The FlightChops team reaches 100K Subs!

Many of you know I am good friends with Steve Thorne from www.flightchops.com, and also know his amazing YouTube channel located HERE.

I want to take this moment to congratulate Steve and his team for reaching 100K subs; as of this writing he is actually at 107K. This has been an amazing story about someone who was passionate about a topic and took that online in his own way. People attacked Steve a lot in the beginning, and even now, for posting the mistakes, troubles and pitfalls of learning to fly, but the truth is that is what made his channel popular.

Sponsors have taken note, big names like Bose and ForeFlight among them, and have put some support behind Steve. Even with the big-name support he still receives a significant contribution from Patreon (including me), and he never forgets those who got him here, running many contests for everything from Bose Aviation headsets to a San Juan Islands Adventure trip!

Content is king – bottom line – and Steve and his team of editors and videographers have amassed a ton of content, going from publishing twice monthly to sometimes four times per month. Steve continues to do this his way, and sponsors do not impose on content. His “day job” of video and media production has brought a significant professional flair and production quality to his episodes, and that production quality has been steadily increasing.

Will this ever reach “Mainstream” television? You mean YouTube isn’t mainstream? It would appear to me that the likes of “Outdoor Network” are, sadly, only interested in fake shows auctioning off storage units.

So if you are a private pilot, or just an airplane nerd like me, go and check out his humble little channel and I promise you will learn something along the way. As Steve says, “Keep your Flight Chops Sharp!”

Congrats again Steve on your channel’s success!


Cisco dCloud Team Releases SD-Access V2

The Cisco dCloud team has released SD-Access V2 lab which includes DNA Center.

Due to the dCloud environment being so popular you may need to wait until later this week to get your hands on it, but the good news is, it delivers. Many have been asking about getting their hands on DNA Center. This is a BETA, so following the lab guide is advisable or things may not work; keep in mind it isn’t actually programming real switches in the back end.


Well it is here, and you get to set up a new network, deploy SSIDs, and build policy. Right now this is just a DNA Center demo walk-through. You will get the chance to design, provision and build policy in the live demo. DNA Assurance (NDP, or Network Data Platform) is not available at this time.

The team was quick to get this demo in our hands, so go out there and get your hands on DNA and see how intuitive you think it is.


Cisco Announces “The Network. Intuitive.”

With content courtesy of Cisco Systems

Last year I broke down Cisco DNA – Digital Network Architecture in an article called “Beyond Marchitecture”, because quite frankly it was a ton of marketing with little substance.

This year at Cisco Live! 2017, Cisco has done this the right way: a new campaign, backed by the technical prowess we expect from Cisco and launched with all the big names and big programs we expect. This was well thought out, and if this is what Chuck Robbins is going to bring to the table at Cisco Systems, there should be some big things ahead.

In a series of interviews with different business units, it was revealed that the “handcuffs are off” and departments have been given the ability to innovate, collaborate and tear down the silos. This new program demonstrates that.

The Network.  Intuitive.


First get past the grammar-related issues of the new DNA campaign, and realize that it is not “The Network Intuitive”, it is “The Network. Intuitive.” Punctuation matters here.

The key to understanding “The Network. Intuitive.” is in two powerful words.

Intent

As announced by Chuck Robbins in the Cisco Live keynote, they want you to power your network with business intent. No more programming VLANs or setting up routing, but truly going into a unified console and telling it what you want to do.

“A computer will do what you tell it to do, that may be totally different from what you had in mind” — Quote Unknown

The idea that “Machine A” can talk to “Server B”, and “User Y” can talk to “System X”, without worrying about the underlying infrastructure is where they are going.

This is a construct, not a product, but unlike DNA-2016, there is a strong technical basis for this idea.

Context

Intent does not do you any good unless you have context in your network. We need to understand who is where, and what they are, before we can set our intent against that object.

It is a bit of a chicken-and-egg problem: how do we secure, route and prioritize our network if we do not know what this traffic is, who they are and what they are trying to do? Today context generally comes from things like IP addresses and subnets. In DNA-2017, this context comes from Cisco ISE.

The Network. Intuitive.  InfoGraphic.


The latest infographic from Cisco really does provide a good overview of this new architecture.

The underlying technology for this new intuitive network is SD-Access – Software-Defined Access. Think of “ACI – Application Centric Infrastructure”, but now it is user centric: make our decisions and policies and apply them to users, and where they are is unimportant.

SD-Access Building Blocks


I want to help build the SD-Access story for you, so you can understand how this technology comes together. Like last year’s DNA announcement, SD-Access is a reference architecture, but there are bespoke technologies around it.

Transport Layer – Network

At the very basic transport layer, SD-Access relies on a few switch options that are available today. It is supported on Catalyst 9K, 3650, 3850, 4500E, 6500/6800 and Nexus 7K. Wireless options are 3800, 2800, 1560 and controllers 8540, 5520 and 3504.

The new one to this party is the Catalyst 9000, developed by the team at Cisco with the new DopplerD series CPU, with tons of power and supporting ETA – Encrypted Traffic Analytics. Please see my future blog post on the Catalyst 9000 series.

These devices do all the transport and implementation of policy in the background of SD-Access and move the bits around your network.


Understanding the Campus Fabric

The underlay network transports your traffic from place to place; this is what makes up your campus fabric. It provides true virtual networking to the endpoints through encapsulation, not just through VLANs anymore. The idea is that we want to segregate the forwarding plane from the services plane: why should our physical network dictate how traffic flows around our network, and how can we add capabilities without massive complexity?

[Screenshot: TechWiseTV, “A Deeper Look at Software-Defined Access”]

If you want me to sit here and admit that this is as easy as the old VLANs and IP addresses in your network – it simply is not. However, the security, control and simplicity once it is implemented are worth it, as are the automation and contextual data you will receive.

The transport does not need to be complex: by using an overlay we can deliver features through the overlay, so the underlay network and its hardware can stay simple.

LISP – Locator/ID Separation Protocol – Layer 3

This decouples location from identity. Think of the old way for a moment: we know the switch port and the IP address or subnet, and we have a weak idea of the context of a user, who and where they are. LISP takes the IP and the location and segregates them so that IP and location are not tied together anymore.

LISP is like DNS for packets: when a switch needs to forward packets from place to place, LISP tells the network device the location and the route required, using a map server or resolver. This could be an IOS device or a virtual machine somewhere. LISP allows a device to live in any place on the network. Getting in and out of the LISP environment is via a tunnel router or “xTR”.

This is what provides mobility of devices around your network: even if a user moves to another building or another floor, the IP address of that user does not change. They just move from place to place and the mapping system handles where that user is.

VXLAN – Layer 2

Wait, why is VXLAN showing up in the access layer? Well, LISP is really a layer 3 technology; it ensures that packets can route, but what if we have users across multiple layer 3 areas that need layer 2 connectivity? What about multicast and broadcast traffic?

VXLAN provides the transport of our layer 2 traffic across our campus fabric.

Transporting Policy with Cisco TrustSec

We can now add contextual information into the VXLAN headers through “SGTs” or Scalable Group Tags. We use TrustSec so that we can apply policies against objects based not on their IP but on their identity. Instead of the IP address, we use the SGT to tell the rest of the network who owns this packet, so we can make decisions based on security. The SGT is assigned by ISE; users are placed in security groups within ISE, and access lists and rules are then applied against those groups.
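To see how the three building blocks above fit together, here is an added example in Python. It is my own illustration, not Cisco’s code and not code from this blog. A toy map server resolves an endpoint identifier (the host IP, which never changes) to the edge switch it currently sits behind; the ingress edge wraps the frame in a VXLAN header whose Group Policy Option carries the SGT, using the 8-byte layout from the IETF VXLAN-GPO draft; and the egress edge enforces a group-to-group policy matrix without ever looking at IP addresses. The IP addresses, tag values, VNI, policy entries and switch names are all constructed for the example.

```python
import struct

# ---- LISP-style mapping system ---------------------------------------------
class MapServer:
    """EID -> RLOC registrations: the 'DNS for packets' role described above."""

    def __init__(self):
        self._db = {}

    def register(self, eid, rloc):
        # The edge (xTR) registers every endpoint it learns; re-registering an
        # EID behind a new RLOC is what makes host mobility work.
        self._db[eid] = rloc

    def resolve(self, eid):
        return self._db.get(eid)


# ---- VXLAN header with Group Policy Option ----------------------------------
# 8-byte layout from the IETF VXLAN-GPO draft (draft-smith-vxlan-group-policy):
#   byte 0    flags: G (0x80) = Group Policy ID present, I (0x08) = VNI valid
#   byte 1    D (0x40) don't-learn and A (0x08) policy-applied bits, rest reserved
#   bytes 2-3 Group Policy ID, which SD-Access uses to carry the SGT
#   bytes 4-6 VNI (24 bits);  byte 7 reserved
FLAG_G = 0x80
FLAG_I = 0x08

def build_vxlan_gpo(vni, sgt):
    if not 0 <= vni < 2 ** 24 or not 0 <= sgt < 2 ** 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8)

def parse_vxlan_gpo(header):
    if len(header) != 8:
        raise ValueError("VXLAN header must be exactly 8 bytes")
    flags, _, gpid, vni_and_reserved = struct.unpack("!BBHI", header)
    if not flags & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    # Without the G bit the Group Policy ID field is meaningless, so report None.
    return {"vni": vni_and_reserved >> 8, "sgt": gpid if flags & FLAG_G else None}


# ---- Group-based policy (TrustSec) ------------------------------------------
SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_HR_SERVER = 10, 20, 100   # constructed tags

# Constructed policy matrix: (source SGT, destination SGT) -> permit?
# Any pair not listed is denied, the same shape as a default-deny SGACL.
POLICY = {
    (SGT_EMPLOYEE, SGT_HR_SERVER): True,
    (SGT_CONTRACTOR, SGT_HR_SERVER): False,
}

def sgt_permits(src_sgt, dst_sgt):
    return POLICY.get((src_sgt, dst_sgt), False)


# ---- One frame across the fabric --------------------------------------------
class Fabric:
    def __init__(self):
        self.map_server = MapServer()
        self.sgt_of = {}       # EID -> SGT, the classification ISE hands out
        self.vni = 4097        # constructed virtual network id

    def attach(self, eid, rloc, sgt):
        """Endpoint authenticates: ISE classifies it, the edge registers it."""
        self.sgt_of[eid] = sgt
        self.map_server.register(eid, rloc)

    def forward(self, src_eid, dst_eid):
        """Return (egress RLOC, verdict) for a frame from src_eid to dst_eid."""
        rloc = self.map_server.resolve(dst_eid)
        if rloc is None:
            return None, "no-route"
        # Ingress edge encapsulates with the sender's SGT...
        header = build_vxlan_gpo(self.vni, self.sgt_of[src_eid])
        # ...and the egress edge decapsulates and enforces on tags, not on IPs.
        fields = parse_vxlan_gpo(header)
        verdict = "permit" if sgt_permits(fields["sgt"], self.sgt_of[dst_eid]) else "deny"
        return rloc, verdict


def demo():
    fab = Fabric()                        # switch names below are placeholders
    fab.attach("10.1.1.50", rloc="edge-bldg1", sgt=SGT_EMPLOYEE)
    fab.attach("10.1.1.51", rloc="edge-bldg1", sgt=SGT_CONTRACTOR)
    fab.attach("10.9.9.10", rloc="edge-dc", sgt=SGT_HR_SERVER)
    employee = fab.forward("10.1.1.50", "10.9.9.10")
    contractor = fab.forward("10.1.1.51", "10.9.9.10")
    # The HR server moves to another building: its IP (EID) stays the same, only
    # the RLOC registration changes, and the policy result is unchanged.
    fab.attach("10.9.9.10", rloc="edge-bldg2", sgt=SGT_HR_SERVER)
    moved = fab.forward("10.1.1.50", "10.9.9.10")
    return employee, contractor, moved


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` sequence is the last step: after the server re-registers behind a different edge, the employee’s frame is delivered to the new locator with the same verdict, because neither the EID nor the tag changed. Only the mapping did.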

Identity Layer – Context

This is where the context comes in. ISE – Identity Services Engine is used to create network identity for objects, users and systems. I know what some of you are thinking: “Oh no – ISE”. Have you taken a look at ISE 2.1+? They have vastly improved the experience. There is no question that adding ISE will complicate your life, but it is the contextual engine that provides the data you need to secure your network. There is no avoiding ISE anymore; you will need to have it in your life, and in your network.


There are benefits here: once ISE is implemented, all of your network devices start to see things as user activity, firewalls show user names instead of systems, you can start deploying policy against groups of objects, and network authentication becomes very easy. Your wireless network becomes easier to manage from a security perspective.

Interface Layer – Intent

This is the real veggies. DNA Center is the new package for the APIC-EM platform. This is Cisco’s attempt to make a single-pane-of-glass UI front end for your network, and the intent is a single pane of glass for your ENTIRE network.


This is where your contextual groups from ISE, like users and servers, meet up with the policy you want to create. There is no denying the interface is a little “Meraki”-like; clearly they borrowed some design concepts. All of the complex components of SD-Access meet here in DNA Center, and are then pushed out to the rest of your network. DNA Center automates everything for you, from dealing with ISE to programming those Catalyst switches. This is the automation layer: set the intent you want, and automation turns that into action down on your hardware layer. Worrying about all this VXLAN and LISP stuff? No worries, DNA Center will help you here.

[Screenshot: “Cisco SD-Access – Campus Fabric with DNA Center Automation & Assurance”]

NDP – Network Data Platform

There is no shortage of data about our network; we have NetFlow and Syslog and any number of tools to deliver data. In the coming months, as we get a better look into the new Network Data Platform, we will learn how it will help correlate network data and provide analytics. This is where the old proverbial “lead into gold” promise is supposed to deliver. For me this is a wait-and-see approach; right now there just isn’t enough data out there, so for now that is all I have to say. This is still very early.


More to come in future posts about Catalyst 9000, DNA Center, NDP and ETA.


Denise “Fish” Fishburne Designing new security focused “Network Detective Series”

If you have read my blog, you know I am a huge fan of Denise “Fish” Fishburne’s sessions, not only because Fish is an amazing, dynamic speaker but because these are not your typical sessions.

The Network Detective Series has been well reviewed, both here on my blog and on other blogs. Whether you are new to networking or old to networking, this series will make you a better troubleshooter. Check it out HERE.


During the event it was well known that “The Network Detective” series was ending this year as Denise transitioned to a security focus. In a series of tweets during Cisco Live, Denise announced that “Techniques of a Network Detective” will continue next year.


In an ad hoc interview after the Cisco Live Customer Appreciation Event, we learned that not only will Network Detective continue with fresh content for Cisco Live! in 2018, but after that the old content will hit the floor and a new security-focused version of “Network Detective” will launch for 2019.

You know I will be there, front row to hear all the new “Techniques of a Network Security Detective” and will report back here.

CiscoLive! Techtorials – Worth it? #CLUS 2017

Are Techtorial Sessions Worth It ?

In a word?   YES.

Now to explain why….

This year I flew out Saturday and was here on Sunday in order to attend a techtorial. I chose Immersive Journey Into IPv6. Yes, it’s true, I am not a superpower when it comes to IPv6; I know enough to do what I need, and what my clients need, but I am lacking.

Where am I lacking? Think about IPv4, ARP, DHCP, DNS, all those protocols and how they talk to each other, how they work at the bit level. I know that stuff pretty cold, but with IPv6 the light bulb never went on; I just didn’t feel comfortable, I didn’t feel like I knew it cold.

Well, that changed today, after an entire day in the room with amazing speakers: Denise Fishburne, Scott Hogg, Ed Horley, Tim Martin and Jim Bailey. Feel free to check out their credentials, but Scott literally wrote the book on IPv6 security, as one example. Denise “Fish” Fishburne is without question the premiere troubleshooter (see my previous blogs).

Our session went down like this:

[Screenshot of the session]

This was a SERIOUS content download; we went into a ton of detail in each section. Fish talked about how she learned IPv6 from the packet and backwards into the RFC; Scott talked about IPv6 hacking and vulnerabilities and how to protect yourself from common attacks. The design section went into IPv6 address design and even had an enterprise design practical example. Ed went into AMAZING detail about host operating system IPv6 support, what works, what doesn’t, and tips for deployment. This section I really appreciated; there are so many nuances.

Why is the money worth it?

Quite simple – bang for your buck. Sure, one techtorial is about 30% more on top of the cost of your entire full conference pass, but in previous years I noticed I was taking out so much time for World of Solutions, DevNet and other sessions that I couldn’t FOCUS on topics I wanted a deep dive on. I also missed sessions I wanted. With the Sunday techtorial, I could get in the room, listen to multiple amazing speakers on a great topic, and there is nothing else I am missing. I could FOCUS.

The benefit of going all day on this topic is that each section threads into the next and you get continuity in learning. Don’t forget, this is a Sunday, which means there is also less of a chance that your regular job duties will interrupt you.

If you want to get the most out of your Cisco Live! trip, you want to be able to see as much as possible. Focusing on the Sunday on the topic you wanted that deep dive on allows you to learn better. This will free up time later in the event to hit the World of Solutions, try new things in DevNet, and hit up even more of the smaller sessions.

Keep in mind, you can pay for techtorial sessions with Cisco Learning Credits (CLC), so when you purchase Cisco hardware and software make sure your partner and Cisco rep are working to get you those CLCs.

Disclaimer: I won this techtorial last year in a social media contest, and redeemed that free credit this year. I did not pay out of pocket to attend this session.

Cisco Live! Returns to Hot Breakfast!

Last year I wrote this blog about the breakfast offerings at Cisco Live!, outlining the importance of a good breakfast for learning comprehension. I made sure that this information received wide distribution, and many of you helped with your retweets to the team @CiscoLive; as a result it did become something considered this year.

I have been advised by the Cisco Live team that hot breakfast sandwiches have been added to the menu for Monday through Thursday! This is amazing news. I have to thank in particular Kathleen Mudge @KathleenMudge for helping spread the word at the Cisco Live offices.

“Food is like a pharmaceutical compound that affects the brain,” – UCLA Professor of Neurosurgery and Physiological Science Fernando Gómez-Pinilla.

Short-term memory and auditory attention are higher when a breakfast with protein is offered instead of refined carbohydrates: no more sugar crash, and you can power through your day.

For me personally, this is important, as I have recently embarked on a low-carb Ketogenic lifestyle.  More options give us better ability to learn and interact.

This is a great win for all delegates, and for the social media community as a whole.


NSX – The Network Redefined

Looking Forward

The network has been a long haul. Wow, what a long way we have come, from a long time ago, to hubs, to switching, and now to networks being virtualized: on hardware, on software and sometimes even on the occasional Raspberry Pi.

There are so many terms out there, and nobody agrees on what the definition of “SD” anything is. If we go by Wikipedia, they claim:

“Software-defined networking (SDN) is an approach to computer networking that allows network administrators to programmatically initialize, control, change, and manage network behavior dynamically via open interfaces and abstraction of lower-level functionality.”

That is a little general, isn’t it? I mean, how does that concept help a business actually deliver on value? How do I get from “SDN” to business value without spending millions of dollars and hiring people to internally write “stuff”?

Everyone tried to create something, and as things normally go, everyone said “let’s use this open protocol”, not realizing that the open protocol did about 60% of what we needed in the real world, didn’t have an interface because it is a protocol, and needed a gaggle of PhDs to deploy it.

If you are a developer you are probably reading this thinking “It is not that hard”, but for some of us, especially traditional network types or managers, it really is that hard. And what about the <1000-user crowd?

VMware does for the network what it did for servers

This is that kind of thing: VMware is changing the game, again.

[Slide from the NFD15 VMware NSX presentation]

I have to admit, I was not a believer. I was truly the person that sat here and thought “If I want to virtualize my network I want to do it in silicon”. CPU power has reached a point where that argument does not hold water anymore, and we can engineer our way around it anyway; it is a moot point.

Virtualizing Network Hardware Is Different

Here is the problem with something like pure Cisco ACI, or virtualizing in the hardware. The entire point of network virtualization is that the network shouldn’t matter. If I want to create a truly elastic infrastructure, then my environment must not care what the transport is underneath.

I am not suggesting the wild west; on the contrary, you still need to monitor, manage and engineer the underlying network to attain the performance you want. But if my intention is to create a hybrid strategy into cloud services like Azure, AWS, TATA or Long View ODI, I shouldn’t much care. I want to put the workload where I want, when I want, with the security definitions I need, and I don’t want to use 27 different tools to achieve that.

Applications Are The Focus

Everyone is talking this way. Cisco is talking ACI – Application Centric Infrastructure and VMware is talking NSX, but the concepts are the same. You need the security of your apps and data, but you need to deal with changes in threats and user behavior. You need analytics and security.


The app itself needs to be decoupled from the underlying infrastructure to make things elastic, but to attain true elasticity you need an automation platform that does a few things:

  1. Delivers on IT and business process
  2. Automates to remove mistakes
  3. Does not require significant programming knowledge


Ideally you need to have all of this in a single pane of glass to make it easy to manage; otherwise, cross-management integrations are going to cause you a ton of headaches. When people say “service chaining” I start to get a migraine. Not to say you cannot do that; you can, and they integrate with a huge ecosystem of partners, but I should not have to pick a management platform and then have everything else be a partner product.

You can go wild if you want


I keep complaining about going “fully open protocol”, but the good news is, if you want, you can go full open protocols, full automation and full custom with NSX. They have the automation tools to get you there. So if you are the developer type, and I am not, feel free to go and get your Python on and chef yourself some Puppet stacks – I will be over here wishing I honestly understood all that stuff.

Give me the veggies

Here is the story on what you need to know; we will break it down into a few bite-sized chunks.

Architecture


vCenter is still here

So, the big things you need to know. vCenter is still very much a part of how you live, and NSX Manager plugs into vCenter to give you all the management you know and love. The good news is, they are not reinventing the world here, so if you are already a VCP or VMware-savvy person you should feel right at home.

NSX Controller

The NSX Controller manages the world of NSX, but is configured by the NSX Manager plane. All of your logical networks and control are done here. This isn’t in the data path; it is basically orchestrating the config download to all of the components: the distributed logical router (fancy name for a virtual router) and the switching endpoints. You don’t really deal with this day to day.

Data Plane

This is your hypervisor, and you don’t really change anything here: your connectivity is in place, and the hypervisor knows from the controller which domain each VM is in, whether it needs to be transported between sites, and to whom it can talk. This is where your logical switch, distributed logical router and firewall processes actually live.

Multi-Site Capabilities

This is where I think NSX really shines: not just in the ability to segment, but in taking that segmentation and making it elastic across locations. Pick up and move a VM across data centers, and IP addresses do not change and security constructs remain intact. Doing maintenance in a DC and need a full shutdown? No problem, move your workloads and shut it down. Distribute your apps using the built-in load balancer across the network.


The key here is that this works brownfield: no need to lift and shift all of your apps into a new network design to make it work, and no application has to change IP addresses to get this DR functionality. Extend across geographical boundaries and keep your security posture in check.

When moving workloads there is no need to lose your security policies just because you are moving them around, and you do not pay for NSX DR licenses for active-standby, only for active-active.


The multi-site capabilities alone are a reason to deploy NSX – and many customers do. Even if they are not micro-segmenting their network today, the mobility options alone are worth the price of admission.


Micro-Segmentation

What an industry word, but the bottom line is: we need to segment services from services at the service level, not at the subnet level.

This is a stateful firewall with 5-tuple rules, and full chaining out to IPS/IDS is possible.

This is not just an ACL; it is a full ALG, so it will take data and control / ephemeral ports and group them, so you do not end up with a giant mess in your rules.


A bit of an eye chart, but the idea is that each VM can now be its own perimeter, and policies are created once and then grouped so mistakes against policies are reduced. Threats have a hard time spreading when things are locked down like this.


The firewall manager is very intuitive, with basic rules to set everything up, but the challenge is: how do you set up the rules right?

Policy Creation Costs Reduced with ARM

The cost of deploying new policies is significant in many organizations – some spent 10-50x the cost of their firewalls just to come up with the policies to segment subnets, only to end up with giant holes in their firewall rule set.

This is what makes NSX something you can actually deploy; you really need a tool like this in order to put something like NSX into production. Nobody understands application data flows (ok, some people do), but there are always mistakes made when segmenting your network.

The good news here is something called ARM – Application Rule Manager.


Everyone has done this: you set up your rules, set your allow-all, watch your syslog for events, then go to deny, monitor your deny logs, anger a few users as things break, fix your firewall rules. There has to be a better way, and there is, with ARM.

You can monitor application flows in real time, and then create rule sets from those monitored data flows. ARM has been segregated from normal flow monitoring so there is no impact to production traffic, and they do limit the number of VMs you can run ARM on at the same time. You are not supposed to run this all the time.


Remember this is an ALG, so it understands ephemeral ports and protocols like FTP: if you allow FTP, then FTP will work, and Windows RPC is just Windows RPC. All the rules can be staged and set up without implementation, and then you can get your security person to review all of them, approve, and then move forward.

Once things are set up, you can monitor the actual flows and show packets and bytes, so you can see your rules up and working.
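As an added illustration of the monitor, build, review, enforce workflow described in the last few paragraphs, here is a Python sketch of my own; it is not the NSX API and not VMware’s code. It takes a constructed set of observed flows, collapses them into group-to-group service rules the way a rule manager would, stages them until a reviewer accepts each one, and then evaluates new flows against only the approved rules with a default deny, keeping a hit counter per rule so you can see the rules working. The IP addresses, group names, ports and service names are all constructed.

```python
from collections import namedtuple
from dataclasses import dataclass

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed group membership (in NSX terms, security group membership).
GROUP_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "mgmt",
}

# Friendly service names so rules read 'mysql' rather than tcp/3306.
SERVICE_NAME = {("tcp", 8080): "app-http", ("tcp", 3306): "mysql"}

# Constructed flow records, as a monitoring window would capture them.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 8080),
    Flow("10.0.1.11", "10.0.2.20", "tcp", 8080),
    Flow("10.0.2.20", "10.0.3.30", "tcp", 3306),
    Flow("10.0.2.20", "10.0.3.30", "tcp", 3306),
    Flow("10.0.9.99", "10.0.3.30", "tcp", 22),   # an admin SSH session caught in the window
]


@dataclass
class Rule:
    src_group: str
    dst_group: str
    service: str
    observed: int = 0        # flows seen during monitoring that this rule covers
    approved: bool = False   # staged until the security reviewer accepts it
    matched: int = 0         # hits after enforcement, the packets/bytes view


def service_of(flow):
    return SERVICE_NAME.get((flow.proto, flow.dport), f"{flow.proto}/{flow.dport}")


def classify(flow, group_of):
    """Translate a per-host flow into the (src group, dst group, service) it belongs to."""
    return (group_of.get(flow.src, "unknown"), group_of.get(flow.dst, "unknown"), service_of(flow))


def build_rules(flows, group_of=GROUP_OF):
    """Collapse observed per-host flows into group-to-group service rules."""
    rules = {}
    for flow in flows:
        key = classify(flow, group_of)
        rules.setdefault(key, Rule(*key)).observed += 1
    return list(rules.values())


def approve(rules, accept):
    """Review step: a rule becomes enforceable only if the reviewer accepts it."""
    for rule in rules:
        rule.approved = accept(rule)
    return [rule for rule in rules if rule.approved]


def evaluate(flow, rules, group_of=GROUP_OF):
    """Default deny: permit only when an approved rule matches the flow's groups and service."""
    key = classify(flow, group_of)
    for rule in rules:
        if rule.approved and (rule.src_group, rule.dst_group, rule.service) == key:
            rule.matched += 1
            return "permit"
    return "deny"


def demo():
    rules = build_rules(OBSERVED_FLOWS)
    # The reviewer refuses to turn the incidental SSH session into standing policy.
    active = approve(rules, lambda rule: rule.service != "tcp/22")
    verdicts = {
        "web->app app-http": evaluate(Flow("10.0.1.10", "10.0.2.20", "tcp", 8080), active),
        "app->db mysql": evaluate(Flow("10.0.2.20", "10.0.3.30", "tcp", 3306), active),
        "web->db mysql": evaluate(Flow("10.0.1.10", "10.0.3.30", "tcp", 3306), active),
        "mgmt->db ssh": evaluate(Flow("10.0.9.99", "10.0.3.30", "tcp", 22), active),
    }
    return rules, verdicts


if __name__ == "__main__":
    staged, results = demo()
    for rule in staged:
        print(rule)
    print(results)
```

Two things the sketch makes visible that the prose only states: the five host-level flows collapse to three rules because grouping happens before the rules are written, and the review step matters, since a monitoring window will always catch traffic (here the admin’s SSH session) that nobody wants baked into the application’s standing policy.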


Automate with vRealize

The automation within vRealize has been around for some time, but now the ability to deploy automated NSX rules and pre-defined architectures will give large organizations the power to deploy new applications, or even container applications, very quickly. The good news is, the interface here is very easy to understand, and with a “canvas” style approach you can build out your applications and services graphically and see relationships with attached policies.

I could honestly go on for a while about just automation, but here is a taste of the interface; expect more in another article.


Disclaimer for this article

This article was written a few months after I attended Networking Field Day 15, as in my previous disclaimer we normally receive things like bags and hats and some of my expenses are covered by the event.    However, after this presentation I was offered some free training vouchers from VMWare for NSX training and certification – they were offered months before I even wrote this article, and I have not consumed them as of this writing but I plan to.   I am disclosing this because of the sheer value of those vouchers exceeds the normal “here’s a free hat” offer.    I would like to thank VMware for their generosity, and I plan to use them to further my personal education on NSX.