Lessons in Deploying Security and Cloud with Cisco SD-WAN

Captions
Hi everybody. I know some of your faces. So, as Tom mentioned, I spent three years with Viptela, running technical marketing for Viptela. Obviously, since the acquisition in August last year, I'm now part of the Cisco SD-WAN technical marketing team, leading the team around solutions. Cisco SD-WAN is what we now call Viptela, so when you hear the term Cisco SD-WAN, don't be alarmed, don't think "what is it?"; it is basically the Viptela technology under the hood, plus we are obviously continuing to innovate and enhance that technology with the broader portfolio from Cisco. I'm going to touch on some of those points today.

All right, so I know you're not shy about asking questions, so I'm here for those questions, so keep them coming. We want to make sure that we're cognizant of time, so we'll try to address as many questions as we can, and anything that has a follow-up we'll follow up after the presentation.

So today I have three main topics for you, plus a recap. I don't know how familiar you are with SD-WAN, right, so I wanted to spend a short amount of time just setting the baseline, so you and the people watching online are aware of what Cisco SD-WAN is, what some of the fundamental principles of Cisco SD-WAN are, and how that solution is put together. Then we're going to talk about three topics. The first topic is of high interest: I've been here since Sunday and I've done three sessions, including an eight-hour tutorial, and the question that comes up repeatedly is what happens with Cisco SD-WAN and Cisco routers. So we're going to address that straight on, with a demonstration of how it works, right. The second topic we're going to talk about, which is also of high interest, is the secure branch. Security is very top of mind, and SD-WAN and security many times go hand in hand, so we want to make sure that we address that: how we do layered security in the branch, and the different security controls that you have in the branch when you run Cisco SD-WAN

and lastly, what also comes up all the time is the cloud. Everybody has a cloud project, everybody has an Office 365 project, or everybody's trying to go to AWS and Microsoft Azure. So the cloud story is very, very important, and SD-WAN is extremely cloud friendly, so we're absolutely going to talk about what it means for cloud adoption and the different types of clouds that are out there, right. So that's our agenda for today.

So, as I said, I'll start with a single slide just setting the baseline of what Cisco SD-WAN is. Just a quick show of hands: has anybody not heard about Cisco SD-WAN? Great. Okay, obviously I can't poll people online. So Cisco SD-WAN is a software-defined networking solution, and as a software-defined networking solution it has three tiers, like any traditional software-defined networking approach: data plane, control plane, management plane. So we're strictly following that methodology, that philosophy, right. So you have a layer of data plane, which you can think about as routers. They come in different shapes and forms: they can be the traditional Viptela appliances, which is what we call vEdges; they could be the upcoming Cisco ISR and ASR routers, right. So you have a choice of platforms here. They can also be physical or virtual, so you can deploy those as physical appliances or as virtual machines on top of any x86 platform. Cisco has an x86 platform called ENCS, and so you can deploy this on an ENCS, which is kind of like a, you know, server with management, or you can deploy that on top of any x86 platform that you want, as long as you run a supported hypervisor, which is ESXi and KVM. So you have that layer of data plane, and then you have the layer of control plane, which is what we call vSmart controllers. So everything north of here is cloud, right; everything south of here is branches, data centers, campuses, and potentially clouds. When we talk about the cloud you'll see how the data plane extends into the cloud as well, but

primarily anything that is north of that is cloud; anything south of that is primarily the on-prem deployment. And so what you have in the cloud is a layer of controllers, which we call vSmart controllers, and you have a layer of management that we call vManage. So vSmart and vManage are the control plane and management plane elements. Obviously we're not going to go into details of how they operate, but think about that as an intelligent control plane that runs between the routers and the vSmart controllers to distribute information around in regard to reachability, security context, policies and whatnot. The vSmart protocol, a single control plane protocol, we call OMP; it stands for Overlay Management Protocol. And then the management is vManage, just an operations tool that you can go into to tweak and change things: software upgrades, policies, templates, visibility, whatnot. Third-party applications or third-party automation tools can plug in through REST APIs, and obviously we expose a rich set of REST APIs; the vManage GUI itself is built on those APIs. And then you can have an optional layer of analytics on top of that, and that's an add-on element in the Cisco SD-WAN solution. It's not a mandatory element, but many of our customers opt for that, and it gives you further insight into the trends that run in your fabric. vManage is an awesome visibility tool, but it's not a trending and analytics tool; for that we separated it out into vAnalytics, right. So that's kind of the lay of the land, and then you have the connectivity into the SaaS and IaaS environments, which we're going to talk about. So that's just to set the baseline.

