IT Security Refresh: More Practical Tips for a Good Foundation (Part 2)
NetCraftsmen sent a large group of our employees to Cisco Live 2018 with three main goals. First, we wanted to focus on learning and growing our capabilities. Second, we wanted to enhance our relationships with our customers, prospective customers, and partners. Finally, we wanted to get to know many of the attendees as potential future employees as we continue to grow our company.
As you will read below, our attendees learned a LOT at Cisco Live. Our collective learnings will directly benefit our current and future customers.
If you attended our Happy Hour Tuesday evening, you were able to network with NetCraftsmen’s best, enjoy craft beer and food, and build a closer relationship between us. If you missed our Happy Hour, we will do it again in San Diego at Cisco Live 2019!
And, we were fortunate to meet many attendees who have what it takes to join us in the future.
Below, you will find the NetCraftsmen attendees' highlights from Cisco Live 2018!
I refreshed on Multi-Cloud with Shannon McFarland’s talk BRK-CLD-3440: Multi-Cloud Networking: Design and Deployment. It was stellar, not to mention comprehensive, as Shannon’s presentations usually are. This and associated sessions are key readings if you’re designing cloud connectivity. Note it also spoke to Azure and Google, and the slide deck contains sample CLI to spin up instances, configure virtual routers, etc. You might want to first read BRKARC-2023: Building Hybrid Clouds in Amazon Web Services with the CSR 1000v. Also, very well done! I can see SD-Access is moving fast in terms of features. If you have it and ACI (or even without ACI), BRKDCN-2489: Cisco SD-Access – Integration with Data Center Architectures was quite useful. I also sat in on a couple of IPv6 presentations to catch up on new points of interest and refresh some of my IPv6 neurons. Good stuff!
My 2018 Cisco Live was focused on training in data center network architecture, related overlay networks, and security topics for my primary government client. I participated in several ACI (Application Centric Infrastructure) sessions to better understand where, when, and why to deploy it, ultimately deciding that it is probably not the right fit at this time for my client. The OTV (Overlay Transport Virtualization) Operation and Troubleshooting session was one of the highlights of the week, giving me key tips and the confidence to deploy it in my client’s network. Lastly, the several security sessions I attended reinforced the vigilance required in network design and operation to harden and secure networks. I learned that there is a packet capture function built into ASA firewalls that I was formerly unaware of, and I have now added it to my toolkit for future troubleshooting. After the week in Orlando, I came away better equipped to help my client achieve their network objectives and goals.
Network automation is a real industry focus and one that is gaining interest and traction. After starting the week with an SDN session presented by Jason Davis, it was clear that there is an ever-growing presence of development-savvy engineers looking to “work smarter, not harder” not only for themselves, but also fellow colleagues and customers. In terms of products, I heard DNA Center mentioned several times throughout the week.
Interest in and adoption of SD-WAN solutions (specifically Viptela) is definitely real. A lot of these sessions were booked or waitlisted well in advance of the week. I fortunately was able to get a seat in a large session focused on Viptela Data Center and Branch Integration design. Given the large room for the session, the number of attendees, and the number of questions asked, it’s safe to say that many partners and customers are finding value in the Viptela solution.
On the collaboration front, Cisco is still committed not only to remaining a leader in the market but also to providing interoperability across vendor platforms. The B2B / federation sessions for Cisco and Skype / O365 were well attended and very informative, as always. Expressway combined with Cisco Meeting Server is the centerpiece of interop between the Cisco and Microsoft collaboration worlds. Expressway X8.9 introduced a traffic classification capability that can identify SIP variants and determine whether specific workloads are Cisco or Microsoft and route them accordingly. CMS is then used as an external transcoder for video interop between the two solutions.
At Cisco Live 2018, my focus was SD-WAN. Most of the sessions that I attended were focused around the Viptela Architecture, Implementation, Migration and troubleshooting. Like most other engineers attending these sessions, there were multiple questions around interoperability and support functionality. One of the key takeaways for me was geared towards branding / marketing. Many attendees referenced Viptela when discussing this new technology. Cisco was quick to inform individuals that we must say “Cisco SD-WAN powered by Viptela”. I guess it’s not what you say, but how you say it…
One of my most memorable moments came when we attended the Healthcare tour in the World of Solutions (WoS). We attended this tour with one of our customers. The key takeaway for me was my introduction to the Infrastructure Adoption Model (INFRAM). Cisco has partnered with HIMSS Analytics to create the first-ever infrastructure maturity model offered by the organization. INFRAM focuses on the following five domains:
INFRAM leverages seven stages that outline the info systems maturity level. Look for a blog post regarding INFRAM as we gather more information and work with our customer on this adoption model.
