About Net Optics, Inc.
Net Optics is the leading provider of Intelligent Access and Monitoring Architecture solutions that deliver real-time IT visibility, monitoring and control. As a result, businesses achieve peak performance in network analytics and security. More than 7,500 enterprises, service providers and government organizations—including 85 percent of the Fortune 100—trust Net Optics’ comprehensive smart access hardware and software solutions to plan, scale and future-proof their networks through an easy-to-use interface. Net Optics maintains a global presence through leading OEM partner and reseller networks.
Net Optics Top 5 Ways to Enhance Your Cisco Environment
About the Author
Sharon Besser, VP of Technology, Net Optics Inc.
Sharon Besser has successfully created, developed and launched new security products for some of the industry’s leading technology vendors. Before joining Net Optics he served as Vice President of Product Strategy for Imperva, a leader in application data security and compliance. Previously, he served at Websense, a leading provider of content filtering and web security solutions, where he was director of products. At Websense, Besser was primarily responsible for the Content Protection Suite, which the independent research firm Gartner recognized as the market leader. Prior to Websense, Besser was director of products at PortAuthority Technologies, a provider of information leak prevention solutions that was acquired by Websense. Besser also served as director of Security Solutions for security vendor Check Point Software Technologies.
Earlier in his career, Besser founded PubliCom, a provider of integrated data security and communications solutions, which was acquired by COMSEC. Besser holds a B.Sc. in Mathematics, Computer Science and Geography from Bar-Ilan University in Israel.
Net Optics is a registered trademark of Net Optics, Inc. Additional company and product
names may be trademarks or registered trademarks of the individual companies and are
respectfully acknowledged. Copyright 1996-2013 Net Optics, Inc. All rights reserved.
Top Five Ways To Enhance Your Cisco Environment
The Secrets You Will Want To Know
When it comes to Cisco technology, most of us have wondered if we could
do more to get the most out of our investments. Are we aware of all the
“hidden gems”—advantages tucked away within the architecture that could
put us ahead of the game with relatively little effort?
Five Ways to Say Eureka!
Recently, I delivered a talk at Cisco Live in which I presented the Top Five
efficiency gems that can be a real bonanza for your Cisco investment. I’ll
share those configuration and design tips here for using Cisco technology
to the utmost in monitoring and security. In addition, I’ll discuss ways to
use access switching and built-in Cisco features more effectively. Finally,
I’ll cover key points to consider in relation to data center operation,
interconnect and security.
The Top Five at a Glance
1. Not all switches are created equal. Store-and-forward vs cut-through.
Choose the right switch architecture and boost your efficiency.
2. Make sure you’re SEC(ure). Use the MACsec (IEEE 802.1AE) protocol to
provide switch-port-level encryption.
3. Don’t lose sight of the gems. Achieve virtual visibility without the
overload penalty.
4. “SLA” yourself. Use built-in IP SLAs to benchmark and monitor the health
and performance of your network.
5. NetFlow is your friend. Learn it. Use it. Support it.
The Cisco Data Center: A Rich Vein of Productivity
The multitiered Cisco data center is at the heart of today’s computational power,
volume storage and sophisticated applications. It represents the leading edge of
progress and potential in scalability, performance, flexibility and maintenance/
management. Naturally, efficient planning is key for resilience, agility and investment
value.
By investing in Cisco, you’ve staked your claim to the future of virtual computing. Now
let’s mine those gems to strike it rich in optimizing your investment.
1. Not all switches are created equal.
Store-and-forward vs. cut-through.
Choose the right switch architecture and boost your efficiency.
Today you have a choice of two switching categories: 1) store-and-forward; and 2) the newer cut-through switching, which is increasingly popular for high-speed, low-latency applications. Which one is right for you depends on several factors.
Store-and-forward switching accepts the complete frame into the switch buffers for
error checking before forwarding on to the network. Cut-through switching reads only
the destination MAC address (the first six bytes of the frame following the preamble) to
determine the switch port to forward traffic to.
With store-and-forward switching, the LAN switch copies the entire frame into its onboard buffers and computes the cyclic redundancy check (CRC). The frame is discarded if it contains a CRC error, if it is a “runt” (less than 64 bytes including the CRC) or if it is a “giant” (more than 1518 bytes including the CRC for untagged Ethernet; the limit rises to 1522 bytes for 802.1Q-tagged frames and to whatever MTU you configure on ports that carry jumbo frames). If the frame contains no errors, the LAN switch looks up the destination address in its forwarding, or switching, table and determines the outgoing interface. It then forwards the frame toward its destination.
Cut-Through Switches Reduce Latency in the LAN
A cut-through switch reduces latency because it begins to forward the frame as soon
as it reads the destination address and determines the outgoing interface—even
before the entire payload is received. The primary advantage of this approach lies in
the amount of time the switch takes to start forwarding the packet (known as switch
latency), which is on the order of a few microseconds, regardless of packet size. So, if
latency issues are foremost for you, then cut-through switches will give you a better
night’s sleep.
Take a theoretical application using 9000-byte jumbo frames. A store-and-forward switch cannot send the first bit until the last bit has arrived, so the saving from cut-through is roughly the frame’s serialization time: 9000 bytes is 72,000 bits, which is about 7.2 microseconds at 10 Gbps, 72 microseconds at 1 Gbps and 720 microseconds at 100 Mbps. A cut-through switch can therefore forward the frame a few microseconds to a few milliseconds earlier than its store-and-forward counterpart, depending on link speed (a few microseconds in the case of 10-Gbps Ethernet). Cut-through switches are naturally more suited to extremely demanding, high-performance computing (HPC) applications that require process-to-process latencies of 10 microseconds or less.
When Cut-Through Switching Is Not the Ideal Approach
Certainly, store-and-forward switching adds to the time it takes for a frame to get from source to destination, because the switch waits until it has received the entire frame and checked it for errors, comparing the frame check sequence (FCS) at the end of the frame against its own CRC calculation. That additional time is spent ensuring that the frame is free of physical and data-link errors. Invalid frames are dropped, whereas a cut-through device has already begun forwarding a frame before it can see a bad FCS, so the corrupt frame travels on until the next store-and-forward switch or the receiving NIC discards it. In practice this means that on a cut-through fabric a failing link shows up as rising CRC and input-error counters (show interfaces) on ports several hops downstream rather than on the port that produced the errors, which is worth remembering when troubleshooting. A store-and-forward switch can also perform ingress buffering, which gives it the flexibility to support any mix of Ethernet speeds.
For Cisco, advances in ASIC design and related progress now enable cut-through functions that are far more capable than in the past. With better load-balancing abilities and other functions, Cisco switches such as the low-latency Cisco Nexus 5000 or the Cisco Catalyst family can perform low-latency switching while still preserving the inspection advantages of store-and-forward switching.
So now you can make an informed decision as to whether store-and-forward switching is worth the delay. In financial services and other HPC applications, where speed is of the utmost importance, you probably want to reduce latency to the lowest possible level by using the cut-through approach.
Industries that employ HPC include:
• Oil and gas exploration
• Automotive and aerospace manufacturing
• Biosciences
• Financial data mining and market modeling
• Academic and government research
• Climate and weather simulation
2. Make sure you’re SEC(ure).
Using MACsec (IEEE 802.1AE) protocol to provide switch-port-level encryption.
When it comes to protecting data in motion, there are not many options. Encryption is considered one of the better methods, but the usual choices (IPsec tunnels, or TLS built into each application) often require installing and managing client software on every host.
MACsec to the Rescue
The MACsec protocol provides a method to encrypt data between two Layer 2 points, such as neighboring network switches, without requiring an additional server application or a redesign of the rest of the infrastructure. MACsec lets you encrypt data communications between a switch and any attached device, most importantly on wired LANs. The protocol was standardized by the Institute of Electrical and Electronics Engineers (IEEE) as IEEE 802.1AE, and the keys it uses are agreed by the MACsec Key Agreement (MKA) protocol defined in IEEE 802.1X-2010. Every protected frame carries an integrity check value and a packet number, so MACsec ensures the integrity and freshness of each frame on the link as well as its confidentiality.
Cisco provides switch-port-level encryption based on IEEE 802.1AE (MACsec) that spans the network, from endpoints to the access layer and all the way to the data center. Data encryption uses the 128-bit Advanced Encryption Standard (AES) cipher in GCM mode (the GCM-AES-128 cipher suite), which encrypts the payload and authenticates the whole frame. Encryption lets you defeat man-in-the-middle attacks, snooping, frame injection and other forms of on-link intrusion and compromise. Keep its scope in mind, though: MACsec is hop-by-hop, so frames are decrypted inside each switch and are visible in the clear there (including on any SPAN session), and it is no substitute for end-to-end protection such as TLS between applications. Layer 2 encryption can be implemented between an endpoint device and an access switch, or between switch ports.
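As an added configuration example (not from the original eBook and not Cisco’s own documentation), the following shows both deployment shapes on a Catalyst-class switch: a manually keyed switch-to-switch uplink using Cisco’s SAP negotiation under cts manual, and an 802.1X/MKA-keyed host port that refuses clear-text fallback. The interface names, VLAN, policy name and the placeholder PMK are assumptions, and the exact command set varies by platform and IOS release, so check it against your switch’s command reference.

```cisco
! Added example: MACsec on a Catalyst-class switch (IOS syntax; verify per platform)
!
! --- (a) Switch-to-switch uplink, keyed manually with a pre-shared PMK ---
! The same PMK must be configured at the far end. The value below is a
! placeholder, not a real key: generate 32 random hex digits for production.
interface TenGigabitEthernet1/1/1
 description Uplink to DC-CORE-1, MACsec GCM-AES-128
 cts manual
  no propagate sgt
  sap pmk 0123456789ABCDEF0123456789ABCDEF mode-list gcm-encrypt
!
! --- (b) Host-facing access port, keyed by 802.1X / MKA ---
! Assumes AAA and "dot1x system-auth-control" are already configured and
! that the endpoint runs a MACsec-capable supplicant.
mka policy MKA-HOSTS
 replay-protection window-size 0
!
interface GigabitEthernet1/0/10
 description User port, must-secure: no clear-text fallback if MKA fails
 switchport mode access
 switchport access vlan 10
 macsec
 authentication port-control auto
 authentication linksec policy must-secure
 mka policy MKA-HOSTS
 dot1x pae authenticator
!
! --- (c) Verify that the link is actually encrypting ---
! show macsec summary                            one line per MACsec-enabled port
! show macsec interface TenGigabitEthernet1/1/1  cipher, SCI, encrypt/decrypt counters
! show cts interface TenGigabitEthernet1/1/1     SAP state and negotiated mode (gcm-encrypt)
! show mka sessions                              live MKA sessions on host ports
```

Listing only gcm-encrypt in the SAP mode-list (rather than gcm-encrypt followed by null) means the uplink does not come up in the clear if negotiation fails, which is the behavior you want on a link you are relying on for confidentiality; must-secure does the same for the host port. After the link is up, confirm with the show commands that the negotiated mode is gcm-encrypt and that the encrypted-packet counters are increasing, rather than trusting the configuration alone.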
MACsec, Cisco, and Net Optics: a Triple Compliance and Security Solution
MACsec is probably the best prescription on the market for CSO and CIO peace of
mind. In a landmark Cisco Live demo in Cisco’s own booth, visitors could see in real
time just how effectively Cisco’s new MACsec software protects the confidentiality of
network LAN traffic. In MACsec-enabled switches, packets are encrypted on exiting the
transmitting device and decrypted on entering the receiving device. They are “in the
clear” only when they are within the respective devices.
To prove the point, Net Optics HD8 Fiber Taps™ passively gathered data on the
connections, sending transmissions to Net Optics Director xStream Pro™, which
collected and displayed the data clearly in its user interface.
The difference was dramatic. Unencrypted traffic from the non-MACsec machine, a Cisco 3500 switch, plainly revealed its protocols and payloads to anyone holding a tap on the link, an open invitation to malicious intrusion. But the MACsec-protected traffic flowing from the Cisco 6500 switches showed only MACsec frames (EtherType 0x88E5) with encrypted payloads; the protocols and data inside could not be read.
Cisco Catalyst and Nexus Switches: Cisco Catalyst® 2900, 3560, 3700, 4500, and 6500 Series
Switches and Cisco Nexus® 7000 Series Switches interact with network users for authentication and
authorization. Access to the network is dictated by policy, user identity, and other attributes. Flexible
authentication methods include 802.1X, web authentication, and MAC authentication bypass, all
controlled in a single configuration for each switch port. Furthermore, Cisco switches can tag each
data packet with user identity information so that additional controls can be deployed anywhere
in the network. Cisco Nexus switches also support MACsec for data-in-motion confidentiality and
integrity protection.
3. Don’t lose sight of the gems.
Achieve virtual visibility without the overload penalty.
As adoption of virtualization gains momentum, data centers worldwide are building
out their virtualized components. The growing adoption of hypervisor technologies
creates monitoring, security, and compliance challenges as a result of virtual
networks, switches and machines. Several solutions exist to improve manageability
and visibility of virtual systems.
Nexus 1010 Virtual Services Appliance: One of Cisco’s “hidden gems”
Cisco Nexus 1010 VSA is an optional appliance that can provide improved
management and scalability in Cisco Nexus 1000V Switch and VMware vSphere
deployments. The Cisco Nexus 1000V can be deployed exclusively as software
running in a VMware vSphere cluster; Cisco Nexus 1010 VSA provides customers
with an additional deployment option, allowing administrators to completely
offload management functions handled by the Cisco Nexus 1000V Virtual Supervisor
Module (VSM). This approach gives administrators improved scalability and
availability for the VSM.
Cisco Nexus 1010 VSA offers impressive benefits:
• A dedicated appliance for VSMs simplifies the overall design and management
of the VMware vSphere cluster by moving the VSMs off the VMware hosts.
Eliminating the dependency on VMware means that networking services are no
longer dependent on the VMware server’s being up and running, which can be
helpful during scenarios such as data center restarts.
• Because the Cisco Nexus 1010 VSA runs Cisco NX-OS and VSMs are now being
installed on the VSA instead of on a VMware vSphere server, the network
operations team is working in a familiar environment and gets a total Cisco
installation experience.
• The automatic support of active-standby VSMs improves overall system
availability.
But Cisco’s switch doesn’t provide the same level of visibility as a true network Tap.
So the question becomes, how do you achieve the 100 percent visibility that you
need for compliance and security purposes?
Phantom Virtual Tap to the Rescue for Total Inter-VM Visibility—Penalty-Free
Net Optics’ groundbreaking Phantom Virtual Tap was engineered to monitor traffic
going through the Cisco virtual switch using Nexus 1000v. The key to this advantage
is visibility: Phantom enhances network visibility, including inter-VM traffic
monitoring, without suffering from the inherent limitations of hypervisor Span ports.
This makes it an ideal security and compliance resource that:
• Delivers 100 percent visibility of traffic passing between VMs on hypervisor stacks
• Supports best-of-breed hypervisors and virtual switches
• Integrates seamlessly with the hypervisor at the kernel level
• Eliminates promiscuous probes or counterintuitive shaping and routing
• Bridges virtual traffic to physical monitoring tools
Net Optics Phantom Virtual Tap gives your monitoring tools the inter-VM traffic they need to detect malicious activity against records and transactions and to document compliance with regulations such as the Payment Card Industry (PCI) standards and SOX Section 404.
Virtualization presents a new, unique set of challenges for auditors needing visibility
of virtualized as well as physical data. This makes the Phantom Virtual Tap a welcome
resource. Whether the concern is passing encrypted credit card numbers between
infrastructures, monitoring derivatives, or conducting other complex transactions, the
Phantom Virtual Tap keeps data isolated, secure and verifiable.
4. “SLA” yourself.
Use built-in IP SLAs to benchmark and monitor the health and performance of
your network
Cisco IOS IP Service Level Agreements, known as IP SLA, is a hidden gem built into most Cisco IOS devices that deserves more widespread knowledge and use than it has been getting. This important component is a network’s best friend: it lets you measure and benchmark performance, identify issues and alert when measurements drift outside the benchmarks you set. The value is self-evident.
A network engineer may need to evaluate a design or evaluate a QoS approach. It’s a natural for helping troubleshoot the network. And with its focus solely on performance metrics, IP SLA helps validate new business-critical IP applications and IP services that carry data, voice and video over an IP network. Cisco has augmented traditional service-level monitoring so that the IP infrastructure itself becomes application-aware, measuring both end to end and at the IP layer.
With Cisco IP SLA, you can verify service guarantees, increase network reliability, proactively identify network issues, and increase return on investment (ROI) by streamlining deployment of new IP services. Cisco IP SLA uses active monitoring: the router generates synthetic probe traffic (ICMP echo, UDP jitter, TCP connect, HTTP, DNS and other operation types) in a continuous, reliable and predictable manner, which makes it an important resource for measuring network performance and health. Because the probes are synthetic, they measure the path even when no user traffic is on it, and a threshold breach can raise a trap or flip a tracked object that other features, such as static routes, react to.
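As an added example (not from the original eBook), here is how the two most useful probe types are set up on an IOS router: an ICMP echo against the WAN gateway with an RTT threshold that raises an SNMP trap, and a UDP jitter probe against a remote site for voice quality, with the first probe also driving a tracked default route. The addresses come from the RFC 5737 documentation ranges; the operation numbers, tags, thresholds and interface names are assumptions.

```cisco
! Added example: IP SLA probes with threshold alerting and route tracking
! (IOS syntax; operation numbers, addresses, tags and thresholds are assumptions)
!
! --- Probe 10: ICMP echo to the WAN gateway every 30 s ---
ip sla 10
 icmp-echo 192.0.2.1 source-interface Loopback0
 frequency 30
 timeout 1000
 threshold 200
 tag WAN-GW-REACHABILITY
ip sla schedule 10 life forever start-time now
!
! Raise an SNMP trap as soon as RTT exceeds 200 ms (clears when it drops
! below 100 ms) or the probe times out. Traps need "snmp-server enable traps ipsla".
ip sla reaction-configuration 10 react rtt threshold-value 200 100 threshold-type immediate action-type trapOnly
ip sla reaction-configuration 10 react timeout threshold-type immediate action-type trapOnly
!
! --- Probe 20: UDP jitter toward a voice site; the far-end router must run "ip sla responder" ---
ip sla 20
 udp-jitter 198.51.100.1 16384 codec g711ulaw
 frequency 60
 tag VOICE-SITE-B
ip sla schedule 20 life forever start-time now
!
! --- Let routing react: the default route follows probe 10's reachability ---
! (older IOS releases use "track 10 rtr 10 reachability")
track 10 ip sla 10 reachability
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! --- Check the numbers ---
! show ip sla statistics 10     RTT, successes/failures, over-threshold count
! show ip sla statistics 20     jitter, packet loss, MOS score
! show track 10                 Up/Down and the routes that depend on it
```

Two practical notes: the jitter probe needs the responder enabled on the far-end router, which opens a control port there, so restrict which sources may reach it with an access list; and keep the probe frequency modest, because every operation is real traffic that also shows up in your NetFlow and firewall logs and is easy to mistake for a scan.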
5. NetFlow is your friend.
Learn it. Use it. Support it.
I’ll bet all of you have NetFlow—and I’ll also bet that most of you are not using it to its full extent or gaining full benefit. Surprisingly few people know how to get the most out of this unique technology, qualifying it as a bona fide hidden gem. This is surprising because it shines very brightly, particularly for security and compliance purposes.
NetFlow is a feature of Cisco IOS software that records the packet flows passing through a router or switch interface. For each flow (a unidirectional stream of packets sharing source and destination address, ports, protocol, type of service and input interface) it records metadata such as byte and packet counts, start and end times, TCP flags and interfaces; it does not capture packet payloads, which keeps export volumes small and makes the data safe to retain. With NetFlow you can pick any IP address and see who it talked to, over which protocol and port, for how long and with how much data, which is exactly what an investigation or a compliance audit needs. For service providers this information is critical in billing customers for differentiated services or QoS. Another benefit is that NetFlow ties into excellent open-source collection and analysis tools that you can use in any size of deployment.
So why should NetFlow be a hidden gem? Maybe it is merely perception that keeps users from taking advantage of all it has to offer, such as the “it’s difficult to deploy” perception. Not so! Your NetFlow collector vendor can help, and make sure your devices export NetFlow Version 9: it is template-based and extensible, so it can carry IPv6, MPLS and Flexible NetFlow fields that Version 5 cannot, and most free and commercial collectors understand it.
Cisco’s suite of virtual data center offerings is growing. The launch of such products
as the Nexus 1000V and the VN-Link means that thousands more organizations
can now utilize Cisco solutions to support their data center virtualization plans. But
even as virtualization soars, stringent regulations proliferate and threaten to clip the
productivity and competitiveness wings of companies lacking intelligent access and
monitoring solutions.
Virtual Visibility Plus Netflow Eases Compliance and Security Tasks
Now you can take NetFlow-generated network statistics and integrate them with Director xStream Pro for almost unlimited compliance visibility. Net Optics is the only company capable of providing the enterprise-level reliability in monitoring and access demanded by Cisco’s Data Center 3.0 environments.
The Phantom solution enables faster and broader adoption of virtualization
technologies concurrent with Cisco’s advances across organizations worldwide.
Net Optics Is a Close Fit, Now and in the Future, with Cisco’s Vision
Net Optics solutions work hand-in-glove with Cisco products to deliver monitoring
and access capabilities to Cisco’s Data Center 3.0 environments and beyond. Right
now, by providing total visibility of data and traffic running through Cisco’s Virtual
Infrastructure solutions—including VN-Link with Cisco Nexus 1000V—the Net Optics
Phantom Virtual Tap is a vital resource for compliance, security and management
in your Cisco environment. This tight integration helps to fortify Cisco’s multi-tier
data center vision and spur faster, broader adoption of virtualization technologies in
organizations worldwide.
Find out more about how Net Optics helps you put the Top Five to work in your Cisco environment. Visit www.netoptics.com or contact Net Optics at (408) 737-7777.
Net Optics, Inc.
5303 Betsy Ross Drive
Santa Clara, CA 95054
(408) 737-7777
twitter.com/netoptics
www.netoptics.com