All right, so let's talk about the topics that we have for today, which is Cisco SD-WAN on the Cisco routers, right. So I'll have this slide kind of build. All the options in gray are available today, so you can run Cisco SD-WAN on a portfolio of the vEdge routers that range from 100 megabits per second of throughput all the way up to 20 gigabits
of throughput per individual device, encrypted. You can have them horizontally scalable, so you can go north of 20 gigs; some of our customers have really high-capacity data centers where they want to get 200 gigs and beyond of capacity in those data centers, and all of that is possible through horizontal scale. So you have one deployment model. The second deployment model that I mentioned is fully virtualized on ENCS or any x86 platform. The third model is to place those data plane elements into the cloud; today we support Microsoft Azure and AWS with automation, and we're going to talk about that. And that's the new one: you can't find it right now because it's not out yet, but it's a sneak peek, that's what we're coming up with next month, right, and that's the ability to run this entire intelligence on the Cisco router. So if you own one of these routers and it's a supported model (we're kind of gradually going into which models are going to be supported), but if you have a supported model the upgrade is as easy as doing a software upgrade. All right, great, and it only takes 15 minutes.

Okay, so I have a video here, so let me show you. Obviously we're not going to take 15 minutes, so it's fast-forwarding through quite a few steps; it actually takes only two and a half minutes, but I just wanted to have you see that it's not just smoke and mirrors, this is all working. Okay, so it starts off... what we're starting off with is we have a Cisco ISR 4K, I think it's a 4331 router, that had been loaded with this new image that is basically an SD-WAN image, and what we're doing now is we're going to boot that image. Right there, this system in here on top is the plug-and-play system, which you may also think of as zero-touch provisioning; back in Viptela days we called this zero-touch provisioning. So now zero-touch provisioning still works for the vEdge routers; for the Cisco platforms it's Cisco's plug-and-play, right. So I'll just let this thing run

and walk you through what's happening. So it's not necessarily what you would actually do in production, but just to show you sort of the art of the possible. We cleared all the configs, we rebooted the device, it's booting here. You can see that the device basically had been defined; it shows unreachable because it hasn't booted yet, and those hashes will show you how it boots, right. Then we can go through the menus of vManage and we can go into the templates, and you can see I've prepared a template for that device. You can see the type of the device is ISR in there; it's a little bit small, I hope you can make it out. And so it's a template that had been prepared for this device; when it boots it's going to become part of an SD-WAN fabric and inherit that config from the vManage, right. And here's the composition of the config; everything is through the graphical user interface, and there are lots of tweaks you can do in there, or you can just leave them default, right. So while we're talking the router is booting, right, and PnP redirection is happening, and you can kind of see some of those things in here that are happening as far as PnP is concerned. We can see the log of what happens on the PnP server; you don't necessarily have to look at that, but just so you know that PnP is doing its work to make sure that the router is bootstrapped with a proper configuration so it can talk to the management and controllers and eventually join the fabric, right. So, yeah, the status changes there into "redirection successful". We can see the count of the devices: if you remember there were 10, now it shows 11, and you can see the device is now reachable, yet the number of connections is zero, so it hasn't really fully come up yet. So it's been kind of connected to the management system, but the control plane hasn't fully come up. So the control plane continues coming up; you can already see messages here that we're talking to the vSmart controller: tunnel interface, vSmart controller, initialize,

