Net Optics Top 5 Ways to Enhance Your Cisco Environment
About Net Optics, Inc.

Net Optics is the leading provider of Intelligent Access and Monitoring Architecture solutions that deliver real-time IT visibility, monitoring and control. As a result, businesses achieve peak performance in network analytics and security. More than 7,500 enterprises, service providers and government organizations—including 85 percent of the Fortune 100—trust Net Optics’ comprehensive smart access hardware and software solutions to plan, scale and future-proof their networks through an easy-to-use interface. Net Optics maintains a global presence through leading OEM partner and reseller networks.

Document Transcript

• About the Author

Sharon Besser, VP of Technology, Net Optics Inc.

Sharon Besser has successfully created, developed and launched new security products for some of the industry's leading technology vendors. Before joining Net Optics he served as Vice President of Product Strategy at Imperva, a leader in application data security and compliance. Previously, he was director of products at Websense, a leading provider of content filtering and web security solutions, where he was primarily responsible for the Content Protection Suite, recognized by the independent research firm Gartner as the market leader. Before Websense, Besser was director of products at PortAuthority Technologies, a provider of information leak prevention solutions that was acquired by Websense. He also served as director of Security Solutions at Check Point Software Technologies. Earlier in his career, Besser founded PubliCom, a provider of integrated data security and communications solutions, which was acquired by COMSEC. Besser holds a BSc in Mathematics, Computer Science and Geography from Bar Ilan University in Israel.

Net Optics is a registered trademark of Net Optics, Inc. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged. Copyright 1996-2013 Net Optics, Inc. All rights reserved.
• Top Five Ways To Enhance Your Cisco Environment

The Secrets You Will Want To Know

When it comes to Cisco technology, most of us have wondered if we could do more to get the most out of our investments. Are we aware of all the “hidden gems”—advantages tucked away within the architecture that could put us ahead of the game with relatively little effort?

Five Ways to Say Eureka!

Recently, I delivered a talk at Cisco Live in which I presented the Top Five efficiency gems that can be a real bonanza for your Cisco investment. I’ll share those configuration and design tips here for using Cisco technology to the utmost in monitoring and security. In addition, I’ll discuss ways to use access switching and built-in Cisco features more effectively. Finally, I’ll cover key points to consider in relation to data center operation, interconnect and security.

The Top Five at a Glance

1. Not all switches are created equal. Store-and-forward vs. cut-through. Choose the right switch architecture and boost your efficiency.
2. Make sure you’re SEC(ure). Use the MACsec (IEEE 802.1AE) protocol to provide switch-port-level encryption.
3. Don’t lose sight of the gems. Achieve virtual visibility without the overload penalty.
4. “SLA” yourself. Use built-in IP SLAs to benchmark and monitor the health and performance of your network.
5. NetFlow is your friend. Learn it. Use it. Support it.
• The Cisco Data Center: A Rich Vein of Productivity

The multitiered Cisco data center is at the heart of today’s computational power, volume storage and sophisticated applications. It represents the leading edge of progress and potential in scalability, performance, flexibility and maintenance/management. Naturally, efficient planning is key for resilience, agility and investment value. By investing in Cisco, you’ve staked your claim to the future of virtual computing. Now let’s mine those gems to strike it rich in optimizing your investment.

1. Not all switches are created equal. Store-and-forward vs. cut-through. Choose the right switch architecture and boost your efficiency.

Today, you have your choice of two switching categories: 1) store-and-forward; and 2) the newer cut-through switching, which is increasingly popular for high-speed, low-latency applications. Which one is ideal for you depends on several factors.

Store-and-forward switching accepts the complete frame into the switch buffers for error checking before forwarding it on to the network. Cut-through switching reads only the destination MAC address (the first six bytes of the frame following the preamble and start-of-frame delimiter) to determine the port to forward the frame to.

With store-and-forward switching, the LAN switch copies the entire frame into its onboard buffers and computes the cyclic redundancy check (CRC). The frame is discarded if it fails the CRC, or if it is a “runt” (less than 64 bytes including the CRC) or a “giant” (more than 1518 bytes including the CRC for an untagged frame; the limit is 1522 bytes with an 802.1Q tag and higher on ports configured for jumbo frames, such as the 9000-byte frames discussed below). If the frame contains no errors, the LAN switch looks up the destination address in its forwarding (switching) table, determines the outgoing interface and forwards the frame toward its destination.
• Cut-Through Switches Reduce Latency in the LAN

A cut-through switch reduces latency because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface—even before the entire payload is received. The primary advantage of this approach lies in the time the switch takes to start forwarding the frame (known as switch latency), which is on the order of a few microseconds regardless of frame size. So, if latency issues are foremost for you, then cut-through switches will give you a better night’s sleep.

Let’s take a theoretical application using 9000-byte frames. A store-and-forward switch cannot start transmitting until the whole frame has arrived, and that serialization time scales with frame size and link speed: about 720 microseconds at 100 Mbps, 72 microseconds at 1 Gbps and roughly 7 microseconds at 10 Gbps. A cut-through switch is ahead by roughly that amount, because it needs only the first bytes of the frame before it commits to an egress port. Cut-through switches are therefore naturally more suited to extremely demanding high-performance computing (HPC) applications that require process-to-process latencies of 10 microseconds or less.

When Cut-Through Switching Is Not the Ideal Approach

Certainly, store-and-forward switching adds to the time it takes for a frame to get from source to destination. That’s because it waits to forward a frame until it has received the entire frame and checked it for errors, comparing the last field of the frame against its own frame-check-sequence (FCS) calculation. The additional time is spent ensuring that the frame is free of physical and data-link errors. Invalid frames are dropped, whereas a cut-through device has already begun transmitting by the time the FCS arrives: at best it counts the error on the egress port, and the damaged frame propagates to the next hop, where a store-and-forward stage or the receiving NIC finally discards it. Also, a store-and-forward switch can perform ingress buffering, giving it the flexibility to support any mix of Ethernet speeds; cut-through needs the ingress port to deliver bits at least as fast as the egress port sends them, so a frame arriving on a slower port must be stored before it can be sent on a faster one.

For Cisco, advances in ASIC design and other progress now enable cut-through functions that are much more ingenious than in the past. With better load balancing abilities and other functions, Cisco switches, such as the low-latency Cisco Nexus 5000 or the Cisco Catalyst family, can perform low-latency switching while still preserving the inspection advantages of store-and-forward switching. So now you can make an informed decision as to whether store-and-forward switching is worth the delay. In financial services and other HPC applications, where speed is of the utmost importance, you probably want to reduce latency to the lowest possible level by using the cut-through approach.

Enterprises that employ HPC include:
• Oil and gas exploration
• Automotive and aerospace manufacturing
• Biosciences
• Financial data mining and market modeling
• Academic and government research
• Climate and weather simulation
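To make the two forwarding decisions concrete, here is an added Python example (not code from the Net Optics eBook or from Cisco) that models a store-and-forward switch’s runt, giant and FCS checks against a cut-through switch that commits to an egress port after the first six bytes, and computes the serialization delay the store-and-forward path pays for a 9000-byte frame at each link speed. The Ethernet frames, the forwarding table and the single-bit corruption are constructed inside the block; the MAC addresses and the port name are arbitrary.

```python
"""Store-and-forward frame validation vs cut-through forwarding (added example)."""
import struct
import zlib

MIN_FRAME = 64      # bytes including FCS; anything shorter is a "runt"
MAX_FRAME = 1518    # untagged Ethernet II; 1522 with an 802.1Q tag, more with jumbo MTU


def ethernet_fcs(frame_without_fcs):
    """IEEE 802.3 FCS is CRC-32 with the same polynomial, reflection and
    final XOR as zlib's crc32, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble dst | src | type | payload | FCS (preamble/SFD are not part of the frame)."""
    body = (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)
    return body + ethernet_fcs(body)


def store_and_forward(frame, fib, max_frame=MAX_FRAME):
    """Buffer the whole frame, reject runts, giants and FCS errors, then look
    up the egress port. Returns ("forward", port) or ("drop", reason)."""
    if len(frame) < MIN_FRAME:
        return ("drop", "runt")
    if len(frame) > max_frame:
        return ("drop", "giant")
    if ethernet_fcs(frame[:-4]) != frame[-4:]:
        return ("drop", "fcs-error")
    return ("forward", fib.get(frame[:6], "flood"))


def cut_through(first_bytes, fib):
    """Decide the egress port from the first six bytes alone. The FCS has not
    arrived yet, so a corrupt frame is forwarded and can only be counted."""
    if len(first_bytes) < 6:
        raise ValueError("need at least the destination MAC")
    return ("forward", fib.get(first_bytes[:6], "flood"))


def serialization_delay_us(frame_bytes, link_bps):
    """Time for the whole frame to arrive: the extra latency store-and-forward
    pays before it can start transmitting, in microseconds."""
    return frame_bytes * 8 / link_bps * 1e6


if __name__ == "__main__":
    # Constructed forwarding table and frames; addresses and port name are arbitrary.
    fib = {bytes.fromhex("001122334455"): "Eth1/1"}
    good = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x00" * 46)
    bad = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one bit of the FCS
    print("store-and-forward, good frame:", store_and_forward(good, fib))
    print("store-and-forward, bad frame: ", store_and_forward(bad, fib))
    print("cut-through, bad frame:       ", cut_through(bad[:6], fib))
    for speed in (100e6, 1e9, 10e9):
        print(f"9000-byte frame at {speed / 1e6:.0f} Mbps: "
              f"+{serialization_delay_us(9000, speed):.1f} us for store-and-forward")
```

The asymmetry the text describes shows up directly: the same corrupted frame is dropped by `store_and_forward` and forwarded by `cut_through`, and the `max_frame` parameter is what a jumbo-frame configuration changes; the 64-byte minimum does not move.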
• 2. Make sure you’re SEC(ure). Use the MACsec (IEEE 802.1AE) protocol to provide switch-port-level encryption.

When it comes to protecting data in motion, there aren’t too many solutions. Encryption is considered one of the better methods of protecting data, but it often requires installing client applications.

MACsec to the Rescue

The MACsec protocol provides a way to encrypt data between two Layer 2 points, such as two switches or a switch and a host, without an additional server application and without re-architecting the IP layer: because it operates on Ethernet frames, it protects IPv4 and IPv6 traffic alike, along with any other protocol carried in the frame. MACsec lets you encrypt data communications between a switch and any attached device, most importantly on wired LANs. The protocol was standardized by the IEEE as 802.1AE. It provides per-hop confidentiality, integrity and replay protection for every frame on the link, independent of the upper-layer protocol.

Cisco provides switch-port-level encryption based on IEEE 802.1AE (MACsec) that spans the network, from endpoints to the access layer and all the way to the data center. Data encryption uses AES in Galois/Counter Mode with a 128-bit key (GCM-AES-128), so each frame is authenticated as well as encrypted; a tampered or replayed frame fails the integrity check and is dropped. Encryption lets you defeat man-in-the-middle attacks, snooping and other forms of intrusion on the wire. Layer 2 encryption can be implemented between an endpoint device and an access switch, or between switch ports. Keys are negotiated per link rather than configured statically: through 802.1X and the MACsec Key Agreement (MKA) protocol on endpoint-facing ports, and through Cisco TrustSec’s Security Association Protocol (SAP) on many switch-to-switch links of this hardware generation.

MACsec, Cisco, and Net Optics: a Triple Compliance and Security Solution

MACsec is probably the best prescription on the market for CSO and CIO peace of mind. In a landmark Cisco Live demo in Cisco’s own booth, visitors could see in real time just how effectively Cisco’s new MACsec software protects the confidentiality of network LAN traffic. In MACsec-enabled switches, frames are encrypted on leaving the transmitting device and decrypted on entering the receiving device. They are “in the clear” only when they are within the respective devices. That is also the caveat to keep in mind: MACsec protects the wire, hop by hop. Every switch along the path decrypts and re-encrypts, so a compromised or misconfigured switch sees plaintext, and MACsec complements rather than replaces end-to-end protection such as TLS or IPsec.

To prove the point, Net Optics HD8 Fiber Taps™ passively gathered data on the connections, sending transmissions to Net Optics Director xStream Pro™, which collected and displayed the data clearly in its user interface. The difference was dramatic: unencrypted data from the non-MACsec machine, a Cisco 3500 switch, clearly revealed its types and protocols, an irresistible target for malicious intrusion. The MACsec-protected data flowing from Cisco 6500 switches was unreadable. The same observation has an operational consequence for monitoring: a tap on a MACsec-protected link sees only ciphertext, so monitoring tools must be fed from a point where traffic is in the clear, such as a SPAN session inside the switch, or the traffic must be decrypted before analysis.

Cisco Catalyst and Nexus Switches

Cisco Catalyst® 2900, 3560, 3700, 4500, and 6500 Series Switches and Cisco Nexus® 7000 Series Switches interact with network users for authentication and authorization. Access to the network is dictated by policy, user identity and other attributes. Flexible authentication methods include 802.1X, web authentication and MAC authentication bypass, all controlled in a single configuration for each switch port. Furthermore, Cisco switches can tag each data packet with user identity information (a Security Group Tag) so that additional controls can be deployed anywhere in the network. Cisco Nexus switches also support MACsec for data-in-motion confidentiality and integrity protection.
• 3. Don’t lose sight of the gems. Achieve virtual visibility without the overload penalty.

As adoption of virtualization gains momentum, data centers worldwide are building out their virtualized components. The growing adoption of hypervisor technologies creates monitoring, security and compliance challenges because traffic between virtual machines on the same host crosses a virtual switch and never reaches a physical port where a tap or SPAN session could see it. Several solutions exist to improve the manageability and visibility of virtual systems.

Nexus 1010 Virtual Services Appliance: One of Cisco’s “hidden gems”

Cisco Nexus 1010 VSA is an optional appliance that can provide improved management and scalability in Cisco Nexus 1000V Switch and VMware vSphere deployments. The Cisco Nexus 1000V can be deployed exclusively as software running in a VMware vSphere cluster; Cisco Nexus 1010 VSA provides an additional deployment option, allowing administrators to completely offload the management functions handled by the Cisco Nexus 1000V Virtual Supervisor Module (VSM). This approach gives administrators improved scalability and availability for the VSM. Cisco Nexus 1010 VSA offers impressive benefits:
• A dedicated appliance for VSMs simplifies the overall design and management of the VMware vSphere cluster by moving the VSMs off the VMware hosts. Eliminating the dependency on VMware means that networking services no longer depend on the VMware server being up and running, which can be helpful during scenarios such as data center restarts.
• Because the Cisco Nexus 1010 VSA runs Cisco NX-OS and VSMs are installed on the VSA instead of on a VMware vSphere server, the network operations team works in a familiar environment and gets a total Cisco installation experience.
• The automatic support of active-standby VSMs improves overall system availability.

But Cisco’s switch doesn’t provide the same level of visibility as a true network Tap. So the question becomes: how do you achieve the 100 percent visibility that you need for compliance and security purposes?

Phantom Virtual Tap to the Rescue for Total Inter-VM Visibility—Penalty-Free

Net Optics’ groundbreaking Phantom Virtual Tap was engineered to monitor traffic going through the Cisco virtual switch using Nexus 1000V. The key to this advantage is visibility: Phantom enhances network visibility, including inter-VM traffic monitoring, without suffering from the inherent limitations of hypervisor SPAN ports. This makes it an ideal security and compliance resource that:
• Delivers 100 percent visibility of traffic passing between VMs on hypervisor stacks
• Supports best-of-breed hypervisors and virtual switches
• Integrates seamlessly with the hypervisor at the kernel level
• Eliminates promiscuous probes or counterintuitive shaping and routing
• Bridges virtual traffic to physical monitoring tools

Net Optics Phantom Virtual Tap gives security tools the visibility they need to protect records and transactions from malicious intrusion, while documenting compliance with regulations such as Payment Card Industry (PCI) standards and SOX-404. Virtualization presents a new, unique set of challenges for auditors needing visibility of virtualized as well as physical data. This makes the Phantom Virtual Tap a welcome resource. Whether the concern is passing encrypted credit card numbers between infrastructures, monitoring derivatives, or conducting other complex transactions, the Phantom Virtual Tap keeps data isolated, secure and verifiable.

4. “SLA” yourself. Use built-in IP SLAs to benchmark and monitor the health and performance of your network

Cisco IOS IP Service Level Agreements (IP SLA) is a hidden gem built into most Cisco devices that deserves more widespread knowledge and use than it has been getting. This component is a network’s best friend, letting you measure and benchmark performance, identify issues and alert when you drift off your benchmarks. The value is self-evident. A network engineer may need to evaluate a design or a QoS approach. It’s a natural for troubleshooting the network. And with its focus solely on performance metrics, IP SLA helps validate new business-critical IP applications and IP services that carry data, voice and video over an IP network. Cisco has augmented traditional service level monitoring and made the IP infrastructure application-aware by measuring both end to end and at the IP layer. With Cisco IP SLA, you can verify service guarantees, increase network reliability, proactively identify network issues and increase return on investment (ROI) by streamlining the deployment of new IP services. Cisco IP SLA uses active monitoring: it generates synthetic probe traffic (for example ICMP echo, UDP jitter or HTTP operations) on a fixed schedule, so measurements are continuous, reliable and predictable rather than dependent on whatever user traffic happens to be flowing. One caveat follows from that: because the probes are synthetic, a probe can succeed against a responder that is up while the real application path is degraded, so match probe type, destination and ToS marking to the service you are actually measuring.

5. NetFlow is your friend. Learn it. Use it. Support it.

I’ll bet all of you have NetFlow—and I’ll also bet that most of you are not using it to its full extent or gaining full benefit. Surprisingly few people know how to get the most out of this unique technology, qualifying it as a bona fide hidden gem. This is surprising because it shines very brightly, particularly for security and compliance purposes.
• NetFlow is a feature of Cisco IOS software that monitors packet flows across a router or switch. For each flow (traditionally keyed on source and destination IP address, source and destination port, protocol, ToS byte and input interface) it records metadata such as packet and byte counts, start and end times, TCP flags and interfaces, and exports those records to a collector. It does not capture packet payloads; that is what keeps it cheap enough to enable on every device, and what makes it a record of who talked to whom rather than of what was said. With NetFlow, you can follow a particular IP address and see which hosts it communicated with, over which interfaces, when, for how long and how much data moved. For service providers this information is critical in billing customers for differentiated services or QoS; for security teams it is the raw material for spotting scans, beaconing and bulk data exfiltration after the fact. Another benefit is that NetFlow ties into excellent open-source and public-domain collectors you can use in any size of deployment.

Two caveats before building detections on it: flow records are cut on timers (on IOS the active-flow timeout defaults to 30 minutes and the inactive timeout to 15 seconds), so one long transfer appears as several records, and sampled NetFlow misses short flows entirely.

So—why should NetFlow be a hidden gem? Maybe it’s merely perceptions that prevent users from taking advantage of all it has to offer—such as the “it’s difficult to deploy” perception. Not so! Your NetFlow vendor can help, and can make sure you have NetFlow version 9 (the template-based export format, RFC 3954) or its IETF successor IPFIX, along with the free tools that work with them, to enhance your Cisco investment.

Cisco’s suite of virtual data center offerings is growing. The launch of such products as the Nexus 1000V and VN-Link means that thousands more organizations can now utilize Cisco solutions to support their data center virtualization plans. But even as virtualization soars, stringent regulations proliferate and threaten to clip the productivity and competitiveness wings of companies lacking intelligent access and monitoring solutions.

Virtual Visibility Plus NetFlow Eases Compliance and Security Tasks

Now you can take NetFlow-generated network statistics and integrate them with Director xStream Pro for almost unlimited compliance visibility. Net Optics is the only company capable of providing the enterprise-level reliability in monitoring and access demanded by Cisco’s Data Center 3.0 environments. The Phantom solution enables faster and broader adoption of virtualization technologies concurrent with Cisco’s advances across organizations worldwide.
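As an added example (not from the eBook, from Cisco or from any NetFlow vendor), the Python below packs a handful of constructed flow records into a NetFlow version 5 export datagram, parses it the way a collector would, scales the counters by the sampling rate carried in the header, and applies one metadata-only detection: a source whose bare-SYN flows touched many distinct destination ports. Version 5 is used because its fixed 48-byte record is short enough to show here; a v9 or IPFIX collector has to read templates first but ends up with the same fields. The addresses, ports, counters and the collector threshold are all made up.

```python
"""NetFlow v5 export parsing plus a scan heuristic over flow metadata (added example)."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


def build_v5_export(flows, sys_uptime=120_000, unix_secs=1_700_000_000,
                    flow_sequence=1, sampling_interval=0):
    """Pack flow tuples into one v5 datagram, as a router would send to the
    collector over UDP. Used here only to construct offline test input.
    flows: (src, dst, sport, dport, proto, pkts, octets, tcp_flags, first_ms, last_ms)"""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, sampling_interval)
    records = [
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2,                       # input / output ifIndex
                       pkts, octets, first, last,  # counters, SysUptime stamps (ms)
                       sport, dport,
                       0, flags, proto, 0,         # pad1, tcp_flags, prot, tos
                       0, 0, 0, 0, 0)              # src_as, dst_as, masks, pad2
        for src, dst, sport, dport, proto, pkts, octets, flags, first, last in flows
    ]
    return header + b"".join(records)


def parse_v5(datagram):
    """Decode a v5 datagram into flow dicts. Refuses a wrong version or a
    truncated packet instead of silently returning partial data."""
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"truncated export: {len(datagram)} < {expected} bytes")
    rate = (sampling & 0x3FFF) or 1   # low 14 bits: 1-in-N sampling; 0 means unsampled
    flows = []
    for i in range(count):
        (src, dst, _nh, ifin, ifout, pkts, octets, first, last, sport, dport,
         _pad1, tflags, proto, tos, _sas, _das, _sm, _dm, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "tcp_flags": tflags, "tos": tos, "in_if": ifin, "out_if": ifout,
            "packets": pkts * rate, "octets": octets * rate,  # undo sampling
            "duration_ms": last - first, "seq": seq, "export_time": secs,
        })
    return flows


def suspected_scanners(flows, min_ports=5):
    """Sources whose SYN-only TCP flows touched at least min_ports distinct
    destination ports. Pure metadata: no payload is needed for this signal."""
    ports_by_src = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["tcp_flags"] == SYN:
            ports_by_src[f["src"]].add(f["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


# Constructed sample export: one host probing eight ports with bare SYNs,
# one ordinary HTTPS session, one DNS lookup. All values are made up.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 40000 + i, p, TCP, 1, 60, SYN, 1000 + i, 1000 + i)
    for i, p in enumerate([21, 22, 23, 80, 139, 443, 445, 3389])
] + [
    ("10.0.0.7", "192.0.2.20", 51234, 443, TCP, 42, 31337, SYN | ACK | 0x08 | 0x01, 2000, 9500),
    ("10.0.0.7", "10.0.0.53", 53001, 53, UDP, 1, 78, 0, 2100, 2100),
]
SAMPLE_EXPORT = build_v5_export(SAMPLE_FLOWS)

if __name__ == "__main__":
    decoded = parse_v5(SAMPLE_EXPORT)
    for f in decoded:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} "
              f"flags=0x{f['tcp_flags']:02x} {f['octets']}B {f['duration_ms']}ms")
    print("suspected scanners:", suspected_scanners(decoded))
```

Note what the record does and does not give you: enough to see that 10.0.0.5 walked eight ports on one host and that 10.0.0.7 moved about 31 KB over a 7.5-second TLS session, but nothing about the contents of either. The sampling-rate scaling is the reason the `packets` and `octets` fields should be treated as estimates on sampled exporters, and the explicit length check matters because a collector that trusts `count` without it will read past the end of a short datagram.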
Net Optics Is a Close Fit, Now and in the Future, with Cisco’s Vision

Net Optics solutions work hand-in-glove with Cisco products to deliver monitoring and access capabilities to Cisco’s Data Center 3.0 environments and beyond. Right now, by providing total visibility of data and traffic running through Cisco’s Virtual Infrastructure solutions—including VN-Link with Cisco Nexus 1000V—the Net Optics Phantom Virtual Tap is a vital resource for compliance, security and management in your Cisco environment. This tight integration helps to fortify Cisco’s multi-tier data center vision and spur faster, broader adoption of virtualization technologies in organizations worldwide.

Find out more about how Net Optics helps you put the Top Five to work in your Cisco environment: visit www.netoptics.com or contact Net Optics at (408) 737-7777.

• Net Optics, Inc., 5303 Betsy Ross Drive, Santa Clara, CA 95054. (408) 737-7777. twitter.com/netoptics www.netoptics.com