Cisco Intelligent, Secure Business Platform in the Digital Age

    What does a business need from the network?

    Business leaders of modern companies are rarely interested in the intricacies of IT and the nuances of network technologies. This is not surprising: the result is important for business.

    But the desired business result is obtained thanks to the coordinated work of many business processes. Most of them are related to the transfer of information. And most of these business processes rely on network applications running on top of the network.

    In a modern corporate environment, business cannot work without a network and applications. Moreover, in the era of digitalization and the Internet of Things (IoT), business’s dependence on IT is only increasing, because more and more business-critical applications running on top of the network appear.

    Thus, ensuring the proper operation of network applications, and consequently of the network itself, is crucial for modern companies.

    How to do it?

    To solve this problem, it is necessary to follow the many recommendations described in the design guides and in the special literature. But ultimately, based on them, we can formulate three key areas:

    1. Reliable transport.
    2. End-to-end policies.
    3. End-to-end orchestration.

    At the same time, the most important and necessary component of each area is information security, ideally according to the zero trust or "white list" model, in which access to a specific resource is granted only to those users who have a business need for it.

    Consider these areas in more detail.

    Task 1: reliable transport

    A fundamental and obvious point. The network should work and transmit information from point A to point B whenever the business needs it. Otherwise, business processes will not be able to work, and the business will incur direct or indirect losses.

    Task 2: end-to-end policies

    Transferring information from point A to point B is necessary, but not sufficient. The correct operation of business processes is possible only with the implementation of various kinds of policies. For example, to ensure the confidentiality, integrity and authenticity of information, security policies must be implemented. Another example: the proper quality of business applications requires compliance with the required values of delay, jitter and packet loss, which in turn may require the implementation of a Quality of Service (QoS) policy.

    A peculiarity of policy implementation is that a policy is only as strong as its weakest link. This means that end-to-end policy implementation covering the entire corporate network is required to achieve the desired business result.

    In addition, the absence of policies or their inadequate implementation can lead to problems with the basic task of communication itself. For example, an ineffective implementation of a security policy can let an attack on the network infrastructure or services through, and the complexity of hardware configurations combined with the human factor can lead to configuration errors. Either of these examples creates the preconditions for failures in traffic transmission and unavailability of services.

    Task 3: end-to-end orchestration

    The implementation of policies can only be effective when the policies are consistent with each other and can be promptly updated at the pace needed by the business.

    The realities of modern business dictate the need for prompt updating of these end-to-end policies. This usually happens when new business processes are launched, changes in existing processes or when work is being done to optimize their support from the network. Delays in updating policies are unacceptable, as they will delay the launch of new business initiatives or increase business risks. Therefore, speed is very important, and in terms of digitalization it becomes even more important. A gain in speed can lead to significant financial results. In some cases, speed is so critical that the success of the entire business initiative depends on it.

    To fulfill these conditions and properly implement the policies, orchestration tools are needed that operate along the entire information transfer route — for example, from the computer of a remote office employee to a server in a corporate data center.

    Orchestration tools are becoming an increasingly important and necessary part of the functionality of a modern corporate network. Without them, implementing end-to-end policies across a large number of network infrastructure elements, and then updating them quickly, is simply impossible in practice.

    Solving the first two tasks — ensuring reliable transport and end-to-end policies — is a prerequisite for orchestration. Obviously, any service relies on transport. It is also clear that orchestration is possible only when there are effective, flexible mechanisms for implementing policies. Thus, orchestration is "at the top of the pyramid" of the three tasks considered.

    Difficulties of today's corporate networks

    How are things going in terms of the designated tasks in the typical corporate networks of today?

    Theoretically, a typical corporate network can easily perform task 1 and provide reliable transport, because for this there are the necessary technical means - for example, dynamic routing protocols, high availability tools, etc.

    In practice, solving this problem is much more complicated. In addition to transferring packets from point A to point B, you must also implement policies. And any non-trivial policy affects transport. There are interdependencies between the functionality that implements policies and the functions that solve transport problems. The configuration of network devices becomes much more complicated. As a result, network operation and troubleshooting are also complicated. Maintenance windows get longer, and the probability of error is higher. Ultimately, the availability of the network, and hence of business processes, is reduced. And this is less and less acceptable for business.

    Things are no better with policies. The TCP/IP protocol stack has no means of marking packets as belonging to a group of users or hosts and applying policies to such packets. Therefore, in practice, administrators have to look for a substitute, and the IP address is used almost everywhere as that substitute, although it is not intended for this. Nevertheless, it is the IP address that is usually used as the criterion for a packet belonging to a certain group of users.

    This use of IP addresses creates an interdependence between two different functions — addressing and policy enforcement. Changes desired for one function inevitably affect the other. As a result, the network loses its flexibility. For example, optimizing addressing, like any other significant change to the IP addresses of a corporate network, often becomes almost impossible, because the result is a violation of policies.

    But this is only part of the problem. Work with addresses, as a rule, occurs manually, and the policies based on them become very complex, cumbersome and very vulnerable to the "human factor". As a result, the speed and quality of the application of policies suffers, and the risks of business process disruptions due to network problems significantly increase.

    As for end-to-end orchestration of services, it is absent from the typical corporate network. A real corporate network is rarely homogeneous. Rather, it is built from a set of equipment with heterogeneous functionality, from different manufacturers, with different implementations not only of command line interfaces but also of network protocols and standards. Not all devices have such functionality in the right form and volume. In addition, the equipment configurations of a real network are inconsistent and complex, and over time the complexity and inconsistency tend to increase. Orchestrating services in such a network is not only difficult to implement but also likely to lead to failures due to conflicts between automated and manual approaches to network management.

    Another problem is coordination. Before business intentions are realized as commands on specific network equipment, they must pass through a chain of people from different departments with completely different specializations and mentalities: for example, from business leaders through a chain of managers to specialists in applications, data centers, network technologies and security. Such people "speak different languages." When a task is passed along the chain, its meaning is not always preserved exactly and in full. In addition, the situation is often complicated by the peculiarities of interdepartmental cooperation characteristic of many organizations.

    In the final analysis, the complexity of implementation often leads to the fact that the initiative a business needs is implemented with insufficient quality, not in full, not on time. Sometimes the implementation is so stretched that the initiative becomes obsolete before the implementation is completed. Or the implementation is not carried out at all.

    What does Cisco offer?

    As we saw in the previous section, even the tasks of providing reliable transport and building end-to-end policies, not to mention end-to-end orchestration, are not always satisfactorily solved in a typical modern corporate network.

    But for effective support of business processes, the solution of all three tasks is required - and with high quality and in full.

    Understanding this, Cisco purposefully develops not just new products and technologies, but holistic architectures, such as Cisco DNA, aimed at effective business support.

    Creating such architectures requires end-to-end implementation of policies and orchestration tools. In turn, this requires the manufacturer to have a product portfolio and in-depth expertise in all technological areas covered by the architecture. For a modern corporate network, these areas are wired and wireless local area networks (LAN/WLAN) at the central site and in branches, data center networks, wide area networks (WAN), and end-to-end information security solutions. In addition, the effective implementation of the solution requires additional tools for monitoring traffic and analyzing it down to the application level, supported by powerful analytics.

    Today, Cisco is the only manufacturer able to cover all of these areas. Moreover, Cisco has already implemented solutions in each of the areas. Consider them in more detail.

    Network fabrics: the transport infrastructure of the new generation

    Modern Cisco solutions for building corporate network transport infrastructure are based on the concept of a network fabric. The network fabric includes two network topologies: the underlying IP network, which solves the problem of transferring information from point A to point B, and the overlay network topology that runs on top of this IP network and on the basis of which policies are implemented. In established terminology, the term "network fabric" often refers to the overlay that runs on top of the core network.

    Traditionally, in campus networks, both transport and policies were implemented on the basis of a single network topology. Practice has shown that attempts to solve both the transport and the policy problems in the same network topology usually lead to neither task being solved effectively. This happens because these tasks make conflicting demands on the network. Reliable transport requires high availability of the network and, consequently, its stability, with a minimum of changes. On the other hand, applying policies and keeping them up to date requires making changes to the network, which undermines its stability.

    Moreover, in practice, when combining transport functions and policies in a single topology, interdependencies arise. Changes in the functionality related to the solution of one task change the solution to another. This complicates the network, complicates the implementation of services and policies, slows down the implementation of business initiatives.

    The concept of a network fabric makes it possible to overcome these contradictions. The single complex task of simultaneously implementing both transport and policies, characteristic of a network based on a single topology, is divided into two simpler tasks: the separate implementation of transport in the IP underlay network and of policies in the overlay of the network fabric.

    Such a division of logic abstracts the tasks from each other, reduces interdependencies to a minimum and creates optimal conditions for solving them. That is why it is much easier to implement end-to-end policies, automation and orchestration in a network fabric and, ultimately, to ensure a quick network response to business initiatives.

    This is the main idea of the network fabric, implemented in modern Cisco solutions for the corporate network, including the LAN, WAN and data center.

    Network Fabrics for LAN and WAN: Cisco SD-Access and SD-WAN

    The network fabric of the campus network is implemented in the Cisco Software-Defined Access (SD-Access) solution. SD-Access allows you to build a software-defined campus network, controlled by the Cisco DNA Center controller. The controller also provides a graphical interface that significantly speeds up the planning and implementation of the network, the definition and automated enforcement of policies, and monitoring and troubleshooting.

    SD-Access implements the logic separation idea described above, which makes it possible to solve the problems of transport and end-to-end policies across the campus network. In addition, the separation of logic and the use of the DNA Center controller allow new policies to be implemented quickly and existing policies to be adapted to new business requirements.

    DNA Center also provides a REST API for integration with higher-level orchestration systems, third-party applications, and the customer's own specialists. The API abstracts the network and makes it possible to implement scalable orchestration of services in terms relevant to applications and the business. The API also provides access to analytics and trend analysis results from the Assurance tools of the DNA Center controller.

    The API makes it possible to orchestrate services not only within the network fabric at the central site, but also to integrate this fabric with the rest of the corporate network, including the WAN and the local networks of the branches.

    Overlay network topologies as such have long arrived in the WAN in Cisco solutions. They have already been used in DMVPN technology, then they were further developed in the Cisco IWAN solution based on DMVPN. Today’s and tomorrow’s WAN solutions in Cisco’s portfolio are SD-WANs managed by a DNA Center controller and incorporating Viptela technologies.

    Cisco also offers the network fabric concept for branch offices. Under this concept, the network fabric covers the routers, switches and WLAN infrastructure of the branch office, likewise managed using the DNA Center controller.

    Applying the network fabric concept in the campus network, in the WAN and in the branches opens the way to building a homogeneous transport environment with flexible end-to-end policies and orchestration capabilities.

    As a result, SD-Access and SD-WAN provide an effective solution to all three tasks, from reliable transport to end-to-end orchestration of policies and services in a network fabric, with the possibility of extending orchestration to the entire corporate network.

    Network Fabric for the Data Center: Cisco ACI

    The implementation of a network fabric in a corporate network would be incomplete without covering the data center network infrastructure. Cisco solved this problem in 2013 by releasing the Cisco Application Centric Infrastructure (ACI) solution.

    Like SD-Access, ACI includes a backbone IP network that solves transport problems, and an overlay that implements policies. The Cisco ACI network fabric is managed by a cluster of APIC controllers, with which the administrator sets policies and performs the remaining tasks of managing and monitoring the data center network.

    Ultimately, the data center is created to run corporate business applications that implement the necessary business services. The landscape of such applications is usually quite complex. Ensuring the operation of even one business service may require complex interactions of groups of different server types. Information is transferred between them and is processed in a certain sequence, executing the required business logic.

    The fundamental difference between traditional data center networks and ACI lies in the approach to implementing such business logic. In a traditional network, you must first translate the business logic from the terms of the application world into the terms of the world of network technologies, and then assemble it from "low-level" network constructs such as VLANs, VRFs, etc. This process involves close collaboration between people with different areas of competence, such as network and application experts, and requires a significant investment of time and effort. Cisco ACI, by contrast, lets you specify the desired interaction logic directly; the APIC controller then implements it in the network automatically.

    Another fundamental difference lies in the speed of implementing this logic. The traditional approach involves configuring network infrastructure elements through the CLI or, at best, using a management system. This approach is adequate for static network configurations, but it works worse the more dynamic the environment is and the more often the transport settings and policies need to change. And this is exactly what must be done to implement new services and applications, especially in modern data centers with virtualization.

    ACI solves this problem thanks to the capabilities of the APIC controller in the field of automation and programmability. The controller offers a very rich object model, accessible through the REST API. The API accepts and returns messages specified in JSON or XML formats. In addition to the API, Cisco provides additional tools such as ACI Toolkit, Cobra SDK, Arya, etc., as well as automation using Puppet and Ansible.

    ACI also offers a high level of information security. To transfer information through the ACI infrastructure, it is necessary to explicitly define groups of interacting hosts with an optional indication of the types of allowed traffic. This approach is convenient for implementing security policies on the model of zero trust ("white list").

    The Cisco SD-Access and ACI network fabrics integrate with each other, providing policy translation and end-to-end operation across the entire corporate network — from a personal computer in a branch office to a server in a corporate data center.

    Thus, Cisco ACI offers opportunities to solve all three tasks.

    Security policies and software defined segmentation: Cisco TrustSec and ISE

    In the previous sections we touched on the importance of implementing policies, and on Cisco solutions for doing so across the corporate network infrastructure, including the data center.

    Security policy occupies a key place among these policies. Given the continuing growth in attacker activity and the abundance of attack vectors, it is only a matter of time before intruders penetrate the corporate network. This requires effective protection measures for the situation in which an attack has already taken place and the attackers have "penetrated" inside the network (according to ZK Research, about 80% of intruders penetrate from inside the protected perimeter).

    An effective security measure in such conditions is the segmentation of users and resources into groups isolated from each other, between which only the traffic necessary to solve business problems is allowed. If the business tasks do not involve an exchange of traffic between groups, it is blocked completely. Such an approach (according to the zero trust or "white list" model) makes it possible to significantly limit the damage from attacks that have taken place, and also to impede or prevent their further advancement through the corporate network. Quotes:

    • Digital Guardian: “Eataly’s network segmentation prevented a system at other locations across the globe.”
    • US-CERT: “Effective network segmentation ... reduce the extent to the network”.

    Traditionally, the segmentation problem was solved by creating static virtual topologies and access control lists on the network, using the IP address as the criterion for decision making. But as practice shows, this approach requires a lot of effort, deprives the network of flexibility and is associated with significant implementation risks. In general, the traditional approach works worse the more dynamic the segmentation environment and the more diverse the groups of segmented users and resources. An effective solution of the segmentation problem requires the means to set access control policies centrally and apply them automatically throughout the network.

    Cisco developed the TrustSec technology to solve this problem. Instead of IP addresses, TrustSec uses Scalable Group Tags (SGT) as the criterion for applying access control policies. Tags are assigned automatically to groups of users at the TrustSec domain boundary by the Cisco ISE server, based on the results of authenticating and authorizing the user or device; the network infrastructure then applies access control policies based on the tag values and tag-based rules. These rules are set centrally by the administrator on the Cisco ISE server and are automatically loaded onto network infrastructure elements as SGACL access control lists. The rules can also be set in the DNA Center controller interface, in which case they are synchronized with Cisco ISE and then distributed across the network infrastructure.

    SGT tags are used as a criterion for implementing access control policies on network infrastructure elements, such as switches and routers, and on Cisco Firepower firewalls, Cisco Web Security Appliance web traffic control servers, and other devices.

    Cisco ISE can be used as the single source of identity information for the SD-Access campus network and the ACI-based data center. In this case, ISE holds the mappings of IP addresses to SGT groups on the campus network and to EPG host groups in the ACI environment. This makes it possible to create end-to-end policies in the corporate IT infrastructure.
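    The mechanism described in the last few paragraphs, as an added example that is not Cisco code: a small Python model in which an identity store stands in for the ISE mapping of authenticated endpoints to SGTs, a policy matrix keyed by (source SGT, destination SGT) stands in for the SGACLs, and any pair absent from the matrix is denied. The SGT values, endpoint names, addresses and flows are all constructed. The same flows are evaluated under two different IP addressing plans to show that the decisions depend only on group membership, whereas an address-based ACL written against the first plan is both coarser (it cannot tell an employee from a contractor in the same subnet) and breaks entirely after readdressing, which is the problem noted earlier about using IP addresses as a policy criterion.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco code. SGT values, endpoint names, addresses and
# flows are constructed for illustration.

SGT_EMPLOYEES, SGT_CONTRACTORS, SGT_HR_SERVERS, SGT_WEB_SERVERS = 10, 20, 100, 110


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int  # 0 means any destination port


# Stand-in for the SGACL matrix: (source SGT, destination SGT) -> permitted traffic.
# Any pair absent from the matrix is denied (white-list model).
SGACL_MATRIX: Dict[Tuple[int, int], List[Rule]] = {
    (SGT_EMPLOYEES, SGT_HR_SERVERS): [Rule("tcp", 443)],
    (SGT_EMPLOYEES, SGT_WEB_SERVERS): [Rule("tcp", 443), Rule("tcp", 80)],
    (SGT_CONTRACTORS, SGT_WEB_SERVERS): [Rule("tcp", 443)],
}


class IdentityStore:
    """Stand-in for the ISE mapping of authenticated endpoints to SGTs (assumed)."""

    def __init__(self) -> None:
        self._sgt_by_ip: Dict[str, int] = {}

    def authorize(self, ip: str, sgt: int) -> None:
        # In TrustSec the tag is assigned at the domain boundary after
        # authentication/authorization; here the caller supplies that result.
        self._sgt_by_ip[str(ip_address(ip))] = sgt

    def sgt_for(self, ip: str) -> Optional[int]:
        return self._sgt_by_ip.get(str(ip_address(ip)))


def sgt_decide(store: IdentityStore, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Enforcement point: look up both tags, then consult the matrix."""
    src, dst = store.sgt_for(src_ip), store.sgt_for(dst_ip)
    if src is None or dst is None:
        return "deny"  # unclassified endpoint: no implicit trust
    for rule in SGACL_MATRIX.get((src, dst), []):
        if rule.proto == proto and rule.dport in (0, dport):
            return "permit"
    return "deny"


# Which group each endpoint belongs to, independent of its address.
ROLES = {"alice-laptop": SGT_EMPLOYEES, "bob-contractor": SGT_CONTRACTORS,
         "hr-db": SGT_HR_SERVERS, "intranet-web": SGT_WEB_SERVERS}

# Two addressing plans for the same endpoints: before and after a readdressing.
PLAN_BEFORE = {"alice-laptop": "10.1.1.10", "bob-contractor": "10.1.1.20",
               "hr-db": "10.2.0.5", "intranet-web": "10.2.0.80"}
PLAN_AFTER = {"alice-laptop": "172.16.40.7", "bob-contractor": "172.16.41.9",
              "hr-db": "192.168.100.5", "intranet-web": "192.168.100.80"}

FLOWS = [  # (source, destination, protocol, destination port)
    ("alice-laptop", "hr-db", "tcp", 443),           # employee -> HR: in the matrix
    ("bob-contractor", "hr-db", "tcp", 443),         # contractor -> HR: no matrix entry
    ("bob-contractor", "intranet-web", "tcp", 443),  # contractor -> web: in the matrix
    ("bob-contractor", "intranet-web", "tcp", 22),   # port not covered by the rule
    ("alice-laptop", "bob-contractor", "tcp", 445),  # user-to-user: no entry
]


def evaluate_sgt(plan: Dict[str, str]) -> List[str]:
    store = IdentityStore()
    for name, ip in plan.items():
        store.authorize(ip, ROLES[name])
    return [sgt_decide(store, plan[s], plan[d], p, port) for s, d, p, port in FLOWS]


# The traditional alternative: an ACL keyed on addresses, written against PLAN_BEFORE.
LEGACY_ACL = [(ip_network("10.1.1.0/24"), ip_network("10.2.0.0/24"), "tcp", 443)]


def legacy_decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    for snet, dnet, p, port in LEGACY_ACL:
        if ip_address(src_ip) in snet and ip_address(dst_ip) in dnet and p == proto and port == dport:
            return "permit"
    return "deny"


def evaluate_legacy(plan: Dict[str, str]) -> List[str]:
    return [legacy_decide(plan[s], plan[d], p, port) for s, d, p, port in FLOWS]


if __name__ == "__main__":
    print("SGT before:   ", evaluate_sgt(PLAN_BEFORE))
    print("SGT after:    ", evaluate_sgt(PLAN_AFTER))     # identical: policy survives readdressing
    print("legacy before:", evaluate_legacy(PLAN_BEFORE))  # coarser: contractor reaches HR
    print("legacy after: ", evaluate_legacy(PLAN_AFTER))   # all denied: policy broke
```

    Running the script prints the same five decisions for the SGT model under both plans, while the address-based ACL permits the contractor's access to the HR server under the first plan and denies everything under the second. The point of the design is that the only thing that changes on readdressing is the identity store, which in a real deployment is what ISE maintains from authentication results.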

    In addition, Cisco implemented ISE's REST API and Cisco Platform Exchange Grid (pxGrid) interfaces, offering automation and integration of information security solutions into a single context-sensitive system that takes advantage of the capabilities of the system's components.

    As a result, businesses receive flexible, scalable and powerful segmentation tools suitable for automating access control policies. Such tools are necessary for solving the tasks of implementing policies and orchestration.

    Analytics and Telemetry

    The requirements of modern business for the availability of the IT infrastructure, as well as for the efficient and effective implementation of policies, lead to the need for a new toolkit. It is important for administrators to make sure that the infrastructure behaves as it should and, if necessary, to take measures to bring it to the target state as soon as possible. That is why Cisco pays close attention to analytics and telemetry. Let us consider some of these tools.

    Campus Network Analytics and Telemetry: DNA Center Assurance

    Traditionally, in the course of network operation and troubleshooting, administrators use an extensive array of disparate tools and sources of information, trying to ensure business continuity. But as practice shows, this has at least three serious drawbacks.

    First, a reactive rather than proactive approach to operations. The available tools do little to help with prevention. In most cases, administrators solve problems rather than prevent them.

    Secondly, numerous disparate tools complicate operation and troubleshooting and do not provide a holistic picture of what is happening.

    Thirdly, the abundance of data that requires processing and comprehension leads to overload and does not speed up problem solving. Administrators do not need data as such; they need conclusions.

    To solve these difficulties, Cisco implemented Assurance analytics functionality based on a DNA Center controller. It offers opportunities to increase the availability of business processes by proactively identifying and solving problems in the network infrastructure.

    The principle of Assurance is based on the collection of service data, streaming telemetry and contextual information from the network infrastructure, client devices and service servers such as Cisco ISE, as well as ITSM (IT Services Management) and IPAM (IP Address Management) systems.

    Assurance analyzes and correlates the collected information in real time using analytics and machine learning tools. Based on the findings, Assurance provides the administrator with a comprehensive picture of what is happening, including conclusions about the state of network infrastructure elements and client devices, problems and trends, as well as specific recommendations and steps for troubleshooting. In addition, Assurance offers assistance in resolving incidents through the automated implementation of issued recommendations.

    As a result, Assurance allows you to ensure the proper operation of your IT infrastructure and, if necessary, immediately take concrete measures to resolve incidents, thereby helping administrators ensure business continuity.

    Analytics and Data Center Telemetry: Cisco Tetration Analytics

    Effective policy development requires a mandatory understanding of the information flows for which these policies are developed. Such an understanding of the corporate network can be obtained by analyzing business processes running on top of the network. This analysis reveals the key applications needed for business, the protocols on top of which these applications work, the location of sources and consumers of information flows.

    This task, already difficult in the corporate network, becomes especially difficult in the conditions of a modern data center. This happens because the landscape of modern applications that implement the necessary business services is very complicated. Applications can have a distributed architecture with multiple interdependencies. With the spread of microservices, the picture becomes even more complicated. And taking into account the dynamics of the data center application environment and the mobility of modern virtualized loads, the task of identifying and analyzing information flows in a modern data center is turning into a rapidly moving target. In practice, such a target is unattainable by "manual" methods of analysis due to the enormous volume of information flows and their dynamics.

    To solve this problem, Cisco offers the Tetration Analytics platform, which includes data collection and analytics tools. Data collection is implemented by compact software sensors at the server operating system level, by hardware sensors based on the integrated circuits (ASICs) of the corresponding Cisco Nexus 9000 series switches, and by sensors that process ERSPAN and NetFlow traffic. Analytics is implemented by software running on a high-performance server cluster.

    The server cluster receives highly accurate information from the sensors in the data center every 100 ms. The system analyzes information flows in real time, with per-packet accuracy at line rate, and the solution currently scales to 25,000 servers (virtualized and physical). Having such data sources makes Tetration Analytics a unique solution on the market.

    Using behavioral analysis and machine learning tools, Cisco Tetration Analytics provides accurate and relevant insights about information flows in the data center and the interdependencies of applications, with the possibility of both retrospective and real-time analysis. As a result, the IT service gains a deep understanding of information flows, allowing it to take concrete actions, in particular to form effective policies. In addition, on the basis of the data obtained and machine learning tools, Tetration Analytics offers behavioral analysis functionality. Threat detection and prevention capabilities can also be extended through integration with the specialized behavioral analysis system Cisco Stealthwatch and, in the future, through interaction with the Cisco Talos cloud security service (planned).

    Tetration Analytics offers the ability to automatically distribute security policies to hosts in the data center and keep them up to date with the help of pre-installed software agents. The agents translate policies into system firewall rules (iptables, ipset, Windows Firewall), making it possible to implement nano-segmentation of services by isolating services and applications directly at the host and operating system level, before traffic enters the network. In addition, through integration with the Cisco ISE access control server, Scalable Group Tag (SGT) tags are made available for use in defining policies, annotations, etc.
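    The translation of a white-list policy into host firewall rules, as an added example that is not Tetration's agent code: a Python function that renders a constructed "consumer group -> provider host" policy into ipset and iptables commands. Group membership is held in ipsets, so a host joining or leaving a group changes only set contents and never the rule text (the same decoupling the SGT approach gives on the network); the rendered chain ends in an explicit log-and-drop tail, and a validation step rejects rules that refer to unknown groups, unsupported protocols or invalid ports rather than silently rendering a broken policy. The chain name NANOSEG_IN, the group names and the addresses are all assumptions. The function returns the commands as strings rather than executing them, so it can be run and reviewed anywhere.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Added example, not Cisco Tetration agent code. All names and addresses
# below are constructed for illustration.

ALLOWED_PROTOS = {"tcp", "udp"}


@dataclass
class HostPolicy:
    host_group: str                       # group this host belongs to (the provider side)
    members: Dict[str, List[str]]         # consumer group name -> member IPs
    inbound: List[Tuple[str, str, int]]   # (consumer group, proto, dport) permitted in


def validate(policy: HostPolicy) -> None:
    """Reject a policy that would render into nothing or into a broken rule."""
    for group, ips in policy.members.items():
        for ip in ips:
            ip_address(ip)  # raises ValueError on a malformed address
    for consumer, proto, dport in policy.inbound:
        if consumer not in policy.members:
            raise ValueError(f"rule refers to unknown group {consumer!r}")
        if proto not in ALLOWED_PROTOS:
            raise ValueError(f"unsupported protocol {proto!r}")
        if not 0 < dport < 65536:
            raise ValueError(f"invalid port {dport}")


def is_valid(policy: HostPolicy) -> bool:
    try:
        validate(policy)
        return True
    except ValueError:
        return False


def render_commands(policy: HostPolicy, chain: str = "NANOSEG_IN") -> List[str]:
    """Render the policy as ipset/iptables commands (returned, not executed)."""
    validate(policy)
    cmds: List[str] = []
    # Group membership lives in ipsets: a membership change touches only the
    # set contents, never the rule text.
    for group, ips in sorted(policy.members.items()):
        cmds.append(f"ipset create {group} hash:ip -exist")
        cmds.append(f"ipset flush {group}")
        for ip in ips:
            cmds.append(f"ipset add {group} {ip} -exist")
    # Dedicated chain: create it, or flush it if it already exists, so the
    # rendered policy fully replaces the previous one.
    cmds.append(f"iptables -N {chain} 2>/dev/null || iptables -F {chain}")
    cmds.append(f"iptables -A {chain} -i lo -j ACCEPT")
    cmds.append(f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    for consumer, proto, dport in policy.inbound:
        cmds.append(
            f"iptables -A {chain} -p {proto} --dport {dport} "
            f"-m set --match-set {consumer} src -j ACCEPT"
        )
    # White-list tail: anything not explicitly permitted is logged and dropped.
    cmds.append(f'iptables -A {chain} -j LOG --log-prefix "{chain}-DROP "')
    cmds.append(f"iptables -A {chain} -j DROP")
    # Hook the chain into INPUT exactly once (-C checks whether the jump exists).
    cmds.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}")
    return cmds


def accept_rules(cmds: List[str]) -> List[str]:
    """The explicit group-based ACCEPT rules in a rendered command list, for review."""
    return [c for c in cmds if c.endswith("-j ACCEPT") and "--match-set" in c]


# Constructed policy for a database host: only the application tier may reach
# PostgreSQL and only the monitoring hosts may scrape the metrics port.
DB_HOST_POLICY = HostPolicy(
    host_group="db_servers",
    members={
        "app_servers": ["10.20.1.11", "10.20.1.12"],
        "monitoring": ["10.30.0.5"],
    },
    inbound=[("app_servers", "tcp", 5432), ("monitoring", "tcp", 9100)],
)

if __name__ == "__main__":
    for line in render_commands(DB_HOST_POLICY):
        print(line)
```

    The rendered output is a complete, idempotent sequence: re-running it after a membership change re-flushes the sets and the chain, so the host ends up with exactly the current policy and nothing left over from the previous one. The log-and-drop tail is what makes the policy a white list rather than a block list, and the logged prefix is the signal a defender would watch for traffic that the policy does not account for.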

    As a result, the implementation of a white list model in the data center is greatly facilitated, for which a complete understanding of information flow and integration with specialized information security solutions is very important.

    Tetration Analytics makes it possible to implement policy orchestration in the data center using its open REST API.

    Thus, Tetration Analytics is a key tool for solving the tasks of implementing policies and orchestration in the data center.

    Monitoring and managing software performance: Cisco AppDynamics

    As modern business processes increasingly rely on network applications and IT infrastructure in their work, it becomes critical to ensure proper performance of business applications. This is especially true of large companies in which failures or even just non-optimal workflow of business processes can lead to losses of millions of dollars.

    Performing even a single business transaction usually involves multiple servers and software processes distributed and interconnected. Therefore, monitoring and managing the performance of business applications is a very difficult task and requires special tools.

    The Cisco AppDynamics platform solves this problem. It provides end-to-end monitoring and performance management of the entire application landscape, from a browser on a user's computer or an application on a mobile device to backend application servers or databases.

    The key components of the solution are the controller and the software agents installed on the hosts. Agents can integrate into a wide range of software environments, including C/C++, Java, .NET, Python, PHP, Node.js, etc. They collect relevant information, including performance metrics, conditions and errors in the execution of program code, and much more, and send it to the controller for further analysis and decision making.

    AppDynamics automatically calculates baseline values of performance metrics that are "normal" for a given environment. Using these baselines, the metrics set by the policy manager and the data from agents, the system detects performance anomalies and helps to localize the source of the problem.

    As a result, the system provides end-to-end monitoring and performance management of business transactions and applications, from a browser on a user's computer or an application on a mobile device to backend application servers or databases, as well as monitoring the performance of IT infrastructure hardware, including servers and network equipment.

    Moreover, as part of the Business iQ functionality, the system provides dynamic, extensive data about each business transaction, offering an analysis of business metrics correlated with application performance metrics. As a result, AppDynamics can answer business questions such as the impact of incidents or changes in the IT infrastructure on a company's revenue.

    AppDynamics also provides extensive integration with other systems using extensions and the REST API. This makes the product a suitable tool for solving the problem of end-to-end orchestration.

    Behavioral Network Traffic Analysis: Cisco Stealthwatch

    Security features in the Cisco architecture are not limited to access control, but include a whole range of security features integrated with each other.

    The most important security tool that runs inside the perimeter of the corporate network is Cisco Stealthwatch Enterprise.

    Stealthwatch allows you to set behavioral policies that correspond to the normal network traffic profile. Policies can be both high-level and very detailed. Then, using network telemetry such as NetFlow, IPFIX, etc., Stealthwatch analyzes the traffic passing through the network for compliance with the specified policies and identifies anomalies. Telemetry sources can be both network infrastructure elements (routers, switches, firewalls) and users' personal computers running the Cisco AnyConnect Network Visibility Module (NVM) software client.

    The analysis covers all areas of the network from which Stealthwatch receives telemetry, and all directions of traffic. As a result, administrators receive a detailed understanding of the security picture on the network, based on which concrete actions can be taken.

    Stealthwatch can also be integrated with the Cisco ISE access control server using pxGrid. This allows dynamic access control policies to be applied to devices based on their "behavior", for example, blocking an attacker's access or moving the device to a quarantine network based on behavioral analysis data from Stealthwatch. This solution is called Cisco Rapid Threat Containment and includes a whole range of Cisco security products.

    In addition, Stealthwatch can detect threats even in encrypted traffic (without decrypting it) by analyzing metadata such as the sequence and timing of packets and the distribution of bytes, as well as the process of establishing the encrypted TLS connection. This feature is called Encrypted Traffic Analytics (ETA) and is available when receiving Enhanced NetFlow telemetry from modern Cisco network infrastructure elements.
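    The baseline-and-deviation idea behind both the AppDynamics performance baselines and the Stealthwatch behavioral policies can be illustrated on flow telemetry. The following is an added example, not code from Cisco or from this article: it learns a per-host, per-service profile from constructed NetFlow-style records and then flags flows that fall outside it (unknown host, service never seen before, or byte volume far above the learned mean). Field names, thresholds and sample addresses are assumptions.

```python
"""Behavioral baseline over NetFlow-style flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # source host (would come from the NetFlow/IPFIX exporter)
    dst: str        # destination host
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    bytes_out: int  # bytes sent by src in this flow


# Constructed "learning period" traffic: one workstation talking to a web
# service over HTTPS and to the local resolver over DNS.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.2.2.20", 443, "tcp", b) for b in (1200, 1500, 1300, 1400, 1100)
] + [
    Flow("10.1.1.10", "10.3.3.30", 53, "udp", b) for b in (90, 110, 100)
]

# Constructed observation window: two normal flows, then three deviations.
NEW_FLOWS = [
    Flow("10.1.1.10", "10.2.2.20", 443, "tcp", 1350),   # within profile
    Flow("10.1.1.10", "10.3.3.30", 53, "udp", 105),     # within profile
    Flow("10.1.1.10", "10.2.2.20", 443, "tcp", 25000),  # volume far above mean
    Flow("10.1.1.10", "10.4.4.40", 22, "tcp", 500),     # service never seen before
    Flow("10.1.1.11", "10.2.2.20", 443, "tcp", 1200),   # host never seen before
]


def build_profile(flows):
    """Learn (mean, population stddev) of bytes_out per (src, dport, proto)."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport, f.proto)].append(f.bytes_out)
    return {k: (mean(v), pstdev(v)) for k, v in by_key.items()}


def detect_anomalies(profile, flows, z_threshold=3.0):
    """Return (flow, reason) for every flow that deviates from the profile."""
    known_hosts = {src for src, _, _ in profile}
    alerts = []
    for f in flows:
        key = (f.src, f.dport, f.proto)
        if f.src not in known_hosts:
            alerts.append((f, "unknown source host"))
        elif key not in profile:
            alerts.append((f, "new service for host"))
        else:
            m, s = profile[key]
            z = (f.bytes_out - m) / (s or 1.0)  # guard against zero variance
            if z > z_threshold:
                alerts.append((f, f"volume z-score {z:.1f}"))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect_anomalies(build_profile(BASELINE_FLOWS), NEW_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

A real deployment would learn the profile over a much longer window and per-direction, and would feed the alerts into an access-control decision such as the pxGrid quarantine described above.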

    Putting it all together

    Working together, the considered components form a complete, integrated system that allows you to solve all three tasks: to provide reliable transport, implement cross-cutting policies and their orchestration.

    The individual technologies and components have been developed by Cisco over a long time and have been on the market for several years. The time has come to combine them into a holistic solution.

    The basis of this solution is the concept of a network fabric covering the entire network. It is the network fabric that makes it possible to efficiently implement end-to-end policies and orchestration in ways that are not available in classic networks built on a single, shared network topology.

    By controlling the network fabric overlay, Cisco controllers automatically set policies that are transparent to the core network. Such transparency gives policy implementation flexibility and distinguishes the architecture of new-generation networks from classic networks, in which it is extremely difficult to implement policies without affecting transport.

    A single end-to-end network fabric across the whole company, together with components developed and integrated by one vendor, raises orchestration to a new level, with possibilities that in practice are absent from today's corporate networks.

    The solution is complemented by the monitoring and analytics services considered in the previous sections, integrated with the network fabric. They automate many operational tasks and help to significantly improve the security, productivity and, ultimately, the availability of the company's business processes.

    Today, "boxed" orchestration solutions based on the DNA Center and APIC controllers are already available for individual components of the corporate IT infrastructure, such as campus networks and data center networks.

    Some large corporations are implementing the Cisco Network Services Orchestrator (NSO) solution as an orchestration tool covering the campus network, the wide area network and the data center network through the network infrastructure APIs. For example, NSO provides orchestration of the SD-Access solution through the DNA Center controller API.

    The Cisco IT infrastructure APIs allow customers to not only integrate turnkey products from Cisco and other manufacturers, but also to implement their own designs that take into account the characteristics and individual needs of the business.

    The Cisco solution is unique today, because Cisco is not only the only manufacturer covering all areas considered, but also a leader in these areas. Moreover, Cisco strives to be not just a leading manufacturer of IT equipment, but a business partner of its customers.

    Value for business

    What benefits does a business gain from implementing the Cisco solution?

    Consider these advantages using two hypothetical networks as an example.

    The first network is the "classic" or AS-IS network: a corporate network without fabric-based solutions, with a single network topology in which both transport and the application of policies are handled. The network has centralized management tools, but no controllers or orchestration tools.

    The second network is the Cisco network, or the TO-BE network, built on an end-to-end network fabric with controllers and orchestration tools. This solution is discussed in the "What Cisco Offers" section.

    Business benefits can be classified in three key areas:

    1. Revenue increase;
    2. Cost reduction;
    3. Risk reduction.

    Let's take a closer look at how a Cisco solution can help a business in each of these areas.

    Revenue increase

    Corporate networks, in contrast to networks of telecom operators, are by their nature connected with the company's revenue not directly, but indirectly, through the maintenance of business processes.

    New business processes often require new individual policies from the network, and existing ones require changes and policy updates as a result of changes in the business environment.

    The difference between the classic corporate network and the Cisco network is that the Cisco network allows you to more quickly implement new policies and update existing ones, and thus get the desired business result faster.

    The difference is very significant. The Cisco network allows you to achieve in minutes what took days or weeks in a classic network.

    This happens because, on a Cisco network, policies are deployed and updated automatically in the overlay, which is free from the difficulties characteristic of the classic network. For example, thanks to the overlay, interdependencies with transport functions are minimized. The overlay also solves the problem of inconsistent configurations, which makes automation difficult. In addition, the overlay and orchestration greatly simplify the translation of business intentions into network configuration, and the time required to coordinate the implementation of policies between departments is minimized.

    Time is money. In the conditions of digitalization, the impact of IT on the speed of business initiatives is becoming more noticeable. Indeed, in the modern world, new business ideas are usually implemented by new applications, and the beginning of receiving revenue from these ideas directly depends on the speed of their implementation. As a result, a gain in speed can lead to significant financial results. Ultimately, it contributes to gaining competitive advantage and expanding market share.

    Cost reduction

    According to Cisco's internal research, in 2016 more than 90% of changes in corporate networks were still made manually, despite the wide choice of management systems. A significant part of IT staff time is simply spent on keeping the network in a healthy state.

    Companies, in any case, need qualified IT specialists to operate the network, both the classic and the SD-Access network. But the latter makes it possible to significantly reduce the time spent on work with low added value, such as routine operations.

    The company would benefit if the network allowed it to redirect the time and effort of IT staff from routine to more important strategic tasks: optimizing support for existing business processes and helping to launch new ones.

    Employees would benefit if they spent working hours not on routine operations, which do little to improve their skills and value in the labor market, but on learning new technologies, introducing new solutions and, ultimately, helping the employer achieve specific business results.

    The Cisco network provides these capabilities to both companies and employees. Orchestration and automation, a focus on implementing policies and "business intentions", rapid rollout of network infrastructure elements and client devices throughout the company, and analytics functionality all save time and effort and allow them to be used as productively as possible.

    Risk reduction

    The Cisco network can significantly reduce the company's risks associated with the inaccessibility of business processes and information security threats.

    According to Gartner, the cost of idle hours of business processes in a corporate environment can be hundreds of thousands of US dollars.

    The most common cause of failures in the campus network and, as a consequence, of the inaccessibility of business processes is the "human factor". According to Cisco, about 70% of violations of corporate policies occur for the same reason.

    This is not surprising, because modern networks are complex. An additional complication is coordinating actions between the business, IT and information security (IS) departments, when each of the three "speaks its own language".

    The Cisco solution takes on a significant part of the routine, hides the complexity of the network, giving the person the opportunity to focus on setting policies and "business intentions."

    Each classic network is unique in terms of a combination of configured functions, a set of equipment and software, and a topology. Although manufacturers are making significant efforts to test new products and control their quality, there is a very high probability that such a “unique” configuration will not be tested in exactly the same way as implemented. This increases the risk of implementation.

    In the case of automatic deployment of configurations and orchestration of services, the picture looks different. The network runs configurations created jointly by the developers of the network infrastructure elements and the controller and by the architects of the best implementation practices. The number of combinations of functions in such configurations, and their degree of uniqueness, is significantly lower than in the classical network, so they are much easier for developers to test. In addition, such "typical" configurations are not unique, as in the case of the classical network, but are deployed in many networks around the world. This reduces the risks of implementation.

    Another problem with classic networks is incomplete implementation of the necessary functionality, and not following, or only partly following, recommendations and best practices. That is, the existing equipment and software may have the security, high-availability and other functionality needed to reduce risks, but that functionality is not necessarily implemented, because IT employees are overloaded with routine operations and fear the difficulties of implementation. As a result, the business gets no benefit from functions it has paid for but not implemented, and does not reduce the risks to the functioning of its business processes.

    In addition, under the conditions of a shortage of IT staff time, the consistency of the configurations of devices of the classical network tends to decrease, and the implementation of “temporary” half-measures instead of system solutions increases. This increases the complexity of the network. The quality and volume of work performed also suffers. As a result, the risks of failures and breaches of security policy increase.

    The Cisco network offers a solution to these problems by automating the implementation of the necessary functionality and of subsequent changes.

    In addition, the controller capabilities in the field of orchestration and automation are complemented by analytics functionality. The Cisco network provides IT personnel with complete and detailed information about incidents occurring on the network, conclusions about their impact on the network and users. These findings help to quickly take concrete action to eliminate the incident.

    The Cisco network has integrated user segmentation functionality through TrustSec technology, as well as behavioral analysis tools and automated threat response.

    As a result, the Cisco network offers business tools to significantly reduce the risk of business process disruptions, both due to the “human factor” and to information security threats.

    Summing up

    The business of an organization in the corporate segment is not building networks but its core activities. The network is a tool needed to achieve business results.

    Probably, it will be productive not to focus on minimizing capital expenditures, but to consider the implementation or modernization of the network as an investment project, compare the return on the project with the threshold rate of profitability of the organization, the required payback period and other financial indicators.

    When analyzing the risks of such a project, it makes sense to evaluate not only the risks of action, but also the risks of inaction, the cost of lost opportunities characteristic of "classic" IT infrastructures.

    We can expect that the Cisco solution will be especially effective for organizations that have:

    • Dynamic business environment;
    • A large number of business processes that require individual policies;
    • A large number of users and large-scale network.

    Digitalization, as well as network fabrics, automation and programmability, are trends that are noticeable in the IT industry right now. As these trends evolve, more and more companies will benefit from them. As a result, they will also gain advantages in the competition, taking market share from other companies.

    The Cisco solution provides these benefits today.