initialization phase. So think about this: OMP is sort of this smart control plane protocol that behaves a little bit like a routing protocol, right. So we go through similar phases that the routing protocols would go through: establishing the connection, advertising things around, things like that. At the end of the day it becomes fully reachable, and one of these devices is actually the one, and I can go into the device dashboard. It shows me the inventory from that moment on: yes, it is a Cisco router; it is a fully SD-WAN appliance; you can see I can manage everything about that appliance from the vManage. So for any practical purposes I've turned this router into an SD-WAN appliance. It looks like a Cisco router, behaves as an SD-WAN appliance. And then there is a CLI that you can access, so we're not blocking and locking you out of a CLI. The CLI is still there for people who want to see under the hood what happens there, although all the operations happen from the GUI, so the CLI is mostly for curiosity and some deep-level troubleshooting. There's a fair amount of troubleshooting you can do straight from the GUI, but if you really need to get into the weeds then you can hop into the CLI and run some show commands. You cannot configure the device from the CLI; the CLI is locked for configuration once the device is managed by vManage. So many of those controls are in place to make sure that the device is fully compliant with what you're doing in the SD-WAN fabric.

So is this a version of IOS XE, or is this the Viptela code ported to the Cisco platform, some sort of hybrid of the two?

This is IOS XE in its foundation, um, but it's not the entirety of IOS XE; it's selective services from IOS XE that are compatible with SD-WAN, um, and then the Viptela services are sort of ported over on top of this IOS XE foundation. So you have a bit of a hybrid of an IOS XE foundation and some of the IOS XE services, and side by side you have the Viptela services. It's all integrated. Those
different services are not running in a container or something; it's fully integrated into the image, it's an inherent part, an integral part, of the image itself.

But this isn't just a feature that gets added to an existing IOS XE image? Like, no, you're choosing one or the other?

Absolutely.

They're going to run it as a traditional router, as IOS XE, or they're going to run it as a Viptela image, which is going to have a subset of features from...

You're absolutely right. Now, yes, when you load the new code you are making a decision that this device is no longer a Cisco router running IOS XE; it's a Cisco router running the SD-WAN image. It doesn't mean that you lose all of the features, but it does mean that not every feature you had before is supported day one. So yes, there are certain things that are not going to be supported day one, so you sort of, quote-unquote, lose some of the features, then you gain SD-WAN features, and then we are bringing back some of those features at a later point based on the roadmap.

Is the goal of that roadmap full feature parity, or is it going to be some level of parity? Well, I think IOS XE has like 2,000 features or so, so I just, I think, you know, using an ISR as a router has a lot of different potential purposes; that's the world right now, yes: use it as a voice gateway, you can use it as a firewall, you can use it as a VPN endpoint for, you know, other things, right. So knowing which features are there is important; knowing which features are going to be integrated, and knowing which features probably aren't going to be integrated, I think matters, that matters a lot.

That's absolutely right. Some of the features you sort of lose from the traditional routing standpoint, but you get an equivalent feature on the SD-WAN front. For example, security: you had zone-based firewall in the traditional world, but now guess what, we have zone-based firewall in SD-WAN, so it's the same zone-based firewall, it just runs in a different image, right. So you're not necessarily

losing features; some of those features you actually transfer from IOS XE into the SD-WAN image, and obviously you get a whole lot of new features from the SD-WAN world. But yes, you're absolutely right, you have to be kind of mindful of some of those things when you deploy the image.

So from a pain-point perspective, can you tell us any of the features that aren't going to be available day one that people might have an issue with?

The most painful, quote-unquote, feature that I see being frequently asked about is voice. So for people that are used to doing things like SRST, that is not an immediate feature next month. So we don't have enough time to talk about how you address those things, but there are different ways you can address that: whether it's a two-box solution, which is a fully featured ISR 4K and side by side a vEdge, for example, which is the SD-WAN, so it's a two-box solution, not very elegant, I would agree. The second option: you can have this virtualized, so you can have a physical machine which is the x86 server and two virtual machines on top of that, one full-featured IOS XE, one SD-WAN, a little bit more elegant, still two elements to manage, but at least one physical platform. So that is if you're asking for this today; if you are planning ahead, then the roadmap will help you. Along the same lines, we were also tracking a lot of interest in things like SIP. So people who have been running SRST and have this traditional approach think that if I had been doing this in my traditional world, I must be doing that in the SD-WAN world. That doesn't really transfer like that, right. So if you have SRST you might want to ask around; there may be a SIP project happening, and if it's a SIP project it's all about IP connectivity, and we'll give you awesome IP connectivity, right, with QoS, application rerouting, all the controls that SD-WAN gives you, and you move away from that. So it's a bit of a loaded

conversation, but in essence you're right: when you make the switch, be cognizant of what you're getting and what you may not be getting day one. All right.

