Posts

Showing posts from 2017

On PaloAlto and NSX Integration

The VM-Series firewall for VMware NSX is jointly developed by Palo Alto Networks and VMware. NetX APIs are used to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers. Before getting into the technical part, make sure you understand what NSX is, how micro-segmentation is deployed, and what the difference is between the Distributed Firewall and a traditional firewall that protects the perimeter. You can check out some of my previous posts in the Blog Map.

The idea is to deploy the Palo Alto Networks firewall as a service on a cluster of VMware ESXi servers where NSX has been enabled. The objective is to protect the East-West traffic in your VMware environment and "steer" the FW rules between the NSX "native" Firewall and the Palo Alto Firewall. We are doing this integration in order to be able to later enforce different types of Security Policies depending on whether we want to protect the traffic within the VMs of the …

Nuage Networks VSP Deep Dive

Ever since Cisco bought Insieme and created Cisco ACI, and VMware bought Nicira and created NSX, I've been intensively deep-diving and blogging about both these solutions, how they compare to each other and to some Open Source SDN solutions out there, such as OpenDayLight and Open Contrail (check out the Blog Map section for some of my older posts). I even did boot camps and got the highest certifications in both NSX and ACI. SDN is still a rather new technology, and I wanted to make sure I have enough expertise to always explain to a customer which SDN solution is the right one for their Organization and why. Apart from ACI, NSX and open source solutions, there is another player on the SDN market, and from what I've seen - they mean business! I'm talking about Nuage Networks, acquired by Nokia from Alcatel-Lucent in November 2016. Even though I've known about this solution for a while, my opinion was that their strongest side was marketing, so I didn't spend a lot of…

How to sell SDN

The most important thing about presenting SDN to a potential Customer, and about how you need to focus your Presentation, is this, and I cannot stress it enough: your entire speech needs to be adapted to your audience.

1. Networking and Security Department

What you need to know before you start planning the presentation:
Before we get to the point, you need to understand that the Networking guys do not want SDN. Within the Networking department you will easily distinguish two types of engineers:
- The ones who hate SDN, hate you for presenting it, and just want to continue doing things their own way.
- The ones who understand that unless they learn SDN, the System guys will choose the product, learn it, and take care of Networking themselves, making the Networking department obsolete. You should always direct your presentation to this group.

What's the most positive thing SDN brings to the table?

SDN is a concept of a Network that is Multi-Tenant, that has a single point o…

What are Cisco Cloud Suite (CliQr) and UCS Director, how to choose/integrate?

Before we get into the details about each technology, and how you should choose which one best fits your environment, I would strongly advise you to sit down and think about what exactly you need and what your ideal target environment would be. While doing this, here are a few questions you need to ask yourself:

- What do I want to offer: IaaS, PaaS, SaaS, or a combination of these?
- Do you want to automate the Application Deployment or the Infrastructure Deployment?
- Are you really ready for automation?

I strongly believe that once you choose your Platforms, you should stick to them, because everything can be done in each of these… It's just that some are more suitable for certain tasks/ways of use than the others.

UCS Director is used for Infrastructure Automation and Management (yes, management as well!). UCS Director has a huge Task Library for Infrastructure Elements such as Cisco Nexus and ACI, UCS, NetApp, EMC, vCenter, VMware vSAN etc.

The main competitors of UCS Director are:

vRealize Suite …

How DevOps and Cloud raise the importance of System Integrator

System Integrators, buckle up, DevOps is coming, and if you play your cards right - your role is about to get crazy important.

Let me start this post by telling a story. It's a story that involves a stubborn customer, 3 big vendors and a Cloud. The reason I need to start this way is simple - the same scenario with different "players" has happened so many times in the last few years that someone should sum up what we've all learned (or haven't, in some cases). I guess this would be a great place for a Disclaimer, and I'll quote my favourite disclaimer ever, from South Park: All Customers and events in this post, even those based on real people, are entirely fictional.

The story starts with the Customer learning that Cloud is cool, and starting to want it. The problem is that there is no manual on Google on how to build a personalised private cloud. That's no problem, why not just promote (rename) your head systems engineer to a Cloud Architect and follow his …

Cisco ACI Unknown Unicast: Hardware Proxy vs Flooding Mode

Before we start, let's once again make sure we fully understand what a Bridge Domain is. The bridge domain can be compared to a giant distributed switch. Cisco ACI preserves the Layer 2 forwarding semantics even if the traffic is routed on the fabric. The TTL is not decremented for Layer 2 traffic, and the MAC addresses of the source and destination endpoints are preserved.

When you configure the Bridge Domain in the ACI, you need to decide what you want to do with the ARP packets, and what you want to do with the Unknown L2 Unicast. You can basically:

- Enable ARP Flooding, or not.
- Choose between the two L2 Unknown Unicast modes: Flood and Hardware Proxy.

Hardware Proxy

By default, Layer 2 unknown unicast traffic is sent to the spine proxy. This behaviour is controlled by the hardware proxy option associated with a bridge domain: if the destination is not known, send the packet to the spine proxy; if the spine proxy also does not know the address, discard the packet (default mode).

The adva…

What is NFVi or Cisco NFV Infrastructure, and where exactly does it "fit"?


First let's establish the difference between the NFV and the VNF:

- VNF (Virtualized Network Function) refers to the implementation of a network function using software that is decoupled from the underlying hardware. It simply moves network functions out of dedicated hardware devices and into software. Cisco currently has around 90 VNFs ready to be implemented, mostly for the SP environment.
- NFV (Network Functions Virtualization) represents a concept, and it's based on running SDN functions, independent of any specific hardware platform.

This all simply means that we need the network functions virtualization (NFV) architecture to support the deterministic placement of virtualized network functions (VNFs).

Network Functions Virtualization is "the new black" in Networking Security, and all of us Network Bloggers have been talking about it extensively within the past few years. What it basically means is that we are finding a way to virtualize one of …

Low Power Wide Area Networks for IoT: SigFox, LoRa, LTE-M, 5G LP-WAN

[In collaboration with guest blogger Marc Espinosa]

The important topic of connectivity protocols was discussed in our previous IoT post; now it is time to dive deeper into the telecommunications protocols underneath. The fact is that the technologies that enable the IoT architecture need to assume low power consumption while at the same time transmitting over long distances (meaning lower frequencies).

For example, if we need to cover a field, a campus, an entire building, or turn a city smart, we will need a specific communication protocol. The truth is that ZigBee and 6LoWPAN do create low-power, low-cost WPANs, but since the assets can be distributed over a pretty wide area, we need to include another variable in the equation: the range.

The following networks/technologies are called Low Power Wide Area Networks (LP-WAN). Even though the power consumption of the devices they connect is low, they actually cover a wide area network, making things easier and better to conn…

Understanding the IoT Protocols: MQTT, CoAP, ZigBee

[In collaboration with the guest blogger, Marc Espinosa]

Let's start with the messaging protocols, MQTT and CoAP, and consider which of these open standard protocols should be chosen for your implementation.

If you're looking for the right guide to gain a solid perspective of the IoT business, these lines might just be what you need. The IoT can be defined as a system of interrelated devices (such as sensors) that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

So, how do all these "Things" speak to each other? What are the languages/communication protocols they use, and which one should we choose? The answer might surprise you... it depends!

There are 2 types of open standard protocols that work for small devices:

- Message Queuing Telemetry Transport (MQTT)
- Constrained Application Protocol (CoAP)

MQTT and CoAP are two of the most promising protocols for …