
Enterprise Networks

57 posts

Attacks such as the one from WannaCry are a prime example of why companies need to complement traditional security approaches such as IDS/IPS systems and firewall appliances with Defense-In-Depth principles around Network Segmentation and Network Behavior Analysis (NBA).


WannaCry is probably the most visible and dramatic, but certainly not the first or last, example of Day0 malware, i.e. new malware that, because it does not resemble any known malware family, goes undetected by traditional IDS/IPS systems that rely on signature matching. Sophisticated attackers increasingly rely on such customized Day0 malware to bypass traditional security measures and exploit vulnerabilities in endpoints. Furthermore, attacks like the WannaCry ransomware are only one of many that have happened in the past and are yet to come, given the explosion in the number of connected devices and things that are vulnerable to attack, the opportunity to exploit them for financial benefit, and the easy accessibility of reference malware that previous attackers have leaked on the internet.


Through the use of algorithms that rely on "behavior" rather than signatures, solutions around Network Behavior Analysis are able to alert you on potentially suspect activities without relying on a malware signature match, and thereby provide a layer of visibility for day0 attacks. A fantastic write-up on how StealthWatch (from Cisco's Lancope acquisition) enables you to discover and detect instances of malware such as WannaCry is something I highly recommend you read to better understand specific functionality of Lancope StealthWatch in relation to WannaCry.


While there are quite a few solutions in the market that offer NBA capabilities, StealthWatch is one of the few that leverages NetFlow as the source of data to analyze and detect threats from, whereas most other approaches rely on the full network traffic, replicated through an independent traffic-mirroring infrastructure, or have to be installed inline with the traffic at various critical inspection points in the network.


The choice of using NetFlow as the source of data to derive security insights from has some profound implications. 


For starters, this certainly lowers the cost and complexity of the deployment, since NetFlow can be derived directly from the network infrastructure itself and does not need a separate network traffic capture infrastructure. Telemetry from NetFlow is a highly summarized representation of the actual traffic itself, while at the same time providing you rich information about the flows, including application-ID, user-id, path information, QoS metadata, etc. This allows the limited network bandwidth to be maximized to carry the actual traffic itself and not multiple replicas of the same traffic for different services such as security analytics, application visibility, performance monitoring, etc. 


From a security perspective, because NetFlow is summarized information from the source, it can be captured and analyzed at scale compared to solutions that rely on traffic replication. And when it comes to the efficacy of a security analytics solution, or any analytics solution for that matter, there is a direct correlation between the volume and variety of data and the insights that can be derived from it, which is again where using NetFlow as a source of data for security analytics really shines.


The breadth of the portfolio that supports NetFlow, spanning network switching, routing, wireless, firewalls, and endpoint and application agents, enables the capture of traffic telemetry from a variety of points, which can then be correlated to present a detailed picture of all activity on the network and alarm on suspect activity. For instance, in the case of the WannaCry malware, connections to the Tor network, and an unusually high number of peer-to-peer SMB flow initiations from a host that also had a Tor connection established, would be tell-tale signs of potential malware activity that would trigger a security alert.
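As an added example (not code from the original post or from StealthWatch), here is a small Python detector that applies the two signals just described, a Tor connection plus an unusually high SMB fan-out judged against the host's own baseline, to constructed NetFlow-style records. The relay addresses, internal range, hosts and thresholds are assumptions made for the example.

```python
"""Detect the WannaCry-style pattern described above from NetFlow-like records.

Two signals are combined per source host:
  1. a flow towards a known Tor relay (TOR_RELAYS is a constructed
     placeholder list, not a real Tor consensus), and
  2. an unusually high number of SMB (TCP/445) flow initiations to distinct
     internal hosts, judged against that host's own recent baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set

SMB_PORT = 445
# Constructed placeholder relay addresses (documentation range); a real
# deployment would load the current Tor consensus or a threat-intel feed.
TOR_RELAYS: Set[str] = {"203.0.113.10", "203.0.113.11"}
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow v9/IPFIX-style record: one unidirectional flow."""
    start: int        # seconds since epoch (flow start)
    src: str
    dst: str
    proto: int        # 6 = TCP
    dport: int
    tcp_flags: int    # bitmask; 0x02 = SYN (a flow initiation)


def smb_initiations(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Map source host -> distinct internal hosts it sent SMB SYNs to."""
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if (f.proto == 6 and f.dport == SMB_PORT and f.tcp_flags & 0x02
                and ip_address(f.dst) in INTERNAL):
            fanout[f.src].add(f.dst)
    return fanout


def tor_talkers(flows: Iterable[Flow]) -> Set[str]:
    """Source hosts with at least one flow towards a known Tor relay."""
    return {f.src for f in flows if f.dst in TOR_RELAYS}


def detect(baseline: List[Flow], window: List[Flow],
           min_targets: int = 20, ratio: float = 5.0) -> Dict[str, dict]:
    """Return alerts keyed by host.

    A host alerts when its SMB fan-out in `window` exceeds both an absolute
    floor (`min_targets`) and `ratio` times its own fan-out in `baseline`,
    and it also has a Tor connection in the window. The baseline keeps a
    busy file server with a normally large fan-out from alerting.
    """
    base = smb_initiations(baseline)
    cur = smb_initiations(window)
    tor = tor_talkers(window)
    alerts: Dict[str, dict] = {}
    for host, targets in cur.items():
        expected = max(len(base.get(host, ())), 1)
        if (len(targets) >= min_targets and len(targets) >= ratio * expected
                and host in tor):
            alerts[host] = {"smb_targets": len(targets),
                            "baseline_targets": len(base.get(host, ())),
                            "tor_relay": True}
    return alerts


def sample_flows():
    """Constructed sample: a file server with steady SMB use, plus a
    workstation that suddenly sweeps a /24 on 445 and talks to a Tor relay."""
    baseline, window = [], []
    # Baseline day: workstation 10.0.1.20 reaches 3 shares; server reaches 10 hosts.
    for i in range(3):
        baseline.append(Flow(1000 + i, "10.0.1.20", f"10.0.2.{i + 1}", 6, 445, 0x02))
    for i in range(10):
        baseline.append(Flow(1000 + i, "10.0.1.5", f"10.0.2.{i + 1}", 6, 445, 0x02))
    # Current window: same server behaviour; workstation sweeps 60 hosts + Tor.
    for i in range(10):
        window.append(Flow(2000 + i, "10.0.1.5", f"10.0.2.{i + 1}", 6, 445, 0x02))
    for i in range(60):
        window.append(Flow(2000 + i, "10.0.1.20", f"10.0.3.{i + 1}", 6, 445, 0x02))
    window.append(Flow(2100, "10.0.1.20", "203.0.113.10", 6, 9001, 0x02))
    return baseline, window


if __name__ == "__main__":
    b, w = sample_flows()
    for host, info in detect(b, w).items():
        print(f"ALERT {host}: {info}")
```

Only the sweeping workstation is reported; the file server keeps its baseline fan-out and has no Tor flow, so it stays quiet.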




Especially when it comes to detecting network reconnaissance activity, i.e. an infected endpoint that is trying to discover other devices on the network to attack, capturing NetFlow from the access layer of the network is critical to obtain a full picture of the endpoint activity. The network access layer is the first hop where users, devices (and things!) connect, and by capturing the full endpoint activity the network access infrastructure maximizes the efficacy of detecting security threats in your environment. Network access infrastructure which effectively provides this includes Catalyst 3850, 3650 and 4500 series switches, and Wireless LAN Controllers 8540, 5520 and 3504. A more comprehensive listing of all the various platforms supporting Full NetFlow is below:





Lastly, using NetFlow along with StealthWatch can provide a "time-machine" view of up to one year of all network activity, which lets you replay and analyze user and application activity, providing valuable visibility and insights to improve your security controls and defend against future attacks.


Security analysts have long been preaching the demise of a "perimeter-based" security architecture and urging the community to implement and practice defense-in-depth principles, also popularly known as a Zero-Trust Security Architecture, where everything is untrusted by default and continually inspected for threats. Attacks like WannaCry are a wake-up call to review readiness and the controls in place to quickly detect, contain and defend against an ever-changing threat landscape. Ensure that Network Behavior Analytics is a critical capability you are leveraging towards this, and that you are effectively incorporating the broad visibility provided by network data into your security operations.


To learn more about securing your environment using Lancope StealthWatch and NetFlow for network behavior analysis, refer:







On Saturday, April 22, groups and individuals around the world gathered to celebrate #EarthDay. Founded in the US in 1970, Earth Day has expanded over the last several decades into an international event observed by more than 190 nations. In light of the recent holiday, we’ve decided to host a special #CiscoChat to discuss how environmentally-conscious organizations can use smarter networks to minimize their carbon footprints, reduce energy costs and usage, and practice sustainability. During the chat, we’ll also look at some real-life examples of companies that have already implemented smarter networks and offer ideas for how you can build smarter networks that support a healthy earth.


Join us for the #CiscoChat on April 27 at 10:30am PT (1:30pm ET) and come be a part of the conversation!


To participate in the chat:

  • Make sure you’re logged into your Twitter account.
  • Search for the #CiscoChat hashtag and click on the Live tab.
  • The chat will be moderated by the Cisco Enterprise channel (@CiscoEnterprise) on Twitter. Be sure to follow the account to participate. They will begin welcoming guests at 10:30am PT (1:30pm ET) and posting questions for discussion.
  • For @ replies to specific participants in the discussion, please use a “.” at the beginning of the tweet, so that your question or comment will appear in your public twitter feed.
  • If you need multiple tweets to answer a question, please preface each tweet with “1A, 2A,” etc. in order to make it easier for others to follow along with the conversation.
  • Be sure to use the #CiscoChat hashtag at the end of each tweet, so that others can find your contributions to the discussion.

Don’t forget to bring your own questions to the discussion as well! See you there!

We have a new game for you to try! Test your knowledge about Cisco Enterprise routing, switching and mobility as you take a quick break and play this fun game. Gobble up incentives and gifts as you try to outrun the critters and answer questions along the way. Visit the Overview page in the Enterprise Networks community to play the game right within the page itself. Good luck and have fun!


Cisco is excited to announce the Cisco LTE Advanced 3.0 release is available for all ISR 4000 and ENCS 5400 series platforms running on IOS XE 16.3(2). LTE Advanced 3.0 supports all scalable multi-core ISR 4000 and ENCS 5400 series platforms with full dual carrier aggregation across all segments and regions.




Customers can expect the standard, rich feature set of Cisco Advanced LTE and Cisco IOS XE as well as:


  • Faster DL speeds – Theoretical CAT6 speed of DL 300 Mbps means LTE Advanced is 2-3x faster than CAT3/CAT4 LTE and has even lower latency. Actual speeds are dependent on specific service provider live network LTE provisioning and channel bandwidth. Higher LTE performance will, in some cases, require a performance license upgrade (e.g. ISR 4221 and 4321 require a performance license upgrade to maximize LTE Advanced CAT6 DL 300 Mbps).
  • Increased scalability – Increased LTE Advanced CAT6 scalability with ISR 4000 and ENCS 5400 Series’ separate multi-core data/control planes architecture.
  • Short installation time and rapid deployment – Quick branch turn-up for instant connectivity in remote offices, ATMs, construction sites, retail stores, and small-medium businesses (anywhere there is cellular coverage). Configurable for fail-over from wired WAN in case of wire line outages.
  • Full dual carrier aggregation – LTE Advanced carrier aggregation utilizes multiple frequency bands simultaneously, making it possible for carriers to transmit data to a device like a wireless router through a single “aggregated data pipe”. Devices switch frequency bands in just a few milliseconds. So, even if one band drops, the device stays connected via a second band.
  • Network resiliency – through IWAN diversity with or without another wired link and full carrier aggregation.


What are the key features?

Key features include: SMS, standalone active GPS, 4G MIB (3G MIB with full 4G extension), IMS Bearer QOS, Multi-VRF, Multi-PDN, and multiple profiles as well as:


  • Primary LTE Advanced - Wireless WAN link, WWAN IWAN diversity or seamless WAN backup (e.g. for remote offices, branches, even with ENCS Network Function Virtualization (NFV) and services).
  • Multi-carrier support - Expansion to additional geographies with more FDD/TDD multi-carrier frequencies means the NIMs can be easily reprogramed to a different carrier (within the same country) using firmware image switching and provisioning (using the same LTE Advanced NIM).
  • Integration with ISR 4000 and ENCS 5400 Series – Tightly integrated with modular ISR 4000 (including the new ISR 4221) and the new ENCS 5400 series, both leveraging rich IOS-XE based security and numerous other advanced NFV functions and services.
  • Enterprise Dying Gasp – This feature can program and send SMS messaging when ISR 4000 or ENCS platform power is lost (e.g. a text message such as: “This ISR/ENCS platform in building 24 has lost power”). A visible RSSI status BAR on module faceplate to help site installation and troubleshooting is also included.
  • Dual micro SIMs – dual micro SIMs for primary and backup SIM support (within the same country) with auto SIM detection capability.


LTE Advanced NIMs are now available on CCW. Look for these PID Names:

  • NIM-LTEA-EA (for North America and EMEAR)
  • NIM-LTEA-LA (for all India, China, Japan, Australia, ASEAN, and LATAM)


For more details and NIM product specifications go to:


Cisco CSR1000V: where it's used and how it performs

The Cisco CSR1000V can deliver up to 20Gbps of throughput on a single x86 commercially available server, delivers up to 5Gbps of encrypted traffic inside public cloud providers, and with its rich IOS-XE feature set a Cisco secured routing fabric can be extended across campus, DC, branch and public cloud platforms that cover dispersed geographical locations.


See our independent performance test report by Miercom. In the report, you will find that we can achieve 20Gbps of throughput on a single x86 server by running 3 separate 2vCPU CSRs and routing traffic across them; note that the 3 CSRs were running as separate routing instances, not clustered. You can cluster CSR1000Vs for specific services, for example as an IPSEC VPN concentrator.

The Cisco CSR1000V also provides the highest throughput capability for encrypted traffic inside Amazon AWS cloud services. With the CSR's throughput capability inside the public cloud, we can deliver business-oriented solutions that help deliver secure, reliable and scalable hosted application services.

One example of a business-oriented solution is our “Cisco Transit VPC” inside Amazon AWS. The solution addresses a known transit routing limitation in AWS that limits the scaling up of VPCs. Using the CSR1000V in conjunction with AWS automation tools, a user is able to create a dedicated VPC running dedicated high-throughput CSRs, clustered in HA mode, that provides interconnection between VPCs that need to route to each other, secures VPCs that should be isolated, and provides secure connectivity to on-prem locations. For more detailed information on Transit VPC go here.

The Cisco CSR1000V follows the same architecture as its hardware predecessor, the Cisco ASR 1000. The virtual appliance consists of separate control plane and data plane processing roles. If the CSR VM is defined as a 1vCPU VM, then the single vCPU is shared between control plane and data plane. As more cores are added to the CSR VM, the extra cores are allocated to the data plane in order to accelerate the processing and forwarding of packets. For example, on a 4vCPU VM a CSR would allocate 1 core to control plane functions and 3 cores to data plane functions; in an 8vCPU VM it would be 1 control plane core and 7 data plane cores.


The core allocation model suits most network use cases, where the important service is bandwidth. The control plane is simply handling a few hundred or low thousands of routes, network policies and low to medium connection rates. For services that rely on control plane processing, for example a vRoute Reflector where millions of routes are stored and processed, a vIWAN Master Controller Hub managing up to 2000 PfR border routers, or an IPSEC VPN concentrator maintaining state for thousands of IPSEC tunnel sessions, the CSR can dynamically assign an extra core from the data plane to the control plane. This allows an 8vCPU CSR to allocate 2 cores to the control plane and 6 cores to the data plane in order to scale the control plane capabilities.


The CSR1000V has come a long way since its launch almost 5 years ago, and we improve the feature set as well as performance with each release. The CSR1000V carries the same feature set as the Cisco ASR 1000 series and the Cisco ISR 4000 series, so it can meet almost every networking requirement across different points in the network. It provides flexible throughput options that range from 10Mbps through 10Gbps, and is supported on RHEL KVM, Ubuntu KVM, VMware ESXi, Microsoft Hyper-V and Citrix XEN hypervisors, as well as the Microsoft Azure and Amazon AWS cloud provider platforms.


You can obtain a CSR1000V directly from www.cisco.com and obtain 60-day trial licenses, or launch it directly from Amazon AWS or Microsoft Azure and run the CSR on these cloud platforms within trial period limits.


If you'd like to know more, please register for our upcoming Enterprise Networks Customer Connection Program on March 21 from 8:00-9:30am PT on the topic of the Cisco Cloud Services Router next generation forwarding plane. (Registration for the Enterprise Network Customer Connection Program is required.  Registration is quick and easy to complete)


The Cloud Services Router is used across all different points within a network. From a feature perspective, it delivers on the promise of rich “enterprise-class” networking services and from a performance perspective it can achieve throughput of 10Gbps. But, datacenter edge and public cloud edge use cases demand throughput capabilities that are above 10Gbps with services enabled. Learn how Cisco engineering is re-architecting and enhancing the Cloud Services Router dataplane to achieve “40Gbps” of throughput.

In the stores of tomorrow, phones will replace cashiers. In the fields of tomorrow, connected crops will solve global food challenges. In the factories of tomorrow, robots will work together autonomously.


Tomorrow is closer than you think. These examples aren’t from the distant future, in some cases, these activities are reality. Delivering these innovations and new experiences requires a strong digital foundation. That means connecting people, processes, and things.


Today, we’re introducing Cisco Umbrella Wireless LAN (WLAN), a new security service that combines the power of the network with advanced cloud security—allowing you to securely thrive in the era of digital transformation.

What does Umbrella WLAN do for you?

According to Cisco VNI, 49% of global traffic in 2020 will be Wi-Fi based. For a digital organization, digital success is realized or lost at the first line of defense for connecting things and data.


That means it’s all about granularity for the Wi-Fi network and visibility—as in identifying the internet threats and their evolution. Umbrella WLAN provides highly detailed enforcement and reporting at the SSID, client location, client user role, and WLC level. It’s not a cookie-cutter solution; you can tailor acceptable use policies at a level that makes sense for your business.


How does it work?

Umbrella WLAN enforces security at the Domain Name System (DNS) layer, which means you can block requests to malicious domains and IPs before a connection is ever made.

Umbrella WLAN learns from Internet activity patterns to uncover and predict threats. The huge volume of DNS requests that Cisco resolves from millions of users around the world, more than 100 billion requests per day, provides a very diverse data set. Umbrella WLAN applies statistical models to that data set, which allows Cisco to identify where current and future attacks are staged on the internet.


Whether you’re seeking to secure the internet at one hotspot or several thousand, Umbrella WLAN can be deployed quickly and managed easily through a centralized web-based dashboard. The ability to map business functions to policies is easy and intuitive, enabling the network to evolve rapidly to changing business needs. Security is enforced without added latency so the end user experience is not impacted.


For more information:

Visit the Umbrella web page and take a look at the At-A-Glance.

Join us on March 7, 2017 for an Enterprise Networks Customer Connection briefing on Cisco Umbrella WLAN - Combining the power of the network with advanced security.  (Registration for the Enterprise Networks Customer Connection Program is required.  Registration is quick and easy to complete)


During the briefing we'll discuss Cisco Umbrella WLAN, the latest addition to the EN portfolio, bringing Cisco Umbrella integration to the Cisco Wireless LAN Controller portfolio. With the ability to closely align policies (e.g. appropriate usage) with business functions, and granular enforcement and reporting aligned with SSID, AP and WLC, the overall solution brings unique Cisco value to the marketplace.


With simple and intuitive management, Cisco Umbrella WLAN can be deployed in minutes and leverages extensive internet visibility from a security perspective to protect end users and the enterprise. Umbrella WLAN lets you simply secure your wireless environment by providing a first line of defense for all your users.

In the beginning (circa 2001), mankind lived in caves and lit fires with a flint. We also built towering monuments to the gods of Information Technology. Offices, retail stores, banks, centers of commerce – anywhere that people gathered – dedicated large metal racks, sometimes entire rooms, to appease these deities in hopes for blessings of uninterrupted up-time and peaceful service levels. These were the days of dedicated appliances and they spread a deep dread across the land.


Then one day off in the distant land of the Data Center a new way of thinking was born: Virtualization. With it came unknown levels of efficiencies and responsiveness. Uptimes and flexibility reached higher than anyone thought possible. There was great rejoicing throughout the land; except for those responsible for the remote offices.


The remote branch office continued to be the domain of the dedicated appliance. Purpose-built devices performed one and only one function. The router was a router and the switch a switch. Servers served and firewalls firewalled. Wireless Controllers controlled and WAN optimizers optimized. There was a purity, even an innocence, of purpose, but the bean-counter overlords were not happy. “Why could the same weapons used to destroy the Deities of the Data Center not be used here?” they would ask. “Things are different and more complex here! We have support tools and trained staff” the IT managers would exclaim before they were summarily sacked to make the quarter’s numbers.


The Problem with Virtualization in the Branch

Virtualization in a data center is a very different prospect than virtualization in the branch. The functional requirements of the two locations are fundamentally different in most IT organizations.


                    Data Center                            Branch/Remote Office
IT Staff            Manned 24/7                            Normally Remote
Network Type        Ethernet                               Ethernet, T1, DSL, LTE, etc…
WAN Reliance        Isolated failures if WAN links fail.   Entire location down when WAN down.
Hardware Refresh    <3 Years                               >5 Years
Power Concerns      Big savings through lower power.       Power needs not generally a concern.
Space Concerns      Rack Space is Expensive.               Rack space for most needs.
                    Deep is better than RU.                No depth for most DC servers.
Noise               Make all the noise you want.           Zero sound. People working here.


Most of the differences between a data center and remote office can be distilled down to the fact that these are two areas where IT staff have very different business requirements even though they might be trying to do similar things. The 30” server designed for the noisy Ethernet-only data center has a hard time in the space constrained back room of a small store or office where noise is a concern and various WAN interfaces the norm.


A Different Way – Enterprise NFV

Various companies have been trying to shoe-horn those data center designs into network function virtualization (NFV) in the branch office with varying levels of success. Cisco took some time designing its entry into branch NFV because of customer feedback that any solution for the branch needed to provide the advantages they were seeing in the data center while being familiar enough that they would not have to completely retrain their entire IT staff.


Cisco Enterprise NFV does exactly that. Building on a solid foundation of open source Linux virtualization, the Network Function Virtualization Infrastructure Software (NFVIS) provides an open sandbox in which network or application functions from Cisco or any developer can be hosted. Speaking of those Virtualized Network Functions (VNFs), Cisco has been quietly developing the strongest portfolio of virtual functions over the years, which are now tested and certified as part of the Enterprise NFV solution. The latest of these functions is the Virtual Next Generation Firewall (NGFWv), bringing the latest firewall technology into the virtual world.


Finally, what might be the most important piece, is the orchestration and management of the entire solution. This takes the form of Cisco Enterprise Service Automation which provides a single point of control for managing VNFs across all remote sites.


ENCS 5400 Series – One Box to Rule Them All

While NFVIS is terrific, it isn’t the whole story for the branch office. NFVIS is fully supported on Cisco UCS servers, including the C-Series and E-Series which could both be used in a branch. However, one thing that customers told us repeatedly was that they needed hardware designed for the unique requirements in the remote office. Enter the Enterprise Network Compute System or ENCS.

The ENCS 5400 looks like a Cisco router. That’s intentional as it was designed by the same engineers that have been building the Integrated Services Routers (ISRs) for decades. This group knows how to build hardware that works in a remote office.


What makes the ENCS unique?

  1. Physically designed to fit into the tight space of a remote office. 1RU high and 12” deep.
  2. Network Interface Module (NIM) support for LTE, T1, DSL etc.
  3. Dual-Phy Gigabit Ethernet WAN supporting both copper and fiber connections
  4. 8-port GE Switch with UPoE
  5. Hardware for VNF network acceleration (SR-IOV)
  6. Internal (M.2) SSD and External (2.5”) SSD options
  7. 6, 8 & 12 core CPU options
  8. Memory options up to 64GB
  9. Redundant silent-running fans
  10. Lights-out management with Cisco Integrated Management Controller


Would you like to know more?

Bringing virtualization to the branch is a complex case. There’s a lotta ins, a lotta outs, a lotta what-have-yous that can’t be covered in a single blog post. If this introduction has piqued your curiosity, fear not, there’s loads more information for you to consume. Online, the best starting point for information is the Enterprise NFV home on Cisco.com.


Please join me on March 14, 8:00-9:30am PT for an Enterprise Network Customer Connection briefing on Network Function Virtualization - Reality in the Branch.  (Registration for the Enterprise Network Customer Connection Program is required.  It's quick and easy to do)


This session will introduce the E-NFV Solution along with the new hardware and software that brings this new level of flexibility to your branch. 


You will learn from the product team how the introduction of the Cisco Enterprise NFV solution including the new Enterprise Network Computing System (ENCS) can virtualize many of the physical devices in your branch. One reliable, purpose-built platform can host your router, firewall, wireless LAN controller, WAN optimizer and more along with other traditional applications needed in the branch.

For folks attending Cisco Live in Berlin this week there are loads of options for them to learn more live:


BRKARC-2014, Tuesday, 3PM:

Branch Virtualization – The Evolving NFV Landscape
In this session I’ll be walking through virtualization options in the Enterprise branch including Enterprise NFV.


CCP-1002, Wednesday, 1:15PM:            

Evolution of Routing in the Enterprise Branch
This NDA session for CCP members only will walk through the public face of Enterprise NFV as well as taking you behind the scenes for a peek at our plans for how this solution evolves to bridge the IT organization from the traditional to the NFV world.

The Cisco Integrated Services Router is a routing platform designed to provide connectivity and hosting of network services consumed by branch offices. As the product name implies, this platform can run additional or third-party network services without the need to deploy new hardware. This is possible thanks to an integrated virtualization environment based on KVM (Kernel-based Virtual Machine).



A KVM machine running on a Cisco ISR is called a virtual service. If you are interested in building a generic virtual service for a Cisco ISR, the process is fairly straightforward and well documented in this service containers tutorial (see page 25).


In the past few weeks, I have spent some time building a virtual machine for the NetBeez monitoring agent. Here I would like to highlight some benefits of running a virtual service, such as a NetBeez agent, on the Cisco ISR platform.


Once upon a time …

Before this option, a network administrator who wanted to install a network monitoring agent at a remote office, but didn’t have an on-site dedicated workstation, or any other type of hosting environment (e.g. hypervisor), was out of luck. At NetBeez, to overcome this problem, we decided from the get-go to include the hardware appliance (e.g. Raspberry Pi), if needed, with the NetBeez subscription at no extra cost. This spared the network administrator from having to procure, configure, and maintain the hardware needed to run the NetBeez monitoring agent.



Problem solved

Now, the Cisco ISR platform is making this task even simpler, further facilitating and accelerating deployment and management of remote network monitoring agents.


I tested the NetBeez virtual service that I built, and it took me less than ten minutes to have the service up and running (excluding the time needed to download the image from the repository). If you have an Integrated Service Router at a remote branch office, you can easily test it yourself. Just take a look at the documentation for installing a NetBeez agent on a Cisco ISR.


High-level ISR configuration

Here is a simplified network diagram of the router configuration that I applied during the installation process.


In the configuration that I applied when I tested the NetBeez virtual service, I configured:


  • A virtual port group to provide network connectivity to the interface eth0 of the NetBeez virtual service
  • A DHCP pool to give a dynamic IP to the interface eth0 of the NetBeez virtual service (this can also be assigned statically)
  • A static NAT association to the IP assigned to the interface eth0 of the NetBeez virtual service


A few commands later, I was able to activate the virtual service and console in the virtual machine. From there, I just followed the NetBeez installation guide for virtual agents.



The Cisco ISR is a great solution for remote offices because it enables network administrators to install a variety of network services and applications in a short amount of time. On top of that, network administrators also have a simple and accessible way to build and deploy a custom image, improving the performance and security of the overall network. If you want to test the NetBeez virtual service on your Cisco ISR router, submit your request here.

During the last few years, digital technologies have been woven into every aspect of business - accelerating, streamlining, and automating the way we get work done. As digital transformation continues to top the list of business priorities, the enterprise network, which supports these digital initiatives, has also become a central focus. What are the networking architectures that are needed to support digital transformation today? How can IT teams more effectively deploy cloud and software-defined network (SDN) solutions that power businesses’ digital missions?


On January 27th at 10:30am PST (1:30pm EST), we’re hosting a #CiscoChat to discuss these questions and more. During the chat, we’ll be joined by industry experts Nolan Greene (@ngreeneIDC), Enterprise Networking Analyst, IDC, and Matthew Marden (@mmarden_IDCBV) Analyst, IDC, who will help offer insights into enterprise networking and what’s on the horizon for the future.

RSVP and get reminders for the Cisco Chat here


To participate in the chat:

  • Make sure you’re logged into your Twitter account.
  • Search for the #CiscoChat hashtag and click on the Live tab.
  • The chat will be moderated by Julie McPherson and Lauren Colson on the Cisco Enterprise Networks handle (@CiscoEnterprises) on Twitter. Be sure to follow the account to participate. They will begin welcoming guests at 10:30am PST (1:30pm EST) and posting questions for discussion.
  • For @ replies to specific participants in the discussion, please use a “.” at the beginning of the tweet, so that your question or comment will appear in your public Twitter feed.
  • If you need multiple tweets to answer a question, please preface each tweet with “1A, 2A,” etc. in order to make it easier for others to follow along with the conversation.
  • Be sure to use the #CiscoChat hashtag at the end of each tweet, so that others can find your contributions to the discussion.

Don’t forget to bring your own questions to the discussion as well! See you there!


No matter where we go, we’ve come to expect a seamless wireless internet connection at our fingertips — and this is especially true for hotels, casinos, cruises, convention centers, and the like. What’s more, we don’t want just any Wi-Fi connection: We want the best, fastest Wi-Fi connection possible. Little surprise, then, that excellent Wi-Fi is one of the most visible services those in the competitive hospitality industry can provide.


For guests, inconsistent signals, complicated log-in procedures, and a lack of support for new mobile devices are simply frustrating. But for hoteliers and other hospitality operators, these Wi-Fi weaknesses aren’t just an annoyance. They’re positively worrisome: They compromise the guest experience and risk customer loyalty.


How can the hospitality industry address these Wi-Fi challenges through innovation, while also ensuring a high level of data security for guests? To find out, tune into our next #CiscoChat, on Thursday, December 15th at 12 p.m. PST. There, we’ll be joined by @BlueprintRF as we’ll talk about improving the guest experience through personalization (think ordering systems, in-room media, and lighting), hospitality mobile apps, guest satisfaction analytics, and issues in cybersecurity. We’ll also provide some practical options for your Wi-Fi deployment model. Don’t miss out!



Learn how the Cisco Identity Services Engine (ISE) works with Stealthwatch to rapidly detect and contain threats throughout the network.


Watch the full TechWiseTV episode


Want more? Register for the follow-up online workshop on December 14, 2016!




Guest post by Vikramjeet Singh


For the last 5 years, Cisco has been empowering your branch IT networks with DC-class servers, with 3000+ customers and growing. Our UCS E-series servers slim down your branch hardware footprint and boost application deployment flexibility with a converged network, compute, and storage platform.


Do Even More with Less

In this fast-paced digital world, the digitization of customer experiences and the Internet of Everything require you to run more mission-critical applications on the branch edge. With our new 3rd generation UCS E-series single-wide blade, turbocharge your branch compute by 2x (compared to the 2nd generation) without huge, power-guzzling rack servers or dedicated appliances.


Figure 1: 3rd Gen. UCS E-series Single Wide 160S-M3


For example, let’s take a retail use case. In a typical deployment, a store may run a WAN optimization service such as Cisco virtual WAAS (vWAAS) and a Point-of-Sale (PoS) application on a UCS E-series within an ISR 4000 router. To accommodate guest Wi-Fi, the same blade can also run a virtual Wireless LAN Controller (vWLC) to centralize wireless network visibility. And if physical security is monitored through video surveillance, then MediaSense is deployed to support recording, playback, live streaming, and storage of voice and video for business intelligence. Of course, you cannot omit the Intrusion Detection and Prevention System, e.g. FirePOWER Threat Defense, either. However, there are two major concerns when deploying a multitude of applications.

  1. Limited compute resources for high-performance threat detection solutions such as FirePOWER IDS/IPS
  2. Lack of storage capacity, which restricts data-intensive applications and forces frequent cloud backups, further increasing costs

With the 3rd Gen UCS E-series 160S-M3, you don’t need a separate appliance for MediaSense or FirePOWER IDS/IPS. They can run on the same UCS E-series along with vWAAS and the PoS application. Additionally, you can leverage the extra storage capacity, up to 4TB, for print servers in large branches, security camera feeds, or any proprietary data-intensive applications. By converging more apps into one blade, you reduce both OpEx and CapEx without compromising performance.


With UCS E-Series, you can take on compute-intensive applications and high-storage use-cases. See our model comparison chart below for the right specs that meet your specific IT challenges.


Now that I have you excited, check out these resources to learn more about Cisco UCS E-series.

    1. Alaskan Bank Virtualizes Branches for Productivity Benefits
    2. Retailer Maximizes Space, Increases Resiliency with Store-in-a-Box
    3. Insurance Company Virtualizes Data Center and Desktops
    4. Swiss SP Courts Clients with Savvy, Affordable Cloud Services
    5. Navaho Partners with Cisco to Capture Virtual Image Storage Market


We are working on pretty amazing stuff. Stay tuned for more exciting updates in 2017!

One is a sports apparel retailer while the other is a software company. “What can they possibly have in common?” you may ask. Both have a common IT goal, and that is to extend their enterprise network to the AWS cloud, but for very different business outcomes. And both accomplished their goal using the same solution: Cisco Cloud Services Router 1000V.

Did you know? Up to 70% of CIOs stated they need cloud solutions to better respond to business needs (Source: 2015, CIO Insight). For that reason, cloud adoption between 2015 and 2016 grew exponentially, with as many as 71% of organizations choosing the hybrid cloud approach. See Chart I below.

Chart I: Respondents Adopting cloud – 2016 vs. 2015


What are the top 3 cloud adoption challenges?
When it comes to extending the enterprise network to the cloud, there are many factors to consider; see Chart II below.

Chart II: Cloud Challenges 2016 vs. 2015


Security, no doubt, is among the top. One out of every three organizations cited ensuring a secure connection between the on-prem enterprise network and public and private cloud environments as a top challenge. There are several reasons why.

  1. Inconsistent VPN and firewall policies between the on-prem enterprise network and different cloud environments;
  2. Limited connection reliability, e.g. not all cloud solutions can support high scale; and
  3. Non-unified network topologies make management and operations error-prone.

Next on the list is integration. With the LAN, WAN and data center network each having its own set of internal and external network/IP addresses, management interfaces/tools, and a different quantity and set of network services, operations quickly become onerous due to the lack of centralization and standardization. The complexity increases multifold when multiple types of on-prem and cloud infrastructure come into the picture. For example, do I have VMware ESXi, RHEL KVM, Ubuntu KVM, Citrix Xen, and/or Microsoft Hyper-V? And how do they work with Amazon AWS, Microsoft Azure, or any cloud? Quick answer: it should not matter.

Last but not least is the user experience. When the network is confined within an enterprise WAN perimeter, policy enforcement can be automated based on business priorities. Once connected to the cloud, how would network services that were once innate on-prem such as QoS, WAN and application optimization, and firewall be deployed, managed and scaled?

Learn from Under Armour and Adobe
This December, two enterprise customers, Under Armour and Adobe, will share with us their cloud strategy successes in a webinar. Each will highlight its goal, network environments, desired business outcomes, and the chosen solution. Here’s an overview.

Under Armour, Inc. – a multi-billion-dollar American sports clothing and accessories company
Its goal: New IT model – a service broker for Line of Business

  • Enable the Application/Marketing/Financial team’s growth
  • Curb the organic growth of ungoverned Shadow IT resources
  • Provide an agnostic platform that facilitates Standard Operating Procedure
  • Augment application owner’s security controls
  • Have visibility to address issues proactively

Adobe Systems, Inc. – a multinational computer software company
Its goal: Adobe Digital Marketing Cloud

  • Provide a comprehensive marketing solution
  • Enable marketers to measure, personalize and optimize digital experiences
  • Attain agility and workload mobility

Tue, 6 Dec 2016 10:00 AM – 11:00 AM PT (and on-demand)
Join us and learn

  • How Cisco helped simplify Under Armour’s and Adobe’s security management while keeping connectivity costs under control
  • Best practices for monitoring and analyzing application security and performance in the cloud
  • How to implement consistent network policies across hybrid environments



Nick Matthews, Partner Solutions Architect, Amazon Web Services

Fan Yang, Technical Marketing Engineer, Cisco
Carl Coles, Network Architect, Adobe Systems
Patrick Duroseau, Sr. Director Global Infrastructure, Under Armour



Test drive the solution yourself in your own environment with a free trial for 30 days on AWS. Cisco CSR 1000V is a complete multiservice cloud networking platform for all deployment types: physical, virtual, and cloud.


Key Benefits:

  1. Consistent operations across the on-prem network and multi-cloud environments with familiar Cisco IOS-XE software;
  2. Support for VMware ESXi, RHEL KVM, Ubuntu KVM, Citrix Xen, and Microsoft Hyper-V;
  3. Infrastructure-agnostic operations mean freedom of choice, with no dependency on any specific server or virtual switch;
  4. Elastic scalability with licensing flexibility: throughput up to 10 Gbps, up to 1000+ connections, and up to 8 virtual CPUs; pay only for what you need; and
  5. Programmable with NETCONF/YANG, RESTCONF and SSH/Telnet for automated provisioning, management and monitoring.



Cisco is pleased to announce that the global Cisco LTE 2.5 release is now available with IOS 15.6(2)T1, supporting all segments and verticals, including M2M.


Additional new key FDD and TDD LTE bands for Asia, Australia, and LATAM with Cisco LTE 2.5 platforms are now orderable.



  • Primary LTE Wireless WAN link or WWAN IWAN diversity or seamless WAN Backup, e.g. for remote offices, branches, M2M, and retail
  • Quick branch turn-up for instant connectivity of branch (remote) offices, kiosks & ATMs, construction site, retail, small & medium business, and anywhere with cellular coverage
  • Tightly integrated with modular ISR G2, ISR 4000 (including New DNA-Ready platform: ISR4221), and fixed ISR 800 (including M2M), leveraging rich IOS-based security and many other advanced services
  • Network resiliency through IWAN diversity with or without a wired link



  • Higher LTE scalability (CAT4), expansion to additional geographies, segments, and verticals with full, rich IOS and an advanced LTE feature set
  • C819G improvements: +30% improved M2M performance with an extended operating temperature range from -20 to +50 degrees Celsius (functional up to 55C)
  • Additional new FDD and TDD LTE bands: FDD bands 28, 21, 19, 18, 5 and TDD bands 38, 39, 40, 41
  • New antenna: 3:1 elements indoor/outdoor or 2:1 indoor low-profile 2X2 MIMO antenna with (3:1) GPS in 4 different colors, and ease of installation with a single 5/8 inch drill hole



  • Key features including SMS, standalone active GPS (except C819GW), 4G MIB (3G MIB with full 4G extension), IMS Bearer QoS, Multi-VRF, Multi-PDN, and Multiple Profiles
  • 15-25x faster than 3G and 8x lower latency than 3G; up to theoretical CAT4 150Mbps download speeds, depending on the specific SP carrier’s live network LTE provisioning and channel bandwidth
  • Short installation time and rapid deployment; configurable for fail-over from the wired WAN in case of wire-line outages
  • Easy firmware image switching provisioning from FLASH for fixed LTE platforms (-LA PIDs); the 15.6(2)T1 Universal IOS for all 800 LTE fixed platforms includes Advanced IP Services and dual-SIM support for all fixed platforms, including M2M


LTE features, description and orderability

Common CAT4 LTE bands:

Multimode Cisco LTE 2.5 for carriers that operate FDD LTE 700-MHz (band 28), 800-MHz (band 20), 850-MHz (band 5 CLR), 850-MHz (bands 18 and 19 Low), 900-MHz (band 8), 1500-MHz (band 21), 1800-MHz (band 3), 2100-MHz (band 1), or 2600-MHz (band 7) networks; the multimode Cisco LTE 2.5 routers are backward-compatible with Universal Mobile Telecommunications Service (UMTS) and Dual Carrier High-Speed Packet Access Plus (DC-HSPA)+: 800 MHz (band 19 Japan), 850 MHz (band 5), 850 MHz (band 6 Japan), 900 MHz (band 8), 1800 MHz (band 9), 2100 MHz (band 1), and TD-SCDMA 39.

Multimode LTE 2.5 for carriers that operate TDD LTE 1900-MHz (band 39), 2300-MHz (band 40), 2500-MHz (band 41), or 2600-MHz (band 38) networks.

Multimode LTE 2.5 for carrier aggregation band combinations: 1+(8,18,19,21); 3+(5,7,19,28); 7+(5,7,28); 19+21, 38+38, 39+39, 40+40, 41+41

Platform description and orderability:

  • GE WAN, 4 LAN Switch Ports, Cisco 12:1 Smart Serial: Now
  • GE WAN, 4 LAN Switch Ports, Cisco 12:1 Smart Serial, dual 802.11n WiFi radio: Now (-N domain, mid-Jan 2017)
  • 2 GE WANs (SFP option), 8 LAN Switch Ports: Now
  • 1 GE WAN (SFP option), 8 LAN Switch Ports, ADSL2+/VDSL or G.SHDSL: Now
  • ISR G2 LTE Enhanced High Speed Interface Card: Now
  • ISR 4000 LTE Network Interface Module: Late Dec 2016
  • 3:1 indoor/outdoor low profile antenna with GPS (dual SMA to TNC Adapters): Now


More Resources:

  • LTE 2.5 C819G(W) Datasheet
  • ISR G2 Page
  • ISR 800 Page
  • Ordering Guide
  • LTE C800G HW Installation Guide


Microsoft Azure Government Cloud is an isolated and dedicated cloud platform, which enables government agencies and government approved contractors to host sensitive data. Connectivity from on-premises locations to Azure Government Cloud must be secure, scalable and dynamic.


With Cisco CSR1000v now available on Azure Government Cloud, Government Cloud customers can enjoy the same advanced routing and security benefits delivered on the Azure public cloud. Cisco CSR1000v provides best-in-class routing capabilities that support full path encryption with the strongest cipher suites available in the market, L4-L7 firewall capabilities, and L7 visibility and control. Using Cisco CSR1000v in concert with Azure Government Cloud delivers on the value proposition of ensuring Government data receives the protection of Cisco’s security capabilities in the Azure cloud environment they trust.


Because Cisco CSR1000V runs full featured Cisco IOS-XE, management of CSR1000V simply becomes another location inside an already deployed Cisco based network and plugs in easily to existing management tools and operations. See below for some FAQs.


To launch the CSR 1000V on Azure Government Cloud there is a pre-built solution available to you.  The solution is based on templates we created to ease the deployment of the CSR 1000V on Azure.  The templates allow the solution to deploy different resources at the same time to fully support a CSR 1000V deployment.  The solution details are as follows:


  • 2 or 4 Network Interface Cards (NICs)
  • VNet configured with two or four subnets: one private and one public, or three private and one public
  • Routing tables on each subnet with user-defined routes; the private subnets use the private-facing interface as their gateway, so the VMs behind the router do not have direct access to the internet
  • IP forwarding enabled on each interface
  • UDP port 500 (ISAKMP) and UDP port 4500 (NAT-T) added to the security group on the public subnet for VPN connections
  • Azure D2 or D3 instance type compute
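The two security-relevant items in that list are the security group on the public subnet (only the IKE ports should be reachable from the Internet) and the private subnets' default route (everything should leave through the CSR). The following Python check is an added example, not Cisco's or Microsoft's code and not part of the solution templates; the NsgRule and Route classes are simplified, hand-constructed stand-ins for the securityRules and routes properties of an Azure NSG and route table, and the rule set, route table and CSR address 10.0.1.4 are made-up sample data. It evaluates inbound rules the way Azure does, by ascending priority with the first match winning, so a broad Deny placed after a narrower Allow does not hide the exposure.

```python
"""Post-deployment sanity check for the CSR 1000V network pieces on Azure.

Added example (not Cisco's or Microsoft's code). Field names mirror ARM
securityRules / routes properties, but the data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Ports the solution template opens on the public subnet for the VPN:
# IKE/ISAKMP on UDP/500 and NAT-T on UDP/4500.
EXPECTED_PUBLIC_INBOUND: Set[Tuple[str, object]] = {("Udp", 500), ("Udp", 4500)}

INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0"}


@dataclass(frozen=True)
class NsgRule:
    name: str
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    dest_port: str   # "500", "*" or a range such as "8000-8100"
    source: str      # "Internet", "*", "VirtualNetwork" or a CIDR
    priority: int    # lower number is evaluated first


@dataclass(frozen=True)
class Route:
    name: str
    address_prefix: str
    next_hop_type: str             # "VirtualAppliance", "Internet", ...
    next_hop_ip: Optional[str] = None


def _ports(spec: str) -> set:
    """Expand an NSG destination port spec into a set of ints (or {"*"})."""
    if spec == "*":
        return {"*"}
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def internet_exposed(rules: Iterable[NsgRule]) -> Set[Tuple[str, object]]:
    """Return (protocol, port) pairs an Internet source can reach inbound.

    Rules are walked in ascending priority and the first rule that matches a
    (protocol, port) decides it, matching Azure NSG semantics. A wildcard
    Allow shows up as (protocol, "*") so it is never masked.
    """
    exposed: Set[Tuple[str, object]] = set()
    blocked: Set[Tuple[str, object]] = set()
    blocked_all_ports: Set[str] = set()
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound" or rule.source not in INTERNET_SOURCES:
            continue
        protos = ("Tcp", "Udp") if rule.protocol == "*" else (rule.protocol,)
        ports = _ports(rule.dest_port)
        for proto in protos:
            if proto in blocked_all_ports or (proto, "*") in exposed:
                continue  # an earlier wildcard rule already decided this protocol
            if ports == {"*"}:
                if rule.access == "Allow":
                    exposed.add((proto, "*"))
                else:
                    blocked_all_ports.add(proto)
                continue
            for port in ports:
                key = (proto, port)
                if key in exposed or key in blocked:
                    continue  # already decided by a higher-priority rule
                (exposed if rule.access == "Allow" else blocked).add(key)
    return exposed


def unexpected_exposure(rules: Iterable[NsgRule]) -> Set[Tuple[str, object]]:
    """Anything reachable from the Internet beyond the two IKE ports."""
    return internet_exposed(rules) - EXPECTED_PUBLIC_INBOUND


def default_route_via_csr(routes: Iterable[Route], csr_private_ip: str) -> bool:
    """True when 0.0.0.0/0 is forwarded to the CSR's private-facing interface,
    i.e. VMs behind the router have no direct path to the Internet."""
    for route in routes:
        if route.address_prefix == "0.0.0.0/0":
            return (route.next_hop_type == "VirtualAppliance"
                    and route.next_hop_ip == csr_private_ip)
    return False


# Constructed sample: the template's two IKE rules plus a management port
# someone left open to the Internet, and Azure-style deny-all at the end.
PUBLIC_NSG = [
    NsgRule("allow-ike", "Inbound", "Allow", "Udp", "500", "Internet", 100),
    NsgRule("allow-nat-t", "Inbound", "Allow", "Udp", "4500", "Internet", 110),
    NsgRule("allow-ssh-mgmt", "Inbound", "Allow", "Tcp", "22", "Internet", 120),
    NsgRule("deny-all", "Inbound", "Deny", "*", "*", "*", 65500),
]
PRIVATE_ROUTES = [Route("default-via-csr", "0.0.0.0/0", "VirtualAppliance", "10.0.1.4")]

if __name__ == "__main__":
    print("unexpected Internet exposure:", unexpected_exposure(PUBLIC_NSG))
    print("private default route via CSR:", default_route_via_csr(PRIVATE_ROUTES, "10.0.1.4"))
```

On the sample data the check reports TCP/22 as unexpected exposure and confirms the private default route; swapping the deny-all rule to priority 100 makes every later Allow unreachable, which the evaluator also reflects. To run it against a real deployment, feed it the securityRules and routes exported from the resource group (for example as JSON from the Azure portal or CLI) and map the fields onto the two classes.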


How to Deploy Cisco CSR in Azure Government

Go to the solution templates for 2-NIC and 4-NIC Cisco CSR1000v in the Azure QuickStart repo on GitHub, found at the links below. They can be found by searching for Cisco CSR1000v, or by clicking below. For step-by-step deployment instructions for solution templates from GitHub into Azure Government Cloud, see our technical documentation.



NOTE: you will need a valid Azure Government account in order to continue. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.


When deploying the CSR 1000V solution on Azure D2 compute, the specifications are 2 vCPUs and 7 GB of RAM. With these specifications the CSR 1000V can achieve a CEF throughput of 500 Mbps and an IPsec throughput (AES 256) of 150 Mbps.


When deploying the CSR 1000V solution on Azure D3 compute, the specifications are 4 vCPUs and 14 GB of RAM. With these specifications the CSR 1000V can achieve a CEF throughput of 500 Mbps and an IPsec throughput (AES 256) of 500 Mbps.


Both offerings support up to 1,000 VPN tunnels.


How Does Licensing the CSR 1000V Work on Azure Government Cloud?

If you want to connect your enterprise network to Azure the CSR 1000V supports Bring Your Own License (BYOL).  This means you buy a license from Cisco or a partner and install that license to the CSR 1000V running on Azure Government Cloud.


Find your local Cisco partner here: https://locatr.cloudapps.cisco.com/WWChannels/LOCATR/openBasicSearch.do


To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.


If you want to give the CSR 1000V a try on Azure, Cisco offers 60-day demo licenses to all CCO account holders. If you don’t have an account, go to this link and create a guest account. Once you have a guest account, follow the instructions here for temporarily licensing your CSR 1000V on Azure.


You can access this whitepaper to learn more about the integration of Cisco CSR 1000V with Microsoft Azure.


To launch the CSR 1000V for Microsoft Azure, please visit the Azure Government Marketplace and search for Cisco CSR 1000V.


We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click "Subscribe by Email!" on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.