Before we move on, someone asked about the vEdge? Yes. So that's the product that came over as part of the acquisition, a hardware product. Has Cisco made commitments about how long they're going to support vEdge? So if you buy today, you can buy a vEdge; I think there's some hesitancy around jumping in on that if Cisco's not going to give a lifecycle and how long that's going to last.

Yeah, it's a legitimate question, right; we get asked that question as well, right: what's the future of the vEdge? And so I can answer you this: there are no plans right now to announce any end-of-sale or end-of-life of any one of the vEdge platforms. You know, every hardware has a certain lifecycle, and Cisco always stands behind its products, so if at any point it becomes announced as end-of-sale, you have the traditional Cisco lifecycle of supporting that hardware.

So Cisco is committing to that, it'll have the same lifecycle? Absolutely. No horizon? Once it does get announced... Absolutely, yes. So even in case it gets announced X amount of years from now, you still have the years of support ahead of you. So I wouldn't take that as an inhibitor or something.

That's a good answer. Okay.

All right, cloud. So let's move into the clouds, and I call this multi-cloud because there are different clouds out there, right. So we'll start with SaaS, right. So as I mentioned in the beginning, there is SaaS, there's IaaS, all right. So if we talk about SaaS, what is SaaS? So this is kind of a traditional look at what SaaS applications look like in today's data centers or today's environments. You have your wide area network, traditional remote offices, data centers, some regional data centers, campuses, whatnot, and then you have your cloud applications. So those cloud applications, the most popular are listed here; Office 365 is by far the most popular
one. Everybody has an Office 365 project, so it's like there's no... you can almost assume that people have an Office 365 project even before they answer the question. And so Office 365 is really pervasive there, but there are others too: there's, you know, Dropbox and Salesforce, Google Apps; these are all kind of applications people are exploring, right. So the idea is, those applications, they're cloud. What is cloud? Cloud is internet. So the question is, where is my internet, right? And if I decide where my internet is, then I can engineer around what's the best way to connect to the internet. So many of the engineers are kind of struggling with this: what should I do? Is it direct internet access straight from the branch office? Is it a backhaul through my data center, which is obviously the least preferred one? Is it some regional breakout I can do through regional data centers and regional hubs? So you have options, right, and really the question becomes, as you transition many times from an on-prem infrastructure to a cloud infrastructure, how do you choose the best-performing path given the fact that you have a variety of them? And that's exactly what we tried to innovate, and what we call it is cloud on-ramp. It's a functionality, it's a set of features that we have, and they extend both to SaaS and IaaS.

So we start with SaaS. So again, here's the typical SD-WAN implementation: you have the offices, you have a remote site, and you have two ISP connections in here, right. You have two ISP connections, which means there are two ways to get to the cloud; the question is which one is better. Okay, so in a normal way you would have to have some sort of a tool that goes and monitors those, then mostly you would have a human going and changing some routing configuration to make sure it fails over, and if it changes again somebody goes and fails it over again. Maybe you have some automation tool that does that, so some scripting, but in any case it's hard, it's not easy. So what we do is we fully

automate that. We start doing what we call quality probing, which is basically we simulate a client connection. So what would a client do? It would initiate a DNS request and an HTTP connection; that's exactly what we do. We initiate DNS requests, we resolve where the login to Office 365 is, we initiate HTTP requests, we measure performance, we collect it, we collect it for ISP 1 and ISP 2, and we make a decision which one is better. ISP 1 is good right now, awesome, route over ISP 1; ISP 1 degrades, ISP 2 is better, send it over ISP 2. So the logic is not that complicated, yet it's fully automated: you set it up once, there are certain configuration steps you go through, and let it run and it just does its job.

