nexus 1010 VSA provides customers with an additional deployment option, allowing administrators to completely offload management functions handled by the Cisco Nexus 1000V Virtual Supervisor Module (VSM). This approach gives administrators improved scalability and availability for the VSM. 7

8 Cisco Nexus 1010 VSA offers impressive benefits: A dedicated appliance for VSMs simplifies the overall design and management of the VMware vsphere cluster by moving the VSMs off the VMware hosts. Eliminating the dependency on VMware means that networking services are no longer dependent on the VMware server s being up and running, which can be helpful during scenarios such as data center restarts. Because the Cisco Nexus 1010 VSA runs Cisco NX-OS and VSMs are now being installed on the VSA instead of on a VMware vsphere server, the network operations team is working in a familiar environment and gets a total Cisco installation experience. The automatic support of active-standby VSMs improves overall system availability. But Cisco s switch doesn t provide the same level of visibility as a true network Tap. So the question becomes, how do you achieve the 100 percent visibility that you need for compliance and security purposes? Cisco s switch doesn t provide the same level of visibility as a true network Tap. Phantom Virtual Tap to the Rescue for Total Inter-VM Visibility Penalty-Free Net Optics groundbreaking Phantom Virtual Tap was engineered to monitor traffic going through the Cisco virtual switch using Nexus 1000v. The key to this advantage is visibility: Phantom enhances network visibility, including inter-vm traffic monitoring, without suffering from the inherent limitations of hypervisor Span ports. This makes it an ideal security and compliance resource that: Delivers 100 percent visibility of traffic passing between VMs on hypervisor stacks Supports best-of-breed hypervisors and virtual switches Integrates seamlessly with the hypervisor at the kernel level Eliminates promiscuous probes or counterintuitive shaping and routing Bridges virtual traffic to physical monitoring tools Net Optics Phantom Virtual Tap protects records and transactions from malicious intrusion while documenting compliance with regulations such as Payment Card Industry (PCI) standards and SOX-404. Virtualization presents a new, unique set of challenges for auditors needing visibility of virtualized as well as physical data. This makes the Phantom Virtual Tap a welcome resource. Whether the concern is passing encrypted credit card numbers between infrastructures, monitoring derivatives, or conducting other complex transactions, the Phantom Virtual Tap keeps data isolated, secure and verifiable. 4. SLA yourself. Use built-in IP SLAs to benchmark and monitor the health and performance of your network Cisco IOS IP Service Level Agreements, known as IP SLA, is a hidden gem built into most Cisco devices that deserves more widespread knowledge and use than it has been getting. This important component is a network s best friend, letting you measure and benchmark 8

9 performance, identify issues and alert when you re going off standard benchmarks. The value is self-evident. A network engineer may need to evaluate a design or evaluate a QoS approach. It s a natural for helping troubleshoot the network. And with its focus solely on performance metrics, IP SLA helps confirm new business-critical IP applications and IP services that utilize data, voice, and video, in an IP network. Cisco has augmented traditional service level monitoring and advanced the IP infrastructure to become IP application-aware by measuring both end-to-end and at the IP layer. With Cisco IP SLA, you can verify service guarantees, increase network reliability, proactively identify network issues, and increase Return on Investment (ROI) by streamlining deployment of new IP services. Cisco IP SLA uses active monitoring to generate traffic in a continuous, reliable, and predictable manner an important resource for measuring network performance and health. 5. Netflow is your friend. Learn it. Use it. Support it. I ll bet all of you have Netflow and I ll also bet that most of you are not using it to its full extent or gaining full benefit. Surprisingly few people know how to get the most out of this unique technology, qualifying it as a bona fide hidden gem. This is surprising because it shines very brightly, particularly for security and compliance purposes. Netflow is a feature of Cisco IOS software that monitors packet flows across a router. It identifies protocol elements used and extracts packet content and metadata for analysis of data relationships and communications patterns. With Netflow, you can monitor a particular IP address so as to actually see where that address originated, where it ended, and how long it took to get there and back. For Service Providers this information is critical in billing customers for differentiated services or QoS. Another benefit is that Netflow ties into superb public domain tools you can use in any size deployment. I ll bet all of you have Netflow and I ll also bet that most of you are not using it to its full extent or gaining full benefit. So why should Netflow be a hidden gem? Maybe it s merely perceptions that prevent users from taking advantage of all it has to offer such as the it s difficult to deploy perception. Not so! Your Netflow vendor can help, as well as ensure that you have Netflow Version 9 with its free tools to enhance your Cisco investment. Cisco s suite of virtual data center offerings is growing. The launch of such products as the Nexus 1000V and the VN-Link means that thousands more organizations can now utilize Cisco solutions to support their data center virtualization plans. But even as virtualization soars, stringent regulations proliferate and threaten to clip the productivity and competitiveness wings of companies lacking intelligent access and monitoring solutions. Virtual Visibility Plus Netflow Eases Compliance and Security Tasks Now you can take Netflow-generated network statistics, and integrate them with Director xstream Pro for almost unlimited compliance visibility. Net Optics is the only company capable of providing the enterprise-level reliability in monitoring and access demanded by Cisco s Data Center 3.0 environments. 9

10 The Phantom solution enables faster and broader adoption of virtualization technologies concurrent with Cisco s advances across organizations worldwide. Net Optics Is a Close Fit, Now and in the Future, with Cisco s Vision Net Optics solutions work hand-in-glove with Cisco products to deliver monitoring and access capabilities to Cisco s Data Center 3.0 environments and beyond. Right now, by providing total visibility of data and traffic running through Cisco s Virtual Infrastructure solutions including VN-Link with Cisco Nexus 1000V the Net Optics Phantom Virtual Tap is a vital resource for compliance, security and management in your Cisco environment. This tight integration helps to fortify Cisco s multi-tier data center vision and spur faster, broader adoption of virtualization technologies in organizations worldwide. Find out more about how Net Optics helps you put the Top Five to work in your Cisco environment. visit or contact Net Optics at (408) About the Author Sharon Besser, VP of Technology, Net Optics Inc. Sharon Besser has successfully created, developed and launched new security products for some of the industry s leading technology vendors. Before joining Net Optics he served as Vice President of Product Strategy for application data security and compliance leader, Imperva. Previously, he served at Websense, a leading provider of the content filtering and web security solutions, where he was director of products. At Websense, Besser was primarily responsible for Content Protection Suite, which was recognized by independent research firm, Gartner as the market leader. Prior to Websense, Besser was director of products at PortAuthority Technologies, a provider of information leak prevention solutions which was acquired by Websense. Besser also served as director of Security Solutions for security vendor Check Point Software Technologies. Earlier in his career, Besser founded PubliCom, a provider of integrated data security and communications solutions, which was acquired by COMSEC. Besser holds a BSC in Mathematics, Computer Science and Geography from Bar Ilan University in Israel. 10

11 11

12 EBOOK Ixia Worldwide Headquarters Agoura Rd. Calabasas, CA (Toll Free North America) (Outside North America) (Fax) Ixia European Headquarters Ixia Technologies Europe Ltd Clarion House, Norreys Drive Maidenhead SL6 4FL United Kingdom Sales (Fax) Ixia Asia Pacific Headquarters 21 Serangoon North Avenue 5 #04-01 Singapore Sales Fax Rev. A, January 2014