This year at Cisco Live I deliberately focused on SD-WAN / Viptela as a way of jump-starting my knowledge. I did some pre-conference research and reading of whitepapers.
At Cisco Live, my Viptela experience included attending five technical breakout sessions, completing two walk-up labs to get some hands-on practice, and participating in a meet-the-engineer session with two Viptela engineers (there were also some brief discussions with other engineers).
At a high level, the Viptela SD-WAN components consist of:
The key features of Viptela SD-WAN include transport independence (run WAN edge routers data plane over whatever you have), cloud-managed, end-point options (vEdge or Cisco ISR / ASR), integrated security, and application quality of experience (real-time application monitoring with dynamic path control).
Overall, I found that the SD-WAN / Viptela solution looks quite intriguing right now, and I expect in the very short-term to start helping customers deploy it.
Next steps for me include more in-depth training, further hands-on work, and some future blogs.
I primarily focused on Cisco’s SD-WAN solution and their architecture strategy. The centerpiece is the Viptela acquisition. Phase 1 of Cisco’s integration strategy is based exclusively on the Viptela SEN with the vManage, vSmart / vBond, and vEdge appliances.
Phase 2 of the integration plan extends vEdge capabilities into IOS-XE platforms, such as the ISR. This will be delivered as an alternative platform OS, where the IOS-XE device provides the data plane and the vManage and vSmart provide the management and control plane, respectively. Phase 3 is focused on delivering an end-to-end experience with full DNA integration, including integrated workflows for SD-Access and SD-WAN.
I walked away from the various SD-WAN sessions with a better understanding of the Viptela components and the benefits of fabric architectures such as SD-WAN, particularly the simplicity and the opportunity to implement consistent policy enforcement.
Automation and programmability were central themes spun throughout the conference. I believe this is the fourth year for DevNet Zone and it is even bigger than last year, which I thought was pretty large. It has been clear for the last 2-3 years that network engineers will need to understand APIs and data structures as part of their job role. Whether they develop applications to manipulate the APIs or parse data structures or not is immaterial. They will need to understand how these pieces go together or, more importantly, why there is a need for this level of abstraction. In the end, an API is just another way to interact with a device or piece of software, no different than the CLI or a GUI. APIs just give us a way to provision complex systems or retrieve structured data.
I started my IT career as a software developer and, in part, that is how I got into UC and Collaboration, where APIs have been a staple of my daily job role. So, I am pretty stoked about how this is all shaking out.
This was my first year attending Cisco Live as a Cisco Champion, and so I took advantage of several opportunities Champions had for behind-the-scenes tours and NDA “whisper suite” briefings where we could peek into the future. Overall, I came away impressed. There weren’t a lot of big product or technology announcements at Cisco Live this year, but the ones from last year have matured and started to become real, and there’s clearly more to come. In particular, network design is changing, and embedding identity-awareness into an intelligent network is becoming realistically viable for many more customers than it ever was before. DNA Center is real.
My focus at the conference was on security-related topics with some enterprise networking mixed in. Here are a few selected highlights:

In Optimizing Your FirePower/FTD Deployment, I learned how to build hierarchical policy sets in FMC to leverage inheritance in a way that will improve both security and supportability. In Dissecting Firepower-FTD & Firepower-Services, a TAC engineer worked us through a number of troubleshooting scenarios and tips for improving firewall performance (by 2-3 times in some cases).

In Advanced ISE Services, Tips & Tricks, the session was filled with worthwhile tidbits, like links for the ISE Design Guides at http://cs.co/ise-guides and mention of a bug that caused people to deploy virtual appliances with too few vCPUs assigned (CSCvh71644). I really appreciated the insight into how the bug came to be, and I plan to check VM-based ISE installations I come across in the future to make sure they have the right number of vCPUs. I took more notes in this ISE session than in any of the other technical sessions I attended.

In Advanced Security Group Tags, Darrin Miller was able to give good, concrete examples of SGT use cases and caveats. One thing I particularly noted here was that FTD cannot use an SGT as the destination in its policies. I’m looking forward to deploying SGTs as part of an upcoming SD-Access solution to improve internal segmentation for one of our customers soon, and knowing those kinds of caveats up front can help a lot.