So this is the first scenario that we see, people with multiple ISPs at the branch office. The second scenario may look like this: I have a single ISP at the location, but then I have a different site that has its own internet connection. So wouldn't it be nice if the system were to figure out that I can go locally, but I can also do this backhaul through the fabric to get to the remote location and exit from there? Now, what would be the situation where that becomes interesting? If your local ISP is having a bad day and your local loop is not working well, that will degrade the performance; but then the other side has a different local loop, maybe it has a different ISP, right, but for sure it has a different local loop. The same issue that your local ISP is experiencing may not be relevant for the other location. So I can't just compare ISP 1 to ISP 2, because I have the fabric in between, so we have a composite metric. We say: how much will it cost you in terms of loss and latency to get from this side to this side; plus we combine the metrics that we've calculated through the quality probing. Combine the two, and that is the cost for me to get out through MPLS and ISP 2; compare that to the local ISP, make a routing decision which way is better. Conditions change, awesome:

conditions can change in the ISP network; conditions could also change in the fabric. We will detect both; in the fabric we use different mechanisms, but we also detect those conditions in the fabric. So whatever changes in here, is it the single leg of ISP 1, or is it any one of the legs from MPLS and ISP 2, everything is accounted for. So we will make sure that we route the traffic over the best-performing path, and if there are changes, reroute. No administrative intervention is needed for that, and that's the cool part, the automation around it. Your questions on this? Go ahead.

Internet... thank you for warning me. The internet edges, are they... do you define them, or do you just use any potential internet connection?

Yeah, I will show you. Okay, and you have full control; you don't just sort of let it run wild and do whatever. You define which application, which site, which interface, and even more, we haven't touched it yet, but which VPN is the client going to be connected from. Okay, so full control over probing the proper performance for that application, for the proper site, in the proper VPN. So all of that is making sure that we can get a reading as close to what the client would get, because that's what we're after: you want to make sure what the client will experience.

The second question: are the applications predefined, or are they definable? The question comes all the time. Today, um, it is not definable and it is predefined by us. We have about a dozen and a half of the most popular SaaS applications, and we have a whole list of applications we want to enable. And there is a reason why we don't allow you to just choose an arbitrary one: it has to do with the fact that some of those applications are a little bit complicated. You open the first connection, then there are all sorts of redirects happening, so we want to make sure that when we make a routing decision it's deterministic, and some of those applications would not really be fully compatible with this type
of routing. You may think you're getting good behavior, but you're actually not. So that's why we kind of lock it down and say you can't just define an arbitrary IP address or URL and go monitor that. And while on the topic of monitoring, we also give you a score of how that particular internet exit is behaving as far as access to this application is concerned, and it's a score from 1 to 10, kind of like for the administrator to keep an eye on this.

Okay, so I'll do a very brief demo... and that's not what I wanted to open here. All right, so this is the vManage, that's the graphical user interface. If I go into the configurations there's something called Cloud Express; it's kind of an older name for cloud on-ramp, so we'll rename it, but for now think about this as the cloud on-ramp for SaaS. If you're looking for that in the product, this is where it's at. And you can see applications that had been enabled; for, I can say, you know, Office 365 here, the three exits, I can see that score about how that is performing as far as loss and latency is concerned. If I wanted to add a new application, I can go to manage applications, add application, then I can select, let's say, Oracle, select which VPN I want this to be in, sort of things like that, right. So that's the extent of the administrative work that goes in; I have to go through a couple more steps to define which sites I'm on, which interfaces I want to connect through, so a couple more clicks away, you wrap it up, save, done. After you're done, it will take a couple of minutes for the system to sort of figure out the performance; you'll get a graph like this, and then you can always come back here to see how it's doing. Do you have to come here? Not really; if it's doing its job, just let it run. Many of our customers just basically set it up once and forget about it.

Yeah, it's a good question, and because it's internet we don't want to be sort of overly aggressive, because again we want to be deterministic. And so what I

can tell you is that the action that is taken on this system is something in the order of minutes, two minutes, three minutes, something like that; we do it in averages and stuff like that, right. As far as overhead, it's minimal, as you can imagine: if we're polling every couple of minutes, then, you know, it's really small requests, right. So yes, do not expect this feature to be instantaneous, right, because at the end of the day it's internet and things are kind of flaky. The other reason we don't want to do that very frequently, and that was kind of an interesting thing, you may be able to guess why that is: if you poll something too frequently, what will they say about you? Exactly. So the last thing we want is for somebody to say, hey, these guys are just DoSing me, and start doing some blocking and disconnecting that site. So that's the reason we want it to be a little bit more cautious: first, it's internet and things are changing, and second, we didn't want the cloud service providers to detect that you're doing something funny with them.

Are you doing anything besides just, like, a ping response? Are you actually crafting a data frame or packet that would look like something from Box or Dropbox?

No, we're not doing anything like that; we're not trying to replay a certain sequence or things like that. No, we're basically just trying to check the front door of the service. So if something really happens behind the scenes, after you've gone through the front door and started doing some crazy looping within the CSP's network (normally it doesn't happen; those guys are responsible when they design their networks, so usually it doesn't happen), but we will not try to... we won't prompt you for your credentials: "give us your Office 365 credentials so we can log into your mailbox and check it out all the way." That would be a little bit too intrusive into your privacy, right.

And now for IaaS. What we're after is this: this is a typical way that infrastructure as a service is connected today. You have

the remote sites, campuses, you have the data center, you have tunnels, IPsec tunnels, that go to those cloud service providers, right. So what we want to do is we want to say, when we transition to SD-WAN, we want to make sure that those cloud destinations are treated exactly as any other SD-WAN site, right, because SD-WAN is smart, and this is a compute environment. If I have some resources here and I run my SD-WAN code, why can't I run my SD-WAN code in here? I cannot put anything in Office 365, that's... I don't have control over that, but I can put something in AWS and Microsoft Azure. The question is how can I automate it, and that's exactly what we're doing. So imagine this is your starting point, and the next slide is going to show AWS... sorry, Microsoft Azure is going to look exactly like that. Okay, I realized I have a small error in here: it says VNet when it should say VPC, okay, I should have fixed that. Okay, so imagine this says VPC. So you have your host VPCs; those existed before you deployed SD-WAN, those are there right now. The question is, I want to plug them into my SD-WAN fabric, so what do I have? I have vManage; that's my starting point for administration. So I will go into vManage and I launch a configuration wizard. What does that configuration wizard do? It asks me a bunch of questions and goes to work, and you take a 15-minute break. So what happens in those 15 minutes? In those 15 minutes we instantiate a new VPC, and we call this a gateway VPC; we grab two virtual routers from the marketplace and place them inside the gateway VPC; we instantiate a VGW on the existing host VPCs, because the script will ask you which host VPCs you would like to connect to; we'll instantiate the VGW; we run standards-based IPsec on it, and BGP; and we will redistribute BGP into OMP, which is the Overlay Management Protocol, to make sure that those BGP routes land in OMP; we will advertise a default route through BGP into the host VPCs. Quite a lot of
steps that you could do manually, but you'd be working really hard, and we'll take you there, hey, in 15 minutes. If you've ever operated these environments you know that it takes forever. And your SD-WAN fabric, it's a little bit light in here, but your SD-WAN fabric basically gets extended all the way to the doorstep of those host VPCs. The only thing between your gateway VPC and the host VPCs is just the network, the AWS network; it's the only thing in here, something that is on the order of milliseconds of connectivity between the host VPCs and the edge of your SD-WAN fabric. All of that is fully automated: just run through the script, answer a couple of questions, VPCs are onboarded. We're showing two, but we have customers who do this for hundreds. We show one gateway; you can have horizontally scalable gateway VPCs, so think about this in terms of scalability: I can really massively extend this into those cloud providers through this automation and make sure that I rope all of those host VPCs into the SD-WAN fabric. Now I'll let the next slide build out, because you're going to see it's exactly the same; we do exactly the same for Microsoft Azure. Are we going to do it for other cloud providers? Yes. Today it's automated for these two because that's where we see the most interest, and you can guess who the third one is going to be. Things like ExpressRoute and Direct Connect, that I showed you in a previous slide, that's something that can come after, so we don't include that in this automation because it's a little bit more customized to your own needs, but yes, you can plug in ExpressRoute from Microsoft or Direct Connect from AWS, and you can have diversity in connectivity: you can have internet and an MPLS transport blending on your gateway VPC. It's a really cool way. Both of those on-ramp options, for SaaS and IaaS, are extremely popular.