DevNet had some great security-focused exercises. Seriously, if you’re into Cisco security, getting hooked up with DevNet can help you build key skills for increased productivity. DevNet is worth doing.
Between DevNet, the vendor spaces in World of Solutions, the Walk-in-Self-Paced (WISP) labs, and technical sessions, I was able to get a good mix of personal interactions and worthwhile classes this year. I always recommend prioritizing the people you meet at an event like this since the training is available for later reference. I’ve already started filling in some of the sessions I couldn’t get to in person by skimming through the slide decks or watching the video replays of them, and I heartily recommend you check out some of these great sessions at your convenience in the On-Demand learning section of the Cisco Live website. I didn’t come close to doing everything I wanted to do at Cisco Live this year, but I’m already looking forward to Cisco Live 2019!
My biggest takeaway from Cisco Live this year was the conviction that if you are a network engineer, you will be left behind unless you learn something about coding. Software-defined networking is real and not going away. Python is built into some equipment; Ansible is an easy tool for scripting network changes; APIs give you the ability to integrate with multiple applications. You may not end up as a DevOps person, but you need to be able to understand and take advantage of the way network equipment is now a platform, not just hardware. Cisco is devoting a lot of resources to help network engineers learn “NetDevOps” at no charge, including classes, blogs, and sandboxes. Check out the following links:
Cisco Live 2018 seemed to be full of automation. Everywhere I looked there were examples of automating network configuration and control. Perhaps I was focused on automation, since I had signed up for a full set of automation sessions. But the topic kept appearing, from the keynotes to the larger-than-before DevNet section in the World of Solutions. I also took advantage of the opportunity to talk with several experts who are using automation in real networks. Nick Russo, a Cisco engineer, has been working with a customer for almost a year to get them accustomed to automation. He started with some simple data collection automation scripts, then advanced to collecting basic troubleshooting data. After using his tools for a while, the customer asked about automating the maintenance of a big, problematic NAT table. By addressing a major source of trouble, he was able to help the customer learn how to apply automation without the risk of network downtime. I’ll be using the information from the technical sessions along with the examples from Nick to help our customers with the migration from “Finger-Defined Networking” (acknowledgement to Jason Davis of Cisco for the definition of FDN) to true automation.
Cisco Live refreshed me on all things SD-WAN with BRKRST-2091 – Cisco SD-WAN (Viptela) Data Center and Branch Integration Design and BRKCRS-2112 – Serviceability for Next Generation SD-WAN, and I had several private discussions with Viptela staff. I also finalized a deal with Criterion Networks, the Viptela training partner.
I also sampled a number of Cloud meetings, but mostly the shorter presentations at the World of Solutions.
Given our utility relationships, I also attended SOLIOT-1016 – The New Digital Utility and did a number of IoT follow-ups, split between power utilities and medical applications.
Apart from that, I spent a fair amount of time hanging out in the DevNet area, initiated a discussion with Red Hat, and helped establish ourselves as a Red Hat Ansible partner. Additionally, I spent time with both the ThousandEyes team and the Logzilla team on our existing partnerships.
I found a number of interesting potential partners and was introduced to Exabeam (a newer SIEM vendor).
Cisco Live was very busy and tiring, but the movement between the Keynotes, Sessions and the World of Solutions had me averaging about 12,000 steps per day, which made up for the time and calories spent entertaining clients.
Attending Cisco Live for the first time was an experience full of excitement. Being able to talk to other engineers and attending technical sessions and walk-in labs provided insights into building new skills. With evolving technologies like Software Defined Networking (SDN) and SD-WAN, it is becoming essential to acquire new skills with programming languages, such as Python, and not only be an expert in the traditional routing and switching technologies. It was also an amazing experience being part of such a huge event with all the fun activities and entertainment!
As the Vice President of Sales, my focus at Cisco Live was spending time with our customers as opposed to focusing on technical content. One of the things I heard from several of my clients was that they thought the sessions were somewhat valuable, but where they really found the most value was the access to the product managers and people from the BU. They appreciated being able to ask direct questions in a small setting and the candid feedback they received from those Cisco resources.
Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, DerbyCon, and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his PlayStation.
Virgilio “Bong” has sixteen years of professional experience in the IT industry, spanning academia, technical and customer support, pre-sales, post-sales, project management, and training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications, including Fire Jumper Elite.
John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.
He is an expert in working with groups to identify business needs and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure network infrastructure and data centers, and has worked on projects worldwide. He has worked in both business and regulatory environments on the design and deployment of complex IT infrastructures.