I know we're going a little bit over time, for the last ten minutes, but are you guys okay? Right, you asked questions along

the way, so we don't have to take the last ten minutes for it, right? Okay. All right, I'll skip this slide, but that's kind of the notion of it; that's what we're trying to get to: your fabric connects to the cloud, any cloud. All right, the last one we want to look at... and I'll skip the demo because it will take some time to operate it, but there are videos online that we have created that actually show you that, and most of the smart stuff actually happens under the hood, so the wizard itself is nothing but next, next, next, next; it takes about three minutes to complete.

The secure branch. So security in the branch today is primarily around positioning the firewalls, and if you have an MPLS network, doing VPNs in your MPLS network; that's pretty much the extent of branch security that people have today, right. Do I put a firewall in every branch, and do I do segmentation over VPNs, and I'm bound to an MPLS service, so lacking things like transport independence? If I'm going to SD-WAN, because SD-WAN is promising transport independence, none of that exists here. I have backhaul latency if I have my centralized firewalls. So all of those things are like the artifacts of the traditional networking approach, and security bolted on top of the networking. So our idea is to take this and sort of create a tighter integration. The way we do that is through a layered approach, so different controls that you have. So the first control you have is VPN segmentation. So a VPN is not a tunneling technology; in our terms, VPN is a segmentation technology, so one VPN cannot talk to another VPN. They run in the same tunnel, but they're just being separated, so voice traffic is not mixing with PCI traffic, which is not mixing with patient record data, things like that. So different verticals have different use cases behind how VPN segmentation occurs, but that's VPN segmentation. Then within the context of a VPN we can have individual controls; we can have
an application firewall through the use of a deep packet inspection we can have a stateful zone based firewall through the use of the zone based firewall we can even impact dedicated firewalls and I'm going to show you how it's done through service insertion which means keep your traditional firewalls service insert them into an SDN fabric so you have things that you can do in the sd1 fabric your traditional security controls that can be service inserted into the fabric and if you're going to the cloud use cloud security all right so that's kind of very typical for for organizations to look at that layers of VPNs plus security controls on a per VPN basis now segmentation is pretty straightforward it's basically just that right so I have VPNs which are think about those as VR F's in a Cisco world but this is not just vrf it's gonna be a reference steroids it's it has much more than routing table virtualization it does it it has to do with policies as well and things like that so it's a very powerful term but that segmentation that exists on the same device obviously things that belong to different VPNs don't talk across the network things that belong to different VPNs don't talk so if you have voice traffic you want to separate voice traffic again from PCI traffic great from IT systems traffic grid all of those can be different VPNs they don't talk they don't mix their own mix on the land side because you put in different VLANs why would the mix on a website so that's the philosophy extended segmentation into the when into the when as well so segmentation is pretty a pretty straightforward from that from that standpoint now if you're looking about providing stateful security so yes I have those VPNs but what happens if I'm in the same VPN so can i still inspect things in the same VPN yes for that we have those controls that I mentioned right inside the context of VPN you can enable zone based firewall you can enable application firewall which means match on a 
certain signature drop that signature don't allow the traffic to go out so these are the controls you can have even within the context of VPN and you have multiple VPNs you can have each one of those VPNs either have those controls or not have those controls so as you can see it's kind of like peeling an onion it's very granular that I can say this type of traffic is mapped to this VPN and then this VPN is going to be subjected to these controls right now so that's all great because that's built in into the fabric the question is what if I have my traditional firewalls firewalls ids/ips appliances what do I do with those so first thing I can put them where they tradition the world which is at the every branch but that may run into issues of you know administrative points and things like that so what we advocate is why don't you do service insertion why don't you take your firewalls and just sprinkle them around when when I mean sprinkle them around connect them in some regional locations regional hubs and do a service insertion to say that if in the VPN which otherwise would be unprotected why don't you take traffic in this VPN and swing it by a service so I can have one VPN with zone based firewall another VPN with zombies firewall and Application Firewall a third VPN with service inserted firewall a fourth VPN just segmented no security just segmented from the rest of it so you can see it's really powerful when you have the security controls and they're separated on a per VPN basis and each the traffic that lands in that VPN gets subjected to those controls and lastly what is over my interest is when you go to the cloud right so you remember we talked about how easy it is to onboard into the cloud the question is how safe it is to go to the cloud all right so because that device is now exposed to the cloud you can still have those zone based firewall and application firewall controls again you're trying to go to the cloud stateful security zone based firewall 
gets you and gets it to the cloud be that a Cisco umbrella or we also support the third-party right so the same level of controls that operate within the VPN in your fabric can also apply to the traffic that goes out of this VPN into the wild wild Internet and hits the in hits the cloud right and if you want to do inspection in a cloud great you can have a VPN that gets inspection in the cloud like that lastly we have a sort of a barrier of denial of service protection on the device itself because if you're going to the cloud that means you have a direct internet access if you have a direct internet access that means you open sort of a door for potential attacks you want to make sure the infrastructure itself is protected so think about this is a barrier that protects the device itself from somebody trying to try to launch an attack against the device trying to melt down the CPU or things like that okay I know it's been a lot and maybe that's why you've been quiet but it's kind of like weekly recap of what they've done 15 minutes if you're doing software upgrades in place and you and you and you and with you end up with an SDN appliance which was your Cisco ice or ASR now it's an SDN appliance the upgrade takes about 15 minutes a better user experience for SAS applications because you're able to because you're able to route based on an actual performance towards the assess applications right and choose the best the best performing path automatically extend into the IAS environments because you have that script that runs in that cloud on-ramp that basically just in a matter of 15 minutes or so 15 to 30 minutes will complete its run and have your fabric fully resident inside the inside the cloud inside the public cloud and this layered security which may not be over high interest to everybody but at some point everybody needs security right and that's that's why this layered approach and security through VPN segmentation as sort of the basic thing but then building 
on top of that VPN segmentation with zone based firewall Application Firewall DDoS protection cloud security all of those things are in the administrators toolkit to be able to secure the traffic that goes over over the fabric or just goes to the cloud I'm done question so in all that I may have covered it but I may have not heard it sure um so at a branch office if I want local breakout for workday and whatever else this zone Bay is the zone based firewall that allows that to happen just go out rather than backhauling it to a regional hub or actually it's a it depends if you want connectivity plus security if you just want connectivity and you want to make sure that it's it's so there's two approaches first don't care just spray out send it direct internet access don't care about performance right great that's like the default right the second one is I actually care about performance right so let me go let me go into cloud on-ramp for SAS when I start monitoring applications in steering traffic based on their performance and that may end up di a regional backhoe datacenter whatever the system comes back with after it's figured out the performance numbers so first one was don't care second one was the intelligence of probing and routing accordingly now if you want to have security on top of that then you can enable zombies firewall is it a requirement no but you can enable zone based firewall for that very same traffic they won't really collide with each other right one is intelligent steering another one is security you need sort of both
Info
Channel: Tech Field Day
Views: 32,881
Rating: 4.9202657 out of 5
Keywords: Tech Field Day, TFD, Tech Field Day Extra, TFDx, Cisco Live US, Cisco Live, CLUS, CLUS18, Cisco, Jeff Foster, Cisco Intersight
Id: qeCXCEYHT4g
Length: 42min 36sec (2556 seconds)
Published: Wed Jun 13 2018