
Cisco Cloud Infrastructure: Application, Security, and Data Center Architecture

Jalpa Patel, CCIE No. 42465
Avinash Shukla, CCIE No. 28418
Himanshu Sardana
Komal Panzade

Cisco Cloud Infrastructure: Application, Security, and Data Center Architecture
Jalpa Patel, Avinash Shukla, Himanshu Sardana, Komal Panzade
Copyright © 2023 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by:
Cisco Press
All rights reserved. This publication is protected by copyright, and permission must be obtained from
the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any
form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information
regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global
Rights & Permissions Department, please visit www.pearson.com/permissions.
No patent liability is assumed with respect to the use of the information contained herein. Although
every precaution has been taken in the preparation of this book, the publisher and author assume no
responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use
of the information contained herein.

Library of Congress Cataloging-in-Publication Number: 2022920878
ISBN-13: 978-0-13-769012-1
ISBN-10: 0-13-769012-6

Warning and Disclaimer
This book is designed to provide information about Cisco Cloud Infrastructure for various Cisco
products: the existing Cisco technologies in the “Data Center, Security, and Applications” domain that
are available in the on-premises environment, and how that technology has evolved to fit a hybrid cloud
model that facilitates the management and operation of on-premises deployments and provides
integration with public cloud. Every effort has been made to make this book as complete and as
accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the discs or programs that may
accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco
Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this
information. Use of a term in this book should not be regarded as affecting the validity of any
trademark or service mark.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training
goals, marketing focus, or branding interests), please contact our corporate sales department at
[email protected] or (800) 382-3419.
For government sales inquiries, please contact [email protected].
For questions about sales outside the U.S., please contact [email protected].

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each
book is crafted with care and precision, undergoing rigorous development that involves the unique
expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how
we could improve the quality of this book, or otherwise alter it to better suit your needs, you can
contact us through email at [email protected]. Please make sure to include the book title and
ISBN in your message.
We greatly appreciate your assistance.
Editor-in-Chief
Mark Taub
Director, ITP Product Management
Brett Bartow
Executive Editor
James Manly
Managing Editor
Sandra Schroeder
Development Editor
Ellie C. Bru
Project Editor
Mandie Frank
Copy Editor
Bart Reed
Technical Editors
Manuel Velasco, Atul Khanna
Editorial Assistant
Cindy Teeters
Designer
Chuti Prasertsith
Composition
codeMantra
Indexer
Proofreader
Pearson’s Commitment to Diversity,
Equity, and Inclusion
Pearson is dedicated to creating bias-free content that reflects the diversity of
all learners. We embrace the many dimensions of diversity, including but not
limited to race, ethnicity, gender, socioeconomic status, ability, age, sexual
orientation, and religious or political beliefs.
Education is a powerful force for equity and change in our world. It has the
potential to deliver opportunities that improve lives and enable economic
mobility. As we work with authors to create content for every product and
service, we acknowledge our responsibility to demonstrate inclusivity and
incorporate diverse scholarship so that everyone can achieve their potential
through learning. As the world’s leading learning company, we have a duty
to help drive change and live up to our purpose to help more people create a
better life for themselves and to create a better world.
Our ambition is to purposefully contribute to a world where
• Everyone has an equitable and lifelong opportunity to succeed through
learning
• Our educational products and services are inclusive and represent the rich
diversity of learners
• Our educational content accurately reflects the histories and experiences
of the learners we serve
• Our educational content prompts deeper discussions with learners and
motivates them to expand their own learning (and worldview)
While we work hard to present unbiased content, we want to hear from you
about any concerns or needs with this Pearson product so that we can
investigate and address them.
Please contact us with concerns about any potential bias at
https://www.pearson.com/report-bias.html.
About the Authors
Jalpa Patel (CCIE No. 42465) is a multidisciplinary technologist and passionate
leader with a strong track record of successful engineering execution and
game-changing business achievements in defining, building, and growing new
products. Her domain knowledge of Data Center hardware infrastructure is
focused on Compute, Networking, Storage, and Accelerators. Patel holds an
MS degree in Telecommunication Networks from NYU, a BS degree from
Government Engineering College, Gujarat, India, and an Advanced Program
Management Certificate from Stanford.
Avinash Shukla (CCIE No. 28418), Senior Leader in Cisco’s US Customer
Experience (CX) Organization, has 14 years of experience in Cisco CX roles
spanning Professional and Technical Services, and extensive expertise in
collaboration and data center technologies. He now leads a team of engineers
working on Cisco Data Center Technology (Cisco Unified Computing
System, Hyperconverged Infrastructure, Virtualization, and Data Center
automation). He holds a B.Tech in ECE from IIIT, Hyderabad, has won
numerous Cisco awards for customer focus, and has delivered many technical
trainings for Cisco partners and customers.
Himanshu Sardana (CCNP, VCP, CKA) is a Senior Technical Consulting
Engineer in Cisco’s Customer Experience (CX) organization. He started his
professional journey with Cisco and now has 6 years of experience in the Data
Center Compute and Storage space. His current area of focus is Cisco’s
Hyperconverged business (HyperFlex) and Intersight, helping with high
escalations and creating tools such as Hypercheck to improve customer interactions
with Cisco products. He holds a BS degree in Computer Science from
Chitkara University, Punjab, India.
Komal Panzade is a Senior Technical Consulting Engineer in Cisco’s
Customer Experience (CX) organization and has 6 years of experience
working on different Data Center technologies such as Compute, Storage, and
Virtualization. She currently works in the Hyperconverged Infrastructure
(HCI) domain, focusing on Distributed Systems and Automation. She is a
Certified Kubernetes Administrator and helps Cisco customers with efficient
management of their infrastructure using Cisco’s SaaS platform, Intersight.
Komal holds a Bachelor of Technology degree in Information
Technology from Amity University, Noida, India.
About the Technical Reviewers
Manuel Velasco (CCIE No. 49401) is a Customer Success Specialist in the
Customer Experience group at Cisco Systems. In his previous role, he
worked as a TAC engineer at Cisco supporting multiple data center
technologies, including Cisco Unified Computing System and Virtualization,
Cisco Application Centric Infrastructure (ACI), and Cisco HyperFlex. He has
over 11 years of experience in data center technologies. Manuel holds a
B.S. degree in Computer Engineering from Cal Poly San Luis Obispo.
Atul Khanna (CCIE No. 35540) is a data center networking manager with
Cisco Customer Experience Centers Americas. He has extensive experience
in directing and leading strategies to provide optimal technical services to
Cisco customers. He has more than 10 years of experience at Cisco in
enterprise support, network operations, managed/cloud services, data center
networking, compute, and virtualization. Atul was a senior technical
consulting engineer supporting HyperFlex solutions in Richardson, Texas. He
facilitated Advanced Services (AS) team members for successful new
customer deployments and upgrades, and he cultivated relationships with
Cisco partners and customers to meet organizational demands. He also
presented a technical webinar for Cloud Services Platform 2100. He attended
Cisco Live in 2015 and 2018, interacting with Cisco customers and partners
at the TAC booth. Atul lives with his wife in Milpitas, California.

Dedications
Jalpa Patel: I would like to dedicate this book to my parents, Minaxi and
Babubhai Patel, for their blessings and faith in me; and to Jigisha, Falguni,
and Harish, for their guidance and encouragement. I also would like to
dedicate this book to my brother, Hardik, and his wife, Dharmistha, who have
been a great support for me throughout the complete process of writing
this book. Finally, thank you to Raj and Samaira for their love and
inspiration.
Avinash Shukla: I would like to dedicate this book to my lil’ baby girl Avira
who was born during the time of writing the book, my son Aryav, my nieces
Riddhi & Siddhi, my lovely wife Neelima, my sister Anubha, and my parents
Kanak and Anil, for their unconditional love and support. Without their
support, none of this would have been possible. I would also like to dedicate
this book to one of my earliest inspirations while growing up, my beloved
Bade Papa, Aravind Kumar Shukla (RIP). Lastly, I would like to thank
everyone in my big extended family for their motivation and encouragement.
All of you have inspired me in many ways and helped me in my professional
endeavors.
Acknowledgments
We would like to thank and acknowledge several people who have helped us,
directly or indirectly, acquire the skills that enabled us to write this
book.
This book would not have been possible without the support of many people on
the Cisco Press team. A thank you goes to James Manly, Eleanor Bru, and
everybody else at Cisco Press for believing in us and supporting us throughout
this journey.
Also, much of the research for this book was done by sifting through heaps of
design guides, specifications, and videos, so many thanks to all of the
technology professionals who produced them.
Finally, we would like to thank our technical reviewers, Manuel Velasco,
Vibhor Amrodia, and Atul Khanna, for their patience, commitment, and
support in the adventure of writing this book.
Contents at a Glance
Part 1: Cisco Datacenter Networking and Infrastructure
Chapter 1: Cisco Data Center Orchestration
Chapter 2: Cisco Data Center Analytics and Insights
Chapter 3: Cisco Data Center Solutions for Hybrid Cloud
Part 2: Cisco Applications and Workload Management
Chapter 4: Application, Analytics, and Workload Performance Management with AppDynamics
Chapter 5: Management
Chapter 6: Cisco Cloud Webex Applications
Chapter 7: Internet of Things (IoT)
Part 3: Cisco Cloud Security
Chapter 8: Cisco Cloud Security
Reader Services
Register your copy at www.ciscopress.com/title/ISBN for convenient access
to downloads, updates, and corrections as they become available. To start the
registration process, go to www.ciscopress.com/register and log in or create
an account*. Enter the product ISBN 9780137690121 and click Submit.
When the process is complete, you will find any available bonus content
under Registered Products.
*Be sure to check the box that you would like to hear from us to receive
exclusive discounts on future editions of this product.
Contents
Part 1: Cisco Datacenter Networking and Infrastructure
Chapter 1: Cisco Data Center Orchestration
IT Challenges and Data Center Solutions
Cisco Nexus Dashboard
Cisco Nexus Dashboard Orchestrator
Cisco Nexus Dashboard Fabric Controller
Third-party Applications and Cloud-based Services
Summary
References/Additional Reading
Chapter 2: Cisco Data Center Analytics and Insights
Cisco Nexus Dashboard Insights
Cisco Nexus Dashboard Data Broker
Cisco Meraki MX
Summary
References/Additional Reading
Chapter 3: Cisco Data Center Solutions for Hybrid Cloud
Cisco Cloud Application Centric Infrastructure (Cisco Cloud ACI)
Cisco UCS Director
Cisco Workload Optimization Manager
Cisco Hyperflex – Intersight
Summary
References/Additional Reading
Part 2: Cisco Applications and Workload Management
Chapter 4: Application, Analytics, and Workload Performance Management with AppDynamics
What Is AppDynamics?
AppDynamics Concepts
Deployment Planning Guide
Application Monitoring
Integration with Other AppDynamics Modules
Application Security Monitoring
End User Monitoring
Database Visibility
Infrastructure Visibility
Analytics
Monitoring Cloud Applications
Cloud Monitoring with AppDynamics Cloud
Cloud Infrastructure Monitoring
Summary
References/Additional Reading
Chapter 5: Management
IT Challenges and Workload Management Solutions
Cisco Intersight Workload Optimizer
Understanding Intersight Workload Optimizer Supply Chain
Cisco Container Platform
Cisco Intersight Kubernetes Service
Summary
References/Additional Reading
Chapter 6: Cisco Cloud Webex Applications
Cisco Webex Features
Cisco Webex Cloud Service Architecture
Summary
References
Chapter 7: Internet of Things (IoT)
Introduction to the Internet of Things
Cisco Kinetic Platform
Introduction to Cisco IoT
Edge Device Manager
Edge Intelligence
Licensing
Summary
Part 3: Cisco Cloud Security
Chapter 8: Cisco Cloud Security
Shadow IT Challenge
Cisco Cloudlock
Cisco Umbrella
Cisco Secure Cloud Analytics
Cisco Duo Security
Summary
Icons Used in This Book
Command Syntax Conventions
The conventions used to present command syntax in this book are the same
conventions used in Cisco’s Command Reference. The Command Reference
describes these conventions as follows:
• Boldface indicates commands and keywords that are entered literally
as shown. In actual configuration examples and output (not general
command syntax), boldface indicates commands that are manually
input by the user (such as a show command).
• Italics indicate arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets [ ] indicate optional elements.
• Braces { } indicate a required choice.
• Braces within brackets [{ }] indicate a required choice within an
optional element.

Note
This book covers multiple operating systems, and the choice of icon
and router name indicates the OS being referenced. IOS and
IOS XE use router names such as R1 and R2 and are represented by the
IOS router icon. IOS XR routers use router names such as XR1 and XR2
and are represented by the IOS XR router icon.
Introduction
Almost every company is adopting hybrid cloud solutions because they provide
decreased hosting costs, agility and scalability, faster deployment, and
security. A hybrid cloud may require an upfront investment, but it
provides plenty of cost-saving benefits down the road. For example,
businesses that use public cloud without a hybrid model might have a difficult and
expensive time migrating information if they decide to make changes to their
internal systems. Furthermore, because a hybrid cloud is scalable, it makes
handling changes in business goals cheaper down the line. Only hybrid cloud
technology can provide the blend of benefits that come from public and private
servers. With a hybrid cloud, for instance, you can enjoy the scalability of a
public cloud environment without forfeiting all control to a third party. In
fact, because every hybrid cloud situation is different, a unique solution
has to be applied to each hybrid system in order to fulfill its specific
requirements. Because a hybrid cloud is designed around your organization’s
needs, it can be optimized with speed in mind. For example, because this
system isn’t entirely public, your IT staff can minimize latency,
which makes data transfers quicker and easier. The overall level of
customization available for hybrid cloud also ensures your organization is
agile enough to handle the needs of customers or clients. Not only does it
connect old systems to new ones, but the hybrid cloud also allows businesses
to create an overarching structure that meets the unique needs of a specific
enterprise.
As we see an increasing trend in the deployment of hybrid cloud alongside on-premises
solutions, this book will be useful to both small-scale customers and large-
scale data centers. It can be considered the one book for everyone who deals with
Cisco cloud solutions on a daily basis. External references are provided
wherever applicable, but readers are expected to be familiar with cloud-
specific technologies, infrastructure concepts, network connectivity, and the
security policies of the customer installation. Readers can gain knowledge
about the benefits of cloud solutions and learn how to manage, operate, and integrate
existing infrastructure in a hybrid/multicloud environment with minimum
changes, and how to leverage insights from the cloud for their business decisions.
Cisco doesn’t have a public cloud offering like AWS, but it has many products
that complement and facilitate cloud integration and the use of hybrid cloud.
The aim of this book is to fill that gap: a one-stop book that details all such
products and architectures and provides insight into how they can coexist in a
hybrid cloud environment.
The book helps IT professionals, CIOs, and IT managers decide whether to
move to a hybrid cloud deployment or stay with an on-premises deployment. It
describes in detail, from both a technical and a business perspective, the possible
solutions and offerings from Cisco. The book also describes products such as
the Cisco Nexus Dashboard that facilitate orchestration of, and insight
into, your deployment.
Last but not least, the book covers best practices and guidelines to make
readers aware of known caveats prior to a specific deployment, the do’s and
don’ts of designing complex hybrid cloud networks, and how and why to
design in a certain way for maximum efficiency.

Goals & Methods
CIOs and IT professionals who want to simplify their IT and networking
environment are now challenged with the decision of whether to move fully
into the cloud, build their own data centers, or go with a hybrid solution.
Making such decisions depends on many factors, including the scale and
complexity of the existing setup, the level of control over their own
resources, security, availability of IT and networking resources, level of
expertise, overall fixed and recurring costs, and so on.
As cloud is a new buzzword in the industry and multiple vendors are
introducing products that offer various infrastructure solutions and
challenge existing network designs, all the new technologies are getting
confusing for IT professionals who are trying to move to next-generation
architectures while maintaining a current setup that is generating revenue.
This book walks the reader through, and provides a reference guide for, understanding
and independently implementing cloud solutions for Cisco network, compute,
storage, application, and security products.
In this book we cover Cisco Cloud Infrastructure for various Cisco
products. It covers existing Cisco technologies in the “Data
Center, Security and Applications” domain that are available in the on-
premises environment, and how the technology has evolved to fit a hybrid
cloud model that facilitates the management and operation of on-premises
deployments and provides integration with public cloud. This gives you the
tools to ask the right questions when you embark on the transformation of
your data center into private and hybrid clouds.

Who should Read this Book?
We see an increase in hybrid cloud adoption, which requires a planning,
design, and execution strategy for on-premises and public cloud setups. In
general, IT professionals are divided by area of expertise. Individuals are
spread across focus areas that overlap:
• Orchestration
• Analytics
• Cloud integration
• Virtualization
• Storage Networking
• Security
• Software applications
• Automation
• DevOps
Cisco is taking a network-centric approach to multicloud and hybrid
deployments. Cisco has partnerships with Azure and AWS and has expanded
its relationship with Google Cloud. Add in AppDynamics, which specializes in
application and container management, and Cisco has the various parts to
address hybrid and multicloud deployments. In addition, Cisco is a key
hyperconverged infrastructure player, and its servers and networking gear are
staples in data centers. The audience of this book is the sum of all solution
architects, deployment engineers, systems engineers, networking
engineers, software virtualization engineers, network management engineers,
sales engineers, field consultants, professional services, partner engineering,
customers deploying Cisco cloud solutions, and anyone who would like
to know about Cisco’s presence in the cloud space. Also, as the book touches on
the business aspects, pros, and cons of moving from private clouds to public
clouds, IT managers and CIOs will benefit from understanding the impact of
cloud solutions on the transformation of their data centers and the speed of
deploying highly available applications.

How this book is Organized
Readers familiar with the authors’ writing style from a previous book
such as "Implementing Cisco HyperFlex Solutions" will know that the authors put a big
emphasis on easy reading and making the difficult look easy. The book goes
through a smooth progression of topics, and many of the basic concepts are
laid out in advance so you do not miss a beat and feel comfortable
progressing through the chapters. It is therefore recommended to go through the
chapters in order to get the full benefit of the book.
Orchestration, analytics, management, security, and automation are not easy
topics, and they are getting more complex every day. Boundaries between system
administrators, networking engineers, and software engineers are getting
blurred day by day, and expectations are increasing for a single individual to be
an expert in all dimensions.
The authors have put a lot of effort into putting you on the right track and giving you a
launch pad for tackling cloud infrastructure. Their many years of experience
in both the vendor and system integration tracks and across the different
technology areas make this difficult topic sound simple. The advantages you
get from this book follow:
• An easy reading style with no marketing fluff or heavy technical
jargon
• Progression through the chapters from easy to advanced
• Comprehensive coverage of the topic at both a technical and a business
level
• The first book to address Cisco cloud solutions in detail under one
umbrella, bridging the technology gap between the different IT
departments
• Beneficial to IT professionals trying to evaluate whether to move to a
hybrid cloud solution
• Beneficial to IT management, CIOs, and CTOs evaluating various cloud
applications
• Coverage of the latest cloud offerings by Cisco
• Discussion of automation and orchestration solutions
• Objective, vendor-neutral comparison and contrast of different
implementations

Book Structure
The book is organized into three parts.
PART 1—Cisco Datacenter Networking and Infrastructure
Chapter 1—Cisco Data Center Orchestration: This chapter talks about
Cisco’s Data center orchestration software that uses the automation of tasks
to implement processes, such as deploying new servers. Automation solutions
which orchestrate data center operations enable an agile DevOps approach for
continual improvements to applications running in the data center. Data
center orchestration systems automate the configuration of L2-L7 network
services, compute and storage for physical, virtual and hybrid networks. New
applications can be quickly deployed.
Chapter 2—Cisco Data Center Analytics and Insights: This chapter talks
about Cisco’s API-driven monitoring and assurance solutions, which provide
essential insights while adding to an expansive and increasingly onerous
toolset. These network insight solutions bring the ability to see the big
picture, and if something goes wrong, they show exactly where to look instead
of poking around and hoping to get lucky. This helps companies
progressively transition from reactive to proactive, and eventually
predictive, IT operations.
Chapter 3—Cisco Data Center Solutions for Hybrid Cloud: This chapter
talks about the various hybrid cloud management platforms provided by Cisco, such as ACI, UCS
Director, CWOM, and Intersight, which offer flexible
consumption of on-premises infrastructure in order to optimize workloads
across clouds, on-premises data centers, labs, and co-location facilities for
scale, performance, and agility with great value.
PART 2—Cisco Applications and Workload Management
Chapter 4—Application, Analytics, and Workload Performance
Management with AppDynamics: This chapter describes Cisco’s
AppDynamics solution, Cloud migration and various monitoring such as
Application Security Monitoring, End User monitoring and Browser
monitoring. It also covers database and infrastructure visibility and cloud
platforms.
Chapter 5—Management: This chapter describes the challenges that the IT
teams face in managing the modern workloads and gives you various
systematic Workload Management Solutions such as Intersight Workload
Optimization Manager, Cisco Container Platform and Cisco Intersight
Kubernetes Service (IKS).
Chapter 6—Cisco Cloud Webex Applications: Collaboration is a key
component of any IT solution and Cisco Webex provides an ideal platform
for staying connected and collaborating with individuals, teams, and meetings
to move projects forward faster. This chapter describes Cisco Webex
Features and Cisco Webex Cloud Service Architecture in detail.
Chapter 7—Internet of Things (IoT): This chapter describes how
Operational Technology hardware can be combined with IT to build the
IoT solutions that Cisco currently offers. These solutions can
really help you get the best insights and increase efficiency.
PART 3—Cisco Cloud Security
Chapter 8—Cisco Cloud Security: This chapter talks about the Cisco
Cloud Security solutions, such as Cloudlock, Umbrella, Secure Cloud Analytics, and Duo,
with which one can adopt the cloud with confidence and protect users, data,
and applications wherever they are. Unlike traditional perimeter solutions,
Cisco Cloud Security blocks threats over all ports and protocols for
comprehensive coverage. Cisco Cloud Security also uses API-based
integrations so that existing security investments can be amplified.

Part 1: Cisco Datacenter Networking and Infrastructure
Chapter 1. Cisco Data Center Orchestration
We are working in a multidimensional world of data and applications
accessed by a workforce shifting among work-from-home offices to
centralized campuses to work-from-anywhere setups. Data is widely
distributed, and business-critical applications are becoming containerized
microservices disseminated over on-premises, edge cloud, and public cloud
data center locations. These applications rely on agile and resilient networks
to provide the best level of experience for the workforce and customers.
It is therefore a multidimensional challenge for IT to keep applications and
networks in sync. With the ever-increasing scope of the NetOps and DevOps
roles, an automation toolset is needed to accelerate data center operations and
securely manage the expansion to hybrid cloud and multicloud.
Data center orchestration software uses the automation of tasks to implement
processes such as the deploying of new servers. Automation solutions that
orchestrate data center operations enable an agile DevOps approach for
continual improvements to applications running in the data center. Data
center orchestration systems automate the configuration of L2–L7 network
services as well as compute and storage for physical, virtual, and hybrid
networks. New applications can be quickly deployed.
The Cisco Nexus Dashboard provides a single focal point to unite the
disparate views of globe-spanning multicloud data center operations,
application deployment, and performance.
This chapter covers the following topics:
• IT challenges and data center solutions
• Cisco Nexus Dashboard
• Cisco Nexus Dashboard Orchestrator
• Cisco Nexus Dashboard Fabric Controller
• Third-party applications and cloud-based services

IT Challenges and Data Center Solutions
Organizations are deploying applications in multiple public and private
clouds, with more applications than ever. There are also more different
classes of people and machines using these applications.
With containers, microservices, and serverless computing,
developers are constructing highly distributed application constructs
with workload tiers and data services spread across hybrid IT, spanning on-
premises data centers and multiple public clouds. Because of these trends,
multicloud data center operators are facing serious challenges, including the
following:
• Approximately 40% of skilled IT staff time is spent on troubleshooting
in break-fix mode.
• The majority of network outages are due to human error, leading to
unplanned downtime.
These issues require network operators to have a high level of domain
expertise and the ability to correlate complex IT environments to prevent or
fix issues while upholding the infrastructure uptime to honor service level
agreements (SLAs) with minimum disruptions.
Day 0 is design and procurement; Day 1 is installing, provisioning, and
segmenting; and Day 2 is running a network. Most of the challenges currently
faced by network operators are related to the Day 2 operations capabilities of
running a network.
IT needs a way to transform and get past installing, provisioning, and
segmenting. To make Day 2 operations easier, IT needs to be able to do the
following:
• Analyze every component of a data center first.
• Ensure business intent.
• Guarantee reliability.
• Detect performance issues proactively in a network.
Figure 1-1 illustrates the main challenges in network operations.

Figure 1-1 Main challenges in network operations


To be successful, IT needs to be in a strategic partnership with business.
Without this, it’s impossible to efficiently help enable the changes necessary
to enable business growth. Cisco believes analytics enable IT professionals to
turn raw data into actionable insights that they can use to drive business
growth. When IT practitioners move to a proactive operations approach for
their data center, both sides win. Figure 1-2 illustrates the Cisco data center
solutions.
Figure 1-2 Cisco data center solutions
Data center analytics and automation capabilities, both within and across
domains, help simplify network operations and attain the insights and
assurance needed to continually evolve them. This is key for an intent-based
networking (IBN) strategy.
Data center analytics and automation provide the following capabilities:
• Pull critical telemetry information out of the data and control planes
and make it available to the analytics layer. Cisco has done this
through silicon innovation, turning every networking device into a
sensor.
• Stitch together network, security, and application analytics to provide a
single source of truth for IT operations teams and a unified view across
data center, campus, WAN, branch office, and cloud environments.
• Provide artificial intelligence/machine learning–based decision support
tools for a range of common operations activities such as upgrade
planning and software release guidance, proactive service level
monitoring, and smart troubleshooting based on graph-based search.
• Extend to cloud-based analytics and mobile phone dashboard option.
The business sees the following benefits:
• Highest operational uptime and outage mitigation to meet SLAs/SLOs
• Operational expenditure (OpEx) optimization and IT strategic agility
enhancement
• Security compliance and assurance
And IT sees these benefits:
• Faster remediation of issues while increasing agility
• Engineers can focus on mission-critical work
• Greater confidence and less risk in operating the network

Cisco Nexus Dashboard


Cisco Nexus Dashboard revolutionizes operations in today’s modern data
center environments. Network operations teams are struggling to reconcile
fragmented toolchains, an inconsistent user experience (UX), and siloed
processes in order to manage complex data center environments that include
on-premises infrastructure and public cloud sites. Cisco Nexus Dashboard
specifically addresses this pain point by providing a single pane of glass from
which to manage a unified operations infrastructure based on the Cisco
Nexus Dashboard platform. Based on a horizontal, scale-out architecture,
Cisco Nexus Dashboard can unify operations from the on-premises
infrastructure (Cisco Application Centric Infrastructure [Cisco ACI] or Cisco
NX-OS with Cisco Nexus Dashboard Fabric Controller [NDFC]) to co-
locations and to the public cloud. Cisco Nexus Dashboard provides a
seamless user experience for the operator, whether it is to rapidly
troubleshoot issues or execute change window actions with a high degree of
confidence. Traditionally, operators spend much of their time climbing the
“logistics ladder” of fragmented toolchains before any operational value is realized.
With the frictionless user experience of Cisco Nexus Dashboard, operators
can focus on what they do best—troubleshooting, triaging, and executing
change windows with a high degree of confidence, rather than figuring out
URLs, credentials, and access controls.
The intuitive Cisco Nexus Dashboard platform provides services such as
Cisco Nexus Dashboard Insights, Cisco Nexus Dashboard Orchestrator,
Cisco Nexus Dashboard Data Broker, and a single operational view of
geographically dispersed multicloud environments. The platform enables the
acceleration of NetOps and DevOps capabilities while scaling into the cloud,
and it aligns seamlessly with third-party ecosystem tools from HashiCorp
Terraform, ServiceNow, and Splunk, with other integrations to come.
The Cisco Nexus Dashboard Orchestrator (formerly Cisco ACI Multi-Site
Orchestrator [MSO]), Cisco Nexus Dashboard Insights (formerly Nexus
Insights [NI]), and Cisco Nexus Dashboard Data Broker (formerly Nexus
Data Broker) services are being integrated into the Cisco Nexus Dashboard as
native services in order to simplify the customer experience:
• Cisco Nexus Dashboard Orchestrator: Formerly Cisco ACI Multi-
Site Orchestrator, the Cisco Nexus Dashboard Orchestrator service
allows operators to push policies and templates and set up intersite
connectivity at scale. Besides delivering high-level policies to the local
data center controller—also referred to as the domain controller—it
enables separation of fault domains, federation of data center and cloud
networks, and business resiliency at a global scale. Nexus Dashboard
Orchestrator also enables end-to-end change management workflows,
centralized fabric management and upgrades, multi/hybrid-cloud
connectivity, normalized segmentation, and security policies across the
data center, SD-WAN, and enterprise branch and campus networks.
For example, the SD-WAN integration provides application-aware
SLA-based routing (policy-based path selection and quality of service
[QoS] treatment) in the SD-WAN infrastructure used for
interconnecting sites.
• Cisco Nexus Dashboard Insights: Formerly Nexus Insights, the Cisco
Nexus Dashboard Insights service allows operators to consume the
entire insights and assurance stack as a unified offering but also to take
advantage of the integrated services to set up automated workflows
such as upgrade assist and automated Splunk SIEM (security
information and event management) integration. It incorporates a set of
advanced alerting, baselining, correlation, and forecasting algorithms
to provide a deep understanding into the behavior of the network. It
also analyzes flow telemetry data streamed from Cisco Nexus 9000
Series Switches to provide perfect introspection into hybrid cloud
infrastructure. The Insights service and AppDynamics are tightly
integrated to pinpoint exactly where and when an application issue
originated from a network perspective.
• Cisco Nexus Dashboard Data Broker: Formerly Nexus Data Broker,
the Cisco Nexus Dashboard Data Broker service is now a part of Cisco
Nexus Dashboard, which provides pervasive packet and network
visibility for NetOps and SecOps to programmatically manage
aggregating, filtering, and forwarding complete workflows to custom
analytics tools. It is a multitenant-capable solution that can be used
with both Nexus and Cisco Catalyst fabrics. It replaces the traditional
purpose-built network packet broker appliances with high-throughput
Cisco Nexus switches, enabling IT to create cost-effective and scale-
out packet broker fabrics.
• Third-party applications: Cisco Nexus Dashboard offers a rich suite
of services for third-party developers to build applications. REST APIs
allow third-party tools to authenticate and integrate with key services
such as Nexus Dashboard Insights and Nexus Dashboard Orchestrator.
Currently supported third-party integrations in the Nexus Dashboard
ecosystem include ServiceNow ITSM/ITOM, Splunk SIEM,
HashiCorp Terraform, and Red Hat Ansible.
• Cisco Nexus Dashboard Fabric Controller: Cisco Nexus Dashboard
can also host Cisco Nexus Dashboard Fabric Controller (NDFC),
similar to the hosting of operational services. This unified capability
gives customers a single touch point on their journey from installation
to operations. This brings the controller for fabrics based on Cisco NX-
OS under the Cisco Nexus Dashboard platform and unleashes the
benefits of faster time to deploy and upgrade and an improved overall
user experience to Cisco NDFC.
The operations team now deals with a single stack and one operations
toolkit, whether it is running Cisco ACI or Cisco NDFC in its hybrid cloud
infrastructure. Figure 1-3 illustrates the Cisco Nexus Dashboard graphical
user interface (GUI).
Figure 1-3 Cisco Nexus Dashboard GUI
Operational infrastructure standardization and toolchain unification directly
lead to operational excellence and savings as well as free up resources for
business innovation.

Features and Benefits


Table 1-1 lists the features and benefits of Cisco Nexus Dashboard.
Table 1-1 Features and Benefits of Cisco Nexus Dashboard
Too often the network operations team spends most of its time gathering
troubleshooting data to triage and root-cause an issue. The burden of tying
together siloed insights from a fragmented operational toolkit often lies with
the operations team. As the company’s data center footprint extends from the
on-premises data center to the cloud, and as modern application architectures
become the de-facto standard, the operations team needs a unified operations
toolchain with a seamless user experience to maintain and operate such
complex environments.
Cisco Nexus Dashboard unifies these disparate toolsets and experiences for
the operations teams to consume the rich and powerful capabilities of Day 2
operations solutions and executes multisite policies from a single pane of
glass. Unnecessary handoffs between toolchains and dealing with multiple
portals and credentials to get to troubleshooting data and insights have
become a thing of the past. An operator logs in once to Cisco Nexus
Dashboard and is able to go straight to the Discover, Analyze, Remediate,
Automate workflow from a single launchpad. Cisco Nexus Dashboard offers
a powerful and rich set of capabilities, including the following:
• Single sign-on (SSO): SSO powers the frictionless interaction between
Cisco Nexus Dashboard and the hosted services. The operator logs in
once and is able to switch seamlessly between services and also site
controllers such as Cisco APIC, Cloud APIC, and NDFC.
• Unified operations platform: The Cisco Nexus Dashboard platform is
a powerful unified platform capable of scaling out horizontally to
accommodate application needs. With a modern microservices
infrastructure services stack on a clustered architecture, the same
underlying platform can be used to co-host the entire Day 2
applications portfolio, thus reducing the burden of the underlying
software and hardware lifecycle maintenance.
Figure 1-4 illustrates Cisco Nexus Dashboard components.
Figure 1-4 Cisco Nexus Dashboard components
• Persona-based dashboard: Cisco Nexus Dashboard has two primary
personas:
• The administrator, who is able to manage all the Cisco Nexus
Dashboard platform infrastructure services and hardware from a
single pane of glass. The administrator is also able to install, upgrade,
and launch all services on the Cisco Nexus Dashboard platform. This
role can set up common sites and services for the applications to use
from a single pane of glass. Figure 1-5 shows the Cisco Nexus
Dashboard System Overview, and Figure 1-6 shows common sites
and services from a single pane of glass.

Figure 1-5 Cisco Nexus Dashboard System Overview


Figure 1-6 Common sites and services from a single pane of glass
• The operator, who is able to get an aggregate view of the health of
the sites and with a single click, navigate to the Insights service, gain
more information about critical anomalies, and scroll through the
temporal view to get historical context. If the operator then needs to
make changes to policy, they can easily switch to the Cisco Nexus
Dashboard Orchestrator and roll out changes to multiple sites,
including public cloud environments, all from a single portal.
• Common infrastructure services: Cisco Nexus Dashboard provides a
host of common infrastructure services, such as common site
onboarding, authentication domains, role-based access control
(RBAC), notification services, and API services.
• Flexible deployment options: The Cisco Nexus Dashboard portfolio
is composed of physical, virtual, and cloud form factors, giving
customers unprecedented flexibility while deploying their operations
infrastructure and at the same time ensuring a common and unified
operator experience through a single pane of glass.
• Programmable infrastructure: Third-party automation tools are
critical to improving reporting workflows and responding to issues
encountered by distributed workloads. Cisco Nexus Dashboard has
built-in integrations with many third-party services such as
ServiceNow, one of the most prevalent IT service management
platforms. With the ServiceNow integrations, NetOps and DevOps
teams can open and track tickets from within Nexus Dashboard. From
one portal, operations teams get visibility into the status of open
tickets, resulting in the automation of troubleshooting for faster
resolutions across fabrics.
• SR-MPLS with Nexus Dashboard Orchestrator: With Cisco Nexus
Dashboard Orchestrator, SR-MPLS (Segment Routing with
Multiprotocol Label Switching) policies can be centrally automated
across 5G telco cloud sites (central, regional, and edge data centers).
Cisco Nexus Dashboard with Insights and Orchestrator services is the
most comprehensive way to automate distributed data centers,
overcoming the challenges of managing the infrastructure,
applications, and data sources distributed over disparate locations.
With these services integrated into Cisco Nexus Dashboard, NetOps
teams can achieve command and control over global network fabrics,
optimizing performance and attaining insights into data center and
cloud operations.
• Cisco Nexus Dashboard One View: The Cisco Nexus Dashboard
operations infrastructure can be deployed and managed at scale via a
single pane of glass. Figure 1-7 illustrates Cisco Nexus Dashboard One
View.

Figure 1-7 Cisco Nexus Dashboard One View

Hardware vs. Software Stack


Nexus Dashboard is offered as a cluster of specialized Cisco UCS (Unified
Computing System) servers (Nexus Dashboard platform) with the software
framework (Nexus Dashboard) pre-installed on it. The Cisco Nexus
Dashboard software stack can be decoupled from the hardware and deployed
in a number of virtual form factors.
Each Nexus Dashboard cluster consists of three master nodes. For physical
Nexus Dashboard clusters, you can also provision up to four worker nodes to
enable horizontal scaling and up to two standby nodes for easy cluster
recovery in case of a master node failure. For virtual and cloud clusters, only
the base three-node cluster is supported.

Cisco Data Center Networking (DCN) Licensing


Following are the licensing options for greenfield and brownfield
deployments:
• Cisco DCN Premier License (for greenfield): Provides Cisco Nexus
Dashboard, Cisco Nexus Insights (formerly Network Insights
Resources and Network Insights Advisor), and Cisco Network
Assurance Engine (NAE). Users with an existing Essentials or
Advantage subscription can transition to Premier and receive the Cisco
Nexus Insights capabilities.
• Cisco DCN Day 2 Operations or D2Ops Solution Suite (for
brownfield): This is recommended for users who already have a Cisco
DCN Advantage or Essentials license. The bundle provides Cisco
Nexus Dashboard and Cisco Nexus Insights and Network Assurance
Engine.
Figure 1-8 illustrates Cisco DCN licensing and Nexus Dashboard
orderability.
Figure 1-8 Cisco DCN Licensing and Nexus Dashboard orderability

Available Form Factors


Cisco Nexus Dashboard is available in physical, virtual, and cloud form
factors:
• Cisco Nexus Dashboard physical appliance (.iso): This form factor
refers to the original physical appliance hardware that you purchased
with the Cisco Nexus Dashboard software stack pre-installed on it.
• VMware ESX (.ova): A virtual form factor that allows you to deploy a
Nexus Dashboard cluster using three VMware ESX virtual machines.
• Amazon Web Services (.ami): A cloud form factor that allows you to
deploy a Nexus Dashboard cluster using three AWS instances.
• Microsoft Azure (.arm): A cloud form factor that allows you to
deploy a Nexus Dashboard cluster using three Azure instances.
After the Cisco Nexus Dashboard cluster is deployed, you can perform all
remaining actions using its GUI. To access the Cisco Nexus Dashboard GUI,
simply browse to the management IP address of any one of the nodes. Figure 1-9
shows the Cisco Nexus Dashboard general view.
Figure 1-9 Cisco Nexus Dashboard general view
With Cisco Nexus Dashboard, you get a unified operations view across all
your sites and services. Cisco Nexus Dashboard scales out based on the size,
number of sites, and the operational services used to manage them.
The Dashboard provides a holistic view of the Cisco Nexus Dashboard.
You can use this view to monitor system health, sites, and the connectivity
status of applications. Figure 1-10 shows the Cisco Nexus Dashboard One
View GUI.

Figure 1-10 Cisco Nexus Dashboard One View GUI

Cisco Nexus Dashboard Orchestrator


More than ever, applications are critical for all global organizations.
Applications and the data they carry are at the heart of digital transformation,
providing not only essential back-office systems of record but also increasing
frontline systems of engagement. As businesses grow, it is imperative to have
agility in applications—to have the ability to move applications wherever the
business needs them and to be sure that network security policies follow.
With the unprecedented changes brought on in recent years around the world,
organizations see the necessity of having a connected and secure data center,
wherever the data may exist.
Cisco Nexus Dashboard now supports onboarding of Cisco NX-OS/DCNM
sites. Cisco Nexus Dashboard Orchestrator (formerly Cisco Multi-Site
Orchestrator [MSO]) offers multisite networking orchestration and policy
management, disaster recovery and high availability, as well as provisioning
and health monitoring.
Cisco Nexus Dashboard Orchestrator (NDO) allows operators to realize a
true hybrid cloud scenario, defining and orchestrating network policy across
DCNM, ACI, cloud, and edge domains. NDO will also be the first
application to work across both Cisco ACI and DCNM sites, making Nexus
Dashboard a single pane of glass across Cisco ACI/APIC and Cisco NX-
OS/DCNM controllers. Figure 1-11 shows the Cisco Nexus Dashboard
Orchestrator.
Figure 1-11 Cisco Nexus Dashboard Orchestrator
NDO allows you to interconnect separate Cisco ACI sites, Cisco Cloud ACI
sites, and Cisco Data Center Network Manager (DCNM) sites, each managed
by its own controller (APIC cluster, DCNM cluster, or Cloud APIC instances
in a public cloud). The on-premises sites (ACI or DCNM in the future) can be
extended to different public clouds for hybrid-cloud deployments or for
cloud-first multicloud-only deployments between cloud sites that do not have
an on-premises site.
• Cisco ACI Multi-Site: For Cisco ACI, Nexus Dashboard Orchestrator
is the intersite policy manager. It provides single-pane management,
enabling you to monitor the health-score state of all interconnected
sites. It also allows you to define, in a centralized place, all intersite
policies, which can then be pushed to different APIC domains for
rendering them on the physical switches in those fabrics. This provides
a high degree of control over when and where to deploy the policies,
which in turn allows the tenant change domain separation that uniquely
characterizes the Cisco Multi-Site architecture. With Nexus Dashboard
Orchestrator, you can extend your policies to any site or multiple
public clouds.
• Cisco DCNM Multi-Site: Cisco Data Center Network Manager
(DCNM) is the network management platform for all NX-OS-enabled
deployments, spanning new fabric architectures, IP Fabric for Media,
and storage networking deployments. It provides automation, visibility,
and consistency within a DCNM-clustered fabric. Nexus Dashboard
Orchestrator now enables network policy consistency and disaster
recovery across multiple DCNM fabrics around the world through a
single pane of glass, and it scales out DCNM fabrics to thousands of leaf
switches managed using one centralized policy.

Common Use Cases


This section discusses several use cases of Nexus Dashboard
Orchestrator, including large-scale data center deployment, data center
interconnectivity, Cisco NDO multidomain integrations, hybrid cloud and
multicloud, and service provider/5G telco.

Large-Scale Data Center Deployment


Some users require a data center solution based on software-defined
networking (SDN) that consists of a higher number of leaf switches (for
example, 20,000) with a single management console for provisioning,
orchestration, and policy consistency. Cisco NDO can meet these
requirements to help build these large-scale data centers through the
following:
• Easy provisioning and orchestration
• Disaster recovery and high availability
• Enhanced scale
• Business continuity
Figure 1-12 illustrates a Cisco NDO large-scale data center deployment.

Figure 1-12 Large-scale data center deployment

Data Center Interconnectivity


Cisco NDO extends intersite connectivity and network policy segmentation
between loosely coupled data centers across multiple geographies, enabling
agile deployment where policies and security follow the movement of virtual
machines across data centers. In addition, it enhances disaster recovery or
active-active use cases spread across multiple sites and locations. Figure 1-13
illustrates data center interconnectivity using Cisco NDO.

Figure 1-13 Data center interconnectivity

Cisco NDO Multidomain Integrations


Large and medium-sized organizations that have adopted a multisite
approach to their data centers have experienced performance degradation
with unmanaged connections between the separate data centers. To assist
customers with managing this, Cisco NDO has been integrated with Cisco’s
SD-WAN. Figure 1-14 illustrates multidomain integrations using Cisco
NDO.

Figure 1-14 Multidomain integrations

Hybrid Cloud and Multicloud


Cisco NDO expands networking functions to cloud sites and automates the
creation of overlay connectivity between all sites (on-premises and in the
public cloud).
As the central orchestrator of intersite policies, Cisco NDO allows for
pushing the same policies to multiple data centers and public clouds across
the globe in a single step.
Cisco NDO supports Cisco ACI policy extensions to the public cloud (AWS
and Azure), allowing for hybrid cloud and multicloud deployments. In both
cases, NDO enables automated and secure interconnect provisioning,
consistent policy enforcement for on-premises sites and the public cloud, and
simplified operations for end-to-end visibility. Figure 1-15 illustrates hybrid
cloud and multicloud orchestration using Cisco NDO.

Figure 1-15 Hybrid cloud and multicloud

Service Provider/5G Telco


5G transformations are challenging telecom providers to develop data center
networks of the future that can seamlessly scale, automate, and integrate their
infrastructure from the central data center to the edge and across the transport
network.
Cisco NDO provides the following:
• Automation of SR-MPLS policies that can be centrally orchestrated
across the 5G telco cloud sites (central, regional, and edge data
centers).
• Consistent SR-MPLS handoff transport and application slice
interworking between 5G telco cloud sites and the service provider’s
transport backbone.
Figure 1-16 illustrates centralized DC orchestration for 5G using Cisco NDO.
Figure 1-16 Service provider/5G telco

Functions Provided by the Nexus Dashboard Orchestrator


Cisco NDO provides the following main functions:
• Create and manage Cisco Multi-Site Orchestrator users and
administrators through application of RBAC rules.
• Add, delete, and modify Cisco ACI/DCNM sites.
• Use the health dashboard to monitor the health, faults, and logs of
intersite policies for all the Cisco ACI fabrics that are part of the Cisco
Multi-Site domain. The health-score information is retrieved from each
APIC domain and presented in a unified way.
Figure 1-17 shows the Cisco NDO health-score information GUI.
Figure 1-17 Cisco NDO health-score information GUI
• Provision Day 0 infrastructure to allow the spine switches at all Cisco
ACI sites to peer and connect with each other. This feature allows the
system to establish MP-BGP EVPN control-plane reachability and
exchange endpoint host information (MAC and IPv4/IPv6 addresses).
• Create new tenants and deploy them in all the connected sites (or a
subset of them).
• Define policy templates. Each template can be associated with and
pushed to a specific set of fabrics.
Figure 1-18 illustrates the Cisco NDO schema, template, and sites.
Figure 1-18 Cisco NDO schema, template, and sites

Note
One or more templates can be grouped together as part of a
schema, which can be considered a “container” of policies.
However, the association of policies to a given tenant is always
done at the template level (not at the schema level). This feature is
one of the most important that the Cisco Multi-Site Orchestrator
offers, together with the capability to define and provision scoped
policies for change management. When you define intersite
policies, Cisco Multi-Site Orchestrator also properly programs the
required namespace translation rules on the Multi-Site-capable
spine switches across sites. As mentioned in the previous section,
every intersite communication requires the creation of translation
entries on the spine nodes of each fabric part of the Multi-Site
domain. This happens only when the policy to allow intersite
communication is defined on the Multi-Site Orchestrator and then
pushed to the different APIC clusters managing the fabrics. As a
consequence, the best-practice recommendation is to manage the
configuration of all the tenant objects (endpoint groups [EPGs],
bridge domains [BDs], and so on) directly on MSO, independent of
whether those objects are stretched across multiple sites or locally
defined in a specific site.
• Import tenant policies from an already deployed Cisco ACI fabric (a
brownfield deployment) and stretch them to another, newly deployed
site (a greenfield deployment).

Deployment of Cisco Nexus Dashboard Orchestrator


The Cisco Nexus Dashboard Orchestrator design is based on a microservices
architecture in which the NDO functionalities are deployed across clustered
nodes working together in an active-active fashion. The Cisco NDO services
communicate with the interface of the APIC nodes deployed in different sites.
Depending on the specific version of NDO deployed, the communication
with the APIC clusters will be established to the out-of-band (OOB)
interface, the in-band (IB) interface, or both. NDO also provides northbound
access through Representational State Transfer (REST) APIs or the GUI (that
is, HTTPS), which allows you to manage the full lifecycle of networking and
tenant policies that need to be deployed across sites. Figure 1-19 illustrates
Cisco NDO services communication with APIC nodes.
Figure 1-19 Cisco NDO services communication with APIC nodes
With Cisco NDO 3.2, you can deploy Cisco Nexus Dashboard Orchestrator
using the Cisco Nexus Dashboard platform. Figure 1-20 shows the Cisco NDO
app on Nexus Dashboard.

Figure 1-20 Cisco NDO app on Nexus Dashboard


You can view the installed NDO app on the Nexus Dashboard, as shown in
Figure 1-21.
Figure 1-21 Cisco NDO on Nexus Dashboard

Add ACI/DCNM Sites


Use the following steps to add ACI/DCNM sites to Cisco Nexus Dashboard
Orchestrator:
Step 1. Log in to the Nexus Dashboard GUI.
Step 2. Add a new site. Figure 1-22 shows the Cisco NDO Add Site feature.
Figure 1-22 Cisco NDO Add Site feature
1. From the left navigation menu, select Admin Console > Sites.
2. In the top right of the main pane, select Add Site.
Step 3. Provide site information, as shown in Figure 1-23.
Figure 1-23 Cisco NDO site information
For Site Type, select DCNM.
1. Provide the DCNM controller information.
2. You need to provide the hostname/IP address of the in-band (eth2)
interface as well as the username and password for the DCNM
controller currently managing your DCNM fabrics.
3. Click Select Sites to select the specific fabrics managed by the
DCNM controller.
The fabric selection window will open.
Step 4. Select the fabrics you want to add to the Nexus Dashboard.
Figure 1-24 illustrates Cisco NDO fabric selection.
Figure 1-24 Cisco NDO fabric selection
1. Check one or more fabrics you want to be available to the
applications running in your Nexus Dashboard.
2. Click Select.
Step 5. In the Add Site window, click Add to finish adding the sites.
At this time, the sites will be available in the Nexus Dashboard, but you still
need to enable them for Nexus Dashboard Orchestrator management, as
described in the following section. Repeat the previous steps for any
additional DCNM controllers.

Manage Sites Using Cisco Nexus Dashboard Orchestrator


Use the following steps to manage sites via Cisco Nexus Dashboard
Orchestrator:
Step 1. From the Nexus Dashboard’s Service option, open the Nexus
Dashboard Orchestrator service.
You will be automatically logged in using the Nexus Dashboard
user’s credentials.
Step 2. In the Nexus Dashboard Orchestrator GUI, manage the sites, as
shown in Figure 1-25.
Figure 1-25 Cisco NDO site management
1. From the left navigation menu, select Infrastructure > Sites.
2. In the main pane, change the State from Unmanaged to Managed
for each fabric that you want the NDO to manage.
If the fabric you are managing is part of a DCNM Multi-Site
Domain (MSD), it will have a Site ID already associated with it. In
this case, simply changing the State to Managed will manage the
fabric.
However, if the fabric is not part of a DCNM MSD, you will also
be prompted to provide a Fabric ID for the site when you change
its state to Managed.

Cisco Nexus Dashboard Fabric Controller


Businesses are seeing enormous change, and to cope with this change they
have relied on IT and especially on their network environments. Networks
have had to become simpler, more agile, more proactive, and more intuitive.
Long gone are the days when a network administrator manually configured
every switch. Cisco Nexus Dashboard Fabric Controller (NDFC), formerly
Cisco Data Center Network Manager (DCNM), has helped address many of
the challenges of managing Cisco NX-OS switches. NDFC empowers IT to
move at the increasing speed required of your business. With NDFC, you get
complete automation, extensive visibility, and consistent operations for your
data center.
Cisco Nexus Dashboard Fabric Controller (NDFC) provides granular,
scalable visibility for deep-dive troubleshooting, functionality, and
maintenance operations that benefit data center operation teams. Cisco NDFC
makes fabric management simple and reliable. Also, Cisco NDFC meets
ever-growing scalability needs with the integration of Cisco Nexus
Dashboard Orchestrator (NDO).
NDFC is the comprehensive management and automation solution for all
Cisco Nexus and Cisco Multilayer Distributed Switching (MDS) platforms
powered by Cisco NX-OS. NDFC provides management, automation,
control, monitoring, and integration for deployments spanning LAN, SAN,
and IP Fabric for Media (IPFM) fabrics. SAN administrators are some of the
busiest engineers in the data center and need to manage and maintain a wide
variety of storage networking switches, directors, and storage arrays. Cisco
NDFC makes the management and maintenance of the data center easier and
less complex for the administrators.
• Management: NDFC provides fabric-oriented configuration and
operations management. It is optimized for large deployments with
little overhead, but traditional deployments are supported and can be
customized by the user to meet business needs. NDFC also provides
representational state transfer (RESTful) APIs to allow easy integration
from Cisco or third-party overlay managers and enable the automation
to meet customers’ needs.
• Automation: NDFC brings an easy-to-understand and simple
deployment approach to bootstrapping new fabrics. Cisco’s best
practices are built into the fabric builder policy templates, and
automatic bootstrap occurs with the click of a button, reducing
provisioning times and simplifying deployments.
• Monitoring and visualization: NDFC maintains the active topology
monitoring views per fabric into the new NDFC user interface (UI).
When combined with Cisco’s Nexus Dashboard Insights (NDI),
customers can complement their solution with advanced support for
Day 2 operations. Cisco Nexus Dashboard Orchestrator (NDO) allows
operators to realize a true hybrid cloud scenario, defining and
orchestrating network policy across DCNM, ACI, cloud, and edge
domains. NDO will also be the first application to work across both
Cisco ACI and DCNM sites, making Nexus Dashboard a single pane
of glass across Cisco ACI/APIC and Cisco NX-OS/DCNM controllers.
Figure 1-26 illustrates Cisco NDFC comprehensive management.

Figure 1-26 Cisco NDFC comprehensive management

Cisco NDFC Benefits and Features


Cisco Nexus Dashboard Fabric Controller (NDFC) provides granular,
scalable visibility for deep-dive troubleshooting, functionality, and
maintenance operations that benefit data center operation teams. Cisco NDFC
makes fabric management simple and reliable.

Benefits
Cisco NDFC empowers IT to move at the increasing speed required by the
business.
• Provides complete lifecycle management and automation for Cisco
Nexus and Cisco MDS platforms
• Streamlines data center automation and centralizes applications with
Cisco Nexus Dashboard
• Reduces deployment time of VXLAN-EVPN fabrics to minutes
• Improves fabric reliability with constant monitoring of compliance and
health
• Reduces operation errors with predefined deployment models
• Monitors and alerts operators to failure conditions
• Enables visualization of multiple fabrics with intuitive topology
Figure 1-27 illustrates the Cisco NDFC platform overview.
Figure 1-27 Cisco NDFC Platform overview

Features
With NDFC, you get complete automation, extensive visibility, and
consistent operations for your data center.
• Cisco NDFC App: Cisco NDFC is designed with an HTML-based
web UI, which is the main interface for the product. NDFC 12.0 is
fully integrated and will run exclusively as a service on the Cisco
Nexus Dashboard (ND), providing a single sign-on and simplified user
experience across the entire data center software portfolio. Scale and
performance were top of mind in the development of NDFC and, as
such, included modern architectures that incorporate microservices and
containerization of functions to help ensure reliability and allow for
growth over time.
Figure 1-28 shows the Cisco NDFC app.

Figure 1-28 Cisco NDFC app


NDFC is now a complete microservices architecture on Nexus
Dashboard that is based on Kubernetes. By moving away from a
monolithic infrastructure to a containerized and modular one, users
will be able to leverage this new model to enable elastic scale-out.
NDFC will also support active-active high availability with L2
reachability for three-node clusters. Along with this update, NDFC will
implement a new look and feel with an intuitive React JavaScript GUI
that aligns with Nexus Dashboard GUI and supports modernized
topology views. Figure 1-29 shows the Cisco NDFC Topology view.

Figure 1-29 Cisco NDFC Topology view


• Feature manager: With NDFC, you will no longer have to select a
mode for LAN, SAN, or IPFM at the time of installation. Instead,
NDFC has a runtime feature installer. This feature management
capability will allow you to selectively enable or disable different
features, including Fabric Controller (LAN), SAN, IPFM, and Fabric
Discovery. Figure 1-30 illustrates enabling/disabling features from the
NDFC feature manager.

Figure 1-30 Enabling/disabling features from the NDFC feature manager
• Nexus Dashboard Fabric Discovery capability: NDFC now includes
a base capability selection for Fabric Discovery. Fabric Discovery is a

lightweight version of NDFC and, when enabled, will support
monitoring, discovery, and inventory only. Configuration provisioning
will not be supported when this option is selected. This option allows
users who are using NDFC for monitoring or Day 2 Ops to minimize
resource utilization and further customize NDFC for their specific
needs.
• Compute visibility on Fabric Topology view: NDFC integrates
VMware topology onto its dynamic topology views. You simply
“discover” a vCenter that controls the host-based networking on the
fabric to show how the virtual machine, host, and virtual switches are
interconnected. This is a great benefit for the network operator since it
gives compute visibility, which is ordinarily the purview of compute
administration. Figure 1-31 illustrates the NDFC fabric view.
Figure 1-31 NDFC fabric view
• Revamped image management: Large networks need to be
maintained efficiently. NDFC has fully redesigned image management,
making upgrades easy and less time consuming. This new, easily
customizable workflow covers device upgrades/downgrades, patching,
EPLD (Electronic Programmable Logic Device) image upgrades, software
maintenance updates (SMUs), and more. NDFC
will continue to support maintenance-mode and RMA (Return Material
Authorization) actions right on the actual topology display. You can
put a switch into maintenance mode and swap serial numbers with a
replacement unit with a few clicks.
• Smart licensing policy: Implementation of Smart Licensing Policy
(SLP) with NDFC will further enhance the current smart licensing
capabilities. SLP aims to increase ease of use by enforcing fewer
restrictions with a goal of reducing the overall license friction.
• Non-Nexus platform support (IOS-XE and IOS-XR): For Cisco IOS
XE platform Catalyst 9000 Series Switches, NDFC supports VXLAN
EVPN automation. With this new fabric builder template with built-in
best practices, you can extend your VXLAN EVPN overlay networks
for greenfield deployments of Catalyst 9K switches.
NDFC also adds support for IOS-XR devices (Cisco ASR 9000 Series
Aggregation Services Routers and Cisco Network Convergence System
(NCS) 5500 Series devices), which can be managed in an external
fabric in managed mode. NDFC is now able to generate and push
configurations to these switches, and configuration compliance is
also enabled for these platforms.
• Granular role-based access control (RBAC) model for existing
roles: With NDFC, RBAC is orchestrated directly in the Nexus
Dashboard. The current RBAC roles will continue to be supported, but
the granularity for these roles will be increased, allowing you to assign
different roles to various users on a per-fabric level. For example, one
user could be a network administrator for one fabric while being a
network stager for another.
• Programmable reports for performance monitoring: NDFC
previously introduced programmable reports, which provided detailed
information on devices. A new template will be added to support
NDFC in generating these programmable reports for performance
monitoring. These reports can be used for LAN, IPFM, and SAN
deployments. You are also able to email these generated reports to
users.
• Multitenancy VRF: This feature brings in VRF support for NBM
deployments, where you can logically isolate multiple customers so
that they can co-exist on the same fabric. Multiple VRFs can be
enabled in IPFM NBM-active mode.
• Fabric builder for IPFM: To ease IPFM network provisioning,
NDFC provides preconfigured policy templates, created with best
practices in mind, that build an IPFM underlay in minutes. Using IP
throughout your operation removes the dependency on a rigid frame
format, creating a dynamic network that lets you allocate resources
on demand and future-proof your business.
• NDFC SAN Insights brings SAN analytics to life: One of NDFC’s
most important features is SAN Insights, which provides collection and
visualization of the MDS SAN analytics capabilities. This feature
provides insight into end-to-end flow-based metrics, custom graphing,
outlier detection, ECT analysis, summary dashboards, and anomaly
detection. Anomaly detection, the newest feature, provides a fully
customizable infrastructure that can be used to identify and alert on
issues captured by the SAN Insights capabilities. SAN Insights also
includes new infrastructure to help consume all the new streaming
telemetry data available on the new 64Gbps and 32Gbps MDS
switches from Cisco. Figure 1-32 shows NDFC SAN Insights.
Figure 1-32 NDFC SAN Insights
Figure 1-33 illustrates NDFC SAN analysis.
Figure 1-33 NDFC SAN analysis
• Dynamic ingress rate limiting: NDFC also plays an important part in
integrating some of the most modern software features Cisco has
created to eliminate congestion in SAN fabrics. NDFC provides an
interface to fully configure dynamic ingress rate limiting (DIRL) so
that congestion in the fabric is eliminated automatically and with
almost no impact on performance. DIRL addresses both credit
starvation and over-utilization, which can have large effects on the
SAN fabric, by controlling the rate of frames from the culprit device
while reducing the impact on the victims. NDFC simplifies the
deployment of DIRL so that it can be implemented quickly to solve the
dreaded slow-drain condition.
• Optics information for SAN interfaces: NDFC introduces a new
interface that allows customers to see trends in optics temperature and
power over time. This is a powerful new feature that provides insight
into how optics are working across time, and it can help to reduce
individual outages that are so often due to optics failures. Figure 1-34
shows the NDFC SAN optics interface.

Figure 1-34 NDFC SAN optics interface


• New zoning interface: NDFC has reinvented the way customers perform
SAN zoning. It includes a new interface in the web UI that focuses on
managing regular and IVR zones. Because zoning is a feature many
customers use every day, Cisco reworked the look, feel, and navigation
of the zoning interface to make the data easier to use and zones
faster to deploy correctly. Figure 1-35 shows the NDFC SAN zoning
interface.

Figure 1-35 NDFC SAN zoning interface

Platform Support Information


Table 1-2 lists platform support details for Cisco Nexus switches and MDS
storage switches.
Table 1-2 Platform Support Information
Server Requirements
Cisco NDFC Release 12.x runs on the Nexus Dashboard platform. It is
supported on:
• Virtual Nexus Dashboard for LAN, IPFM, and SAN deployments
• Physical Nexus Dashboard for LAN, IPFM, and SAN deployments

Third-party Applications and Cloud-based Services


The intuitive Cisco Nexus Dashboard platform provides services such as
Cisco Nexus Dashboard Insights, Cisco Nexus Dashboard Orchestrator,
Cisco Nexus Dashboard Data Broker, and a single operational view of your
geographically dispersed multicloud environments. The platform enables the
acceleration of NetOps and DevOps capabilities while scaling into the cloud.
Cisco Nexus Dashboard offers a rich suite of services for third-party
developers to build applications. REST APIs allow third-party tools to
authenticate and integrate with key services such as Nexus Dashboard
Insights and Nexus Dashboard Orchestrator. Currently supported third-party
integrations in the Nexus Dashboard ecosystem include ServiceNow
ITSM/ITOM, Splunk SIEM, HashiCorp Terraform, and Red Hat Ansible.
With third-party services integrated in Nexus Dashboard, NetOps can achieve
command and control over global network fabrics, optimizing performance
and attaining insights into data center and cloud operations. Using Cisco
Nexus Dashboard, DevOps can improve the application deployment
experience for multicloud applications’ Infrastructure as Code (IaC)
integrations. Developers describe in code the networking components and
resources needed to run an application in a data center or cloud.

Table 1-3 details the Cisco Nexus Dashboard third-party ecosystem.
Table 1-3 Cisco Nexus Dashboard Third-Party Ecosystem

Cisco Nexus Dashboard Open Ecosystem with Splunk
Cisco Nexus Dashboard, along with Nexus Dashboard Insights and Nexus
Dashboard Orchestrator, offers a rich suite of platform services, open REST
APIs, and Kafka subscription service for third-party developers to build
custom applications and integrations. Leveraging these open APIs and
platform services, Cisco has released out-of-the-box tools that unlock
valuable use cases through integration with Splunk Enterprise.
The Nexus Dashboard Insights and Splunk integration enables customers to
gain deeper insights into the operational state of their infrastructure,
accelerate troubleshooting, and improve operational efficiency. Some of the
benefits include the following:
• Get comprehensive network insights and simplified troubleshooting.
• Visualize real-time, contextually relevant network insights.
• Create automated alerts for network problems, errors, and conflicts.
• Correlate multitier and multidevice anomalies and advisories.
• Perform flexible, query-driven searches for anomalies and advisories
over time.
• Analyze trends related to anomalies and advisories over a specified
period.
• Create rules that automate the response of the network to recurring
events.
Figure 1-36 illustrates Cisco Nexus Dashboard and Splunk integration.
Figure 1-36 Cisco Nexus Dashboard Splunk integration
The solution consists of two components: the Cisco Cloud Network Insights
add-on and the app for Splunk Enterprise. The add-on ingests rich data
related to Nexus Dashboard Insights anomalies and advisories in a Common
Information Model–compliant format that enables customers to do the
following:
• Monitor unique KPIs and compliance metrics with custom dashboards
and drilldowns that track specific anomalies and advisories.
• Prevent outages through custom alerting for specific anomalies and
advisories.
• Build cross-tier correlations with the data from other tiers, such as
applications, compute, and security.

Cisco Nexus Dashboard Open Ecosystem with ServiceNow
In monitoring service health, identifying service disruptions, and aiding
problem resolution, cloud-based service management solutions offer critical
insights and control. However, they don’t have full visibility of the
underlying network or all the variables that can cause service disruptions.
When complex network problems arise, service management solutions need
deeper insights into the intent of the network administrator to pinpoint,
characterize, or resolve them. This resolution requires arduous investigation
and troubleshooting. When the problem is identified and understood, network
administrators must create a ticket, resolve the problem, verify the fix, and
close the ticket.
What’s needed is a solution involving continuous network insights,
assurance, and analytics that can be coupled with cloud-based service-
management tools—a solution that can align service and network insights
and enable automated, closed-loop incident management, all through a single
dashboard. Cisco Nexus Dashboard Insights and ServiceNow integration is
that solution. This solution comprises two apps: namely, the ServiceNow app
on Nexus Dashboard and the Nexus Insights app on ServiceNow. Some of
the benefits of the solution are listed below:
• Comprehensive visibility across incidents over a given time span
• Automatic ticketing and downtime minimization and reduced time to
resolution
• Single pane of unified ticket management for Nexus Dashboard
operators
Cisco Nexus Dashboard Insights integrates with ServiceNow to provide
comprehensive visibility and incident management capabilities spanning IT
services as well as the underlying network. Figure 1-37 illustrates Nexus
Dashboard Insights ServiceNow integration.
Figure 1-37 Nexus Dashboard Insights ServiceNow integration
Nexus Dashboard Insights–generated anomalies are fetched by the
ServiceNow ITOM/ITSM platform, and incident tickets are created. The
anomalies pulled can be configured by the user. Incidents include incident
number, the state of the ticket, details from the anomaly, and assignment
group/user. The application extends support for correlating multiple Nexus
Dashboard Insights on a single ServiceNow instance. Also, ticketing
information is uniform across multiple Nexus Dashboard instances.
With Cisco Nexus Dashboard Insights integration, ServiceNow
administrators can predict network outages and vulnerabilities before they
affect service performance and can accelerate changes while reducing risk.
The ServiceNow app on Nexus Dashboard (ND) helps manage ServiceNow
incidents directly from ND for single pane of glass operations and quicker
time to resolution.
Figure 1-38 illustrates the ServiceNow app on Nexus Dashboard.

Figure 1-38 ServiceNow App on Nexus Dashboard

Summary
Are your operations teams tasked with delivering security, uptime, and
business continuity on a complex data center infrastructure? Do they have the
right tools that provide proactive change management and precise
troubleshooting information tied together in a unified, easy-to-consume user
experience? Start powering the transformation of the networking operations
teams by standardizing on the Cisco Nexus Dashboard experience. Meet and
exceed critical business mandates of agility and availability as you operate
your secure, intent-based data center from Cisco Nexus Dashboard.
The new Cisco Nexus Dashboard unleashes a unified experience and
automation workflows by standardizing on the Cisco Nexus Dashboard
platform (physical/virtual/cloud). Customers can now standardize operations
processes on a single platform, and teams can use advanced visibility,
monitoring, orchestration, and deployment services from a unified pane of
glass. The Cisco Nexus Dashboard platform can be deployed across the
hybrid cloud infrastructure in the form factor of your choosing
(physical/virtual or cloud). The Nexus Dashboard platform is extensible. The
Cisco Nexus Dashboard platform integrates with third-party services such as
ServiceNow and Splunk and also provides the central point for cross-domain
integrations.
With Cisco Nexus Dashboard, you can do the following:
• Improve experience: Reduce the time to value for powerful
operations capabilities with a consistent UX and a single pane of glass
for all native and fabric-agnostic applications.
• Increase cost savings and revenue: Reduce overall network total cost
of ownership (TCO) by scaling on a uniform operations infrastructure,
and reduce management screen sprawl across data center sites.
• Ensure business continuity and compliance: Quickly debug and
resolve root-cause issues.

References/Additional Reading
https://www.cisco.com/c/en/us/support/cloud-systems-management/prime-data-center-network-manager/products-release-notes-list.html
https://www.cisco.com/c/en/us/support/cloud-systems-management/prime-data-center-network-manager/products-device-support-tables-list.html
https://www.cisco.com/c/en/us/support/cloud-systems-management/multi-site-orchestrator/series.html
https://store.servicenow.com/sn_appstore_store.do#!/store/application/56fe817b0f4caa003ac788cce1050e4d/4.0.0?referer=%2Fstore%2Fsearch%3Flistingtype%3Dallintegrations%25253Bancillary_app%25253Bcertified_apps%25253Bcontent%25253Bindustry_solution%25253Boem%25253Butility%25253Btemplate%26q%3Daci&sl=sh
https://developer.cisco.com/nexusapi/#terraform
https://developer.cisco.com/nexusapi/#ansible

Chapter 2. Cisco Data Center Analytics and Insights
When you have hundreds of network fabrics spread across multiple data
centers, it can be extremely challenging to get a full picture of what’s
happening with contextual details about where, when, and why it’s
happening. It is critical for IT to have a solution that provides a unified and
correlated view of its network infrastructure, endpoints, and events as well as
helps prepare companies to progressively transition from reactive to proactive
and eventually predictive IT operations.
The networking team should not spend time on understanding data like a data
science team. Cisco’s API-driven monitoring and assurance solutions provide
essential insights along with security compliance benefits. These network
insight solutions bring the ability to see the big picture, and if something goes
wrong, they show you exactly where to look instead of you poking around
and hoping to get lucky.
This chapter will cover the following solutions:
• Cisco Nexus Dashboard Insights
• Cisco Network Assurance Engine
• Cisco Nexus Dashboard Data Broker
• Cisco Meraki vMX

Cisco Nexus Dashboard Insights


Intent-based policies can be extended to multiple data center sites, branches,
and the public cloud to provide centralized control. Cisco Nexus Dashboard
Insights supports the Day 2 operations of these network sites by providing
visibility, assurance, and proactive detection of anomalies with a
correlated network and application view. This helps identify issues,
accelerate troubleshooting, and then remediate issues on these sites. Cisco
Nexus Dashboard Insights was designed with the following network
characteristics and architecture in mind:
• Built-in automation: The network configuration is centrally managed
by a controller; therefore, the network operators no longer need to
manage the device configuration on a box-by-box basis. With the
centralized controller method, it is easier to maintain features and
configuration consistency across the network.
• Scalable architecture: For different reasons, such as scale, disaster
avoidance, and disaster recovery, modern data centers often expand
beyond a single site to multiple geographically dispersed locations,
sometimes even to the public cloud. As data centers scale out, the
complexity of collecting and analyzing data to understand the
operational state of the networks increases. At the same time, with the
increasingly distributed application workload, a data center
infrastructure can be running anywhere from a few thousand to a few
million flows at a time. In addition, at times there may be a few
hundred messages or events being logged every second. Manually
correlating these flows and logs, switch by switch, in order to
troubleshoot issues can be very challenging and time consuming.
• Operations challenges: The challenge faced by operators is to
comprehend and correlate the data collected from each switch in the
fabric to a particular problem, such as slowness in a web application.
This implies a stringent expectation that an operator has the required
knowledge and expertise (which usually takes time to build) about
most, if not all, of what’s happening in the infrastructure.
Cisco Nexus Dashboard Insights addresses these challenges to bring about
the following benefits:
• Increased operational efficiency and network availability with
proactive monitoring and alerts: Cisco Nexus Dashboard Insights
learns and analyzes network behaviors to recognize anomalies before
end users do and then generates proactive alerts useful in preventing
outages. Cisco Nexus Dashboard Insights also proactively identifies
the networks’ exposure to known defects, PSIRTs (Product Security
Incident Response Team advisories), and field notices and
recommends the best course for proactive remediation.
• Shortened mean time to resolution (MTTR) for troubleshooting:
Cisco Nexus Dashboard Insights minimizes the critical troubleshooting
time through automated root-cause analysis of data-plane anomalies,
such as packet drops, latency, workload movements, routing issues,
ACL drops, and so on. Additionally, Cisco Nexus Dashboard Insights
provides assisted auditing and compliance checks using searchable
historical data presented in time-series format.
• Increased speed and agility for capacity planning: Cisco Nexus
Dashboard Insights detects and highlights components exceeding
capacity thresholds through fabric-wide visibility of resource
utilization and historical trends. The captured resource utilization
shows time series–based trends of capacity utilization so that the
network operation team can plan for resizing, restructuring, and
repurposing.
• Increased efficiency and reduced risks in network operations, such
as configuration change management and software upgrades:
Starting with the 6.0 release, Nexus Dashboard Insights provides a dry-
run environment in which network operators can test and validate their
intended configuration changes against a snapshot of the actual
network, allowing them to understand the impact of the changes on the
network and to catch and correct any errors before entering the
changes into the production network. This also minimizes the risk of
network configuration changes.
Cisco Nexus Dashboard Insights is a microservices-based modern service for
network operations. It is hosted on Cisco Nexus Dashboard, where Cisco ACI
and Cisco DCNM sites are onboarded and the respective data from these sites
is ingested and correlated by Cisco Nexus Dashboard Insights.
Cisco Nexus Dashboard Insights directs operators’ attention to the significant
matters relevant to the task at hand, such as troubleshooting, monitoring,
auditing, planning, vulnerabilities, and so on. All anomalies and analytics
results in Cisco Nexus Dashboard Insights can be accessed by an external
system via its REST APIs or exported using Kafka, where the users can
subscribe to relevant topics. Users can also choose to receive email
notifications on anomalies with the option to customize which anomaly types
they want to see, along with their severity and cadence.
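The anomaly export described above lends itself to a small consumer. The following is an added example, not code from the book or from Cisco: it reads anomaly records one line at a time (a constructed JSON-lines sample stands in for what a Kafka topic or a REST poll would return; the field names type, severity, site, resource and detected_at are assumptions, not the real Insights schema) and applies a subscriber's type, severity and cadence preferences before anything is forwarded as an alert.

```python
"""Subscription filtering for exported anomalies.

Added example, not code from the book or from Cisco. The record shape
(type, severity, site, resource, detected_at) and the sample lines below are
constructed for the example and are not the real Nexus Dashboard Insights
export schema.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Severity order used to compare a record against a subscriber's threshold.
SEVERITY_RANK = {"info": 0, "minor": 1, "warning": 2, "major": 3, "critical": 4}


@dataclass
class Subscription:
    """What one subscriber asked for: anomaly types, minimum severity, and the
    minimum spacing (cadence) between repeated alerts for the same resource."""
    types: frozenset
    min_severity: str
    cadence: timedelta


@dataclass
class AnomalyNotifier:
    """Consumes exported anomaly records and decides which of them become
    outbound alerts (an email, a ticket, a SIEM event)."""
    sub: Subscription
    last_alert: dict = field(default_factory=dict)  # (site, type, resource) -> time

    def matches(self, rec: dict) -> bool:
        """Type must be subscribed and severity must reach the threshold."""
        if rec.get("type") not in self.sub.types:
            return False
        rank = SEVERITY_RANK.get(rec.get("severity"), -1)  # unknown severity never matches
        return rank >= SEVERITY_RANK[self.sub.min_severity]

    def consume(self, line: str):
        """Return an alert dict for this record, or None if it is filtered out
        or suppressed because the same anomaly alerted inside the cadence window."""
        rec = json.loads(line)
        if not self.matches(rec):
            return None
        key = (rec["site"], rec["type"], rec["resource"])
        seen_at = datetime.fromisoformat(rec["detected_at"])
        previous = self.last_alert.get(key)
        if previous is not None and seen_at - previous < self.sub.cadence:
            return None
        self.last_alert[key] = seen_at
        return {"key": key, "severity": rec["severity"], "at": rec["detected_at"]}


# Constructed sample of what a consumer might read from an export topic.
SAMPLE_EXPORT = [
    '{"type": "packet_drop", "severity": "critical", "site": "site-a", "resource": "leaf-101", "detected_at": "2023-03-01T10:00:00"}',
    '{"type": "packet_drop", "severity": "critical", "site": "site-a", "resource": "leaf-101", "detected_at": "2023-03-01T10:02:00"}',
    '{"type": "compliance_violation", "severity": "warning", "site": "site-a", "resource": "tenant-x", "detected_at": "2023-03-01T10:03:00"}',
    '{"type": "psirt_exposure", "severity": "major", "site": "site-b", "resource": "spine-201", "detected_at": "2023-03-01T10:05:00"}',
    '{"type": "packet_drop", "severity": "minor", "site": "site-b", "resource": "leaf-202", "detected_at": "2023-03-01T10:06:00"}',
    '{"type": "packet_drop", "severity": "critical", "site": "site-a", "resource": "leaf-101", "detected_at": "2023-03-01T10:20:00"}',
    '{"type": "psirt_exposure", "severity": "info", "site": "site-b", "resource": "spine-202", "detected_at": "2023-03-01T10:21:00"}',
]


def run_sample():
    """Apply one subscription to the sample export and return the alerts raised."""
    sub = Subscription(types=frozenset({"packet_drop", "psirt_exposure"}),
                       min_severity="major", cadence=timedelta(minutes=15))
    notifier = AnomalyNotifier(sub)
    alerts = []
    for line in SAMPLE_EXPORT:
        alert = notifier.consume(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the sample subscription, the second packet_drop on leaf-101 (two minutes after the first) is suppressed by the cadence window while the one twenty minutes later is raised again, the compliance anomaly is dropped because its type is not subscribed, and the minor and info records fall below the severity threshold. Keying the cadence state on (site, type, resource) rather than on type alone is what keeps a burst on one switch from hiding a new problem on another.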
While network monitoring, analytics, and assurance are the core functions of
Nexus Dashboard Insights, it offers many other capabilities and tools to
increase the efficiency of and reduce the risks in network operations. The
following are the key components of Nexus Dashboard Insights:
• Network telemetry–based full visibility and analytics: Nexus
Dashboard Insights receives network telemetry data from the network
devices. It obtains fine-grained visibility through the telemetry data,
including both control-plane and data-plane operations and
performance. It analyzes and learns about the baseline behavior of the
network and detects anomalies in the network. The anomalies are
reported to the network operations team through the Insights user
interface (UI) or email notification and can be sent to other tools via
programmatic methods, such as Kafka export or direct API calls.
• Snapshot-based network assurance through mathematical
modeling: In its 6.0 release, Nexus Dashboard Insights inherited the
assurance analysis engine from the original Network Assurance Engine
(NAE) application. The NAE continuously takes full snapshots of the
network on a regular interval and then builds a mathematical model for
each snapshot that represents the network and how it operates at a
point in time. It then analyzes the network behaviors against this
model. It checks the network configuration for any errors as well as
examines the consistency between the network configuration and its
actual operational states. Any configuration issues, any inconsistencies
between the configuration and the operational states, or any incorrect
behaviors of the network components will be reported as network
anomalies. It assures the network configuration, policy space,
connectivity, and endpoint space. The assurance functions are a
comprehensive collection of automated troubleshooting processes,
developed based on the deep knowledge base accumulated through
years of network design, deployment, and support experience.
• Centralized network insights with One View: Organizations scale
out their data centers by deploying multiple data center sites that often
are geographically dispersed. This creates a fragmented view of the
network infrastructure and creates challenges for Day 2 operations
teams, leading to slower incident detection, correlation, and resolution.
Starting with the Nexus Dashboard 2.1 release, users can link their
multiple Nexus Dashboard clusters together to operate their network
sites from this one central point and obtain an aggregated view of the
operations of all their network sites. Enabled by the “One View”
capability on Nexus Dashboard, the Insights service itself can now
provide its users with the centralized visibility across all the network
sites on the linked Nexus Dashboards and enable the smooth
navigation among the different sites on the same Insights UI.
• Pre-change analysis for risk-free configuration change
management: Network configuration change management has been
considered an operation with risks by nature because the network team
has not had a good tool to fully qualify the changes before
implementing them in the production network. Pre-Change Analysis is a
function originally offered by Cisco NAE to tackle this challenge by
giving the network team a tool to fully test-drive their intended
configuration changes. Cisco NAE is integrated into Cisco Nexus
Dashboard Insights Release 6.0. Now the Insights users can take full
advantage of the same pre-change verification capability to proactively
validate the configuration changes against the latest snapshot of the
network. This is a long-desired capability by the network operations
team. Now, they can simply submit their intended changes to the
Insights service, which will analyze the impacts of the changes to the
network, calling out any errors or potential issues if there are any. The
network team gets an opportunity to review and correct the errors and
only implement the fully qualified configuration changes to the
network. This pre-change analysis function removes the guesswork
from network configuration change management, minimizes the risks
of the change management, and thus increases the availability of the
entire network.
• Automated continuous compliance assurance: Most organizations
have some type of compliance requirements for their networks, such as
industry regulatory compliance requirements or internal requirements
for security or business functions. Additionally, the network teams
often have their own established best practices, standard configuration,
and standardized naming conventions they would like to implement or
enforce during the ongoing network operation. All these requirements
can be ensured by Nexus Dashboard Insights through its compliance
assurance functions. These capabilities were originally in the Cisco
NAE application and now are part of the Insights service, since its 6.0
release.
The compliance assurance functions in the Insights service give the
network team one more place to directly describe and submit their
intents for the network, which then automatically and continuously
verifies and validates the intents in the network for them. Any
deviation from the intents will be captured as compliance violation
anomalies and reported to the network team immediately. With the
automated, continuous security and configuration compliance analysis,
Nexus Dashboard Insights enables true intent-based network operation.
• The ability to query the network like a database using natural
language: Explorer, originally from the Cisco NAE application, is now
a part of Nexus Dashboard Insights, since its 6.0 release. It is a tool for
the network teams to conveniently explore the entire network like a
database using natural language–based queries. Explorer can answer
questions such as the following:
• Can EPG A talk to EPG B?
• How can they talk?
• What VRFs are deployed in my tenant space X?
• What endpoints are attached to the leaf switch 101 port 1/1?
This is a highly efficient way to find the objects and discover how they
are associated with one another in the network.
Network operators can easily create natural language queries to get
their discovery tasks done efficiently. For example, they can quickly
locate a specific object, such as a particular endpoint out of thousands
of them in the entire network, or just simply get a per-device or
network-wide inventory of certain network object types in the network
or find out the communication relationship between different objects
throughout the network that either can communicate with or are
isolated from each other using past or present snapshots of the
network.
Explorer is an effective tool to assist in the troubleshooting of the
network configuration, operational states, network change planning,
and so on.
• Easier and safer network software upgrading: Starting with its 6.0
release, Nexus Dashboard Insights offers software upgrade analysis to
ease and reduce the risk of a software upgrade workflow. It can assist
the network team in choosing the right target software version for the
upgrade. Based on the pre-upgrade analysis results, the network team
can prepare for the upgrade by clearing up the identified issues or
faults in the network, if any, and thus get a clear expectation of what
issues will be solved by the update and be aware of whether the target
version will introduce any new caveats. The post-upgrade analysis
shows the network team the differences in the network state
(endpoints, routes, interface status, and so on) before and after the
upgrade so they can quickly tell if the network has come through the
upgrade without any issues or if something is missing. The pre- and
post-upgrade analysis makes the software upgrade operation easier and
safer.

Cisco Nexus Dashboard Insights Licensing


Nexus Dashboard Insights is offered through the Cisco DCN Premier tier
licenses and the Cisco DCN Day 2 Ops add-on license.
The Cisco Nexus Dashboard Insights licensing guidelines:
• For customers who have a Cisco DCN Essentials or Advantage license,
they can acquire Cisco Nexus Dashboard Insights licenses through a
Day 2 Ops bundle.
• Cisco Nexus Dashboard Insights licenses are available in subscription
mode only.
• For Cisco ACI environments, the number of device licenses required is
equal to the sum of the leafs. The spines do not require a device
license.
• For a Cisco NX-OS/DCNM environment, device licenses are required
for all nodes. The number of device licenses required is equal to the
sum of the leafs, fixed spines, and/or modular spines.
• Cisco Intersight Nexus Dashboard Base application does not require
additional licensing. The user is required to create an account in Cisco
Intersight to use the functionality.
• Cisco Nexus Insights Cloud Connector application is included in the
Cisco APIC and Cisco DCNM software operating system (OS) as a
license-free offering.
• For a more detailed overview on Cisco licensing, go to
cisco.com/go/licensingguide.
• Download the Cisco Nexus Dashboard Insights applications in the
Cisco DC App Center.
• Try the Cisco Nexus Dashboard Insights TAC Assist feature for free.
• Contact your Cisco account team to learn pricing and additional
details.

Key Components of Cisco Nexus Dashboard Insights
Cisco Nexus Dashboard Insights provides a direct view into the site-level
anomalies (issues) that need attention, all of which are calculated by Cisco
Nexus Dashboard Insights. The anomalies are consolidated into the Overview
screen and sorted by category and severity. The Insights service further

groups the anomalies by top nodes, timeline view, site health score, and
advisories. A node inventory by roles, and corresponding health score, allows
click access to the in-depth node-level visibility, which gives all details on
the nodes, including trends of anomalies observed.
Cisco Nexus Dashboard Insights also allows users to create custom
dashboards for any charts seen in the service:
• Analyze Alerts: Nexus Dashboard Insights users can interactively
browse, search, and analyze the anomalies and advisory alerts
generated by the service.
• Anomalies: Nexus Dashboard Insights can find issues around the
following network operations:
• Resource utilization.
• Environmental issues such as power failure, memory leaks, process
crashes, node reloads, CPU, and memory spikes.
• Interface and routing protocol issues such as CRC errors, DOM
anomalies, interface drops, BGP issues such as lost connectivity with
an existing neighbor, PIM, IGMP flaps, LLDP flaps, CDP issues, and
so on. Also provides a view into microbursts with offending and
victim flows.
• Flow drops with the location and reason for the drop; abnormal latency
spikes of flows, using hardware telemetry and direct hardware export;
and flows impacted by events in a switch, such as buffer, policer,
forwarding, ACL, or policy drops, using Flow Table Events (FTE), which
is another form of hardware telemetry.
• Endpoint duplicates, rapid endpoint movement, and rogue endpoints.
• Issues in the network configuration, which are detected and reported
as change analysis anomalies.
• Violations to the compliance requirements for compliance assurance,
which are detected and reported as compliance anomalies.
• Issues found in the network forwarding analysis and assurance, which
are detected and reported as forwarding anomalies.
• Application issues as calculated by AppDynamics and Cisco Nexus
Dashboard Insights (AppD Integration required).
The Anomalies view also indicates, at the node level, whether a node is
affected by known Cisco caveats or best-practice violations.
Figure 2-1 shows the Anomalies view.

Figure 2-1 Anomalies view


Figure 2-2 shows the Analyze the Anomaly view.
Figure 2-2 Analyze the Anomaly view
• Advisories: Nexus Dashboard Insights can identify and generate
advisory alerts to the network operations team for the following:
• Field notices
• Software/hardware products’ end-of-life (EOL) and end-of-sales
(EOS) announcements
• PSIRTs that can potentially impact the network sites that it is
monitoring
The alerts consist of the relevant impacts of the identified field notices,
EOL/EOS, and PSIRTs as well as the affected devices in the network.
Nexus Dashboard Insights also performs targeted bug scanning to alert
the network operations team about the known defects relevant to their
specific network environment based on its hardware/software versions,
features enabled in the network, and network configuration. This helps
the network team to carry out the remediation actions on the affected
switches quickly or to form a software or hardware upgrade plan
accordingly.
• Network Delta Analysis: Starting with the 6.0 release, Nexus
Dashboard Insights can run network delta analysis. This capability is
inherited from Cisco NAE. Users of the Insights service now can select
any two snapshots of the network site and ask Insights to analyze the
differences between them, including configuration differences as well
as differences in anomalies and advisories that reveal the differences in
how the network was operating at two points in time.
Understanding the differences in the network configuration and
operations is important and extremely helpful for many different
scenarios. For troubleshooting a network incident, the differences in
the network configuration or operations can often help identify the
cause of the issue. For performing network maintenance, such as
configuration changes, software upgrade, and hardware replacement, it
is helpful to check the differences in the network before and after the
maintenance task. It can tell whether the network has converged or
restored to how it should be after the task, whether the task has
resolved the issues it is supposed to resolve, or whether it has
introduced any new issues. The Delta Analysis function increases
network operation efficiency for these maintenance tasks and helps
reduce the mean time to resolution (MTTR) for troubleshooting.
• Log Collector: Nexus Dashboard Insights can assist the network team
in collecting tech-support logs per node. It turns the tedious task into a
simple one-step automated job. These logs can be downloaded locally
and optionally uploaded to Cisco Cloud to make them available for
Cisco Support when a service request (SR) is opened.
• Connectivity Analysis: Allows users to run a quick or full analysis for
a flow within one NX-OS network site or spanning multiple NX-OS
network sites in order to do the following:
• Trace all possible forwarding paths for a given flow across source to
destination endpoints
• Identify the offending device with the issue resulting in the flow drop
• Help narrow down the root cause of the issue, including running
forwarding path checks, running software and hardware states
programming consistencies through consistency checkers, and
providing further details related to packet walkthrough and lookup
results through packet capture
These issues are time-consuming to debug, and Connectivity Analysis
provides a quick analysis of these issues in a user-driven way. Figure 2-3
shows the possible paths a flow can traverse while running thorough
consistency checks.

Figure 2-3 Possible paths a flow can traverse while running through
consistency checks
Figure 2-4 shows the status of flow path consistency checks.
Figure 2-4 Status of flow path consistency checks

Browsing Cisco Nexus Dashboard Insights


All anomalies observed for any of the following data sets are rolled into the
Dashboard view of the respective site to draw your attention.

Resources
It is tedious to keep track of software-verified scale per release, per resource,
and what scale the hardware in your network supports. Moreover, keeping
track of utilization of resources per node over time and setting static
thresholds for these resources to be notified on violation do not scale for
dynamically growing networks. To resolve this, Cisco Nexus Dashboard
Insights baselines utilization of resources, monitors trends, and generates
anomalies on abnormal usage of resources across nodes to help a user plan
for capacity in their networks.
Resource utilization shows time series–based trends of capacity utilization by
correlating software telemetry data collected from nodes in each site.
Persistent trends help identify burdened pieces of infrastructure and plan for
resizing, restructuring, and repurposing. Figure 2-5 shows resource
utilization.
Figure 2-5 Resource utilization
Resource utilization categorizes capacity utilization as follows:
• Operational resources: Displays the capacity of transient resources that
are dynamic in nature and expected to change over short intervals, such
as routes, MAC addresses, and security TCAM (Ternary Content-
Addressable Memory).
• Configuration resources: Displays the capacity utilization of
resources that are dependent on configurations, such as the number of
VRFs, bridge domains, VLANs, and endpoint groups (EPGs).
• Hardware resources: Displays port and bandwidth-capacity
utilization.
Figure 2-6 shows capacity utilization.

Figure 2-6 Capacity utilization


Drilling down on any device shows the details of processes that are high
consumers of resources. Once resource utilization crosses a 70% capacity
threshold, it is color-coded yellow; beyond 80%, it is color-coded orange;
beyond 90%, it is color-coded red. This proactively alerts the network
operators about the specific resources that need their attention. It also helps
predict anomalies based on historical trends and rates of change and forecasts
resource shortages.
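As an added illustration of the colour bands and the trend-based forecast just described (this is not Nexus Dashboard Insights code), the following Python applies the 70/80/90% thresholds to a resource sample and fits a least-squares line to constructed telemetry samples to estimate when the 90% band will be reached; the 4000-entry TCAM capacity, the sample values, and the linear fit are assumptions.

```python
"""Colour-code a resource sample with the 70/80/90% bands described above and
forecast when the resource will reach the red band from its recent trend.

Added example, not Nexus Dashboard Insights code: the least-squares fit and the
telemetry samples below are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Bands from the text: yellow from 70%, orange from 80%, red from 90%.
BANDS = ((90.0, "red"), (80.0, "orange"), (70.0, "yellow"))


def utilization_color(used: int, capacity: int) -> Tuple[float, str]:
    """Return (percent used, colour) for one resource sample."""
    if capacity <= 0:
        raise ValueError("capacity must be positive")
    pct = 100.0 * used / capacity
    for limit, colour in BANDS:
        if pct >= limit:
            return pct, colour
    return pct, "green"


def linear_trend(samples: List[Tuple[float, int]]) -> Tuple[float, float]:
    """Least-squares slope (entries per second) and intercept for (t, used)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to estimate a trend")
    mean_t = sum(t for t, _ in samples) / n
    mean_u = sum(u for _, u in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    sxy = sum((t - mean_t) * (u - mean_u) for t, u in samples)
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_u - slope * mean_t


def seconds_until_band(samples, capacity, band_pct=90.0) -> Optional[float]:
    """Seconds after the last sample until the fitted line reaches band_pct.
    0.0 if the last sample is already there; None if usage is flat or falling."""
    slope, intercept = linear_trend(samples)
    last_t, last_u = samples[-1]
    target = capacity * band_pct / 100.0
    if last_u >= target:
        return 0.0
    if slope <= 0:
        return None
    return max(0.0, (target - intercept) / slope - last_t)


def assess(samples, capacity) -> Dict[str, object]:
    """Combine the current colour with a forecast, the way an operator reads a
    resource panel: where is it now, and how long until it needs attention."""
    pct, colour = utilization_color(samples[-1][1], capacity)
    return {"pct": pct, "colour": colour,
            "seconds_to_red": seconds_until_band(samples, capacity)}


# Constructed telemetry: security TCAM entries sampled every 5 minutes on a
# switch with an assumed 4000-entry capacity, growing by 150 entries per sample.
TCAM_CAPACITY = 4000
TCAM_SAMPLES = [(0, 2000), (300, 2150), (600, 2300), (900, 2450), (1200, 2600)]

if __name__ == "__main__":
    # With this trend the resource is green now but reaches 90% in 2000 s.
    print(assess(TCAM_SAMPLES, TCAM_CAPACITY))
```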
When it comes to policy TCAM analysis for an ACI network site, Nexus
Dashboard Insights not only monitors it but also gives the network team the
ability to analyze the per-contract/per-filter usage at the site or switch level.
This allows the network team to easily understand which contracts are using
the most TCAM (globally or at a switch level) as well as understand how
much a contract is used by real traffic. This allows the network team to
remove unused contracts or optimize the high TCAM consumption contracts.
Figure 2-7 shows the Policy CAM Analyzer.
Figure 2-7 Policy CAM Analyzer

Environmental
Most often, environmental data is monitored using traditional methods
such as SNMP polling or CLI commands. Data gathered this way is difficult
to post-process, is device specific, is not historical in nature, and
requires manual checks. Hence, monitoring environmental anomalies becomes
very reactive
and cumbersome. Cisco Nexus Dashboard Insights consumes environmental
data using streaming software telemetry and baselines trends, and it generates
anomalies every time the utilization exceeds pre-set thresholds. It enables the
user to determine which process is consuming CPU or hogging memory,
when storage is overfilled, when process crashes occur, and whether there are
memory leaks. All this data is provided over time with historical retention,
per node, to allow users to delve into specific anomalies while having full
visibility.
Environmental data provides anomaly-detection capabilities in hardware
components such as CPU, memory, temperature, fan speed, power, storage,
and so on. As in the other screens, components exceeding thresholds and
requiring the operator’s attention are highlighted. Figure 2-8 shows how
environmental data provides anomaly-detection capabilities.
Figure 2-8 How environmental data provides anomaly-detection
capabilities

Statistics
Statistics is all about interfaces and routing protocols. Cisco Nexus
Dashboard Insights ingests data from each node in the fabric using streaming
software telemetry. The data is then baselined to derive trends and identify
when any of these data sets suddenly show a rapid decline, for example, in
interface utilization or rapid increase in drops or CRC errors over time.
The Dashboard view presents top nodes by interface utilization and errors,
thereby allowing the user to quickly identify interfaces to investigate errors.
Protocol statistics provide a view into which protocols are active on
which interfaces (such as CDP, LLDP, LACP, BGP, PIM, IGMP, and IGMP
snooping), protocol details such as neighbors and the incoming interface
and outgoing interfaces (OIFs) for a (*,G) or (S,G) entry, along with
trends of errors such as a lost connection or neighbor, OIF flaps, invalid
packets, and so on.
Statistical data is also used for correlation in Cisco Nexus Dashboard
Insights. For instance, if there is a CRC error, Cisco Nexus Dashboard
Insights will use other data sets to find out the estimated impact (like
impacted endpoints) and provide a recommendation based on other anomalies
seen at that time (such as a DOM anomaly, which could potentially be
causing CRC errors). Figure 2-9 shows how statistical data provides an
estimated impact and recommendations.

Figure 2-9 Statistical data provides an estimated impact and
recommendations

Flows
Application problem or network problem? This is a frequently asked question
in the data center world. If anything, it always begins with the network. The
time to innocence and mean time to resolution become imperative as we deal
with business-critical applications in the data center. The tools for network
operations today often have very limited insights into data-plane counters,
flows, latency, and drops.
Even if we can get the data-plane flow data from the network switches, how
can the data from the individual switches be pieced together to form an
end-to-end view of a flow while it is traversing the network? How can the
end-to-end network latency of a flow be extracted from the flow data? It used to be
the network team that had to do all of these complex flow analysis tasks with
limited tools to help them, which means a lot of man hours.
With Cisco Nexus Dashboard Insights, using Flow Telemetry, the service
consumes flow records and their respective counters and then correlates this
data over time to provide end-to-end flow path and latency. Cisco Nexus
Dashboard Insights understands what the “normal” latency of each flow is.
When the latency exceeds the normal range, Cisco Nexus Dashboard Insights
alerts the users and shows the abnormal latency increase as an anomaly on
the dashboard.
The flow analytics dashboard attracts operator attention to key indicators of
infrastructure data-plane health. Time-series data offers evidence of historical
trends, specific patterns, and past issues and helps the operator build a case
for audit, compliance, and capacity planning or infrastructure assessment.
The flow analytics dashboard provides a time series–based overview with the
capability to drill down on specific functions by clicking the graph.

Top Flows by Average Latency


Shows time series–based latency statistics. Clicking a particular flow drills
down to detailed flow data, including latency numbers, the exact path of the
flow in the fabric, and the end-to-end latency. This takes away the trial-and-
error and manual steps otherwise required to pinpoint latency hot spots in the
infrastructure. This leads operators to focus on the root causes of the latency
and remediate them. Historical trends help operators identify persistent
problems and re-evaluate the infrastructure capacity.
Details of the flow, such as burstiness, help identify and remediate bandwidth
issues or apply appropriate quality of service (QoS) levels. Figure 2-10 shows
time series–based latency statistics.

Figure 2-10 Time series–based latency statistics

Endpoints
Shows time series–based endpoint movement in the fabric, with endpoint
details and endpoints with duplicate IPs. In virtualized data center
environments, this keeps track of virtual machine (VM) movement, which is
extremely useful to identify a VM’s current location and its historical
movements in the fabric. It provides proof points in establishing VM
movements and thus aids constructively in problem solving while working

with other IT teams.
Endpoint health and consistency is also monitored by Nexus Dashboard
Insights:
• The Insights service quickly detects duplicate endpoints and points the
user to the switch and port where the duplication is present.
• The Insights service provides built-in automation to remediate a stale
endpoint situation with a single click.

Applications
With Cisco AppDynamics and Cisco Nexus Dashboard Insights integration,
users get a single pane of glass for application and network statistics and
anomalies. Cisco Nexus Dashboard Insights consumes data streamed from
the AppDynamics controller, and in addition to showing application, tier,
node health, and metrics, Cisco Nexus Dashboard Insights derives a baseline
of network statistics of these applications, such as TCP Loss, Round Trip
Time, Latency, Throughput, Performance Impacting Events (PIE), and
generates anomalies on threshold violations. For any AppDynamics flows,
Cisco Nexus Dashboard Insights also provides an in-depth end-to-end path,
latency, drops (if any), and drop reasons to help users identify if app slowness
or issues are resulting from network issues. Figure 2-11 shows the
Application Dashboard with all applications and respective statistics.
Figure 2-11 Application Dashboard showing all applications and
respective statistics
Figure 2-12 shows application detail to view health, respective tiers, and
nodes.
Figure 2-12 Application detail to view health, respective tiers, and
nodes
A network link is for communication between tiers. Cisco Nexus Dashboard
Insights maps links to respective flows traversing the fabric, thereby allowing
users to see flow details and paths with drops, if any.
This integration is vital to blurring the lines between silos inside the
organization, enabling operators to see the network from the application’s
point of view. The operator does not need to know which IP is associated to
which application or which application flows through which nodes at any
given time. Cisco Nexus Dashboard Insights provides all this information,
enriches the data, and correlates it for a holistic, unified operational view.
Event Analytics
Event Analytics is tuned for control-plane events in the infrastructure. It
performs the following functions:
• Data collection: Configuration changes and control-plane events and
faults.
• Analytics: Artificial intelligence (AI) and machine learning (ML)
algorithms determine the correlations between all changes, events, and
faults.
• Anomaly detection: Output of AI and ML algorithms (unexpected or
downtime-causing events).
The Event Analytics Dashboard displays faults, events, and audit logs in a
time-series fashion. Clicking any of these points in the history displays its
historical state and detailed information. Further, all these are correlated
together to identify whether deletion of a configuration led to a fault. Figure
2-13 shows the Event Analytics Dashboard.
Figure 2-13 Event Analytics Dashboard
• Audit logs: Show the creation, deletion, and modifications of any
object in Cisco ACI (subnet, IP address, next-hop, EPG, VRF, and so
on). This is useful for identifying recent changes that may be a
potential reason for unexpected behavior. It can aid in reverting
changes to a stable state and helps assign accountability. The facility of
the filters makes it convenient to narrow focus to specific changes by
severity, action, description, object, and so on. Drilling down on the
audit logs provides details for each log.
• Events: Show operational events in the infrastructure (for example, IP
detach/attach, port attach/detach on a virtual switch, interface state
changes, and so on).
• Faults: Are mutable, stateful, and persistent managed objects and
show issues in the infrastructure (for example, invalid configurations).
This function speeds up operator action toward problem rectification,
thus reducing the time lost in root-cause analysis and rectification,
which usually requires multiple steps, expertise, correlation of
symptoms, and perhaps a bit of trial and error.
The zoom in and out function in the timeline bar helps to quickly contract or
expand the timeline under investigation.

Diagnostics, Impact, Recommendation


Cisco Nexus Dashboard Insights monitors different sets of data from all
nodes in the fabric and baselines the data to identify “normal” behavior. Any
deviation from normal is represented as an anomaly in the service dashboard.
This helps the operator spend time on resolving the issue instead of finding
where in the network the issue really arose.
With the correlation algorithms that Cisco Nexus Dashboard Insights has in
place, in addition to the anomaly, it can also point to an estimated impact of
this anomaly, helping the user identify what is the potential impact of a
problem. With the impact, the service will also generate a recommendation
depending on the nature of the anomaly, thus reducing the mean time to
troubleshoot and resolve.
For example, microbursts are complex to identify and cause a myriad of
network issues. For applications that require reliable and low-latency
networks, microbursts can pose serious issues. Since microbursts occur in a
matter of microseconds, looking at a graph of overall packets per second will
make the overall transmission appear smooth. Cisco Nexus Dashboard
Insights detects these microbursts due to its rapid cadence of gathering data
and details what flows could be impacted due to these bursts and even be
causing the bursts. It makes it easier for the operator to not only detect that a
burst occurred on a particular node, interface, or queue but also the flows
impacted, with a recommendation for how to fix this anomaly. Figure 2-14
shows a microburst anomaly.
Figure 2-14 Microburst anomaly
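To make the averaging argument concrete, here is an added Python illustration (not Nexus Dashboard Insights code) that buckets a constructed packet trace at 1 s and at 10 µs and runs a simple egress-queue drain model over the fine buckets; the 10 Gbps line rate, the trace, and the 100 kB alarm threshold are assumptions.

```python
"""Show why a per-second throughput graph hides microbursts: the same packet
trace is bucketed at 1 s and at 10 us, and a simple egress-queue drain model
is run over the fine buckets to find where a queue would build up.

Added example, not Nexus Dashboard Insights code: the trace, the 10 Gbps line
rate, and the queue model are constructed simplifications."""
from collections import defaultdict
from typing import Dict, List, Tuple

LINE_RATE_BPS = 10_000_000_000  # assumed 10 Gbps egress interface
PKT_BYTES = 1500
US_PER_S = 1_000_000


def make_trace() -> List[Tuple[int, int]]:
    """Constructed trace of (arrival_us, bytes): one second of background
    traffic at one packet per 100 us, plus 200 packets that all arrive within
    20 us starting at t = 500000 us (the microburst)."""
    trace = [(t, PKT_BYTES) for t in range(0, US_PER_S, 100)]
    trace += [(500_000 + i % 20, PKT_BYTES) for i in range(200)]
    return sorted(trace)


def bucket_bytes(trace, bucket_us: int) -> Dict[int, int]:
    """Sum bytes per bucket of bucket_us microseconds, keyed by bucket start."""
    buckets: Dict[int, int] = defaultdict(int)
    for t, size in trace:
        buckets[t - t % bucket_us] += size
    return dict(buckets)


def line_capacity_bytes(bucket_us: int) -> int:
    """Bytes the interface can transmit during one bucket."""
    return LINE_RATE_BPS * bucket_us // (8 * US_PER_S)


def peak_utilization_pct(trace, bucket_us: int) -> float:
    """Busiest bucket as a percentage of what the line can carry in that time."""
    busiest = max(bucket_bytes(trace, bucket_us).values())
    return 100.0 * busiest / line_capacity_bytes(bucket_us)


def find_microbursts(trace, bucket_us=10, alarm_bytes=100_000):
    """Walk every fine bucket in order; the queue grows by arrivals and shrinks
    by one bucket's worth of line rate. Return (bucket_start_us, queue_bytes)
    for buckets where the modelled queue exceeds alarm_bytes."""
    drain = line_capacity_bytes(bucket_us)
    per_bucket = bucket_bytes(trace, bucket_us)
    end = (max(t for t, _ in trace) // bucket_us + 1) * bucket_us
    queue, alarms = 0, []
    for start in range(0, end, bucket_us):
        queue = max(0, queue + per_bucket.get(start, 0) - drain)
        if queue > alarm_bytes:
            alarms.append((start, queue))
    return alarms


if __name__ == "__main__":
    trace = make_trace()
    # The 1 s view shows ~1.2% utilisation; the 10 us view shows >1200%.
    print("1 s peak:   %.3f%%" % peak_utilization_pct(trace, US_PER_S))
    print("10 us peak: %.1f%%" % peak_utilization_pct(trace, 10))
    alarms = find_microbursts(trace)
    print("queue alarms:", len(alarms), "first:", alarms[0], "deepest:",
          max(q for _, q in alarms))
```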

Advisories
To maintain data center network availability and minimize the downtime, it is
critical for network operators to ensure that their network infrastructure is
built with up-to-date switch platforms and is running the right versions of
software. It requires periodic and thorough audits of the entire infrastructure,
which is historically a manual and time-consuming task. Cisco Nexus
Dashboard Insights turns this task into an automated process, using digitized
signatures to determine the vulnerability exposure of the network
infrastructure at the click of a button.
Cisco Nexus Dashboard Insights scans the entire network to collect the
complete information on its hardware, software versions, and active
configuration. It then runs analysis against the digitalized database of known
defects, PSIRTs, and field notices to identify the relevant ones that can
potentially impact the particular network environment, matching on its
hardware and software versions, features and topologies, and so on.
It then proactively alerts the network operators of the identified
vulnerabilities and advises them on the right hardware and/or software
versions for remediation. It also analyzes and advises on whether the network
is running any out-of-date hardware or software based on Cisco product EOL
or EOS announcement and schedule.
For any of the discovered issues, Cisco Nexus Dashboard Insights lists the
impacted devices, vulnerability details, and mitigation steps (aka advisories).
With the advisories, it recommends the best software version for the
resolution and the upgrade path—either a single-step upgrade or through
intermediate software versions. It also reveals the impact of the upgrade,
either disruptive or nondisruptive, so that the operators can proactively plan
for the upgrade accordingly.
With the automated scanning, network-context-aware vulnerability analysis,
and actionable recommendations, the advisory function in Cisco Nexus
Dashboard Insights makes it so much easier for the operation team to
maintain an accurate audit of the entire network and avoid the downtime due
to product defects or PSIRTs by getting proactive alerts and taking
preventive remediation actions. Figure 2-15 shows an advisory for a field
notice.

Figure 2-15 Advisory for a field notice

Firmware Update Analysis


Before an upgrade is performed, multiple validations need to be performed.
Similarly, after an upgrade process, multiple checks help to determine the
changes and the success of the upgrade procedure.
The Firmware Update Analysis feature suggests an upgrade path to a
recommended software version and determines the potential impact of
upgrading. It also helps with the pre-upgrade and post-upgrade validation
checks.
The Firmware Update Analysis feature offers the following benefits:
• Assists in preparing and validating a successful upgrade of the network
• Provides visibility on the pre-upgrade checks
• Provides visibility on the post-upgrade checks and the status after the
upgrade
• Minimizes the impact to the production environment
• Provides visibility as to whether the upgrade process is a single step or
multiple steps
• Displays the bugs applicable to a specific firmware version
Figure 2-16 shows a firmware upgrade recommended by Cisco Nexus
Dashboard Insights.
Figure 2-16 Firmware upgrade recommended by Cisco Nexus
Dashboard Insights
Firmware Upgrade Analysis provides a list of intermediate upgrades to get to
the destination software, along with upgrade impact and release notes for
each release linked directly in Cisco Nexus Dashboard Insights. Figure 2-17
shows Firmware Upgrade Analysis.
Figure 2-17 Firmware Upgrade Analysis

Pre-Change Analysis
You can access the Pre-Change Analysis page from the left navigation
column in the Cisco Nexus Dashboard Insights GUI. Navigate to Change
Management and select Pre-Change Analysis.
When you want to change a configuration for a site, this feature in Cisco
Nexus Dashboard Insights allows you to model the intended changes,
perform a Pre-Change Analysis against an existing base snapshot in the site,
and verify if the changes generate the desired results.
After you model the changes for a Pre-Change Analysis job, you can choose
Save or Save And Analyze. By choosing Save, you can save the Pre-Change
Analysis job without having to start the analysis right away. You can return
to the job later, edit the changes if required, and then run the analysis later.
The Save option is supported only for a Pre-Change Analysis job with
manual changes. If you choose Save And Analyze, the job gets scheduled and
an analysis is provided.
When you choose Save And Analyze for the job, the changes are applied to
the selected base snapshot, the analysis is performed, and results are
generated. For every Pre-Change Analysis job listed in the table, a delta
analysis is performed between the base snapshot and the newly generated
snapshot. Figure 2-18 shows Pre-Change Analysis.

Figure 2-18 Pre-Change Analysis


Once the analysis starts, the status of the job will be shown as “running.”
During this time, the specified changes will be modeled on top of the base
snapshot, and complete logical checks will be run, including Policy Analysis
and Compliance. No switch software or TCAM checks will be performed.
The status of the Pre-Change Analysis job is marked “completed” when the
entire analysis, including Delta Analysis, completes. The Delta Analysis is
automatically triggered and the associated Pre-Change Analysis job is
displayed as running during that time. The Delta Analysis is performed only
on checks supported in the Pre-Change Analysis job.
In addition to multiple tenants, you can also add multiple infrastructure
objects as part of a Pre-Change Analysis JSON or XML job. The Pre-Change
Analysis upload path allows you to add, modify, and delete multiple objects
across the policy universe. There are no additional configurations required to
use this feature. Your Pre-Change Analysis job for multiple objects will run,
based on the file(s) you upload.
The following file upload formats are accepted:
• A JSON or XML file with an IMDATA of size 1.
• An IMDATA that contains a single subtree of the intended changes.
The root of the subtree can be the UNI or any other managed object as
long as the changes are represented as a single subtree.
Use the file you uploaded via the JSON or XML path to perform a Pre-Change
Analysis. After the Pre-Change Analysis is complete, you can upload the same
file to ACI to make the changes.
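An added example (not Cisco's code) that checks a file against the upload rules above before it is submitted: JSON or XML, an imdata of size 1, and that single element forming one managed-object subtree. The JSON layout with one class key per object and `attributes`/`children` members is assumed from the APIC object model, and the sample files are constructed.

```python
"""Check a configuration file against the Pre-Change Analysis upload rules
described above: JSON or XML, an imdata of size 1, and that single element
being one subtree of managed objects (rooted at uni or any other MO).

Added example, not Cisco's code. The JSON shape it expects,
{"<class>": {"attributes": {...}, "children": [...]}}, is assumed from the
APIC object model; the sample files are constructed."""
import json
import xml.etree.ElementTree as ET
from typing import List


def _check_mo_subtree(node, path="imdata[0]") -> List[str]:
    """Recursively verify that node is a single-rooted managed-object subtree:
    exactly one class key, an 'attributes' member, and well-formed children.
    Returns a list of problems (empty when the subtree is acceptable)."""
    if not isinstance(node, dict) or len(node) != 1:
        return [f"{path}: expected exactly one managed-object class, got {node!r}"]
    cls, body = next(iter(node.items()))
    if not isinstance(body, dict) or "attributes" not in body:
        return [f"{path}.{cls}: missing 'attributes'"]
    problems: List[str] = []
    for i, child in enumerate(body.get("children", [])):
        problems.extend(_check_mo_subtree(child, f"{path}.{cls}.children[{i}]"))
    return problems


def validate_json(text: str) -> List[str]:
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    imdata = doc.get("imdata") if isinstance(doc, dict) else None
    if not isinstance(imdata, list):
        return ["top level must be an object with an 'imdata' list"]
    if len(imdata) != 1:
        return [f"imdata must have size 1, got {len(imdata)}"]
    return _check_mo_subtree(imdata[0])


def validate_xml(text: str) -> List[str]:
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not valid XML: {exc}"]
    if root.tag != "imdata":
        return ["XML root element must be <imdata>"]
    children = list(root)
    if len(children) != 1:
        return [f"imdata must have size 1, got {len(children)}"]
    return []  # an XML element is by construction a single subtree


def validate_upload(text: str) -> List[str]:
    """Return [] when the file is acceptable, else the reasons it is not."""
    if text.lstrip().startswith("<"):
        return validate_xml(text)
    return validate_json(text)


# Constructed sample files.
GOOD_JSON = json.dumps({"totalCount": "1", "imdata": [
    {"fvTenant": {"attributes": {"name": "Prod"}, "children": [
        {"fvCtx": {"attributes": {"name": "vrf1"}}}]}}]})
TWO_TENANTS_JSON = json.dumps({"imdata": [
    {"fvTenant": {"attributes": {"name": "A"}}},
    {"fvTenant": {"attributes": {"name": "B"}}}]})
GOOD_XML = '<imdata><fvTenant name="Prod"><fvCtx name="vrf1"/></fvTenant></imdata>'

if __name__ == "__main__":
    for label, text in (("good json", GOOD_JSON), ("two tenants", TWO_TENANTS_JSON),
                        ("good xml", GOOD_XML)):
        print(label, "->", validate_upload(text) or "OK")
```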

Cisco Nexus Dashboard Insights Features and Benefits
Cisco Nexus Dashboard Insights for the data center stands out as the first
comprehensive technology solution in the industry developed by Cisco for
network operators to manage operations in their networks. Table 2-1 provides
a list of features and their benefits.
Table 2-1 Features and Benefits
Cisco Nexus Insights Cloud Connector
Cisco also provides a license-free version of the Cisco Nexus Insights
application, called Cisco Nexus Insights Cloud Connector, that will benefit
operators by collecting valuable information about the status and capabilities
of Cisco data center platforms.
The Cisco Nexus Insights Cloud Connector (Cisco NI Cloud Connector)
application provides customers with the benefit of faster time to remediation
with Cisco Technical Assistance Center (TAC assist) functionalities, along
with automatic, secure collection of tech-support logs. Cisco Nexus Insights
Cloud Connector will empower IT teams to provide inventory reports of
license entitlement, upcoming renewals, and proactive defect notifications,
along with lifecycle management support from integrated Cisco Customer
Experience (CX) programs. Figure 2-19 shows Cisco TAC Assist.

Figure 2-19 Cisco TAC Assist

Cisco Nexus Insights Cloud Connector is pre-packaged with Cisco data
center platforms to automatically connect and transmit product usage data to
Cisco. All product-usage telemetry data is transmitted to Cisco through an
encrypted channel. The categories of data collected are limited to product
usage. For details about the product usage telemetry information that is
collected, refer to Table 2-2.
Table 2-2 Product Usage Telemetry
Users can also choose to opt out of the data collection of product-usage
telemetry by switching off the device connector in their specific data center
platforms. For further information, refer to the Cisco Nexus Insights Cloud
Connector configuration guides.
Cisco Nexus Dashboard Data Broker
Every enterprise depends on the smooth running of its business applications
and the underlying infrastructure. Visibility into application traffic has
traditionally been important for infrastructure operations to maintain security,
resolve problems, and perform resource planning.
Now, as a result of technological advances and the ubiquity of the Internet,
organizations increasingly are seeking not just visibility but real-time
feedback about their business systems to more effectively engage their
customers. Essentially, traffic monitoring is evolving from a tool to manage
network operations to a tool for achieving smart business agility that can
materially affect the revenue of the business. In addition to out-of-band traffic
monitoring, migration to 40/100/400Gbps in aggregation and core network
infrastructure is presenting new challenges for inline traffic monitoring at the
perimeter of the network.
The following are the data broker controller modes:
• Centralized: The controller is deployed on a VM, server or bare metal
outside the Test Access Point (TAP) aggregation switches. In this
mode, the controller can support a multi-switch TAP aggregation
topology.
• Embedded: The controller is deployed on the TAP aggregation switch
using a guest shell. In this mode, the controller can only be used as a
single switch deployment.
• Nexus Dashboard: The controller will be supported as an application
on Cisco Nexus Dashboard.
• Cisco ACI: The controller will be supported as an application on Cisco
ACI APICs.
Using Cisco Nexus Dashboard Data Broker controller software and Cisco
Nexus switches, Cisco provides a new software-defined approach for
monitoring both out-of-band and inline network traffic.
Figure 2-20 illustrates the Cisco Nexus Dashboard and Nexus Dashboard
Data Broker.
Figure 2-20 Cisco Nexus Dashboard and Nexus Dashboard Data
Broker
Cisco Nexus Dashboard Data Broker with Cisco Nexus switches provides a
software-defined, programmable solution to aggregate copies of network
traffic using Switched Port Analyzer (SPAN) or network TAP for monitoring
and visibility. As opposed to traditional network taps and monitoring
solutions, this packet-brokering approach offers a simple, scalable, and cost-
effective solution that is well-suited for customers who need to monitor
higher-volume and business-critical traffic for efficient use of security,
compliance, and application performance-monitoring tools.
The flexibility to use a variety of Cisco Nexus switches, and to interconnect
them into a scalable topology, makes it possible to aggregate traffic from
multiple input TAP or SPAN ports and to replicate and forward it to multiple
monitoring tools, which may be connected to different switches. Combining
the Cisco plug-in for OpenFlow with the Cisco NX-API agent to communicate
with the switches, Cisco Nexus Dashboard Data Broker provides advanced
features for traffic management.
Cisco Nexus Dashboard Data Broker provides management support for
multiple disjointed Cisco Nexus Data Broker networks. You can manage
multiple Cisco Nexus Data Broker topologies that may be disjointed using
the same application instance. For example, if you have three data centers and
want to deploy an independent Cisco Nexus Data Broker solution for each
data center, you can manage all three independent deployments using a single
application instance by creating a logical partition (network slice) for each
monitoring network.
Using Cisco Nexus 9000 platform switches, customers can build a high-
density, 10/25/40/100/400Gbps visibility infrastructure. The Cisco Nexus
switches form the Nexus Dashboard Data Broker (NDDB) switches, which
connect to the production network to aggregate the copy traffic using TAP
and SPAN methods. The aggregated traffic is filtered and redirected to tools,
as per configuration.

Automated SPAN Configuration in Production Network
NetOps/SecOps teams can onboard production switches in Cisco Nexus
Dashboard Data Broker and automate SPAN destination and monitoring
session configurations on them. This allows administrators to manage and
monitor copy traffic from source to destination from a single pane of glass.
The following can be automated from the controller:
• Configuring interfaces on the production switch connected to a Data
Broker switch as a SPAN destination
• Configuring SPAN sessions on the production switch using one or
more source ports or VLANs
• Redirecting SPAN traffic to monitoring tools connected to the Data
Broker switches
The production network can be any of the following:
• Cisco NX-OS standalone fabric
• Cisco ACI fabric
• Cisco Enterprise Network

Note
Cisco NX-API needs to be enabled on the TAP aggregation
switches as a prerequisite for the controller to automate SPAN
configuration.
Figure 2-21 illustrates SPAN Automation–enabled networks.
Figure 2-21 SPAN Automation–enabled networks
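The three automated steps above (SPAN destination port, monitoring session, redirection) reduce, on an NX-OS production switch, to a short block of configuration delivered over NX-API. The following Python is an added example, not Cisco Nexus Dashboard Data Broker code: it generates the NX-OS SPAN session configuration, validates it (session range, at least one source, destination not also a source), and wraps it in the NX-API JSON-RPC batch format. Interface names, the session number and the switch address are assumptions chosen for illustration.

```python
"""Generate a local SPAN session for a production NX-OS switch and wrap it
in the NX-API JSON-RPC batch format.

Added example, not Cisco Nexus Dashboard Data Broker code. Interface
names, the session number and the switch address are assumptions chosen
for illustration; the JSON-RPC envelope (method "cli", POST to /ins) is
the documented NX-API request format.
"""
import json
import re
from typing import Dict, Iterable, List

IFACE_RE = re.compile(r"^(Ethernet|port-channel)\d+(/\d+)*$")
VLAN_RE = re.compile(r"^vlan \d+$")


def span_session_cli(session_id: int, sources: Iterable[str],
                     destination: str) -> List[str]:
    """Return NX-OS config lines for one local SPAN session.

    sources     : interface names such as "Ethernet1/1", or "vlan 10"
    destination : the interface cabled to the Data Broker switch
    """
    sources = list(sources)
    if not 1 <= session_id <= 32:                # NX-OS local SPAN range
        raise ValueError("session id must be 1..32")
    if not sources:
        raise ValueError("at least one SPAN source is required")
    if not IFACE_RE.match(destination):
        raise ValueError(f"bad destination interface: {destination}")
    if destination in sources:
        # A port cannot be both source and destination of the same session.
        raise ValueError("destination cannot also be a source")

    lines = [
        f"interface {destination}",
        "switchport",
        "switchport monitor",          # required on a SPAN destination port
        "no shutdown",
        f"monitor session {session_id}",
    ]
    for src in sources:
        if IFACE_RE.match(src):
            lines.append(f"source interface {src} both")
        elif VLAN_RE.match(src):
            lines.append(f"source {src} both")
        else:
            raise ValueError(f"bad SPAN source: {src}")
    lines.append(f"destination interface {destination}")
    lines.append("no shut")            # sessions are created shut by default
    return lines


def nxapi_jsonrpc(commands: Iterable[str]) -> List[Dict]:
    """Wrap CLI lines as an NX-API JSON-RPC batch; one object per command."""
    return [
        {"jsonrpc": "2.0", "method": "cli",
         "params": {"cmd": cmd, "version": 1}, "id": i}
        for i, cmd in enumerate(commands, start=1)
    ]


def push(switch: str, user: str, password: str,
         commands: Iterable[str], ca_bundle: str) -> dict:
    """POST the batch to https://<switch>/ins with TLS verification.

    `requests` is a third-party library assumed to be installed. Pass the
    CA bundle that signed the switch certificate; do not set verify=False.
    """
    import requests
    resp = requests.post(
        f"https://{switch}/ins",
        auth=(user, password),
        headers={"Content-Type": "application/json-rpc"},
        data=json.dumps(nxapi_jsonrpc(commands)),
        verify=ca_bundle,
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    cli = span_session_cli(1, ["Ethernet1/1", "Ethernet1/2", "vlan 10"],
                           "Ethernet1/48")
    print("\n".join(cli))
    print(json.dumps(nxapi_jsonrpc(cli), indent=2))
```

The switch must have `feature nxapi` enabled before `push()` can reach it, which is the prerequisite the Note above states. Because the NX-API credentials can rewrite any part of the switch configuration, keep them in a dedicated, least-privileged user role and pin the switch certificate rather than disabling verification.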

Cisco Application Centric Infrastructure (ACI) Integration
Cisco Nexus Dashboard Data Broker integrates with Cisco Application
Centric Infrastructure (Cisco ACI) fabric through the Cisco Application
Policy Infrastructure Controller (APIC) to push SPAN configuration on Cisco
ACI leaf switches and set up SPAN sessions in Cisco ACI to monitor traffic.
You can perform all these configurations through Nexus Dashboard Data
Broker’s web-based GUI.
This integration eliminates the need for the user to separately configure
SPAN sessions or the copy function in the APIC. Data Broker supports the
following functions through the web GUI and REST API:
• Setting up Cisco ACI leaf ports as SPAN sources and destinations for
access SPAN.
• Setting up Cisco ACI EPG SPAN by configuring Cisco Nexus Data
Broker switch ports as ERSPAN tunnel destinations.
• Configuring SPAN sessions on Cisco ACI using leaf ports or EPGs as
SPAN sources without logging in to the APIC.
• Automatically synchronizing SPAN session information periodically
with the APIC.
• Updating SPAN sessions automatically based on EPG port association
changes. With this feature, the motion of the endpoint VMs on the
hypervisors can be tracked for visibility.
• Redirecting SPAN traffic to monitoring tools connected to the Data
Broker on Cisco Nexus switches.
The Cisco Nexus Dashboard Data Broker performs all these configurations
through the APIC REST interface. Figure 2-22 illustrates Cisco Nexus
Dashboard Data Broker with Cisco ACI.

Figure 2-22 Cisco Nexus Dashboard Data Broker with Cisco ACI
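What the APIC REST interface receives for an access SPAN session is a managed-object subtree rooted at `uni/infra`; the same single-subtree shape, wrapped in an IMDATA envelope, is what the Pre-Change Analysis upload described at the start of this section expects. The following Python is an added example, not Cisco NDDB or APIC code: it builds that subtree for a source group and its destination group, wraps it as IMDATA, and runs a simple pre-change check that the destination port is not also a source. Pod, node and port IDs and the group names are assumptions for illustration; the class names are the access-SPAN classes under `uni/infra`.

```python
"""Build the APIC managed-object subtree for an access SPAN session and
the IMDATA envelope that carries it.

Added example, not Cisco NDDB or APIC code. Pod, node and port IDs, the
group names and the check logic are assumptions for illustration; the
class names used (spanSrcGrp, spanSrc, spanRsSrcToPathEp, spanSpanLbl,
spanDestGrp, spanDest, spanRsDestPathEp) are the access-SPAN classes that
live under uni/infra.
"""
import json
from typing import List, Tuple

Port = Tuple[int, int, str]   # (pod, node, port), e.g. (1, 101, "eth1/5")


def path_ep(pod: int, node: int, port: str) -> str:
    """Fabric path DN of a leaf port: topology/pod-1/paths-101/pathep-[eth1/5]."""
    return f"topology/pod-{pod}/paths-{node}/pathep-[{port}]"


def access_span_subtree(src_grp: str, dest_grp: str, sources: List[Port],
                        dest: Port, direction: str = "both") -> dict:
    """One subtree rooted at uni/infra that creates the source group, its
    sources, the destination group and the label that binds them."""
    if direction not in ("in", "out", "both"):
        raise ValueError("direction must be in, out or both")
    src_children = [
        {"spanSrc": {
            "attributes": {"name": f"src{i}", "dir": direction},
            "children": [{"spanRsSrcToPathEp":
                          {"attributes": {"tDn": path_ep(*s)}}}]}}
        for i, s in enumerate(sources, start=1)
    ]
    # The span label names the destination group the sources feed.
    src_children.append({"spanSpanLbl": {"attributes": {"name": dest_grp}}})
    return {"infraInfra": {"attributes": {"dn": "uni/infra"}, "children": [
        {"spanSrcGrp": {"attributes": {"name": src_grp, "adminSt": "enabled"},
                        "children": src_children}},
        {"spanDestGrp": {"attributes": {"name": dest_grp}, "children": [
            {"spanDest": {"attributes": {"name": "to-ndb"}, "children": [
                {"spanRsDestPathEp":
                 {"attributes": {"tDn": path_ep(*dest)}}}]}}]}},
    ]}}


def as_imdata(subtree: dict) -> dict:
    """IMDATA envelope with a single subtree, the shape a Pre-Change
    Analysis upload (and an APIC query response) uses."""
    return {"totalCount": "1", "imdata": [subtree]}


def find_tdns(node: dict, cls: str) -> List[str]:
    """Depth-first collection of tDn values for relation objects of class cls."""
    found = []
    for name, body in node.items():
        if name == cls:
            found.append(body["attributes"]["tDn"])
        for child in body.get("children", []):
            found.extend(find_tdns(child, cls))
    return found


def destination_not_a_source(subtree: dict) -> bool:
    """Pre-change check: a port that is a SPAN destination must not also
    appear as a SPAN source in the same upload."""
    srcs = set(find_tdns(subtree, "spanRsSrcToPathEp"))
    dests = set(find_tdns(subtree, "spanRsDestPathEp"))
    return srcs.isdisjoint(dests)


if __name__ == "__main__":
    tree = access_span_subtree("web-srcs", "ndb-dests",
                               [(1, 101, "eth1/5"), (1, 101, "eth1/6")],
                               (1, 101, "eth1/48"))
    assert destination_not_a_source(tree)
    # POST the bare subtree to https://<apic>/api/mo/uni/infra.json, or
    # upload the envelope to Nexus Dashboard Insights for analysis.
    print(json.dumps(as_imdata(tree), indent=2))
```

Running the check before the POST is the point of Pre-Change Analysis in miniature: the subtree is inspected as data, so a bad change is caught before the APIC renders it onto the leaf switches.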

Cisco DNA Center Integration
The Nexus Dashboard Data Broker (NDDB) controller can push SPAN
configuration onto the access switches in an enterprise network deployment,
including campus and branch locations, through Cisco DNA Center (DNAC). In
the absence of DNAC, the NDDB controller can push SPAN configuration onto
selected switches in the enterprise network by onboarding the switches
individually.
Test Access Point (TAP) or Switched Port Analyzer (SPAN) can be used to
copy traffic from a Cisco Catalyst switch to a Nexus Dashboard Data Broker
switch. Figure 2-23 illustrates enterprise network SPAN automation.
Figure 2-23 Enterprise network SPAN automation

Scalable Traffic Monitoring with Cisco Nexus Dashboard Data Broker Inline Option
Today, with ever-increasing volumes of traffic traversing the WAN and
Internet, 10/25G bandwidth interfaces are no longer sufficient. Organizations
are migrating their aggregation and core infrastructure to
40/100/200/400Gbps and higher. In addition, today’s security needs demand
pervasive monitoring and hence the use of multiple proactive inline security
tools, such as intrusion prevention systems (IPSs), intrusion detection
systems (IDSs), and other web filtering tools, at the perimeter of the network
for strong and layered security.
Because of the high volume of traffic, these security tools/service nodes
themselves can become bottlenecks and single points of failure. To address
these concerns, customers need a solution that can adapt to increasing traffic
volumes, provide flexible connections for both production infrastructure and
inline tools, and provide cost-effective deployment options.
The Cisco Nexus Dashboard Data Broker Inline option allows you to insert
one or more Cisco Nexus 3000 Series or 9300 platform switches in your
production infrastructure to which these security tools (or service nodes) are
connected.
Using the Data Broker software, you can configure redirection policies that
can match specific traffic and redirect it through multiple security tools
before the traffic enters or exits your data center. Cisco’s Data Broker
solution also automatically adapts to failure scenarios by bypassing the
service nodes. It also provides the option to completely bypass all security
tools for any emergency troubleshooting. Figure 2-24 illustrates in-band or
inline monitoring.

Figure 2-24 In-band or inline monitoring


Cisco Nexus Dashboard Data Broker Access Mechanisms
You can access the Cisco Nexus Dashboard Data Broker application through
the web-based GUI or the REST API. The GUI has been redesigned on the
framework and architecture used by Nexus Dashboard and the Nexus
Dashboard services, which lays the foundation for further enhancements and
alignment in the topology view and other screens. Figure 2-25 shows the new
GUI for the Nexus Dashboard Data Broker Dashboard.

Figure 2-25 New GUI for Nexus Dashboard Data Broker Dashboard
Cisco Meraki MX
The Cisco Meraki MX appliances are multifunctional security and SD-WAN
enterprise appliances with a wide set of capabilities to address multiple use
cases—from an all-in-one device. Organizations of all sizes and across all
industries rely on the MX to deliver secure connectivity to hub locations or
multicloud environments, as well as application quality of experience (QoE),
through advanced analytics with machine learning.
The MX is 100% cloud-managed, so installation and remote management are
truly zero touch, making it ideal for distributed branches, campuses, and data
center locations. Natively integrated with a comprehensive suite of secure
network and assurance capabilities, the MX eliminates the need for multiple
appliances. These capabilities include application-based firewalling, content
filtering, web search filtering, SNORT-based intrusion detection and
prevention, Cisco Advanced Malware Protection (AMP), site-to-site Auto
VPN, client VPN, WAN and cellular failover, dynamic path selection, web
application health, VoIP health, and more.
SD-WAN can be easily extended to deliver optimized access to resources in
public and private cloud environments with virtual MX appliances (vMX).
Public clouds supported with vMX include Amazon Web Services (AWS),
Microsoft Azure, Google Cloud Platform, and Alibaba Cloud; private cloud
support is provided through Cisco Network Function Virtualization
Infrastructure Software (NFVIS).
Cisco Enterprise Network Function Virtualization Infrastructure Software
(Cisco Enterprise NFVIS) is Linux-based infrastructure software designed to
help service providers and enterprises dynamically deploy virtualized
network functions, such as a virtual router, firewall, and WAN acceleration,
on a supported Cisco device. There is no need to add a physical device for
every network function, and you can use automated provisioning and
centralized management to eliminate costly truck rolls.
Cisco Enterprise NFVIS provides a Linux-based virtualization layer to the
Cisco Enterprise Network Functions Virtualization (ENFV) solution. Figure
2-26 illustrates the Cisco SD-WAN extensions.
Figure 2-26 Cisco SD-WAN extensions
Highlights of the Meraki MX include the following:
• Advanced quality of experience (QoE) analytics
  • End-to-end health of web applications at a glance across the LAN,
    WAN, and application server.
  • Machine-learned smart application thresholds autonomously applied
    to identify true anomalies based on past behavioral patterns.
  • Monitoring of the health of all MX WAN links, including cellular,
    across an entire organization.
  • Detailed hop-by-hop VoIP performance analysis across all uplinks.
• Agile on-premises and cloud security capabilities informed by
  Cisco Talos
  • Next-gen Layer 7 firewall for identity-based security policies and
    application management.
  • Advanced Malware Protection with sandboxing; file reputation-based
    protection engine powered by Cisco AMP.
  • Intrusion prevention with PCI-compliant IPS sensor using the
    SNORT signature database from Cisco.
  • Granular and automatically updated category-based content filtering.
  • SSL decryption/inspection, data loss prevention (DLP), cloud access
    security broker (CASB), SaaS tenant restrictions, granular app
    control, and file type control.
• Branch gateway services
  • Built-in DHCP, NAT, QoS, and VLAN management services.
  • Web caching accelerates frequently accessed content.
  • Load balancing combines multiple WAN links into a single high-
    speed interface, with policies for QoS, traffic shaping, and failover.
  • Smart connection monitoring provides automatic detection of Layer 2
    and Layer 3 outages and fast failover, including the option of
    integrated LTE Advanced or 3G/4G modems.
• Intelligent site-to-site VPN with Cisco SD-WAN powered by Meraki
  • Auto VPN allows automatic VPN route generation using
    IKE/IKEv2/IPsec setup; runs on physical MX appliances.
  • Virtual instance in public and private clouds.
  • SD-WAN with active-active VPN, policy-based routing, dynamic
    VPN path selection, and support for application-layer performance
    profiles to ensure prioritization of application types that matter.
  • Interoperation with all IPsec VPN devices and services.
  • Automated MPLS to VPN failover within seconds of a connection
    failure.
  • L2TP IPsec remote client VPN included at no extra cost with support
    for native Windows, macOS, iPad, and Android clients.
  • Support for Cisco AnyConnect remote client VPN (AnyConnect
    license required).
• Industry-leading cloud management
  • Unified firewall, switching, wireless LAN, and mobile device
    management through an intuitive web-based dashboard.
  • Template-based settings scale easily from small deployments to tens
    of thousands of devices.
  • Role-based administration, configurable email alerts for a variety of
    important events, and easily auditable change logs.
  • Summary reports with user, device, and application usage details
    archived in the cloud.

Meraki Virtual MX Appliances for Public and Private Clouds
Virtual MX (vMX) is a virtual instance of a Meraki security and SD-WAN
appliance dedicated specifically to providing the simple configuration
benefits of site-to-site Auto VPN for organizations running or migrating IT
services to public or private cloud environments. An Auto VPN tunnel to a
vMX is like having a direct Ethernet connection to a private data center.
Figure 2-27 illustrates an overview of Meraki vMX integration with cloud.

Figure 2-27 An overview of Meraki vMX integration with cloud

Features and Functionality of the vMX Appliance
vMX functions like a VPN concentrator and includes SD-WAN functionality
like other MX devices. For public cloud environments, a vMX is added via
the respective public cloud marketplace and, for private cloud environments,
a vMX can be spun up on a Cisco UCS running NFVIS. Setup and
management in the Meraki dashboard is just like any other MX, including the
following features:
• Seamless cloud migration. You can securely connect branch sites with
a physical MX appliance to resources in public cloud environments in
three clicks with Auto VPN.
• Secure virtual connections. You can extend SD-WAN to public cloud
environments for optimized access to business-critical resources.
• Only a Meraki license is required.
• 500Mbps of VPN throughput. vMX is available in three VPN-
throughput-based sizes (small, medium, and large) to suit a wide range
of use cases.
• Easy deployments, with support for private cloud environments
through Cisco NFVIS and the Meraki dashboard.
Figure 2-28 illustrates Meraki vMX functioning like a VPN concentrator.
Figure 2-28 Meraki vMX functioning like a VPN concentrator

vMX Setup for Microsoft Azure
Refer to the document “vMX Setup Guide for Microsoft Azure” (see the
“References/Additional Reading” section at the end of this chapter) for a
walkthrough of setting up a virtual MX (vMX) appliance in the Azure
Marketplace. After completing the steps outlined in this document, you will
have a virtual MX appliance running in the Azure Cloud that serves as an
Auto VPN termination point for your physical MX devices.

vMX Setup for Google Cloud Platform
Refer to the document “vMX Setup Guide for Google Cloud Platform
(GCP)” (see the “References/Additional Reading” section at the end of this
chapter) for a walkthrough of setting up a virtual MX appliance in the Google
Cloud Marketplace. After completing the steps outlined in this document,
you will have a virtual MX appliance running in Google Cloud that serves as
an AutoVPN termination point for your physical MX devices.

vMX Setup for Alibaba Cloud
Refer to the document “vMX Setup Guide for Alibaba Cloud” (see the
“References/Additional Reading” section at the end of this chapter) for a
walkthrough of setting up a virtual MX appliance in the Alibaba Cloud
Marketplace. After completing the steps outlined in this document, you will
have a virtual MX appliance running in Alibaba Cloud that serves as an Auto
VPN termination point for physical MX devices.

Note
On November 5, 2020, the existing vMX offer on the AWS
Marketplace was discontinued. For any issues that are not
firmware-related, AWS will not provide support for the old
vMX100 offer (as of February 3, 2021).

Summary
Network Insights builds a knowledge base by collecting software and
hardware telemetry data. It has an in-depth understanding of protocols and
features that run on the environment and can correlate and differentiate
between expected versus unexpected behavior. It builds a relationship
between behavior, symptoms, logs, and solutions and can derive root causes
of the problem. A virtual assistant or an automated SME always has your
back.
Network Insights detects any root-cause data-plane issues. It is the industry’s
first detailed end-to-end packet path with information about flow, such as 5-
tuple, latency, tenant, VRF, endpoint groups, packets, drops, and more.
Network Insights provides advisories customized to the customer
environment on maintenance issues that require their immediate attention so
that the end user doesn’t have to plow through oceans of data. You can
troubleshoot across the data center with the help of connected TAC,
notification of known issues, and steps toward fast remediation.

References/Additional Reading
vMX Setup Guide for Microsoft Azure:
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure
vMX Setup Guide for Google Cloud Platform (GCP):
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Google_Cloud_Platform_(GCP)
vMX Setup Guide for Alibaba Cloud:
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Alibaba_Cloud
Chapter 3. Cisco Data Center Solutions for Hybrid Cloud
The applications and data that run today’s businesses aren’t just on-premises
anymore. They’re spread across the entire multicloud domain, in private and
public clouds and in SaaS environments. Your organization may have
embraced this distributed model on purpose or arrived there by default. Either
way, the hybrid cloud has a clear advantage: flexibility. You can move data
and applications where they need to be, quickly and effortlessly.
Because of that flexibility, a hybrid cloud network can also be complicated to
maintain. But by following the principles of simple, seamless hybrid network
management, your business can harness the benefits of hybrid cloud and run
more efficiently.
Cisco is making this possible—and making it easier every day. Imagine one
hybrid cloud platform that provides the automation, observability, and cloud-
native capabilities necessary to keep business, technology, and teams
connected and moving as fast as the market demands. That’s what being
“cloud smart” is about.
Cisco’s hybrid cloud offerings give you flexible consumption for your on-
premises infrastructure so you can optimize workloads across clouds, on-
premises data centers, labs, and co-location facilities for scale, performance,
and agility with great value.
Cisco has a series of innovations across its portfolio of SaaS-delivered
capabilities and cloud-optimized infrastructure to turn its cloud smart vision
into a reality for its customers.
This chapter covers the following solutions:
• Cisco Cloud Application Centric Infrastructure
• Cisco UCS Director
• Cisco Workload Optimization Manager
• Cisco Hyperflex-Intersight

Cisco Cloud Application Centric Infrastructure (Cisco Cloud ACI)
In today’s world, enterprises are undergoing increasing pressure to innovate
rapidly, to keep up with competition, and to increase IT agility to meet
customer demands. To achieve these goals, businesses are choosing different
infrastructure environments for deploying different types of applications.
Some applications may be best suited to be hosted on the premises, whereas
other applications may be best suited to be hosted in a public cloud, and yet
others may benefit from hybrid deployments. In fact, hybrid cloud is
becoming the new normal for many businesses.

Challenges in Hybrid Cloud Environments
In a hybrid cloud environment, it is becoming more and more challenging to
maintain a homogeneous enterprise operational model, comply with
corporate security policies, and gain visibility across hybrid environments.
The following are the main challenges in building and operating a hybrid
cloud environment:
• Automating the creation of secure interconnects between on-premises
and public clouds
• Dealing with the diverse and disjoint capabilities across on-premises
private cloud and public cloud
• Multiple panes of glass to manage, monitor, and operate hybrid cloud
instances
• Inconsistent security segmentation capabilities between on-premises
and public clouds
• Facing the learning curve associated with operating a public cloud
environment
• Inability to leverage a consistent L4–L7 services integration in hybrid
cloud deployments
Cisco Cloud Application Centric Infrastructure (Cisco Cloud ACI) is a
comprehensive solution for simplified operations, automated network
connectivity, consistent policy management, and visibility for multiple on-
premises data centers and public clouds or multicloud environments.
The solution captures business and user intents and translates them into
native policy constructs for applications deployed across various cloud
environments. It uses a holistic approach to enable application availability
and segmentation for bare-metal, virtualized, containerized, or microservices-
based applications deployed across multiple cloud domains. The common
policy and operating model will drastically reduce the cost and complexity of
managing hybrid and multicloud deployments. It provides a single
management console to configure, monitor, and operate multiple disjointed
environments spread across multiple clouds.
The Cisco Cloud ACI solution extends the successful capabilities of Cisco
ACI in private clouds into public cloud environments (AWS, Microsoft
Azure, and Google Cloud). This solution introduces Cisco Cloud
APIC, which runs natively in public clouds to provide automated
connectivity, policy translation, and enhanced visibility of workloads in the
public cloud. This solution brings a suite of capabilities to extend your on-
premises data center into true multicloud architectures, helping to drive
policy and operational consistency regardless of where your applications or
data reside. Figure 3-1 illustrates Cisco Cloud ACI.

Figure 3-1 Cisco Cloud ACI
Cisco Nexus Dashboard offers a centralized management console that allows
network operators to easily access applications needed to perform the
lifecycle management of their fabric for provisioning, troubleshooting, or
simply gaining deeper visibility into their network. It’s a single launch point
to monitor and scale across different fabric controllers, whether it is Cisco
Application Policy Infrastructure Controller (APIC), Cisco Data Center
Network Manager (DCNM), or Cisco Cloud APIC.
The Cisco Nexus Dashboard Orchestrator, which is hosted on the Cisco
Nexus Dashboard, provides policy management, network policy
configuration, and application segmentation definition and enforcement
policies for multicloud deployments. Using the Cisco Nexus Dashboard
Orchestrator, customers get a single view into the Cisco APIC, Cisco DCNM,
and Cisco Cloud APIC policies across AWS, Microsoft Azure, and Google
Cloud environments.
In an on-premises Cisco ACI data center, Cisco Application Policy
Infrastructure Controller (APIC) is the single point of policy configuration
and management for all the Cisco ACI switches deployed in the data center.
When there is a need to seamlessly interconnect multiple Cisco ACI–
powered data centers and selectively extend Cisco ACI constructs and
policies across sites, Cisco Nexus Dashboard Orchestrator is the solution.
Cisco Nexus Dashboard Orchestrator can manage policies across multiple on-
premises Cisco ACI data centers as well as public clouds. The policies
configured from Orchestrator can be pushed to different on-premises Cisco
ACI sites and cloud sites. The Cisco APICs running on premises receive this
policy from Orchestrator and then render and enforce it locally.
When extending Cisco ACI to the public cloud, a similar model applies.
However, public cloud vendors do not understand Cisco ACI concepts such
as endpoint groups (EPGs) and contracts. Orchestrator policies therefore need
to be translated into cloud-native policy constructs. For example, contracts
between Cisco ACI EPGs need to be translated into security groups on AWS
first and then applied to AWS cloud instances.
This policy translation and programming of the cloud environment is
performed using a new component of the Cisco Cloud ACI solution called
Cisco Cloud Application Policy Infrastructure Controller (Cisco Cloud APIC
or Cloud APIC).
The Cisco Cloud ACI solution ensures a common security posture across all
locations for application deployments. The Cisco Cloud APIC translates ACI
policies into cloud-native policy constructs, thus enabling consistent
application segmentation, access control, and isolation across varied
deployment models.
Cisco Cloud APIC runs natively on supported public clouds to provide
automated connectivity, policy translation, and enhanced visibility of
workloads in the public cloud. Cisco Cloud APIC translates all the policies
received from Multi-Site Orchestrator (MSO) and programs them into cloud-
native constructs such as virtual private clouds (VPCs), security groups, and
security group rules.
This new solution brings a suite of capabilities to extend your on-premises
data center into true hybrid cloud architectures, helping drive policy and
operational consistency regardless of where your applications reside. It
provides a single point of policy orchestration across hybrid environments,
operational consistency, and visibility across clouds. Figure 3-2 illustrates
Cisco Cloud ACI capabilities.

Figure 3-2 Cisco Cloud ACI capabilities


Figure 3-2 shows the overall high-level architecture of Cisco Cloud ACI with
Cisco ACI Multi-Site Orchestrator (MSO, since renamed Cisco Nexus
Dashboard Orchestrator) acting as a central policy controller, managing
policies across multiple on-premises Cisco ACI data centers as well as hybrid
environments, with each cloud site being abstracted by its own Cloud APIC.

High-Level Architecture of Cisco Cloud ACI on AWS
An instance of MSO orchestrates multiple independent sites using a
consistent policy model and provides a single pane of glass for centralized
management and visibility. The sites can be either on-premises Cisco ACI
fabric sites with their own site-local APIC clusters or cloud sites in AWS
with Cloud APIC to manage them.
Just as with a normal Cisco ACI multisite architecture, all the sites are
interconnected via a “plain” IP network. There’s no need for IP multicast or
Dynamic Host Configuration Protocol (DHCP) relay. You provide IP
connectivity, and MSO will be responsible for setting up the intersite overlay
connectivity. Figure 3-3 illustrates Cisco Cloud ACI on AWS architecture.

Figure 3-3 Cisco Cloud ACI on AWS architecture


The following are the key building blocks of the Cisco Cloud ACI
architecture:
• An on-premises Cisco ACI site running Cisco ACI software and
equipped with at least one second-generation spine model (EX, FX, C
or GX)
• Cisco Nexus Dashboard Orchestrator (NDO)
• Cisco Cloud APIC
• Intersite connectivity between the on-premises and cloud sites
• Network policy mapping between the Cisco ACI on-premises and
cloud sites

Cisco Nexus Dashboard Orchestrator
In a Cisco ACI multisite architecture, the Cisco Nexus Dashboard
Orchestrator (NDO) is the single pane of glass for management of all the
interconnected sites. It is a centralized place to define all the intersite policies
that can then be published to the individual Cisco ACI sites where the site-
local APICs render them on the physical switches that build those fabrics.
With the Cisco Cloud ACI, NDO’s orchestration functions expand to the
cloud sites. It is responsible for site registration of both on-premises Cisco
ACI data center sites and the cloud sites. It automates the creation of overlay
connectivity between all the sites (on-premises and cloud). Continuing to be
the central orchestrator of intersite policies, NDO publishes policies to on-
premises Cisco ACI data center sites as well as pushes the same policies to
cloud sites in AWS.
It is also capable of instrumenting the policy deployment among different
sites by selectively distributing the policies to only the relevant sites. For
instance, NDO can deploy the web front tier of an application into the cloud
site in AWS while keeping its compute and database tiers in the on-premises
site. Through the NDO interface, network administrators can also regulate the
communication flow between the on-premises site and AWS as required by
applications.
Cisco Cloud APIC on AWS
Cisco Cloud APIC is an important new solution component introduced in the
architecture of Cisco Cloud ACI. It plays the equivalent of APIC for a cloud
site. Like APIC for on-premises Cisco ACI sites, Cloud APIC manages
network policies for the cloud site that it is running on, by using the Cisco
ACI network policy model to describe the policy intent.
Cloud APIC is a software-only solution that is deployed using cloud-native
instruments such as AWS CloudFormation templates. Network and security
policies can be defined locally on the Cloud APIC for the cloud site, or they
can be defined globally on NDO and then distributed to the Cloud APIC.
While the on-premises APIC renders the intended policies onto the Cisco
ACI switches of the site, Cloud APIC renders the policies onto the AWS
cloud network infrastructure.
It accomplishes the task by translating the Cisco ACI network policies to the
AWS-native network policies and uses the AWS-native policy API to
automate the provisioning of the needed AWS-native cloud resources, such
as VPCs, cloud routers, security groups, and security group rules.
The key functionalities of Cloud APIC include the following:
• Providing a northbound REST interface to configure cloud
deployments
• Accepting Cisco ACI Policy Model and other cloud-specific policies
directly or from NDO (formerly MSO)
• Performing endpoint discovery in the cloud site
• Performing Cisco ACI Cloud Policy translation
• Configuring the cloud router’s control plane
• Configuring the data-path between the Cisco ACI fabric and the cloud
site
Cisco Cloud APIC is a microservices-based software deployment of APIC.
Cisco Cloud APIC on AWS is deployed and runs as an Amazon Elastic
Compute Cloud (Amazon EC2) instance using persistent block storage
volumes in Amazon Elastic Block Store (Amazon EBS). The Amazon
Machine Image (AMI) for Cisco Cloud APIC is available in the AWS
Marketplace and uses a bring-your-own-license (BYOL) model.
Like the APIC of an on-premises ACI fabric, Cloud APIC holds only policy
and is not in the data-forwarding path. Any downtime of the Cloud APIC will
not impact network forwarding functionality or performance in the cloud
site. The Amazon EC2 instance of the Cloud APIC takes advantage of the
built-in storage volume redundancy, high availability, and durability of
Amazon EBS.
Upon a failure of the Amazon EC2 instance, Cloud APIC can always be
relaunched and restored to its previous state by rebuilding its configuration
and state from persistent storage, so its functions resume seamlessly.
Therefore, for simplicity and cost effectiveness, Cloud APIC is deployed as a
single Amazon EC2 instance in the initial release of Cisco Cloud ACI on
AWS. In the future, clustering of multiple virtual instances will be
introduced for Cloud APIC to achieve higher scalability and instance-level
redundancy.
Both Cisco ACI and AWS use group-based network and security policy
models. The logical network constructs of the Cisco ACI network policy
model consist of tenants, bridge domains (BDs), bridge-domain subnets,
endpoint groups (EPGs), and contracts. AWS uses slightly different
constructs: user accounts, virtual private cloud (VPC), and security groups,
plus security group rules and network access lists.
Cisco ACI classifies endpoints into EPGs and uses contracts to enforce
communication policies between these EPGs. AWS uses security groups
(SGs) and security group rules for classification and policy enforcement.
Cisco Cloud APIC’s First Time Setup Wizard
The first time you connect to Cisco Cloud APIC UI, the First Time Setup
Wizard automatically kicks off. This wizard helps you configure some of the
Cisco Cloud APIC required settings, such as DNS, the TEP (Tunnel End
Point) pool, the regions to be managed, and IPsec connectivity options.
At the end of the First Time Setup Wizard, Cisco Cloud APIC configures the
AWS infrastructure needed to become fully operational, such as a pair of
Cisco CSR 1000V Series routers. The provisioning of the AWS infrastructure
is fully automated and carried out by Cisco Cloud APIC. After this step, you
will be able to start deploying your Cisco ACI policy on AWS. Figure 3-4
shows the First Time Setup Wizard of Cisco Cloud APIC.
Figure 3-4 First Time Setup Wizard of Cisco Cloud APIC
Registering a Cisco ACI Cloud Site in NDO
Each Cisco Cloud APIC represents a Cisco ACI site. To extend policy across
sites, Cisco ACI uses the Cisco ACI Nexus Dashboard Orchestrator (NDO).
When you register a Cisco Cloud APIC in NDO, it will appear as a new site
and will allow you to deploy existing or new schemas to AWS. NDO ensures
that you specify the required site-specific options, such as subnets and EPG
membership classification criteria, which are different for each site. Figure 3-
5 shows how to register a Cisco ACI cloud site in NDO.
Figure 3-5 Registering a Cisco ACI cloud site in NDO
Cisco Cloud APIC also provides a view of the AWS-native constructs used to
represent the Cisco ACI policy. This allows network administrators to
gradually familiarize themselves with AWS networking constructs. Figure 3-
6 shows the native cloud resources view on the Cloud APIC UI.
Figure 3-6 Native cloud resources view on the Cloud APIC UI
Deploying a Multitier Application in a Hybrid Scenario
To deploy a three-tier application, consisting of Database (DB), App, and
Web tiers, across an on-premises data center and the AWS cloud using Cisco
Cloud ACI integration, you will need to configure a schema on NDO that
represents this policy. It should contain at least one VRF, one application
profile, and three EPGs (one EPG for each tier of the application) as well as
contracts between the tiers.
For example, the App and DB tiers can be deployed on premises and the
Web tier in AWS—or you can use any permutation of this set as you see fit.
Figure 3-7 shows a three-tier application schema on NDO.
Figure 3-7 Three-tier application schema on NDO
The schema can then be associated with the on-premises site and the Cisco
Cloud ACI site. Once the association is made, you define the subnets to be
used for the VRF on AWS. The Cisco Cloud APIC model associates subnets
with the VRF because, in AWS, a VRF is mapped to a VPC and each subnet
is mapped to an availability zone (AZ) inside that VPC. Figure 3-8
illustrates how to deploy an application to on-premises and cloud sites in
AWS.
Figure 3-8 Deploying an application to on-premises and cloud sites in
AWS
Cisco Cloud ACI ensures that the AWS cloud and on-premises ACI are
configured appropriately to allow communication between the App EPG and
the Web EPG residing on AWS. Figure 3-9 illustrates the three-tier
application deployed across on-premises and cloud sites in AWS.
Figure 3-9 Three-tier application deployed across on-premises and
cloud sites in AWS
You can now deploy new Web instances on AWS to accommodate your
needs.
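As an added illustration of the ACI-to-AWS mapping described in the Cloud APIC section (VRF to VPC, EPG to security group, contract to security group rules) and of the three-tier deployment above, the following Python renders a simplified schema into the AWS-native objects Cloud APIC provisions. It is constructed example code, not Cloud APIC's implementation; the site labels, EPG names, subnets, ports and the RevokeDefaultEgress flag are assumptions, and it goes beyond the page's single placement by accepting any tier-to-site permutation.

```python
"""Constructed model of how Cloud APIC maps ACI policy to AWS constructs:
VRF -> VPC, cloud-resident EPG -> security group, contract -> SG rules.
It only builds boto3-style request dictionaries and never calls AWS; all
site labels, names, subnets and ports are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List

ONPREM, AWS = "onprem", "aws"   # constructed site labels

@dataclass(frozen=True)
class Filter:
    protocol: str   # contract filter entry: protocol name ...
    port: int       # ... and destination port

@dataclass
class Epg:
    name: str
    site: str       # ONPREM or AWS
    subnet: str     # bridge-domain subnet (on-prem) or VPC subnet (AWS), CIDR

@dataclass
class Contract:
    name: str
    consumer: str   # EPG that opens connections
    provider: str   # EPG that accepts them
    filters: List[Filter]

@dataclass
class Schema:
    vrf: str
    vpc_cidr: str
    epgs: Dict[str, Epg]
    contracts: List[Contract]

def sg_name(epg: Epg) -> str:
    return f"{epg.name}-sg"

def _permission(f: Filter, peer: Epg) -> dict:
    """One IpPermission for filter f whose other side is `peer`. A peer in AWS
    is referenced by its security group, so the rule follows the instance and
    not its address; an on-prem peer, reached over the IPsec tunnel, can only
    be matched by the CIDR of its bridge-domain subnet."""
    perm = {"IpProtocol": f.protocol, "FromPort": f.port, "ToPort": f.port}
    if peer.site == AWS:
        perm["UserIdGroupPairs"] = [{"GroupName": sg_name(peer)}]
    else:
        perm["IpRanges"] = [{"CidrIp": peer.subnet}]
    return perm

def render_aws(schema: Schema) -> dict:
    """Return the AWS-native objects for the cloud side of the schema.
    On-prem EPGs get no security group; the on-prem APIC renders those."""
    sgs = {}
    for epg in schema.epgs.values():
        if epg.site == AWS:
            sgs[sg_name(epg)] = {
                "GroupName": sg_name(epg),
                "Description": f"ACI EPG {epg.name} in VRF {schema.vrf}",
                # AWS gives every new group an allow-all egress rule. This
                # constructed flag (not an AWS API field) tells the caller to
                # revoke it so the cloud side keeps ACI's allowlist semantics.
                "RevokeDefaultEgress": True,
                "Ingress": [],
                "Egress": [],
            }
    for c in schema.contracts:
        consumer, provider = schema.epgs[c.consumer], schema.epgs[c.provider]
        for f in c.filters:
            if provider.site == AWS:   # provider accepts: ingress on its SG
                sgs[sg_name(provider)]["Ingress"].append(_permission(f, consumer))
            if consumer.site == AWS:   # consumer initiates: egress on its SG
                sgs[sg_name(consumer)]["Egress"].append(_permission(f, provider))
    return {"vpc": {"Name": schema.vrf, "CidrBlock": schema.vpc_cidr},
            "security_groups": sgs}

def overly_broad_rules(rendered: dict) -> List[str]:
    """Audit helper: names of groups holding a rule open to 0.0.0.0/0."""
    return [name for name, sg in rendered["security_groups"].items()
            if any(r["CidrIp"] == "0.0.0.0/0"
                   for perm in sg["Ingress"] + sg["Egress"]
                   for r in perm.get("IpRanges", []))]

def three_tier(web_site: str, app_site: str, db_site: str) -> Schema:
    """The book's Web/App/DB schema with each tier placed on a chosen site."""
    epgs = {"web": Epg("web", web_site, "10.10.1.0/24"),
            "app": Epg("app", app_site, "10.10.2.0/24"),
            "db": Epg("db", db_site, "10.10.3.0/24")}
    contracts = [Contract("web-to-app", "web", "app", [Filter("tcp", 8080)]),
                 Contract("app-to-db", "app", "db", [Filter("tcp", 5432)])]
    return Schema("prod-vrf", "10.10.0.0/16", epgs, contracts)

if __name__ == "__main__":
    import json
    # The page's placement: Web tier in AWS, App and DB tiers on premises.
    print(json.dumps(render_aws(three_tier(AWS, ONPREM, ONPREM)), indent=2))
```

With Web in AWS and App on premises, the only cloud-side rule is an egress entry on the Web group toward the App subnet over TCP/8080; moving App into AWS as well turns that into a group-to-group reference in both directions.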

Cisco UCS Director


Cisco UCS Director focuses on delivering Infrastructure as a Service (IaaS)
through a highly secure, end-to-end management, orchestration, and
automation solution for a wide array of Cisco and non-Cisco data center
infrastructure components. Cisco UCS Director can deliver IaaS for
individual components and for converged infrastructure solutions based on
the Cisco Unified Computing System (Cisco UCS) and Cisco Nexus
platforms.
With Cisco UCS Director, you can manage, automate, and orchestrate your
physical and virtual compute, network, and storage resources. In addition,
through the End User Portal, you can use those infrastructure components to
deploy the desired virtual machines to support applications in cloud
environments. To support this functionality, Cisco UCS Director enables you
to do the following:
• Manage and support heterogeneous data centers that include compute,
network, storage, and virtualization resources from multiple vendors.
• Provision physical and virtual compute, Layer 4–7 network services,
and storage resources.
• Create and implement single and multitier application profiles.
• Define application containers that describe a set of tiers that include
physical and/or virtual compute resources, their connectivity policy,
and their communication policy. You can further define those
application containers with network services, such as load balancing
and firewalls, across these tiers.
• Establish secure multitenant environments so that users, whether
internal to your company or external, can work only within the secure
constraints of their own resource pool. With the policies and user roles
that you establish, your users can view, manage, and use only the
infrastructure components appropriate for their roles.
• Automate the IT processes necessary to accomplish infrastructure
provisioning and decommissioning using a role and policy-based
model that limits administrator and user capabilities.
• Implement a process-oriented approach to infrastructure orchestration
that automates the processes you define using built-in workflows or
customized workflows created from Cisco UCS Director task library or
from tasks you create yourself.
• Implement metering, chargeback, and showback features so your
organization can be properly compensated for the IT services you
provide.
Cisco UCS Director connects all the elements of the data center
infrastructure, including the users and the physical and virtual infrastructures.
You can provision, configure, monitor, and automate your data center
management, along with Cisco UCS Director REST API or Open
Automation Framework, to extend the out-of-the-box functionality. Figure 3-
10 provides an overview of the Cisco UCS Director System.
Figure 3-10 Cisco UCS Director System Overview
Infrastructure Configuration and Management
Cisco UCS Director extends the unification of compute, network,
virtualization, and storage layers and provides comprehensive visibility into
the data center infrastructure.
Cisco UCS Director can be a single appliance to manage all your
infrastructure by communicating with the domain managers or domain
controllers. This central management capability enables operations teams to
configure, administer, manage, and monitor supported Cisco and non-Cisco
physical and virtual compute, network, and storage components.
Cisco UCS Director provides out-of-the-box integration with virtual and
physical components, including the following:
• Hypervisors, such as VMware vSphere, Microsoft Hyper-V, and
Red Hat KVM
• Compute servers and devices, such as Cisco UCS, HP, and Dell servers
• Network devices, such as Cisco Nexus and Brocade
• Storage components, such as NetApp, EMC, and IBM Storwize
• Hyperconverged storage solutions, such as VMware Virtual SAN
(VSAN)
Figure 3-11 illustrates systems and hypervisors supported by UCS Director.
Figure 3-11 Systems and hypervisors supported by UCS Director
Cisco UCS Director is supported by a broad, well-established ecosystem.
Third-party hardware and solution vendors support the platform using a
publicly available SDK with open southbound application programming
interfaces (APIs) that are downloadable. The SDK contains all of the required
APIs and management functions for the third-party hardware or solution to be
added into the Cisco UCS Director management model. Similarly, the
northbound API is supported by the broader Cisco UCS ecosystem of
DevOps and IT operations management (ITOM) tools, meaning you can
transition to the cloud using existing tools as you adopt new automation and
continuous delivery processes.
Cisco UCS Management Through Cisco UCS Director
Cisco UCS Director is not a replacement for Cisco UCS Manager. Rather,
Cisco UCS Director uses orchestration to automate some of the steps required
to configure a Cisco UCS domain. In this way, Cisco UCS Director provides
a statistical analysis of the data and a converged view of each pod.
After you add a Cisco UCS domain to Cisco UCS Director as a Cisco UCS
Manager account, Cisco UCS Director provides you with complete visibility
into the Cisco UCS domain. In addition, you can use Cisco UCS Director to
manage and configure that Cisco UCS domain.
Cisco UCS Management Tasks You Can Perform in Cisco UCS Director
You can use Cisco UCS Director to perform management, monitoring, and
reporting tasks for physical and virtual devices within a Cisco UCS domain.
Configuration and Administration
You can create and configure the following Cisco UCS hardware and
software components in Cisco UCS Director:
• Fabric interconnects, including ports
• Chassis, blade servers, and rack-mount servers, including auto-
discovery
• I/O modules and fabric extenders (FEXes)
• Network connections
• Storage connections
• Pools
• Policies
• Service profiles
Monitoring and Reporting
You can also use Cisco UCS Director to monitor and report on your Cisco
UCS domains and their components, including:
• Power consumption
• Temperature
• Server availability
• Service profile association
Table 3-1 details the UCS Director orchestration components.
Table 3-1 UCS Director Orchestration Components
Orchestration and Automation
Cisco UCS Director provides model-based orchestration through workflows.
These workflows can include complex logic, can be imported into or
exported from Cisco UCS Director, and can be configured to resume from the
point of last failure. You can also include advanced orchestration features that
provide agility, such as rollback of workflows, and enable you to automate
the provisioning and de-provisioning of resources. This functionality is
possible because Cisco UCS Director is model-aware and state-aware.
Cisco UCS Director enables you to build workflows that provide automation
services and to publish those workflows and extend their services on demand.
The Workflow Designer is a drag-and-drop orchestration editor that includes
a large library of out-of-the-box workflow tasks and workflows.
Depending on your business needs, you can use or modify the out-of-the-box
workflows and workflow tasks, or you can develop your own custom
workflows or workflow tasks. Custom workflow tasks can use CloupiaScript,
a JavaScript-like scripting language, REST APIs, or PowerShell cmdlets. In
the workflows, you can combine your custom tasks with out-of-the-box
generic tasks.
You may embed approvals inside a workflow to ensure that resources are not
provisioned until they have been approved. Once built and validated, these
workflows perform the same way every time, no matter who runs them or
where they are run.
Infrastructure as a Service
Cisco UCS Director delivers Infrastructure as a Service (IaaS) for both virtual
and physical infrastructure. With Cisco UCS Director, you can create an
application container template that defines the infrastructure required for a
specific application or how a customer or business unit is expected to use that
application. Cisco UCS Director helps IT teams to define the rules for the
business’s infrastructure services:
• Either you can first onboard tenants and then define the boundaries of
the physical and virtual infrastructure that they can use, or you can
allow your onboarded tenants to define the infrastructure boundaries.
• Create policies, orchestration workflows, and application container
templates in Cisco UCS Director that define the requirements for a
specific type of application that can be used by a tenant, such as a web
server, database server, or generic virtual machine (VM).
• Publish these templates as a catalog in the End User Portal.
Users can go to the End User Portal, select the catalog that meets their needs,
and make a service request for that particular application or VM. Their
service request triggers the appropriate orchestration workflow to allocate the
required infrastructure and provision the application or VM.
If the service request requires approvals, Cisco UCS Director sends emails to
the specified approver(s). Once the service request is approved, Cisco UCS
Director assigns the infrastructure to those users, creating a virtual machine if
necessary, and doing the base configuration, such as provisioning the
operating system. You can also configure an orchestration workflow to ask
questions before allowing a user to choose a catalog item. Here are some
points to keep in mind:
• You can configure the workflow to ask the user what type of
application they plan to run and automatically select a catalog for them
based on the answers to those questions.
• The end user does not have to worry about whether to request a
physical server or a VM, what kind of storage they require, or which
operating system to install. Everything is predefined and prepackaged
in the catalog.
For example, you can create policies, orchestration workflows, and an
application container template for an SAP application that uses a minimum
level of infrastructure, requires approvals from a director in the company, and
has a chargeback to the department. When an end user makes a service
request in the End User Portal for that catalog item, Cisco UCS Director does
the following:
1. Sends an email to the director, who is the required approver.
2. When the approval is received, Cisco UCS Director creates a VM in the
appropriate pod with four CPUs, 10GB of memory, and 1TB of storage.
3. Installs an operating system (OS) on the VM.
4. Notifies the end user that the VM is available for them to use.
5. Sets up the chargeback account for the cost of the VM.
With the available APIs from Cisco UCS Director, you can also script custom
workflows to pre-install the SAP application in the VM after the OS is
installed.
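The following Python is an added, constructed model of the SAP catalog request above and of the resume-from-last-failure and rollback behaviour described under Orchestration and Automation. It is not UCS Director's engine, task library or CloupiaScript API; the task names, context keys, the "fail_os_install" switch and the dictionary used as a state store are assumptions.

```python
"""Constructed model of the orchestration behaviour the text describes: a
workflow of ordered tasks, each with a compensating (rollback) action, whose
state is persisted after every task so a failed service request resumes from
the point of last failure. An illustration only, not UCS Director's engine,
its task library or its CloupiaScript API."""
import json
from dataclasses import asdict, dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Task:
    name: str
    run: Callable[[dict], None]        # performs the step, mutating ctx
    rollback: Callable[[dict], None]   # undoes the step

class ApprovalRequired(Exception):
    """The step needs a human approval that has not been recorded yet."""

@dataclass
class WorkflowState:
    completed: List[str] = field(default_factory=list)
    failed: Optional[str] = None
    ctx: dict = field(default_factory=dict)   # must stay JSON-serialisable

class Workflow:
    def __init__(self, tasks: List[Task], store: Dict[str, str]):
        self.tasks = tasks
        self.store = store   # persisted state; a dict stands in for a database

    def _load(self, sr_id: str, initial_ctx: Optional[dict]) -> WorkflowState:
        raw = self.store.get(sr_id)
        if raw is None:
            return WorkflowState(ctx=dict(initial_ctx or {}))
        d = json.loads(raw)
        return WorkflowState(d["completed"], d["failed"], d["ctx"])

    def _save(self, sr_id: str, state: WorkflowState) -> None:
        self.store[sr_id] = json.dumps(asdict(state))

    def update_ctx(self, sr_id: str, **values) -> None:
        """Record external input (e.g. an approval) for a pending request."""
        state = self._load(sr_id, None)
        state.ctx.update(values)
        self._save(sr_id, state)

    def run(self, sr_id: str, initial_ctx: Optional[dict] = None,
            rollback_on_failure: bool = False) -> WorkflowState:
        state = self._load(sr_id, initial_ctx)
        # Resume after the last completed task instead of starting over, so a
        # retried request never provisions the same VM twice.
        for task in self.tasks[len(state.completed):]:
            try:
                task.run(state.ctx)
            except Exception as exc:
                state.failed, state.ctx["error"] = task.name, str(exc)
                if rollback_on_failure:
                    self._rollback(state)
                self._save(sr_id, state)
                return state
            state.completed.append(task.name)
            state.failed = None
            state.ctx.pop("error", None)
            self._save(sr_id, state)
        return state

    def _rollback(self, state: WorkflowState) -> None:
        """Undo completed tasks in reverse order so no resources stay stranded."""
        by_name = {t.name: t for t in self.tasks}
        for name in reversed(state.completed):
            by_name[name].rollback(state.ctx)
        state.completed.clear()

def sap_workflow(store: Dict[str, str]) -> Workflow:
    """The book's SAP catalog request as tasks with compensating actions."""
    def wait_for_approval(ctx):
        if not ctx.get("approved"):
            raise ApprovalRequired("awaiting director approval (email sent)")

    def create_vm(ctx):   # the sizing the text gives for the SAP catalog item
        ctx["vm"] = {"cpus": 4, "memory_gb": 10, "storage_tb": 1, "os_installed": False}
        ctx["vm_create_count"] = ctx.get("vm_create_count", 0) + 1

    def install_os(ctx):
        if ctx.get("fail_os_install"):   # constructed failure switch for demos
            raise RuntimeError("OS image unreachable")
        ctx["vm"]["os_installed"] = True

    noop = lambda ctx: None
    return Workflow([
        Task("wait_for_approval", wait_for_approval, noop),
        Task("create_vm", create_vm, lambda ctx: ctx.pop("vm", None)),
        Task("install_os", install_os, noop),   # undone by deleting the VM
        Task("notify_user", lambda ctx: ctx.update(notified=True), noop),
        Task("setup_chargeback", lambda ctx: ctx.update(chargeback="dept-account"),
             lambda ctx: ctx.pop("chargeback", None)),
    ], store)
```

A request that stops at the approval gate is re-run unchanged once the approval is recorded, and a request that fails after the VM exists either resumes at the failed step without creating a second VM or, with rollback enabled, releases the VM before returning.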
Cisco UCS Director enables you to automate a wide array of tasks and use
cases across a wide variety of supported Cisco and non-Cisco hardware and
software data center components, including physical infrastructure
automation at the compute, network, and storage layers. A few examples of
the use cases that you can automate include, but are not limited to, the
following:
• VM provisioning and lifecycle management
• Network resource configuration and lifecycle management
• Storage resource configuration and lifecycle management
• Tenant onboarding and infrastructure configuration
• Application infrastructure provisioning
• Self-service catalogs and VM provisioning
• Bare-metal server provisioning, including installation of an operating
system
For each of the processes that you decide to automate with orchestration
workflows, you can choose to implement the processes in any of the
following ways:
• Use the out-of-the-box workflows provided with Cisco UCS Director.
• Modify the out-of-the-box workflows with one or more of the tasks
provided with Cisco UCS Director.
• Create your own custom tasks and use them to customize the out-of-
the-box workflows.
• Create your own custom workflows with custom tasks and the out-of-
the-box tasks.
Beginning with version 6.6, Cisco UCS Director can be claimed as a
managed device in Intersight, so usage data, license usage, and so on can be
collected. UCS Director administrators can update UCS Director southbound
connectors that are used to communicate with supported devices, including
networking and storage platforms, during a maintenance window for rapid
delivery of new features and functionality. This will enable users to leverage
endpoint capabilities and APIs faster through UCS Director by enabling the
update of device libraries. Figure 3-12 illustrates Cisco UCS Director
Intersight integration.
Figure 3-12 Cisco UCS Director Intersight integration
The benefits of SaaS and CI/CD (continuous integration/continuous delivery)
can be achieved by claiming on-premises UCS Director instances in
Intersight. Once these are claimed, the traditional on-premises software is
transformed into a secure hybrid SaaS setup that delivers ongoing new
capabilities:
• Automatic downloads of software enhancement upgrades, bug fixes,
and updates for the following:
• UCS Director Base Platform Pack
• System Update Manager
• Infrastructure-specific Connector Packs (EMC storage, F5 load
balancers, Red Hat KVM)
• Enhanced problem resolution with Cisco Support through Intersight
• Proactive notifications and streamlined “one-click” diagnostics
collection
Figure 3-13 illustrates Cisco UCS Director Intersight integration benefits.
Figure 3-13 Cisco UCS Director Intersight integration benefits
UCS Director–specific dashboard widgets can be added to provide useful
summary information for the following:
• Instance summary
• Service status summary
• Last backup status
• Trends for last 10 backups
Figure 3-14 shows the UCS Director dashboard widgets in Intersight.
Figure 3-14 UCS Director dashboard widgets in Intersight
It is possible for an Intersight workflow to call a UCSD workflow, if desired,
which can allow an organization to gradually migrate to Intersight as the
primary orchestrator. However, the UCS Director and Intersight workflows
are not compatible, and they cannot be directly imported from UCS Director
into Intersight.
With Cisco ACI, you can create application infrastructure containers that
contain the appropriate network services as well as support infrastructure
components for each respective application. Figure 3-15 illustrates UCS
Director integration with ACI.
Figure 3-15 UCS Director integration with ACI
The following are the business benefits of Cisco UCS Director and Cisco
ACI integration:
• Cisco UCS Director and Cisco ACI integrate through native tasks and
prebuilt workflows.
• This integration supports IaaS with three main features:
• Secure multitenancy
• Rapid application deployment
• Self-service portal
Secure Multitenancy
The integrated solution provides consistent delivery of infrastructure
components that are ready to be consumed by clients in a secured fashion.
Here are some key points concerning secure multitenancy:
• The solution optimizes resource sharing capabilities and provides
secure isolation of clients without compromising quality of service
(QoS) in a shared environment.
• To provide IaaS, secure multitenancy reserves resources for exclusive
use and securely isolates them from other clients.
• Cisco ACI supports multitenancy by using Virtual Extensible LAN
(VXLAN) tunnels internally within the fabric, inherently isolating
tenant and application traffic.
• Cisco UCS Director manages the resource pools assigned to each
container. Only Cisco supports secure multitenancy that incorporates
both physical and virtual resources.
Rapid Application Deployment
The combination of Cisco UCS Director and Cisco ACI enhances your
capability to rapidly deploy application infrastructure for you and your
clients. With the increasing demands of new applications and the elastic
nature of cloud environments, administrators need to be able to quickly
design and build application profiles and publish them for use by clients.
Cisco UCS Director, in conjunction with Cisco ACI, gives you the ability to
quickly meet the needs of your clients. Here are some key points concerning
rapid application deployment:
• Cisco UCS Director interacts with Cisco ACI to automatically
implement the networking services that support applications. In Cisco
UCS Director, you can specify a range of Layer 4 through Layer 7
networking services between application layers that are deployed with
a zero-touch automated configuration model.
• You can dynamically place workloads based on current network
conditions so that service levels are maintained at the appropriate
level for the applications being supported by the client.
• You can use resource groups to establish tiers of resources based on
application requirements, including computing, networking, and
storage resources, with varying levels of performance. For example, a
bronze level of service might be used for developers and include
resources such as thin-provisioned storage and virtualized computing
resources. In contrast, a gold level of service might be used for
production environments and include thick-provisioned storage and
bare-metal servers for performance without compromise.
• After your resources and services are deployed, you can monitor your
application infrastructure with real-time health scores, dynamically
reconfigure your network if necessary to meet your performance goals,
and obtain resource consumption information that can be used for
charging clients.
• Cisco UCS Director in conjunction with Cisco ACI also provides
complete application infrastructure lifecycle management, returning
resources to their respective free pools and eliminating stranded
resources.
Self-Service Portal
After you have defined or adopted a set of application profiles, you can make
them available to clients in a service catalog visible in the self-service portal.
Your clients can log in to Cisco UCS Director’s self-service portal, view the
service catalog published by your organization, and order the infrastructure as
desired.
The application profiles you define can be parameterized so that clients can
provide attributes during the ordering process to customize infrastructure to
meet specific needs.
For example, clients can be allowed to specify the number of servers
deployed in various application infrastructure tiers or the amount of storage
allocated to each database server. After your clients have placed their orders,
they can monitor the status of application infrastructure orders, view the
progress of application infrastructure deployment, and perform lifecycle
management tasks.
Cisco Workload Optimization Manager
Data centers and applications are getting more complex and distributed. The
result is a dizzying array of monitoring, orchestration, and management
solutions that have not been able to ensure workload performance. In
addition, applications are becoming more distributed and complex as
enterprises build them on containers and microservices in multicloud
environments. The ability to continuously deliver application performance
while minimizing costs is critical. It enables development teams to innovate
and run applications efficiently. It ensures that end users and customers have
great digital experiences. It drives revenue. However, workload management
is now so complex that it is moving beyond human capabilities.
Cisco Workload Optimization Manager (CWOM) is a real-time decision
engine that drives continuous health in the IT environment. Its intelligent
software constantly analyzes workload consumption, costs, and compliance
constraints. It ensures application performance by giving workloads the
resources they need, when they need them. Figure 3-16 illustrates today’s
workload management.
Figure 3-16 Today’s workload management
Cisco Workload Optimization Manager is an easy-to-install, agentless
technology that detects relationships and dependencies between the
components in your environment, from applications through the
infrastructure layers. Within one hour of deployment, Cisco Workload
Optimization Manager delivers a global topological mapping of your
environment (local and remote, and across private and public clouds) and the
interdependent relationships within the environment, mapping each layer of
the full infrastructure stack to application demand. Figure 3-17 illustrates
closed-loop infrastructure optimization using CWOM.
Figure 3-17 Closed-loop infrastructure optimization using CWOM
Cisco Workload Optimization Manager provides specific real-time actions
that ensure workloads get the resources they need when they need them,
enabling continuous placement, resizing, and capacity decisions that can be
automated, driving continuous health in the environment. Once Cisco
Workload Optimization Manager is deployed, you connect to your browser of
choice, add the license key, and select your targets. After you have selected
your targets, you then add IP addresses, usernames, and password credentials.
Targets include hypervisors, cloud platforms, applications, storage, network,
and more. Cisco Workload Optimization Manager uses these targets to
discover your environment and determine the specific actions that will drive
continuous health in your environment.
Create More Effective Teams
Cisco Workload Optimization Manager enables your application and IT team
to ensure application performance on virtual machine or container platforms
without the need for IT involvement. Integration with ServiceNow workflows
enables agility and speed without relinquishing control. Your teams have the
freedom to create application environments quickly and efficiently, so your
IT staff can focus on strategic business initiatives. Cisco Workload
Optimization Manager application resource management works with the
industry’s top platforms, including VMware vSphere, OpenStack, Citrix
XenServer, and Microsoft Hyper-V hypervisors as well as Kubernetes,
Red Hat OpenShift, and Cloud Foundry, to create self-managing and
optimized container environments that can do the following:
• Minimize human intervention
• Enable automated scheduling of pods to ensure performance
• Provide intelligent cluster scaling to reduce outages
• Ensure full-stack control to unite DevOps teams and infrastructure
Optimize Your Multicloud Environment
Cisco Workload Optimization Manager can ensure application performance
across your data centers and into public clouds. The software does the
following:
• Automates workload placement, scaling, and capacity to ensure
performance while maximizing efficiency
• Quickly models what-if scenarios based on the real-time environment
to accurately forecast capacity needs
• Continuously ensures performance for VMware Horizon virtual
desktop users
• Tracks, reports, and views trends for compute, storage, and database
consumption metrics, such as CPU, memory, IOPS, latency, and
database transaction unit (DTU), across regions and zones
Optimize Public Cloud Costs
Performance cost optimization takes into account your Microsoft Azure and
Amazon Web Services (AWS) subscriptions to better utilize these resources
in the following ways:
• Scale down AWS instances or Azure virtual machines, storage tiers,
and database tiers, reducing costs without impacting performance
• Understand advanced reserved instance (RI) calculations to both
purchase new RIs (coverage) and efficiently use existing RIs
(utilization)
• Identify ghost and unattached storage instances
• Suspend or terminate unused instances
• Project actual cost of workloads by calculating compute, licensing
(OS), IP address, and storage costs
• Aggregate monthly bills across services, regions, accounts, specific
workloads, and lines of business
Optimize Hyperconverged Workloads
Cisco Workload Optimization Manager works with many third-party
solutions to ensure your applications get the resources they need. However,
its deep integration with the entire Cisco environment greatly enhances your
Cisco deployments to optimize your data centers. It helps you safely
maximize cloud elasticity in Cisco UCS server environments and Cisco
HyperFlex systems to gain better performance and efficiency. With Cisco
Tetration network awareness, you can confidently re-platform to application
architectures that have increased network complexity. Cisco CloudCenter
can help you intelligently deploy new workloads anywhere, anytime. Cisco
Workload Optimization Manager optimizes initial cloud placement for
performance, cost, and compliance. Figure 3-18 illustrates CWOM meeting
changing demands.
Figure 3-18 CWOM meeting changing demands
Ensure Application Performance
Application awareness with AppDynamics metrics complements Cisco
Workload Optimization Manager and enables you to do the following:
• Continuously ensure application performance and eliminate application
performance risk due to infrastructure
• Show your IT organization’s value to the business when infrastructure-
resource decisions are directly tied to the performance of business-
critical applications
• Bridge the application-infrastructure gap with full-stack control that
elevates teams and provides a common understanding of application
dependencies
• Accelerate and de-risk application migration with a holistic
understanding of application topology, resource utilization, and the
data center stack
Figure 3-19 illustrates CWOM meeting AppDynamics.
Figure 3-19 CWOM meeting AppDynamics
Cisco AppDynamics and Cisco Workload Optimization Manager provide
complete visibility and insight into application and infrastructure
interdependencies and business performance. The result is application-aware
IT infrastructure that is continuously resourced to deliver business objectives.
Figure 3-20 illustrates the CWOM and AppDynamics benefits.
Figure 3-20 CWOM and AppDynamics benefits
Cisco Workload Optimization Main Features
Workload Optimization Manager continuously analyzes workload
consumption, costs, and compliance constraints and automatically allocates
resources in real time. It helps ensure performance by giving workloads the
resources they need, when they need them. When fully automated, the self-
managing platform promotes a continuous state of health in the environment
by making placement, scaling, and capacity decisions in real time. It
empowers data center and cloud operators to focus on innovation—on
bringing new products and services to market that promote digital
transformation.

Target Integration
A target is a service that performs management in your virtual environment.
Workload Optimization Manager uses targets to monitor workloads and to
perform actions in your environment. The target configuration specifies the
ports that Workload Optimization Manager uses to connect with these
services. You must install Workload Optimization Manager on a network that
has access to the specific services you want to set up as targets. For each
target, Workload Optimization Manager communicates with the service
through the management protocol that it exposes: the Representational State
Transfer (REST) API, Storage Management Initiative Specification (SMI-S),
XML, or some other management transport mechanism. Workload
Optimization Manager uses this communication to discover the managed
entities, monitor resource utilization, and perform actions.
Use the steps that follow to configure target integration:
Step 1. In the New User interface, click Try It Now. Another login page will
open.
Step 2. Enter a username and password to log in.
Figure 3-21 shows the CWOM login page.

Figure 3-21 CWOM login page
Step 3. Click Settings and select Target Configuration (see Figure 3-22).
Figure 3-22 CWOM Target Configuration
You are now ready to add targets.

View Your Global Environment


When you log in to Workload Optimization Manager after setup, the Home
page is the first view you see. By default, the Home page gives you a global
view of your environment. From the Home page, you can do the following:
• Use the Supply Chain Navigator to set the Home page focus and see
details about your environment.
• Display an overview of your environment’s supply chain.
• Display an overview and details about the entities in your environment.
• Navigate to other areas of Workload Optimization Manager, including:
    • Search: Set the session scope.
    • Plan: Plan deployments and model what-if scenarios.
    • Place: Place a consumer on a different provider.
    • Settings: Configure Workload Optimization Manager.
• Whenever you are in a Workload Optimization Manager session, you
can always click the Cisco Home icon to return to the Home page.
Figure 3-23 illustrates CWOM Global Environment view.

Figure 3-23 CWOM Global Environment view


Automate Actions
The visibility into the entities that exist in your environment and the
relationships among them underlies Workload Optimization Manager’s core
value: real-time decision automation in the data center and cloud. To make
the right placement, scaling, and capacity decisions, the platform needs to
understand the entire environment. Workload Optimization Manager models
your environment as a market of buyers and sellers linked together in a
supply chain. This supply chain represents the flow of resources—from the
data center, through the physical tiers of your environment, to the virtual tier,
and to the cloud. By managing relationships between these buyers and sellers,
Workload Optimization Manager provides closed-loop management of
resources—from the data center through to the application. You see the
supply chain and use detail across entities, and the platform sees what needs
to be done to achieve continuous health in the environment.
Workload Optimization Manager actions can be implemented manually (with
a mouse click) by an operator, on command (for example, based on a change
management process), or automatically as events arise. Users can define the
level of automation by action type and at multiple levels of detail; for
example, you can automate actions for individual virtual machines, for a
cluster, or for a data center.
To configure the level of automation for actions, use the steps that follow.
Step 1. In the Home menu, select Actions.
Step 2. Click to check the box for the entity for which you want to automate
the action (for example, select a virtual machine).
Step 3. Click Configure Automation.
Figure 3-24 illustrates CWOM automation.
Figure 3-24 CWOM automation
Step 4. On the Setup Automation screen, open the Action Type menu and
choose a type. Workload Optimization Manager performs many
general types of actions, such as the following:
Provision: Add resource capacity, usually by adding an entity.
Decommission: Stop, suspend, or remove an entity.
Place: Place a consumer on a different provider.
Right size: Change the allocation of resources for an entity.
Step 5. Choose the scope and the action execution level.
Figure 3-25 shows CWOM automation execution.

Figure 3-25 CWOM automation execution


Step 6. Click Save.

Plan for the Future


Workload Optimization Manager can simulate certain scenarios in the
environment before the changes are implemented. It uses the same underlying
common data model (the supply chain market) for both real-time
performance assurance and simulation. This unique capability helps ensure
that simulations can be performed seamlessly in the environment and that
real-time workload resource demands and infrastructure resource availability
are taken into account. Table 3-2 details the plan types in Cisco Workload
Optimization Manager.
Table 3-2 Plan Types in Cisco Workload Optimization Manager
Set Policies and Service Level Agreements
Typically, in data center environments, tiers of resources are made available
for various groups. By creating policies to match applications to the
appropriate resources, organizations can help ensure that lower-tier
applications are not using very costly resources. Workload Optimization
Manager provides the capability to create and customize policies, enabling you to set
the way that Workload Optimization Manager analyzes resource allocation,
displays resource status, and displays or performs actions. Figure 3-26 shows
the CWOM settings detailed in the following list:

Figure 3-26 CWOM settings


• Groups: Groups assemble collections of resources for Workload
Optimization Manager to monitor and manage.
• User Management: As an administrator, you can specify accounts that
grant specific users access to Workload Optimization Manager.
• Budget Management: A budget group specifies the monthly
expenditure you want to devote to keeping your workload on the
public cloud.
• Updates: You can check Cisco Workload Optimization Manager
version details and the availability of more recent versions.
• Maintenance Options: You can configure HTTP proxy, export state,
configuration files, and logging levels.
• Templates: You can view a variety of templates, including virtual
machine, Cisco UCS, and public cloud templates.
• License: You can view the total number of host licenses, license features
in use, and license expiration dates.

Cisco Intersight Workload Optimizer


Cisco Intersight Workload Optimizer is another consumption model for
CWOM. Cisco Intersight Workload Optimizer offers the same capabilities as
today’s CWOM on-premises offering in a SaaS model. Customers interested
in workload optimization capabilities can purchase the CWOM standalone
version and, if they choose, can transition to the SaaS-based Intersight
Workload Optimizer offering.
Cisco Intersight Workload Optimizer is available as an option with Cisco
Intersight. It extends the capabilities of Cisco Intersight with multidomain
visibility across the full stack of applications and infrastructure, from on-
premises to the cloud. The Cisco Intersight Workload Optimizer analytics
engine matches real-time workload demand to the underlying infrastructure
supply. The supply includes public cloud, virtual machines, containers, third-
party hardware, and Cisco infrastructure resources.
The optimization functionality is engineered for limitless scale and true SaaS
multitenancy. It is architected to enable scaling to support the entirety of
Cisco’s UCS and Hyperflex portfolio and third-party systems. Finally, it is a
singular platform with common credentials, common accounting, and a
common user experience.
Cisco Intersight Workload Optimizer, when combined with AppDynamics,
correlates business, application-performance, and infrastructure metrics to
provide full-stack visibility and common data for a single source of truth.
Cisco Intersight Workload Optimizer applies machine intelligence to drive
automation of physical and virtual resources. It dynamically optimizes the
infrastructure in a cost-effective manner while ensuring the user experience.
This enables a top-to-bottom closed-loop system—all the way from the
business logic, across a hybrid cloud, to DIMMs on a server or links on a
network.

Cisco Hyperflex – Intersight


The “new normal” is causing most IT departments to work remotely. Even
when organizations determine they are ready to resume admitting staff onsite,
IT operations are going to look different. You still need the ability to manage
and support your infrastructure remotely, and you’ll want a simple,
convenient, and secure way to do that. Cisco has been on the forefront of
empowering teams to work from anywhere, through innovative systems
management and support capabilities designed to meet the needs of more
than 14,000 Cisco data center customers—a number that is rapidly growing.
A cloud-based management platform provides unified access to applications
and to infrastructure monitoring, configuration, and orchestration, which
helps reduce IT management complexity and unify the deployment and
management of many edge devices. Cisco Intersight is a Software as a
Service (SaaS) hybrid cloud operations platform that delivers intelligent
automation, observability, and optimization to customers for traditional and
cloud-native applications and infrastructure. It supports Cisco Unified
Computing System (Cisco UCS) and Cisco Hyperflex hyperconverged
infrastructure, other Intersight-connected devices, third-party Intersight-
connected devices, cloud platforms and services, and other integration
endpoints. Because it’s a SaaS-delivered platform, Intersight functionality
increases and expands with weekly releases. Figure 3-27 shows the Cisco
Intersight login page.

Figure 3-27 Cisco Intersight login page


With Intersight, you get all the benefits of SaaS delivery and full lifecycle
management of distributed infrastructure and workloads across data centers,
remote sites, branch offices, and edge environments. This empowers you to
analyze, update, fix, and automate your environment in ways that were not
previously possible. As a result, your organization can achieve significant
total cost of ownership (TCO) savings and deliver applications faster in
support of new business initiatives.
For Cisco infrastructure, the Intersight platform works in conjunction with
Cisco UCS Manager, Cisco Integrated Management Controller (IMC), and
Cisco Hyperflex Connect. In addition, Intersight integrates with third-party
storage, cloud services, virtualization, and container platforms. You can
simply associate a model-based configuration to provision servers and
associated storage and fabric automatically, regardless of form factor. Using
profiles, IT staff can consistently align policy, server personality, and
workloads. These policies can be created once and used to simplify server
deployments, resulting in improved productivity and compliance as well as
lower risk of failures due to inconsistent configuration. In addition, Cisco
provides integrations to third-party operations tools, starting with
ServiceNow, to allow customers to use their existing solutions more
efficiently. Figure 3-28 illustrates Cisco Intersight Management as a Service
(MaaS).
Figure 3-28 Cisco Intersight MaaS

Deployment Options
Cisco Intersight is a SaaS-delivered cloud operations platform with the
flexibility of advanced deployment options. You can take advantage of new
features as they become available from Cisco without the challenges and
complexity of maintaining your management tools. The majority of Cisco
users enjoy the benefits of SaaS; however, if you have data locality or
security needs for managing systems that may not fully meet a SaaS
management model, you can leverage the Cisco Intersight Virtual Appliance
software on your premises to connect your servers through Intersight.com.
Alternatively, the Cisco Intersight Private Virtual Appliance provides an easy
way to deploy a VMware Open Virtual Appliance (OVA), which can be
configured, deployed, and run off-premises. The Private Virtual Appliance
allows you to still take advantage of much of the SaaS functionality without
connectivity back to Intersight.com. Both the Intersight Virtual Appliance
and Private Virtual Appliance provide advantages over conventional on-
premises management tools.

Benefits of Using Cisco Intersight


The following list and Figure 3-29 explain some of the customer benefits of
Cisco Intersight:
• Reduces complexity and manual effort to deploy, maintain, and
upgrade Cisco Intersight–connected devices
• Delivers proactive support and Return Materials Authorizations
(RMAs) through tight integration with Cisco Technical Assistance
Center (TAC)
• Shifts the burden of building, maintaining, and securing your
management environment to Cisco
• Learns and evolves to deliver greater capabilities and improved
insights to help you proactively manage your environment
• Is fully programmable and can be integrated with third-party systems
and tools
• Can add workload optimization and Kubernetes services seamlessly
• Has a choice of deployment options
Figure 3-29 Cisco Intersight Customer benefits
Figure 3-30 illustrates Cisco Intersight seamless scalability.

Figure 3-30 Cisco Intersight seamless scalability
Figure 3-31 illustrates Cisco Intersight Device Connector.
Figure 3-31 Cisco Intersight Device Connector

Hyperconverged Infrastructure (HCI): Hyperflex


Hyperflex is Cisco’s hyperconverged infrastructure (HCI) platform.
Hyperflex systems combine software-defined storage and data services
software with Cisco UCS (Unified Computing System), a converged
infrastructure system that integrates computing, networking, and storage
resources to increase efficiency and enable centralized management.
Cisco Hyperflex systems with Intel Xeon Scalable processors deliver
hyperconvergence with power and simplicity for any application, anywhere.
Engineered with Cisco UCS technology and managed through the Cisco
Intersight cloud operations platform, Cisco Hyperflex systems can power
your applications and data anywhere, optimize operations from your core
data center to the edge and into public clouds, and increase agility by
accelerating DevOps practices.
In today’s world, this adaptable platform acts as your on-premises and edge
infrastructure that complements and integrates with the workloads you deploy
into public clouds. Tight integration with Cisco Intersight cloud operations
platform enables full lifecycle management of your workloads wherever you
want to deploy them—locally, at the edge, and into the cloud. With
management hosted in the cloud, you have access to unlimited deployment
locations and scale.
Cisco Hyperflex systems help you bridge the gap by providing the IT
capabilities you need to thrive in an always-on world:
• App-centric platform: You can deliver any app, to any location, at
any scale, both predictably and securely. Cisco’s infrastructure
provides cloud-like resource delivery that complements what you get
from the cloud, so you can differentiate your services from the
competition.
• Cloud operations platform: A cloud operating model helps you
manage distributed operations at scale—from physical and virtual
infrastructure deployment to workload placement and resource
optimization based on real-time analysis of application performance.
With true IT as a Service, your business can deliver more applications
in more locations.
• Adaptable infrastructure: An open, futureproof infrastructure
supports your applications. A hyperconverged application platform is
optimized to deliver cloud-native apps as microservices. Traditional
application hosting supports both VMware vSphere and Microsoft
Windows Server Hyper-V virtual machines. Together, these
capabilities support the DevOps processes your teams are embracing
and open the door to more growth opportunities.
Figure 3-32 illustrates Cisco Hyperflex systems supporting the data center
core, cloud, and edge.
Figure 3-32 Cisco Hyperflex systems supporting the data center core,
cloud, and edge
Cisco UCS provides a single point of connectivity and hardware management
that integrates Cisco Hyperflex nodes into a single unified cluster. The
system is self-aware and self-integrating so that when a new component is
attached, it is automatically incorporated into the cluster. Rather than
requiring you to configure each element in the system manually through a
variety of element managers, every aspect of a node’s personality,
configuration, and connectivity is set through management software. You can
choose the combination of CPU, flash memory, graphics acceleration, and
disk storage resources you need to deliver an optimal infrastructure for your
applications. Also, incremental scalability allows you to start small and scale
up and out as your needs grow. Figure 3-33 illustrates Cisco Hyperflex
systems architecture.

Figure 3-33 Cisco Hyperflex systems’ architecture


Deploying Hyperflex Anywhere with Intersight
With Intersight, you can deploy and manage all your Hyperflex clusters from
anywhere. The new Hyperflex Installer makes it easy to deploy clusters
automatically.
The new Hyperflex Installer for Intersight is consumed as a service,
eliminating the need for an on-premises infrastructure, along with the lengthy
download and setup of a static virtual installer appliance. The intuitive wizard
includes reusable policies for rapid and consistent deployment. Figure 3-34
compares Cisco Hyperflex on-prem installer and Intersight.

Figure 3-34 Cisco Hyperflex on-prem installer versus Intersight


Hyperflex cluster profiles can be cloned and then executed on-demand for
fast and easy scaling. There are three levels of built-in validation to ensure
the deployment runs smoothly from start to finish. Intersight is always up to
date, securing the latest features and improvements to the platform
automatically without any user intervention. Figure 3-35 shows Cisco
Intersight Hyperflex cluster profiles.

Figure 3-35 Cisco Intersight Hyperflex cluster profiles


Figure 3-36 shows Cisco Intersight Hyperflex policy management.
Figure 3-36 Cisco Intersight Hyperflex policy management
Once deployment is complete, you can seamlessly launch Hyperflex Connect
in context from Intersight to drill down for more detailed monitoring and
analysis. All these capabilities are available in Cisco Intersight Base, so they
are included for free with every Hyperflex cluster!
A major pain point for traditional hyperconverged infrastructure (HCI)
offerings is how to deploy at scale. In the old operational model, HCI
appliances are typically shipped to a staging site, partially checked and
configured, boxed up, shipped to the final site, and then installed by skilled
IT administrators who help set up the solution on site. Figure 3-37 shows
some of the benefits of Cisco Intersight Hyperflex.

Figure 3-37 Cisco Intersight Hyperflex benefits
With Intersight, this model is completely transformed. The Hyperflex
appliances can be shipped directly to the final site, bypassing the expensive
and complex staging process. The gear is racked, connected to power and the
network, and then all appliances automatically connect to Intersight and are
securely claimed. The rest of the deployment can now be completed by the
centralized IT staff. It is all done remotely and from anywhere. To top it all
off, the Hyperflex Installer for Intersight can run multiple deployment jobs in
parallel, enabling quick ramp-up of even the largest HCI projects.
Cisco can now deliver deployment and lifecycle management benefits at
scale as well as deliver this remotely from the cloud. In addition to this,
Hyperflex Edge and Intersight also allow ROBO and edge customers to do
the following:
• Meet aggressive cost envelopes for infrastructure deployment at scale
for edge and branch locations
• Deploy clusters as small as two nodes and up to four nodes—a form
factor that fits the needs of edge sites
• Drive data resiliency without the expense (through industry-leading
innovations around an invisible cloud-based witness resident in
Intersight)
• Simplify operations through centralized lifecycle management and
actionable intelligence from Intersight
Figure 3-38 illustrates Cisco Intersight Innovations for Hyperflex.

Figure 3-38 Cisco Intersight Innovations for Hyperflex

Cisco Intersight Workload Engine at a Glance


Cisco Intersight Workload Engine (IWE) is a next-generation private cloud
architecture for modern cloud-native workloads. With Cisco IWE, customers
no longer need to cobble together open source distributions, excessive
virtualization licenses, multiple management panes, and disparate hardware
to support their enterprise service applications on the premises. The seamless
integration of Cisco Intersight, Intersight Workload Engine, Intersight
Kubernetes Service, and Hyperflex Data Platform (HXDP) eliminates the
complexity and risk associated with integration at different layers of the
infrastructure and application. This makes the cloud-native journey for
enterprise applications faster, more predictable, and more cost-effective.
Customers also get full stack support SLAs from Cisco’s industry-leading
Technical Assistance Center (TAC) teams.
The Intersight Workload Engine provides the software infrastructure to run
Intersight Kubernetes Service either virtualized or on bare-metal servers in a
Cisco Hyperflex cluster. The result is a ready-to-consume Kubernetes
Containers as a Service (CaaS) platform that balances the need for increased
application release velocity with the traditional IT needs for reduced cost and
complexity. It is a fully integrated solution that supports every infrastructure
layer needed to support modern microservices-based applications—from the
physical layer to the software stack. Figure 3-39 illustrates Cisco IWE full
stack integration.

Figure 3-39 Cisco IWE full stack integration

Benefits
The Intersight Workload Engine (IWE) is used to create and operate a cluster
of UCS servers. The IWE OS is installed and runs on those servers, and IWE
contains all the software needed to operate the IWE cluster, including the
operating system, hypervisor, clustering software, and storage software. The
following list explains some of the benefits of using IWE:
• Simplify operations: Address any application workload with an all-in-
one integrated platform, including hypervisor, operating system,
Kubernetes clustering, and storage.
• Unify VM and container management: Manage clusters from the
cloud using one control point for upgrades, capacity expansion, repairs,
and security with Cisco Intersight Cloud Operations Platform.
• Reduce costs: Utilize infrastructure efficiently with a purpose-built
hypervisor without adding the cost of third-party virtualization
solutions.
• Intersight Kubernetes Service integration: Automate balancing and
optimization according to Kubernetes best practices.
• Full-stack cloud management: Simplify Day 2 upgrades and enable
faster resolution of issues with full stack visibility.

Key Features
The IWE management UI and equivalent APIs are used to deploy and
manage your cluster, including cluster lifecycle tasks such as upgrades,
expansion, repair, security patching, and software or firmware upgrades.
Your app or DevOps teams can use your IWE clusters to run the Cisco
Intersight Kubernetes Service (IKS) and manage Kubernetes clusters. The
following list mentions some features of IWE:
• Fully automated installer integrated in Cisco Intersight
• Operating system software maintained in Cisco Intersight repositories
and automatically deployed on Intersight Workload Engine nodes
• Hypervisor with support for features like VM scheduling, VM
migration, and CPU oversubscription
• Clustering software deployed with multiple control nodes to deliver
system resiliency
• Automatically configured resilient network connectivity and
segmented virtual networking for separation of system, user, and
storage traffic
• Persistent enterprise storage based on Cisco Hyperflex deployed within
Intersight Workload Engine nodes
• Unified Intersight management, including inventory viewing,
monitoring, and alerting at the node, storage, and VM levels
• Connected TAC and secure access shells for cluster administration and
support
• Node maintenance mode to allow for the replacement of defective
node components

Summary
Application innovation is at the heart of the digital economy. A new era of
apps is redefining what data centers are and need to be capable of supporting.
Today, the data center is no longer a fixed place. It exists wherever data is
created, processed, and used. “Enterprises should be able to deploy
applications based on the needs of their business, not the limitations of their
technology,” according to Roland Acra, senior vice president and general
manager of the Data Center Business Group at Cisco. “Customers want to
deploy applications and manage data across a range of diverse platforms,
from on-premises to cloud-based. That is why we are taking the ‘center’ out
of the data center. Today, Cisco is helping our customers expand their reach
into every cloud, every data center, and every branch.”
ACI Anywhere and Hyperflex Anywhere are the major innovations that
remove data center boundaries.
With Cisco Workload Optimization Manager, data center operators can
deliver differentiated performance while making the best use of the
environment. When used in combination with Cisco UCS Manager and Cisco
UCS Director, it can help organizations achieve elastic computing with cloud
economics. Full automation can empower data center operators to focus on
innovation: to deliver new products and services that enable the digitization
of their organization and provide competitive advantage for their business.
References/Additional Reading
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/unified-computing/cwom-setup.pdf
Part 2: Cisco Applications and Workload Management
Chapter 4. Application, Analytics, and Workload Performance Management with AppDynamics
Monitor, correlate, analyze, and act on application and business performance
data in real time with AppDynamics.
This chapter covers the following topics:
• What is AppDynamics?
• Application Monitoring
• End User Monitoring
• Database Visibility
• Infrastructure Visibility
• Analytics
• Monitoring Cloud Applications
• Cloud monitoring using AppDynamics Cloud

What Is AppDynamics?
Cisco AppDynamics is an Application Performance Management (APM)
solution that enhances application performance and visibility in the
multicloud world. Cisco AppDynamics can help your organization make
critical, strategic decisions. It uses artificial intelligence (AI) to solve
application problems and prevent them from occurring in the future, and it

enhances the visibility into your IT architecture.

Note
This book will not cover deployment of AppDynamics. It will only
focus on key concepts and fundamentals of AppDynamics without
going into configuration details.

AppDynamics Concepts
The AppDynamics APM platform enables management and monitoring of
your application delivery ecosystem, ranging from mobile/browser client
network requests to backend databases/servers and more. This global view
across your application landscape allows you to quickly navigate through the
distributed application into the call graphs and exception reports generated on
individual hosts.

User Interface
AppDynamics provides a tenant to collect, store, analyze, and baseline the
performance data collected by agents as well as a user interface (UI) to view
and manage the information. You access the AppDynamics Tenant UI
through a URL that uses your account name. Each tenant has a distinct set of
users, reporting agents, and application-monitoring configurations.
AppDynamics can host one or more accounts, where each account represents
one tenant. The AppDynamics cloud-based Software as a Service (SaaS)
deployment is a multi-tenant environment that allows you to access multiple
tenants independently.

Note What Is a Tenant?


Each AppDynamics customer account is a tenant of the
AppDynamics cloud-based SaaS platform. AppDynamics can host
one or more accounts, where each account represents one tenant.
The tenant collects, stores, analyzes, and baselines performance
data collected by agents. The SaaS deployment is a multi-tenant
environment that allows you to access multiple tenants
independently. You can manage users through the Tenant UI.
Once everything is set up, you can add user accounts, allowing
other users to access the UI and configure AppDynamics.

Application Performance Monitoring


At the tier level, AppDynamics provides a view of the runtime operation of
your code via an AppDynamics app server agent. The agent detects calls to a
service entry point at the tier and follows the execution path for the call
through the call stack. It sends data about usage metrics, code exceptions, exit
calls to backend systems, and error conditions to your tenant. Figure 4-1
illustrates application performance monitoring in AppDynamics.

Figure 4-1 Application performance monitoring


Most application environments contain more than one application server.
They may contain distributed, interconnected servers and processes that
participate in fulfilling a given user request. In this context, AppDynamics
tracks transactions across distributed, heterogeneous services.
Infrastructure Visibility with Database Visibility
For greater visibility into your application delivery environment, you can add
AppDynamics Database Visibility to the deployment. App agents provide
information about calls to backend databases, including errors and call
counts. The Database Visibility module extends your visibility into the
workings of the database server itself by providing you with information
about query execution and performance with an agentless profile.
AppDynamics Infrastructure Visibility contributes to your view of the data
center by adding valuable information on the performance of the machines
and networks in your environment. Figure 4-2 illustrates Infrastructure
Visibility with Database Visibility in AppDynamics.
Figure 4-2 Infrastructure Visibility with Database Visibility
In this deployment, the database agent collects information from the database
servers and sends it to the tenant, which persists some of that information in
the Events Service. Database Analytics features may use the Events Service,
which is the document storage component of the platform that AppDynamics
has optimized for searching and storing high volumes of information.
Note
A database agent is a standalone Java program that collects
performance metrics about your database instances and database
servers. You can view these performance metrics in the Metric
Browser of the AppDynamics Controller UI.

End User Monitoring for Client Experience


While server-side monitoring provides insight into the end user’s experience
with application performance and suggests performance improvements to the
server, end-user monitoring extends those insights from the initial client
request to the client device response. AppDynamics End User Monitoring
(EUM) allows you to collect the information about where your requests are
coming from, what devices/channels your users are using, and your code
performance once deployed on your users’ devices. Additionally,
AppDynamics provides you with the visibility you need to investigate mobile
crashes by displaying stack traces and other contextual data at the time of the
crash and tying that to the business transaction data from the server.

Business iQ and Analytics for Business Impact


How does the overall performance of your application environment affect
your business? Business iQ, powered by AppDynamics Analytics, helps you
understand how the performance of your application environment and end-
user applications ties to the business data of the transactions. It lets you sort,
order, and understand the data that composes the business transactions. It also
enables you to drill into the varieties of log data that your environment
generates. See Using Analytics Data
(https://docs.appdynamics.com/appd/21.x/21.3/en/analytics/using-analytics-
data) for information about how to install and use AppDynamics Analytics.

Use Metrics
A metric is a particular class of measurement, state, or event in the monitored
environment. Many defaults relate to the overall performance of the
application or business transaction, such as request load, average response
time, and error rate. Others describe the state of the server infrastructure, such
as percentage CPU busy and percentage of memory used.
Agents register the metrics they detect with the tenant. They then report
measurements or occurrences of the metrics (depending on the nature of the
metric) to the tenant at regular intervals. You can view metrics using the
Metric Browser in the Tenant UI.
An information point is a particular type of metric that enables you to report
on how your business (as opposed to your application) is performing. For
example, you could set up an information point to total the revenue from the
purchase on your website of a specific product or set of products. You can
also use information points to report on how your code is performing; for
example, how many times a specific method is called and how long it is
taking to execute.
You can create extensions that use the machine agent to report custom
metrics that you define. These metrics are baselined and reported in the
tenant, just like the built-in AppDynamics metrics. As an alternative to using
the Tenant UI, you can access metrics programmatically with the
AppDynamics APIs.

Baselines and Thresholds


The AppDynamics platform uses both self-learned baselines and configurable
thresholds to help identify application issues. A complex, distributed
application has many performance metrics, and each metric is important in
one or more contexts. In such environments, it is difficult to do the following:
• Determine the values or ranges that are normal for a particular metric.
• Set meaningful thresholds on which to base and receive relevant alerts.
• Determine what is a “normal” metric when the application or
infrastructure undergoes change.
For these reasons, anomaly detection based on dynamic baselines or
thresholds is one of the essential features of the AppDynamics platform.
The AppDynamics platform automatically calculates dynamic baselines for
your metrics, defining what is “normal” for each metric based on actual
usage. Then the platform uses these baselines to identify subsequent metrics
whose values fall outside this normal range. Static thresholds that are tedious
to set up and, in rapidly changing application environments, error-prone are
no longer needed.
You can create health rules with conditions that use baselines, allowing you
to trigger alerts or kick off other types of remedial actions when performance
problems are occurring or may be about to happen. See Alert and Respond
(https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-
essentials/alert-and-respond) and Health Rules
(https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-
essentials/alert-and-respond/health-rules) and Dynamic Baselines
(https://docs.appdynamics.com/appd/21.x/21.3/en/application-
monitoring/business-transactions/business-transaction-performance/dynamic-
baselines).
AppDynamics thresholds help you to maintain service level agreements
(SLAs) and ensure optimum performance levels for your system by detecting
slow, very slow, and stalled transactions. Thresholds provide a flexible way
to associate the right business context with a slow request to isolate the root
cause.

Health Rules, Policies, and Actions


AppDynamics uses dynamic baselining to establish what is considered
normal behavior for your application automatically. Then you can set up
health rules against those standard baselines (or use other health indicators) to
track non-optimal conditions. A health rule might be, for example, to create a
critical event when the average response time is four times slower than the
baseline.
Policies allow you to connect such problematic events (such as the health
rule critical event) with actions that trigger alerts or remedial behavior,
addressing the system’s issues long before your users are affected.
AppDynamics supplies default health rules. You can customize the default
health rules and create new rules specific to your environment.
The out-of-the-box health rules test business transaction performance as
follows:
• Business Transaction response time is much higher than normal:
Defines a critical condition as the combination of an average response
time higher than the default baseline by three standard deviations and a
load greater than 50 calls per minute. This rule defines a warning
condition as the combination of an average response time higher than
the default baseline by two standard deviations and a load greater than
100 calls per minute.
• Business Transaction error rate is much higher than normal:
Defines a critical condition as the combination of an error rate greater
than the default baseline by three standard deviations and an error rate
higher than ten errors per minute and a load greater than 50 calls per
minute. This rule defines a warning condition as the combination of an
error rate greater than the default baseline by two standard deviations
and an error rate greater than five errors per minute and a load greater
than 50 calls per minute.
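The two default health rules above can be expressed as a small evaluator. The following Python is an added example, not code from the book or from AppDynamics: the baseline is a plain mean and standard deviation over constructed per-minute samples, standing in for the dynamic baselines AppDynamics learns (an assumption, since the text does not specify the baseline algorithm), and the thresholds are exactly the ones the rules state. It also shows the edge case practitioners most often miss: a slow minute under light load does not trip either rule because the load term fails.

```python
"""Evaluate the two out-of-the-box business-transaction health rules against a learned baseline.

Added example. Assumption: mean/pstdev over constructed history stands in for the
dynamic baselines that AppDynamics learns from actual usage.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Sequence


@dataclass(frozen=True)
class Baseline:
    """'Normal' for one metric: the mean and standard deviation of past samples."""
    mean: float
    stdev: float

    def exceeds_by(self, value: float, sigmas: float) -> bool:
        """True when value lies more than `sigmas` standard deviations above the mean."""
        return value > self.mean + sigmas * self.stdev


def learn_baseline(samples: Sequence[float]) -> Baseline:
    """Derive a baseline from historical samples (constructed history below)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to learn a baseline")
    return Baseline(mean(samples), pstdev(samples))


def response_time_rule(avg_rt_ms: float, calls_per_min: float, baseline: Baseline) -> str:
    """'Business Transaction response time is much higher than normal'.
    Critical: > baseline + 3 stdev and load > 50 calls/min.
    Warning:  > baseline + 2 stdev and load > 100 calls/min."""
    if baseline.exceeds_by(avg_rt_ms, 3) and calls_per_min > 50:
        return "critical"
    if baseline.exceeds_by(avg_rt_ms, 2) and calls_per_min > 100:
        return "warning"
    return "normal"


def error_rate_rule(errors_per_min: float, calls_per_min: float, baseline: Baseline) -> str:
    """'Business Transaction error rate is much higher than normal'.
    Critical: > baseline + 3 stdev, > 10 errors/min and load > 50 calls/min.
    Warning:  > baseline + 2 stdev, > 5 errors/min and load > 50 calls/min."""
    if baseline.exceeds_by(errors_per_min, 3) and errors_per_min > 10 and calls_per_min > 50:
        return "critical"
    if baseline.exceeds_by(errors_per_min, 2) and errors_per_min > 5 and calls_per_min > 50:
        return "warning"
    return "normal"


# Constructed history: ten quiet minutes of a "Login" business transaction.
RT_HISTORY_MS = [100, 110, 90, 105, 95, 100, 110, 90, 105, 95]   # mean 100, stdev ~7.07
ERR_HISTORY_PER_MIN = [2, 3, 2, 4, 3, 2, 3, 4, 2, 3]              # mean 2.8, stdev ~0.75


def evaluate_minute(avg_rt_ms: float, errors_per_min: float, calls_per_min: float) -> dict:
    """Evaluate one minute of metrics against baselines learned from the history above."""
    rt_baseline = learn_baseline(RT_HISTORY_MS)
    err_baseline = learn_baseline(ERR_HISTORY_PER_MIN)
    return {
        "response_time": response_time_rule(avg_rt_ms, calls_per_min, rt_baseline),
        "error_rate": error_rate_rule(errors_per_min, calls_per_min, err_baseline),
    }


if __name__ == "__main__":
    # A slow, error-prone minute under real load trips both critical conditions;
    # the same numbers at 40 calls/min stay "normal" because the load term fails.
    print(evaluate_minute(130, 12, 60))   # {'response_time': 'critical', 'error_rate': 'critical'}
    print(evaluate_minute(130, 12, 40))   # {'response_time': 'normal', 'error_rate': 'normal'}
```

The load conditions are what keep a baseline rule from paging on a handful of slow requests at 3 a.m.; when tuning your own rules, keep a load floor in every condition so that a quiet period with two unlucky calls cannot register as a critical event.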

Infrastructure Monitoring
While Business Transaction performance is typically the focus of a
performance monitoring strategy, monitoring infrastructure performance can
add insight into underlying factors about performance. AppDynamics can
alert you of the problem at the Business Transaction and infrastructure levels.
AppDynamics provides preconfigured application infrastructure metrics and
default health rules to enable you to discover and correct infrastructure
problems. You can also configure additional persistent metrics to implement
a monitoring strategy specific to your business needs and application
architecture.
In addition to health rules, you can view infrastructure metrics in the Metric
Browser. In this context, the Correlation Analysis and Scalability Analysis
graphs are useful to understand how infrastructure metrics can correlate or
relate to Business Transaction performance.

Integrate and Extend AppDynamics
AppDynamics provides many ways for you to extend AppDynamics Pro and
integrate metrics with other systems. The AppDynamics Exchange contains
many extensions that you can download, and if you cannot find what you
need, you can develop your own.
AppDynamics extensions are available in the following categories:
• Monitoring extensions add metrics to the existing set of metrics that
AppDynamics agents collect and report to the tenant. These can
include metrics that you obtain from other monitoring systems. They
can also include metrics that your system extracts from services that
are not instrumented by AppDynamics, such as databases, LDAP
servers, web servers, and C programs. To write specific monitoring
extensions, see Extensions and Custom Metrics
(https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-
visibility/machine-agent/extensions-and-custom-metrics)
• Alerting extensions let you integrate AppDynamics with external
alerting or ticketing systems and create custom notification actions. To
learn how to write specialized custom notifications, see Build a
Custom Action
(https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-
essentials/alert-and-respond/actions/custom-actions/build-a-custom-
action). Also, see Email Templates
(https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-
essentials/alert-and-respond/actions/notification-actions/email-
templates) and HTTP Request Actions and Templates
(https://docs.appdynamics.com/appd/21.x/21.3/en/appdynamics-essentials/alert-and-respond/actions/http-request-actions-and-templates).
• Performance testing extensions consist of performance-testing
extensions.
• Built-in integration extensions are bundled into the AppDynamics
platform and only need to be enabled or configured. These include the
following:
• Integrate AppDynamics with Splunk
(https://docs.appdynamics.com/appd/21.x/21.3/en/extend-
appdynamics/integration-modules/integrate-appdynamics-with-
splunk)
• Integrate AppDynamics with DB CAM
(https://docs.appdynamics.com/appd/21.x/21.3/en/extend-
appdynamics/integration-modules/integrate-appdynamics-with-db-
cam)
In the next section, we will cover deployment models and how to plan an
AppDynamics installation.

Deployment Planning Guide


This section describes the best practice and guidelines for deploying the
AppDynamics Application Performance Management (APM) platform.
Once you install the necessary agents, AppDynamics automatically builds an
environment of the chosen applications.
The tenant performs the following functions:
• Monitors your application workload
• Uses machine learning to determine what is normal for your
environment
• Applies sensible defaults for detecting abnormal activity and
application errors
You can start using AppDynamics dashboards, flow maps, and monitoring
tools in the Tenant UI immediately without instrumentation and
configuration. Later, you can customize the configuration for your specific
environment and requirements.

Deployment Models
An AppDynamics deployment uses installed agents to collect data from a
monitored environment. The AppDynamics UI provides the access to view,
understand, and analyze the data.
The AppDynamics SaaS deployment is a cloud-based solution that enables
real-time visibility into the health and performance of your instrumented
environment, with significantly reduced cost and maintenance. A SaaS
deployment provides these benefits:
• No need to install the tenant.
• AppDynamics manages the server-side components of the
AppDynamics platform, including its installation and upgrades.
• Lower total costs, guaranteed availability, data security, significantly
reduced maintenance, and automatic upgrades.

Installation Overview
Before you install the platform, review the requirements for the components
you plan to install and prepare the host machines. The requirements vary
based on the components you deploy and the size of your deployment.
For the Controller and Events Service, you first need to install the
AppDynamics Enterprise Console. You then use the application to deploy the
Controller and Events Service. Note that the Events Service can be deployed
as a single node or a cluster. The Enterprise Console is not only the installer
for the Controller and Events Service; it can manage the entire lifecycle of
new or existing AppDynamics Platforms and components.
You cannot use the Enterprise Console to perform the End User Monitoring
(EUM) Server installation. Instead, you must use a package installer that
supports interactive GUI or console modes, or you can use a silent response
file installation.

Platform Components and Tools


An on-premises AppDynamics platform installation consists of several,
separately installed and configured components. These include the
Controller, MySQL database, Events Service, and optionally the EUM
Server.
The AppDynamics Enterprise Console is a GUI- and command-line-based
application that can manage the installation, configuration, and administration
of the Controller and Events Service.
For the EUM Server, you must continue to use the package installer to deploy
the EUM Cloud.
After you install the platform, you can configure and manage different
components with component-specific scripts. Based on how you deploy the
platform, you might use a combination of the Enterprise Console and
package installers to install and manage the various components of the
platform.

On-Premises Deployment Architecture


Figure 4-3 depicts the components of a complete on-premises AppDynamics
APM platform deployment. It shows how the components interact to fulfill
application, database, infrastructure, end-user monitoring, and more.
Figure 4-3 Components of a complete on-premises AppDynamics APM
platform deployment
Depending on the scale of your deployment, your requirements, and the
products you are using, your own deployment is likely to consist of a subset
of the components shown in the diagram.

Platform Components
Table 4-1 describes how the components work together in the AppDynamics
platform.
Table 4-1 Platform Components
Platform Connections
Table 4-2 lists and describes the traffic flow between AppDynamics platform
components.
Table 4-2 Platform Connections

Note
AppDynamics End User Monitoring (EUM) gives you visibility
into the performance of your application from the viewpoint of the
end user.

Data Storage Location


Data is stored in the following locations:
• APM configuration and metric data is stored in the on-premises
Controller MySQL database.
• EUM event data is stored in the Events Service.
• Transaction and log analytics data is stored in the Events Service.
• EUM Geo Resolution data is stored in the on-premises GeoServer.
• EUM Synthetic data is stored in the on-premises Synthetic Server.

SaaS Deployment Architecture


In this scenario, all AppDynamics services run as SaaS, and agents are
configured to talk to the public SaaS endpoints. For EUM, by default, we
resolve end-user locations using public geographic databases.
Although not strictly required, we recommend using a reverse proxy such as
NGINX or Apache for all server-side components.

Note
Components must be licensed separately.
Figure 4-4 illustrates a SaaS AppDynamics deployment architecture.
Figure 4-4 SaaS AppDynamics deployment architecture
Figure 4-5 illustrates the connections, datastores, and key for the SaaS
deployment architecture.

Figure 4-5 Understanding SaaS deployment architecture


In the next sections, we review the various monitoring capabilities in
AppDynamics.

Application Monitoring
AppDynamics Application Performance Monitoring (APM), a component of
the AppDynamics platform, provides end-to-end visibility into the
performance of your applications.
AppDynamics works with popular programming languages such as Java,
.NET, Node.js, PHP, Python, C/C++, and more, enabling you to do the
following:
• Troubleshoot problems such as slow response times and application
errors.
• Automatically discover an application’s topology and how components
in the application environment work together to fulfill key business
transactions for its users.
• Measure end-to-end business transaction performance, along with the
health of individual application and infrastructure nodes.
• Receive alerts based on custom or built-in health rules, including rules
against dynamic performance baselines that alert you to issues in the
context of business transactions.
• Analyze your applications at the code execution level using snapshots.

Overview of Application Monitoring


After you understand the basics of AppDynamics, you can learn how
AppDynamics models application environments. The model serves as the
framework around which AppDynamics organizes and presents performance
information.
A typical application environment consists of the following different
components, which interact in a variety of ways to fulfill requests from the
application’s users:
• Web applications served from an application server
• Databases or other datastores
• Remote services such as message queues and caches
AppDynamics app agents automatically discover the most common
application frameworks and services. Using built-in application detection and
configuration settings, agents collect application data and metrics to build
flow maps.
A flow map visually represents the components of your application to help
you understand how data flows among the application components. For
example, the business transaction flow map for a simple e-commerce
application shows data flowing between web services, message queues, and
databases Figure 4-6 shows the Business Transaction flow map.
Figure 4-6 Business Transaction flow map
Automatic detection lets you start exploring AppDynamics features quickly.
As your understanding of AppDynamics matures and you identify areas
unique to your environment, you can refine your application model.

Business Transactions
In the AppDynamics model, a business transaction represents the data
processing flow for a request, most often a user request. In real-world terms,
many different components in your application may interact to provide
services to fulfill the following types of requests:
• In an e-commerce application, a user logging in, searching for items or
adding items to a cart
• In a content portal, a user requesting content such as sports, business,
or entertainment news
• In a stock trading application, operations such as receiving a stock
quote, buying a stock, and selling a stock
AppDynamics app agents discover requests to your application as entry
points to a business transaction. Similar requests, such as user login, are
treated as multiple instances of the same business transaction. The agents tag
the request data and trace the request path as it passes from web servers to
databases and other infrastructure components. AppDynamics collects
performance metrics for each tier that processes the business transaction.
Because AppDynamics orients performance monitoring around business
transactions, you can focus on the performance of your application
components from the user perspective. You can quickly identify whether a
component is readily available or if it is having performance issues. For
instance, you can check whether users are able to log in, check out, and view
their data. You can see response times for users as well as the causes of
problems when they occur.

Business Applications
A business application is the top-level container in the AppDynamics model.
A business application contains a set of related services and business
transactions.
In a small AppDynamics deployment, only a single business application may
be needed to model the environment. In larger deployments, you may choose
to divide the model of the environment into several business applications.
The best way to organize business applications for you depends on your
environment. A leading consideration for most cases, however, is to organize
business applications in a way that reflects work teams in your organization,
since role-based access controls in the Controller UI are oriented by business
application.

Nodes
A node in the AppDynamics model corresponds to a monitored server or Java
virtual machine (JVM) in the application environment. A node is the smallest
unit of the modeled environment. Depending on the agent type, a node may
correspond to an individual application server, JVM, CLR (Common
Language Runtime), PHP application, or Apache Web server.
Each node identifies itself in the AppDynamics model. When you configure
the agent, you specify the name of the node, tier, and business application
under which the agent reports data to the Controller.

Tiers
A tier is a unit in the AppDynamics model composed of a grouping of one or
more nodes. How you organize tiers depends on the conceptual model of
your environment.
Often, a tier is used to group a set of identical, redundant servers. But
that is not strictly required. You can group any set of nodes, identical or not,
for which you want performance metrics to be treated as a unit into a single
tier.
The single restriction is that all nodes in a single tier must be the same type.
That is, a tier cannot have mixed types of agents, such as both .NET and Java
nodes.
Traffic in a business application flows between tiers, as indicated by lines
on the flow map, which are annotated with performance metrics.
In the AppDynamics model, there is no interaction among nodes within a
single tier. Also, an application agent node cannot belong to more than one
tier.

Entities

An entity is any object that AppDynamics monitors, such as an application,
tier, node, or even a business transaction. Entities typically have associated
metrics, events, and a health status.

Historical and Live Entity Data


The Controller has an entity liveness module that tracks the “live” or
“historical” status of the four entity types—application, tier, node, and
business transaction—for 365+ days.
• Historical: Oldest time (a year before the latest Controller restart) to
the latest Controller restart time
• Live: Latest Controller restart time until the current time

Anchor Metrics for Entities


The entities have special metrics called anchor metrics that are used to
determine the liveness of the entity. Table 4-3 lists the anchor metrics for
each of the entities.
Table 4-3 Anchor Metrics for Entities

Liveness Status
The liveness of an entity affects the associated entities, as the liveness is
rolled up the hierarchy. If the entity type in Table 4-4 is live, you can
determine the liveness of the associated entities in the right column.
Table 4-4 Liveness Status
How the Controller Displays Live Entities
Based on entity liveness status of the selected time range, the Controller
determines whether to count and display entities in these places:
• Flow map.
• Tier and Node list pages. This is also determined by the Performance
Data checkboxes. See Live Entity Data in Flowmaps
(https://docs.appdynamics.com/appd/21.x/21.3/en/application-
monitoring/business-applications/flow-maps).
• Metric tree of the Metric Browser.
• Custom dashboards.
• AppDynamics REST APIs related to topology such as the Application
Model API.
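The model rules from the Tiers section (one agent type per tier, a node in at most one tier) and the liveness rollup described here can be checked in code. The following Python is an added example, not code from the book or from AppDynamics. It assumes that a node counts as live when its anchor metric arrived inside the selected time range (which metric is the anchor for each entity type is given in Table 4-3, not reproduced here) and that liveness rolls up as "any live child makes the parent live"; both are assumptions about the direction of Table 4-4, not something the text states.

```python
"""Validate an AppDynamics-style application model and roll liveness up from nodes to tiers to the application.

Added example. Assumptions: a node is live when its anchor metric reported inside the
selected range, and a tier/application is live when any child entity is live.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    agent_type: str                          # e.g. "java", "dotnet"; one type per tier
    last_anchor_report: Optional[datetime]   # last anchor-metric arrival; None = never reported


@dataclass
class Tier:
    name: str
    nodes: List[Node] = field(default_factory=list)


@dataclass
class BusinessApplication:
    name: str
    tiers: List[Tier] = field(default_factory=list)


def validate_model(app: BusinessApplication) -> List[str]:
    """Return violations of the two model rules: a tier holds one agent type and a node
    belongs to at most one tier. An empty list means the model is valid."""
    problems: List[str] = []
    owner: Dict[str, str] = {}            # node name -> tier that first claimed it
    for tier in app.tiers:
        types = {n.agent_type for n in tier.nodes}
        if len(types) > 1:
            problems.append(f"tier {tier.name!r} mixes agent types {sorted(types)}")
        for node in tier.nodes:
            first = owner.setdefault(node.name, tier.name)
            if first != tier.name:
                problems.append(f"node {node.name!r} is in both {first!r} and {tier.name!r}")
    return problems


def node_is_live(node: Node, range_start: datetime, range_end: datetime) -> bool:
    """A node is live for the selected range if its anchor metric arrived inside it."""
    return node.last_anchor_report is not None and range_start <= node.last_anchor_report <= range_end


def liveness(app: BusinessApplication, range_start: datetime,
             range_end: datetime) -> Dict[Tuple[str, str], bool]:
    """Map ("node"|"tier"|"application", name) -> live?, rolling liveness up the hierarchy."""
    status: Dict[Tuple[str, str], bool] = {}
    app_live = False
    for tier in app.tiers:
        tier_live = False
        for node in tier.nodes:
            live = node_is_live(node, range_start, range_end)
            status[("node", node.name)] = live
            tier_live = tier_live or live
        status[("tier", tier.name)] = tier_live   # no live node -> tier shows as historical
        app_live = app_live or tier_live
    status[("application", app.name)] = app_live
    return status


# Constructed sample: a two-tier e-commerce app observed at a fixed "now".
NOW = datetime(2023, 1, 1, 12, 0, 0)
LAST_HOUR = (NOW - timedelta(hours=1), NOW)   # a typical dashboard time range
LAST_WEEK = (NOW - timedelta(days=7), NOW)


def sample_app() -> BusinessApplication:
    web = Tier("web", [
        Node("web-1", "java", NOW - timedelta(minutes=1)),      # reporting now
        Node("web-2", "java", NOW - timedelta(days=3)),         # decommissioned three days ago
    ])
    db = Tier("inventory-db", [
        Node("inv-1", "dotnet", None),                          # never reported an anchor metric
    ])
    return BusinessApplication("ecommerce", [web, db])


if __name__ == "__main__":
    app = sample_app()
    print(validate_model(app))              # []
    print(liveness(app, *LAST_HOUR))        # web-1 and web live; web-2, inv-1, inventory-db not
    print(liveness(app, *LAST_WEEK))        # web-2 reappears because its last report is in range
```

Note how the same node flips between historical and live purely as a function of the selected range; that is why a flow map for the last hour can show fewer tiers than one for the last week, even though nothing was deleted.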

Backends
A backend is a component that is not instrumented by an AppDynamics agent
but one that participates in the processing of a business transaction instance.
A backend may be a web server, database, message queue, or another type of
service.
The agent recognizes calls to these services from instrumented code (called
exit calls). If the service is not instrumented and cannot continue the
transaction context of the call, the agent determines that the service is a
backend component. The agent picks up the transaction context at the
response at the backend and continues to follow the context of the transaction
from there.
Performance information is available for the backend call. For detailed
transaction analysis for the leg of a transaction processed by the backend, you
need to instrument the database, web service, or other application.

Integration with Other AppDynamics Modules


This section describes how other AppDynamics APM platform products
work with Application Monitoring to provide complete, full visibility on
application health and user experience.

Application Monitoring and Infrastructure Visibility
Infrastructure Visibility provides end-to-end visibility into the hardware and
networks on which your applications run. You can use Infrastructure
Visibility to identify and troubleshoot problems that affect application
performance such as server failures, JVM crashes, and hardware resource
utilization.
You use the Machine Agent to collect basic hardware metrics. One Machine
Agent license is included with each App Agent license that you purchase.
You can deploy this Machine Agent only on the same machine where the
App Agent is installed. The following functionality is provided by the
Machine Agent:
• Basic hardware metrics from the server OS (for example, %CPU and
memory utilization, disk and network I/O).
• Custom metrics passed to the Controller by extensions.
• Run remediation scripts to automate your runbook procedures. You
can optionally configure the remediation action to require human
approval before the script is started.
• Run JVM Crash Guard to monitor JVM crashes and optionally run
remediation scripts.
If you have a Server Visibility license, the Machine Agent provides this
additional functionality:
• Extended hardware metrics such as machine availability,
disk/CPU/virtual memory utilization, and process page faults.
• Monitor application nodes that run inside Docker containers and
identify container issues that impact application performance.
• Tier Metric Correlator, which enables you to identify load and
performance anomalies across all nodes in a tier.
• Monitor internal or external HTTP and HTTPS services.
• Group servers together so that health rules can be applied to specific
server groups.
• Define alerts that trigger when certain conditions are met or exceeded
based on monitored server hardware metrics.
Network Visibility monitors traffic flows, network packets, TCP connections,
and TCP ports. Network Agents leverage the APM intelligence of App
Server Agents to identify the TCP connections used by each application.
Network Visibility includes the following functionality:
• Detailed metrics about dropped/retransmitted packets, TCP window
sizes (Limited / Zero), connection setup/teardown issues, high round-
trip times, and other performance-impacting issues
• Network Dashboard that highlights network key performance
indicators (KPIs) for tiers, nodes, and network links
• Right-click dashboards for tiers, nodes, and network links that enable
quick drill-downs from transaction outliers to network root causes
• Automatic mapping of TCP connections with application flows
• Automatic detection of intermediate load balancers that split TCP
connections
• Diagnostic mode for collecting advanced diagnostic information for
individual connections
Application Monitoring and Browser Real User Monitoring
When you add End User Monitoring to Application Performance
Management, you can correlate business transaction performance to the user
experience for those transactions.
If app server agents run on the applications that serve your browser
applications, you can further configure the app server agents to inject the
JavaScript Agent into the code that runs on the browser. You can access the
settings to configure injection in the Applications Configuration page.

Application Monitoring and Database Visibility


In Application Monitoring, a database called by an instrumented node is
considered a remote service. You can get a significant amount of information
on the interaction between the application node and database, but not from
the database server perspective. When using Database Visibility with
Application Monitoring, you can drill down to detailed database performance
information directly from application flow maps.

Application Monitoring and Analytics


For those times when tracing application code does not provide enough clues
to track down the cause of a problem, AppDynamics provides visibility into
the transaction logs that can be correlated to specific business transaction
requests. Log correlation visibility requires a license for both Transaction
Analytics and Log Analytics.

Application Security Monitoring


AppDynamics with Cisco Secure Application reduces the risk of security
exposure without compromising delivery speed for an APM-managed
application. Traditionally, vulnerability scanning occurs before the
application is launched to production and then continues on a monthly or
quarterly cadence. As soon as the app is deployed to production, new security
gaps and zero-day exploits can make the application vulnerable despite pre-
production testing. Cisco Secure Application enables continuous
vulnerability assessment and protection by scanning code execution to
prevent possible exploits.

Note
Cisco Secure Application is available for the SaaS environment
only.
Cisco Secure Application enables the following:
• The IT Operations team responsible for performance monitoring to
gain real-time access to all security events
• Application security (AppSec) developers and application developers
to gain insights into violations of best practices and to collaborate on a
solution without friction
• AppSec and DevOps to add security into the existing automation,
which benefits the DevSecOps environment
• Businesses to operate at a faster pace with a lower risk profile due to
constant runtime protection, real-time remediation, and security
automation
To monitor the application security, you must enable the security for the
application using the Cisco Secure Application dashboard. Use the Security
Events widget on the AppDynamics Application dashboard to navigate to
the Cisco Secure Application dashboard. To view the Security Events
widget within AppDynamics Performance Monitoring (APM), enable your
SaaS account with the subscription license for Secure Application.

Supported APM Agents


The Cisco Secure Application features are built into these AppDynamics
APM Agents:
• Java Agent
• .NET Agent

Cisco Secure Application Components


Cisco Secure Application uses the combination of the supported APM Agent,
Controller, and Cisco Secure Application dashboard to monitor the security
of the applications. The following list explains what each does:
• APM Agent: The Cisco Secure Application library is bundled with the
Java and .NET Agents. The agent communicates with the Cisco Secure
Application service within the Controller, which is maintained in the
cloud.
• AppDynamics Controller: The Cisco Secure Application service is
maintained in the cloud by AppDynamics. The APM Agent sends data
to the service within the Controller. The service analyzes the data to
protect against different types of attacks and vulnerabilities and then
the service provides the analysis to the dashboard.
It uses external feeds along with internal data to analyze the behavior
of the application. It analyzes the CVEs (Common Vulnerabilities and
Exposures) against a curated vulnerability feed. The service can detect:
• A vulnerability when it is enabled in the policy and when the
associated behavior and the library used are considered vulnerable.
• An attack when it is enabled in the policy and abnormal behavior is
detected.
• Cisco Secure Application dashboard: A graphical representation of
all the analyzed data. You can view this dashboard based on the role
defined in the AppDynamics Controller. The data is updated on the
dashboard when the service within the Controller sends the analyzed
data to the dashboard.
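The two conditions the Controller bullet names, that a check is enabled in the policy and that the library in use falls in a curated feed's affected range, are easy to get subtly wrong, in particular at the boundary of a "fixed in" version. The following Python is an added example, not code from the book or from Cisco Secure Application; the feed, the loaded-library list, the policy and the vulnerability identifiers are all constructed here (the identifiers are placeholders, not real CVE numbers), and the version-range semantics (introduced inclusive, fixed exclusive) are an assumption about how such a feed is typically expressed.

```python
"""Match the libraries an application loads against a curated vulnerability feed, gated by policy.

Added example. Feed, library list, policy and identifiers are constructed; the
range semantics (introduced inclusive, fixed exclusive) are an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1). A trailing qualifier is dropped: '4.5.13-beta' -> (4, 5, 13)."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):      # '13-beta': keep the 13, stop after it
            break
    if not parts:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(parts)


@dataclass(frozen=True)
class FeedEntry:
    vuln_id: str          # placeholder identifier, not a real advisory
    library: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive); "" = no fix published yet
    check: str            # vulnerability class that the policy can enable or disable
    severity: str

    def affects(self, version: str) -> bool:
        """True when version lies in [introduced, fixed); open-ended when no fix exists."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)


@dataclass(frozen=True)
class Finding:
    library: str
    version: str
    vuln_id: str
    severity: str
    check: str


def assess(libraries: Dict[str, str], feed: List[FeedEntry],
           policy: Dict[str, bool]) -> List[Finding]:
    """Report a finding only when the check is enabled in the policy AND the loaded
    version falls inside the feed's affected range."""
    findings: List[Finding] = []
    for entry in feed:
        if not policy.get(entry.check, False):
            continue                               # disabled in policy: never reported
        version = libraries.get(entry.library)
        if version is None or not entry.affects(version):
            continue                               # library absent or outside the range
        findings.append(Finding(entry.library, version, entry.vuln_id, entry.severity, entry.check))
    return sorted(findings, key=lambda f: (f.library, f.vuln_id))


# Constructed data. Identifiers are placeholders, not real advisories.
FEED = [
    FeedEntry("VULN-PLACEHOLDER-1", "example-logging-lib", "2.0.0", "2.15.0", "remote-code-execution", "critical"),
    FeedEntry("VULN-PLACEHOLDER-2", "example-json-lib", "1.0.0", "1.2.3", "denial-of-service", "high"),
    FeedEntry("VULN-PLACEHOLDER-3", "example-http-lib", "4.0.0", "", "information-disclosure", "medium"),
]
LOADED_LIBRARIES = {                    # what the agent saw the runtime load: name -> version
    "example-logging-lib": "2.13.0",    # inside [2.0.0, 2.15.0): affected
    "example-json-lib": "1.2.3",        # exactly the fixed version: not affected
    "example-http-lib": "4.5.13-beta",  # affected, but its check is disabled in POLICY
}
POLICY = {"remote-code-execution": True, "denial-of-service": True, "information-disclosure": False}


def sample_assessment() -> List[Finding]:
    """Run the assessment over the constructed data above."""
    return assess(LOADED_LIBRARIES, FEED, POLICY)


if __name__ == "__main__":
    for f in sample_assessment():
        print(f"{f.severity:8} {f.vuln_id}  {f.library} {f.version}  ({f.check})")
```

A disabled check yields silence, not a downgraded finding; when reviewing a policy, treat every disabled class as an explicit acceptance of risk and record why it is off, because the dashboard will give no hint that the library is present.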

Cisco Secure Application Architecture


Figure 4-7 illustrates the high-level architecture of Cisco Secure Application.
Figure 4-7 High-level architecture of Cisco Secure Application

Note
The APM Agent (Java Agent) communicates to the Cisco Secure
Application service through the AppDynamics Controller.
The high-level architecture works as follows:
• You install the supported APM Agent and then add the Cisco Secure
Application license.
• The APM-managed application runs and the APM Agent retrieves the
data to send to the Controller.

• The Cisco Secure Application service retrieves the application, tiers,
and nodes data from the Controller.
• The APM Agent communicates with the Cisco Secure Application
service to check if the security is enabled for the application.
• If the security is enabled, the agent downloads the configuration along
with the policies from the Cisco Secure Application service.
• Based on the configured policies, the agent sends the security events to
the Cisco Secure Application service.
• The service collects all the data, analyzes the application behavior, and
then provides the analyzed data to the Cisco Secure Application
dashboard.

Monitor Application Security Using Cisco Secure Application


Cisco Secure Application offers a real-time dashboard that provides visibility
into the security health of your applications. This dashboard is available
when an application is registered with an APM Agent and has the appropriate
licensing. The agent sends the security events to Cisco Secure Application
through the Controller.
The Security Events widget on the AppDynamics Application dashboard
provides high-level information about the security of a registered application.
This widget displays the number of critical, warning, and normal security
events. To view the details of security for the selected application on Cisco
Secure Application, click the Security Events widget. Figure 4-8 illustrates
the AppDynamics Application flow map.
Figure 4-8 AppDynamics Application flow map

Select Scope for the Dashboard


Cisco Secure Application dashboard provides a filter to select the required
application and tier scope that is applied across all views within this
dashboard, except for Policies. By default, the application scope is the
selected application on the AppDynamics dashboard prior to navigating to
Cisco Secure Application.
Perform the following steps to view the data on the dashboard for a specific
application:
Step 1. Click the filter icon (labeled with the current application name/tier
name) in the top-right corner of the dashboard.
Step 2. In the Applications tab, search for the specific application.
Step 3. Select the application.
Step 4. (Optional) In the Tiers tab, search for the required tier.
If you do not select any specific tier, data is displayed for all the tiers.
Step 5. Click Apply Changes.
Figure 4-9 shows an example of the application/tier filter.
Figure 4-9 Application/Tier Filter
To return to the default view of all applications, click application name/tier
name > Applications > Remove App Filter. Similarly, click application
name/tier name > Tiers > Remove Tier Filter to return to the default view
of all tiers.

Navigate to AppDynamics Application or Tier Flow Map


To navigate from the Cisco Secure Application dashboard to the
AppDynamics flow map, click the flow map icon at the top-right corner of
the Cisco Secure Application dashboard. The flow map icon is associated
with the selected scope for the Cisco Secure Application dashboard.
For example, in Figure 4-10, the tier scope is awsApp-sametier1. You can
click the flow map icon to launch the awsApp-sametier1 flow map on the
AppDynamics dashboard.
Figure 4-10 illustrates how to navigate to the AppDynamics dashboard.

Figure 4-10 Navigating to the AppDynamics dashboard


Figure 4-11 shows the AppDynamics dashboard.
Figure 4-11 AppDynamics dashboard

View Data Using Search Filter


Cisco Secure Application provides a search filter on various pages in the
dashboard. This filter helps in getting the required data quickly. The search
filter allows you to search based on the selected category. For example, in
Figure 4-12, these are the categories:
• Vulnerability
• Severity
• Affected Services/Tiers
• Status
Figure 4-12 shows an example of the Vulnerability search filter.
Figure 4-12 Vulnerability search filter
You can select the required search category from the drop-down list and then
click the Search field to view the list of values corresponding to the category.
You can also find the required value as you type.
If you do not require an exact match, you can enter the required generic value
in the Search field. For example, consider that you want to search for all
applications that start with a specific prefix, AD. You can select the search
category as Application and enter AD in the Search field.

Note
You can search using one or all the categories, but each category
can have a single search value. A category is disabled when you
specify a search value for that category, but you can continue to
select another available category and specify its search value.
These search values act as filters. You can remove the search
values to remove the search filter.
Cisco Secure Application provides a real-time dashboard that displays these
pages:
• Home: This page provides an overview of attacks and vulnerabilities
of monitored applications.
• Applications: This page provides the details of monitored nodes that
are registered with Cisco Secure Application for the managed
applications.
• Libraries: This page provides details of the existing libraries that
require remediation.
• Vulnerabilities: This page provides information about all discovered
vulnerabilities.
• Attacks: This page provides information about all detected attacks.
• Policies: This page allows you to create or customize the policies for
vulnerabilities and attacks.

End User Monitoring


AppDynamics End User Monitoring (EUM) provides end-to-end visibility on
the performance of your web and mobile applications. EUM helps you
troubleshoot problems such as slow web responses, Ajax errors, mobile
network requests, and IoT application errors. EUM provides metrics on
application performance and user activity, such as:
• How server performance impacts your web, mobile, and device
performance
• How third-party APIs impact your web, mobile, and device
performance
• Where your heaviest loads originate
• How your users connect to and navigate your application

Overview of End User Monitoring


AppDynamics EUM gives you visibility into the performance of your
application from the viewpoint of the end user.
Whereas Application Performance Monitoring (APM) measures user
interaction starting at the web server or application server entry point, EUM
extends that visibility all the way to the web browser, mobile, or IoT
application. As a result, EUM reveals the impact the network and browser
rendering times have on the user experience of your application.
Figure 4-13 provides an overview of the different components, deployment
models (SaaS/on-premises), and the Controller UI as seen by AppDynamics
end users. The SaaS deployment employs services (Controller Service,
Events Service, EUM Service, EUM Synthetic Monitoring Service) to
collect, store, and process data, whereas the on-premises deployment requires
customers to install discrete components such as the Controller and servers
(Events Server, EUM Server, and so on) that run processes to collect, store,
and process data.

Figure 4-13 Overview of End User Monitoring


AppDynamics users can go to the AppDynamics Controller UI to view and
analyze RUM metrics as snapshots, pages, Ajax requests, sessions, network
requests, or in the form of charts and graphs. Table 4-5 describes the
components used in End User Monitoring.
Table 4-5 Overview of End User Monitoring

Understand End User Activity


Using EUM, you can determine the following:
• Where geographically your heaviest application load originates.
• Where geographically your slowest end-user response times occur.
• How performance varies by the following:
• Location
• Client type, device, browser and browser version, and network
connection for web requests
• Application and application version, operating system version,
device, and carrier for mobile requests
• What your slowest web/Ajax requests are, and where the problem may
lie.
• What your slowest mobile and IoT network requests are, and where the
problem may lie.
• How application server performance impacts the performance of your
web and mobile traffic.
• Whether your mobile or IoT applications are experiencing errors or
crashes and the root cause of the issues. For example, for mobile
applications, EUM provides stack traces and event trails for the crash
or error, helping you troubleshoot and optimize mobile applications.

View EUM Data


The performance information generated by EUM is distinct from the
application monitoring data generated by app server agents.
EUM data appears in various locations in the Controller UI, including in the
User Experience dashboard, Metric Browser, and AppDynamics Analytics
pages.
When linked to application business transactions, EUM data gives you a
complete view of your end users’ experience—from the client request,
through to the application environment, and back to the client as the user
response.
You can view EUM performance data in the Controller UI in the User
Experience tab. From there, you can access information specific to browser
applications, mobile applications, or connected devices (IoT applications).

On-Premises EUM Deployments


By default, EUM is configured to use an AppDynamics-hosted component
called the EUM Cloud. For a fully on-premises installation, the EUM Server
provides the functionality of the EUM Cloud.
Some functionality for EUM depends on the AppDynamics Platform Events
Service. In a SaaS environment, this is managed by AppDynamics, but it is
also possible to use this functionality in an on-premises form.
If you are adding EUM to an existing on-premises Controller installation, you
should evaluate your current configuration’s ability to handle the additional
load imposed by EUM.

Access the SaaS EUM Server


The SaaS EUM Server consists of the following components. Each
component may have different endpoints, depending on the region of your
Controller.
• EUM Services: The Mobile Agents, JavaScript Agent, and IoT SDKs
send data to the EUM Services. The Controller fetches data from the
EUM Server.
• Events Service: The EUM Server sends analytics data to the Events
Service. The Controller also queries the Events Service.
• Synthetic Services: The Synthetic Private Agent and Synthetic Hosted
Agent send data to the Synthetic Services.
If your SaaS or on-prem deployment requires access to any of these
components on the Internet, make sure the URLs given in SaaS domains and
IP ranges are accessible from your network.
How EUM Works with Other AppDynamics Products
This section describes how other App iQ Platform products work with EUM
to provide complete visibility into application health and user experience.

EUM and Application Performance Monitoring


Using APM with EUM provides you with greater insight into how the
performance of your business application affects the end-user experience. To
integrate APM with EUM, you correlate business transactions with browser
snapshots. This enables you to trace bad user experiences to issues with your
backends such as an unresponsive web service, bad database query, or slow
server response.
You can also use the app server agents running on business applications that
serve your browser applications to inject a JavaScript Agent into the code
that runs on the browser. This obviates the need to manually inject the
JavaScript Agent.

Note
You must assign unique names to EUM applications and business
applications. For example, if you created a business application
called “E-Commerce,” you cannot create a browser, mobile, or IoT
application with that same name, and vice versa.

EUM and Application Analytics


AppDynamics Application Analytics enables you to use the powerful
AppDynamics Query Language (ADQL) to analyze different types of EUM
data through complex queries. The Analytics components are based on the
Events Service, which is also the source of data for Browser Analyze, Crash
Analyze, Network Requests Analyze, and all IoT data. Analytics requires a
license separate from the EUM licenses, except for IoT Monitoring.

Experience Journey Map


Experience Journey Map provides real-time insights into business and
application performance, visualizing key user journeys and the correlation
between performance and traffic. This perspective unifies all application
stakeholders: application owners, developers, and IT operations.
Experience Journey Map visualizes the following:
• Performance metrics for each step in a user journey
• Top incoming and outgoing traffic data for each step
• Drop-off rates
To use Experience Journey Map, you need the following:
• SaaS: Controller >= 20.6.0
• On-premises: Controller >= 20.7.0
• EUM Peak license (RUM Peak, Browser RUM Peak, or Mobile RUM
Peak)
• Instrumented browser or mobile application
To access Experience Journey Map, follow these steps:
Step 1. Under the User Experience tab, go to a browser or mobile app.
Step 2. In the left application panel, click Experience Journey Map.

Experience Journey Map UI


The following sections provide an overview of the Experience Journey Map
UI. In the Controller, click on the Legend for key terms.

Experience Journey Map Dashboard


The Experience Journey Map dashboard displays the top user journeys, or the
most trafficked parts of an app. The default time frame is set to one hour, but
you can adjust the time, and the dashboard automatically updates the user
journeys and data for that time frame. Figure 4-14 shows an example of a
Browser Application Journey Map.
Figure 4-14 Browser Application Journey Map

End User Events


Each step in an Experience Journey Map user journey is visualized by end
user events (browser pages, iOS views, or Android activities). Experience
Journey Map displays the user journeys with the most traffic.
Click an end user event to see the following information:
• Total user visits (all incoming traffic) to an end user event
page/view/activity
• Where users are “journeying” through your app
• How each user journey is performing over time
• When users drop off your app
Figure 4-15 shows an example of the End User Event (Browser).

Figure 4-15 End User Event (Browser)

Traffic Segments
A traffic segment connects two end-user events in a journey and contains
data about what users experience in that journey. If the journey exceeds
health performance metrics, a health status icon will appear on the traffic
segment with more details on the user impact of poor performance.
Click a traffic segment to see the following information:
• Number of users who journeyed from one end-user event to the next
• Performance metrics for users within a journey
• Option to analyze individual browser or mobile sessions within a
journey
Figure 4-16 shows an example of Traffic Segment (Browser).
Figure 4-16 Traffic Segment (Browser)

Refresh Loops
A refresh loop is a type of traffic segment and contains data for users who
refresh an end-user event.
Click a refresh loop to see the following information:
• How many users needed to hit Refresh because of poor app
performance
• Insights into what causes poor app performance
• Location and hardware of users impacted by poor app performance
Figure 4-17 shows an example of Refresh Loop (Browser).

Figure 4-17 Refresh Loop (Browser)

Browser Monitoring
In this section, we will look at Browser Monitoring and options available to
track application performance. AppDynamics offers two products to monitor
browser applications:
• Browser Real User Monitoring (Browser RUM): Monitors how your
web application is performing, using real user data to analyze
application performance and user experience
• Browser Synthetic Monitoring: Analyzes application availability and
performance, using scheduled testing to analyze website availability

Overview of the Controller UI for Browser Monitoring


Browser RUM and Browser Synthetic Monitoring share two dashboards:
Browser App Dashboard and Resource Performance Dashboard. Figure 4-18
shows an example of Browser Monitoring.

Figure 4-18 Browser Monitoring

Browser App Dashboard


The Browser App Dashboard provides a high-level understanding of your
application’s overall performance. When you first navigate to a browser
application, you land on the Browser App Dashboard’s Overview tab. The
Overview tab contains widgets for both browser and synthetic data.

Overview Tab
The Overview tab displays a set of configurable widgets. The default widgets
contain multiple graphs and lists featuring common high-level indicators of
application performance. Figure 4-19 shows an example of a Browser
Application Dashboard.
Figure 4-19 Browser Application Dashboard

Geo Tab
The Geo tab displays key performance metrics by geographic location based
on page loads. If you are using Browser Synthetic Monitoring for an
application, you can view either “real user” or “synthetic” data using the
View drop-down.
The metrics displayed throughout the dashboard are for the region currently
selected on the map or in the grid. For example, on the map, if you click
France, the widgets and trend graphs update to display data for France.
Figure 4-20 shows an example of a Geo Dashboard.
Figure 4-20 Geo Dashboard

Resource Performance Dashboard


The Resource Performance Dashboard provides a high-level understanding of
how your resources affect the performance of your browser application. You
can use this dashboard to pinpoint resource-related performance issues
affecting the user experience, such as the following:
• A prioritized list of resource performance issues generated by
comparing their performance against thresholds.
• Changes in the number of resources.
• Large resources (images, JavaScript, CSS, and so on).
• Size increase of resources impacting performance. For example, a page
banner might be replaced with an uncompressed image, thus slowing
down the page load.
• Slow CDNs.
• Resources that haven’t been compressed.
• Comparison of real user and synthetic resource performance.

Overview of the Resource Performance Dashboard UI


Once you navigate to a browser application, the Resource Performance
Dashboard is located on the left-side panel. Figure 4-21 shows the Resource
Performance Dashboard.

Figure 4-21 Resource Performance Dashboard

Overview Tab
The Overview tab displays widgets providing high-level indicators of
resource performance over a specified time period. The dashboard can be
filtered to real user or synthetic data. The widgets only show a small number
of resources, but you can click See More to view up to 100 resources per
widget. Figure 4-22 shows Overview under Resource Performance.

Figure 4-22 Overview tab


Violations Tab
The Violations tab shows a list of pages, resource types, and domain or
resource violations that have exceeded performance thresholds. You can use
the Violations tab not only to find problematic resources but also to become
aware of sudden changes that negatively impacted the performance of a
resource. Clicking a specific violation leads to the Resources tab, with the data
filtered to that violation for further diagnostics. The configured violation
rules are evaluated every 10 minutes for the last 30 minutes. Figure 4-23
shows Violations under Resource Performance.
Figure 4-23 Violations tab
The supported violation types include the following:
• Median Domain Load Time
• Average Domain Size
• Average Page Size
• Median Resource Load Time
• Average Resource Size
• Median Resource Type Load Time
• Average Resource Type Size

Resources Tab
You can use the Resources tab to diagnose a problematic resource. You can
also add criteria as a filter to the widgets. All use cases to troubleshoot a
resource lead to the Resources tab, where you can learn more about an
individual resource’s impact on an application. Figure 4-24 illustrates
Resource under Resource Performance.
Figure 4-24 Resources tab

Additional Resource Performance Data Information


For the Resource Performance Dashboard to be effective, it is highly
recommended that you set the Timing-Allow-Origin HTTP header in all of
your CORS (Cross-Origin Resource Sharing) domains to enable access to
resource timing information. Without this header, the JavaScript Agent
cannot capture the resource size, and, of the supported Resource Timing
Metrics, only the resource load time can be calculated.
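The check behind that recommendation is the browser's timing-allow check: detailed Resource Timing fields for a cross-origin resource are exposed to page scripts only if the response's Timing-Allow-Origin header lists the page's origin (or `*`); otherwise those fields read as zero and only the overall load time survives. The following added example, which is not the AppDynamics JavaScript Agent's code, models that check and what a monitoring script can still compute when it fails. The origins, header values and timing numbers are constructed.

```javascript
// Added illustration (not the AppDynamics JavaScript Agent): the timing-allow check that
// gates detailed Resource Timing data for cross-origin resources, and the metrics a
// monitoring script can still derive when the check fails. All values are constructed.

// Parse a Timing-Allow-Origin header: a comma-separated list of origins, or "*".
function parseTimingAllowOrigin(headerValue) {
  if (headerValue === undefined || headerValue === null) return [];
  return headerValue.split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// Origin as the browser serializes it: scheme://host[:port], default ports omitted.
function originOf(url) {
  return new URL(url).origin;
}

// Same-origin resources always pass; cross-origin resources pass only if the resource's
// response lists "*" or the exact origin of the requesting document.
function timingAllowCheck(documentUrl, resourceUrl, timingAllowOriginHeader) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === originOf(resourceUrl)) return true;
  return parseTimingAllowOrigin(timingAllowOriginHeader)
    .some(v => v === '*' || v === docOrigin);
}

// Fields zeroed when the check fails. startTime, fetchStart, responseEnd and duration
// remain, so the load time (responseEnd - startTime) is still computable.
const RESTRICTED_FIELDS = [
  'redirectStart', 'redirectEnd', 'domainLookupStart', 'domainLookupEnd',
  'connectStart', 'connectEnd', 'secureConnectionStart', 'requestStart', 'responseStart',
  'transferSize', 'encodedBodySize', 'decodedBodySize',
];

// The entry a PerformanceResourceTiming object would expose given the check result.
function exposedResourceTiming(fullEntry, checkPassed) {
  const entry = { ...fullEntry };
  if (!checkPassed) for (const f of RESTRICTED_FIELDS) entry[f] = 0;
  return entry;
}

// What a monitoring script can derive: size is 0 (unknown) and time-to-first-byte is
// unavailable when the header was missing, which is the gap the dashboard warns about.
function resourceMetrics(entry) {
  return {
    loadTimeMs: entry.responseEnd - entry.startTime,
    sizeBytes: entry.transferSize,
    ttfbMs: entry.responseStart > 0 ? entry.responseStart - entry.startTime : null,
  };
}

// Constructed raw timing for a CDN-hosted image fetched by a page on https://app.example.
const SAMPLE_ENTRY = {
  name: 'https://cdn.example/banner.png', startTime: 100, fetchStart: 100,
  redirectStart: 0, redirectEnd: 0, domainLookupStart: 102, domainLookupEnd: 110,
  connectStart: 110, connectEnd: 140, secureConnectionStart: 120, requestStart: 141,
  responseStart: 180, responseEnd: 260, transferSize: 48210, encodedBodySize: 47900,
  decodedBodySize: 47900,
};

// Run the check for a given header value and return the metrics a script would see.
function metricsForHeader(headerValue) {
  const ok = timingAllowCheck('https://app.example/', SAMPLE_ENTRY.name, headerValue);
  return resourceMetrics(exposedResourceTiming(SAMPLE_ENTRY, ok));
}

console.log('no header:', metricsForHeader(undefined));
console.log('header lists app origin:', metricsForHeader('https://app.example'));
```

When configuring the CDN or other resource hosts, list the specific origins that serve your pages rather than `*`: the header grants every listed origin read access to timing and size details of that host's responses, so it should be scoped like any other CORS setting.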

IoT Monitoring
AppDynamics IoT Monitoring enables you to track and understand the
transactions of your IoT applications. Because IoT devices are diverse, both
in terms of the platforms they use and their business functions, AppDynamics
has developed a REST API in addition to language SDKs to provide the
maximum flexibility for reporting IoT data. This API can be used from any
device that supports HTTPS and is connected to the Internet.
IoT Monitoring requires application developers to instrument their code. To
make this process easier, AppDynamics has developed C/C++ and Java
SDKs so that developers using the platforms supporting these languages can
leverage the features of the SDK instead of using the REST API.

The IoT SDKs use the REST APIs to report IoT data to the EUM Server, where
the data is aggregated and made available to the AppDynamics Controller and
the Events Service, as shown in Figure 4-25.
Figure 4-25 IoT Monitoring architecture diagram

Mobile Real User Monitoring


Mobile Real User Monitoring (Mobile RUM) allows you to understand your
native (iOS, Android) and hybrid (Xamarin, Cordova-based, React Native,
Flutter) mobile application as your end users actually use them.
Mobile RUM provides you with visibility into the functioning of the
application itself and the application’s interactions with the network it uses
and any server-side applications it may talk to.

Database Visibility
Database Visibility in AppDynamics provides end-to-end visibility on the
performance of your database, helps you troubleshoot problems such as slow
response times and excessive load, and provides metrics on database
activities such as the following:
• SQL statements or stored procedures that are consuming most of the
system resources
• Statistics on procedures, SQL statements, and SQL query plans
• Time spent on fetching, sorting, or waiting on a lock
• Activity from the previous day, week, or month
Once Database Visibility is available, you can create collectors that run on
the Database Agent to monitor any of the supported databases or operating
systems included in Table 4-6 and Table 4-7.
Table 4-6 Supported Database and Versions

Table 4-7 Supported Operating Systems and Versions

Infrastructure Visibility
AppDynamics Infrastructure Visibility provides end-to-end visibility into the
performance of the hardware running your applications. You can use
Infrastructure Visibility to identify and troubleshoot problems that can affect
application performance such as server failures, JVM crashes, and network
packet loss.
Infrastructure Visibility provides the following metrics:
• CPU busy/idle times, disk and partition reads/writes, and network
interface utilization (Machine Agents)
• Packet loss, round-trip times, connection setup/teardown errors, TCP
window size issues, and retransmission timeouts (Network Visibility,
additional license required)
• Disk/CPU/memory utilization, process, and machine availability
(Server Visibility, additional license required)

Overview of Infrastructure Visibility


You can determine the root cause of application issues by looking at
application, network, server, and machine metrics that measure infrastructure
utilization. For example, the following infrastructure issues may slow down
your application:
• Too much time spent in garbage collection of temporary objects
(application metric)
• Packet loss between two nodes that results in retransmissions and slow
calls (network metric)
• Inefficient processes that result in high CPU utilization (server metric)
• Excessively high rates of reads/writes on a specific disk or partition
(hardware metric)
Infrastructure Visibility enables you to isolate, identify, and troubleshoot
these types of issues. Infrastructure Visibility is based on a Machine Agent
that runs with an App Server Agent on the same machine. These two agents
provide multi-layer monitoring, as follows:
1. The App Server Agent collects metrics about applications and identifies
applications, tiers, and nodes with slow transactions, stalled
transactions, and other application-performance issues.
2. The Network Agent monitors the network packets sent and received on
each node and identifies lost/retransmitted packets, TCP bottlenecks,
high round-trip times, and other network issues.
3. The Machine Agent collects metrics at two levels:
• Server Visibility metrics for local processes, services, and resource
utilization.
• Basic machine metrics for disks, memory, CPU, and network
interfaces.
This multilayer monitoring enables you to determine possible correlations
between application issues and service, process, hardware, network, or other
issues on the machine. Figure 4-26 illustrates the Agent Monitoring Metrics.
Figure 4-26 Agent Monitoring Metrics

Network Visibility
Network Visibility monitors traffic flows, network packets, TCP connections,
and TCP ports. Network Agents leverage the APM intelligence of App
Server Agents to identify the TCP connections used by each application.
Network Visibility includes the following items:
• Detailed metrics about dropped/retransmitted packets, TCP window
sizes (Limited/Zero), connection setup/teardown issues, high round-
trip times, and other performance-impacting issues
• Network Dashboard that highlights network KPIs for tiers, nodes, and
network links
• Right-click dashboards for tiers, nodes, and network links that enable
quick drill-downs from transaction outliers to network root causes
• Automatic mapping of TCP connections with application flows
• Automatic detection of intermediate load balancers that split TCP
connections
• Diagnostic mode for collecting advanced diagnostic information for
individual connections
Network Visibility extends the application intelligence of AppDynamics
APM down the stack from the application to the network. With “app-only”
visibility, it can be easy to mistakenly blame (or not blame) the network
when an application issue arises. Network Visibility can help reduce or
eliminate the guesswork involved in identifying root causes. Network Agents
and App Agents, working together, automate the work of mapping TCP
connections to the application flows that use them. Network Agents can
identify intermediate load balancers (which often split TCP connections) and
correlate the connections on either side of these devices. Figure 4-27
illustrates the agent-based Network Visibility approach.
Figure 4-27 Agent-based Network Visibility approach
The agent-based approach of Network Visibility provides these advantages
over standard approaches to network monitoring:
• More cost-efficient than using network monitoring appliances, which
often view traffic from a few central locations
• Especially useful for distributed environments and multitier
applications that span multiple network segments
• Works in cloud and hybrid networks, unlike most network-monitoring
solutions

Drill Down to the Root Cause


If network issues are affecting your application, Network Visibility can help
you determine the cause:
• You see a spike in transaction outliers in the Application Dashboard.
Are network issues to blame?
• Switch over to the Network Dashboard. Each tier, node, and link
shows network KPIs that measure the network health of that element.
Use baselining to highlight network elements with KPIs outside the
baseline.
• To diagnose a tier, node, or network link, right-click and select View
Metrics. In the right-click dashboard, look for network metrics with
spikes that correlate with the spikes in your transaction outliers. This
often provides direction to the network root cause.
• If a network element requires more in-depth troubleshooting, configure
the relevant Network Agents to collect metrics on the individual
Connections used by that element. You can then do the following:
• Click a node or link and view KPIs for the Connections used by the
relevant nodes.
• Right-click a Connection and view detailed metrics in a right-click
dashboard or in the Metric Browser.

Network Visibility Metrics


Network Visibility collects and displays these metric types:
• Network KPIs provide high-level, at-a-glance measures of whether the
network is affecting the performance of the monitored application. The
Network flow map shows KPIs for each tier, node, and link.
• The PIE (Performance Impacting Events) metric enables you to see
immediately if there are any such events on a connected client, server,
or network link.
Figure 4-28 shows an example of a PIE metric.
Figure 4-28 PIE metric
• If the KPI metrics indicate an issue with a specific element, you can
view additional metrics for that element to identify root causes. Right-
click an element and select View Metrics. The metrics and charts in
the right-click dashboard are all designed to answer one question: Are
there any bottlenecks on this element that are affecting my
applications?
Figure 4-29 shows an example of a KPI metric.

Figure 4-29 KPI metric
• To perform in-depth analysis, you can view detailed TCP Flow metrics
in the Metric Browser.
• You can view node metrics to evaluate the health of TCP sockets and
network interfaces.
Network Agents can also monitor multiple nodes that are associated with the
same IP address because they run on the same physical or virtual server. The
agent monitors each node individually and calculates network metrics for
each node. These metrics are based on the ingress/egress traffic for each
individual node, not aggregate traffic for the IP address of the host on which
the node is running. Figure 4-30 illustrates an example of Network Visibility
for multiple app nodes.
Figure 4-30 Network Visibility for multiple app nodes
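The retransmission KPI that the Network Visibility sections keep returning to is derived from monotonic per-host counters, and a health rule on it is a pair of thresholds applied to the rate over a sampling interval. The following added example, which is not AppDynamics Network Agent or Machine Agent code, shows that derivation from two samples of Linux's /proc/net/snmp Tcp counters and a threshold-style health rule; the counter text and the thresholds are constructed, and the rule format is an assumption.

```javascript
// Added illustration (not the AppDynamics Network Agent or Machine Agent): deriving a
// TCP retransmission KPI from Linux /proc/net/snmp counters sampled twice, then
// evaluating a threshold health rule on it. The counter text and thresholds are constructed.

// /proc/net/snmp is pairs of lines: "Tcp: <names...>" followed by "Tcp: <values...>".
function parseProcNetSnmp(text) {
  const out = {};
  const lines = text.split('\n').filter(l => l.trim().length > 0);
  for (let i = 0; i + 1 < lines.length; i += 2) {
    const [proto, ...names] = lines[i].trim().split(/\s+/);
    const [proto2, ...values] = lines[i + 1].trim().split(/\s+/);
    if (proto !== proto2) throw new Error(`malformed counter pair at line ${i}`);
    const key = proto.replace(/:$/, '');
    out[key] = {};
    names.forEach((n, j) => { out[key][n] = Number(values[j]); });
  }
  return out;
}

// Retransmitted segments as a fraction of segments sent during the interval. The
// counters only ever grow, so the difference between samples is the per-interval value.
function tcpRetransmissionRate(prev, next) {
  const sent = next.Tcp.OutSegs - prev.Tcp.OutSegs;
  const retrans = next.Tcp.RetransSegs - prev.Tcp.RetransSegs;
  if (sent <= 0) return 0;
  return retrans / sent;
}

// Assumed health-rule shape: warning and critical thresholds on the KPI.
function evaluateHealthRule(rate, rule = { warning: 0.01, critical: 0.05 }) {
  if (rate >= rule.critical) return 'critical';
  if (rate >= rule.warning) return 'warning';
  return 'normal';
}

// Constructed samples taken one interval apart (only the Tcp lines are shown).
const SAMPLE_T0 = `
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 5210 880 42 17 35 920000 910000 1200 0 60 0
`;
const SAMPLE_T1 = `
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 5300 900 45 18 37 960000 950000 4200 0 62 0
`;

// Compute the KPI for the constructed interval and classify it.
function sampleEvaluation() {
  const rate = tcpRetransmissionRate(parseProcNetSnmp(SAMPLE_T0), parseProcNetSnmp(SAMPLE_T1));
  return { rate, status: evaluateHealthRule(rate) };
}

console.log(sampleEvaluation());
```

In the constructed interval 40,000 segments were sent and 3,000 were retransmitted, a 7.5% rate that crosses the critical threshold. A host-wide counter like this is the aggregate view; the per-node attribution described above (ingress/egress traffic of each node rather than of the host IP address) needs per-connection accounting, which is exactly what the agent adds on top of these kernel counters.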

Server Visibility
Server Visibility monitors local processes, services, and resource utilization.
You can use these metrics to identify time windows when problematic
application performance correlates with problematic server performance on
one or more nodes.
Server Visibility is an add-on module to the Machine Agent. With Server
Visibility enabled, the Machine Agent provides the following functionality:
• Extended hardware metrics such as machine availability,
disk/CPU/virtual-memory utilization, and process page faults
• Monitor application nodes that run inside Docker containers and
identify container issues that impact application performance
• The Tier Metric Correlator, which enables you to identify load and
performance anomalies across all nodes in a tier
• Import and define server tags used to query, filter, and compare related
servers using custom metadata
• Monitor internal or external HTTP and HTTPS services
• Support for grouping servers so you can apply health rules to specific
server groups
• Support for defining alerts that trigger when certain conditions are met
or exceeded based on monitored server hardware metrics

Using the Server Visibility UI


The Server Visibility user interface uses many of the same mechanisms that
are common to the various panels of the Controller UI, as shown in Figure 4-31.
Figure 4-31 Server Visibility UI

Basic Machine Metrics


The Machine Agent collects basic hardware metrics from the server’s OS and
provides the following functionality:
• Basic hardware metrics from the server’s OS, such as CPU and
memory utilization, throughput on network interfaces, and disk and
network I/O.
• Support for creating extensions to generate custom metrics.
• Support for running remediation scripts to automate your runbook
procedures. You can optionally configure the remediation action to
require human approval before starting the script.
• JVM Crash Guard for monitoring JVM crashes and optionally running
remediation scripts.

Java and .NET Infrastructure Monitoring


Infrastructure Visibility uses different agents to monitor Java and .NET
environments:
• The Java Agent collects metrics for business applications and JVMs.
The Machine Agent collects Server Visibility and hardware/OS
metrics.
• The .NET Agent collects metrics for business applications and
instrumented CLRs. The .NET Agent includes a .NET Machine Agent
that collects IIS and hardware/OS metrics. The Machine Agent collects
Server Visibility metrics.
Figure 4-32 illustrates Java and .NET Monitoring metrics.

Figure 4-32 Java and .NET Monitoring metrics

Infrastructure Visibility Strategies


You can use these strategies to locate infrastructure issues that affect
application performance:
• Use transaction snapshots to correlate infrastructure metrics for the
specific node so that you can identify the root cause of slow or stalled
transactions.
• Use the Tier Metric Correlator, which enables you to identify load and
performance anomalies in a tier composed of a cluster of nodes
running on containers or servers.
• Configure health rules on metrics such as garbage collection time,
connection pool contention, and CPU usage to catch issues early in the
cycle before any impact on your business transactions.
• Use infrastructure rules, policies, and alerts:
• Define policies that trigger actions (such as send an email, start
diagnostics, or perform a thread dump) when infrastructure metrics
report a critical level.
• Configure alerts for JVM and CLR crashes using JVM Crash Guard
and the .NET Machine Agent, respectively.
• Configure the agent to run scripts in response to critical events (for
example, restart an application or JVM in response to a crash).
• Use metric correlation:
• The Network Dashboard includes right-click dashboards for tiers,
nodes, and network links. Use these dashboards to find correlations
between application issues and network root causes.
• One example workflow is to open the Node Dashboard for a mission-
critical server with a machine agent installed and then cross-compare
data in the following tabs:
• JVM (application performance)
• JMX (server performance)
• Server (hardware resource consumption)
With the right monitoring strategy in place, you can be alerted to problems
and fix them before user transactions are affected.

Analytics
Analytics extracts the data, generates baselines and dashboards, and provides
perspective beyond traditional APM by enabling real-time analysis of
business performance correlated with your application performance.
You can use Analytics with the APM, Browser RUM, Mobile RUM, and
Browser Synthetic Monitoring product modules for the following:
• Transaction Analytics
• Log Analytics
• Browser Analytics
• Mobile Analytics
• Browser Synthetic Analytics
• Connected Devices Analytics

Overview of Analytics
Analytics is built on the AppDynamics APM platform, which includes the
Events Service, the unstructured document store for the platform.
Analytics can answer business-oriented questions such as the following:
• How many users experienced failed checkout transactions in the last 24
hours?
• How much revenue was lost because of these failures?
• How is the lost revenue distributed across different product categories?
• What is your revenue for the day for a geographical region?
• What was the revenue impact, by product category, associated with the
two marketing campaigns we ran last week?

Analytics Home Page


The Analytics Home page consolidates data from the transaction, browser,
and mobile events. The Home page automatically generates Transaction and
End User Monitoring Summary panels through queries that aggregate data
into widgets.

Note
To view the different widgets on the Home page, you need the
appropriate licenses and access.
You can access the AppDynamics Home page by clicking the Home icon on
the left navigation pane in Analytics. You can either use the left navigation
pane or click Home on the right pane to navigate to the Analytics modules
(Searches, Metrics, Business Journeys, Experience Levels, Alert & Respond,
and Configuration).
Figure 4-33 shows the Analytics Home view.

Figure 4-33 Analytics Home view

Monitoring Cloud Applications


In cloud environments, services and components are added and removed
continuously. AppDynamics provides robust support for monitoring
applications in these dynamic environments.

Docker
In simple terms, the Docker platform is all about making it easier to create,
deploy, and run applications by using containers. Containers let developers
package up an application with all the necessary parts, such as libraries and
other elements it is dependent on, and then ship it all out as one package. By
keeping an app and associated elements within the container, developers can
be sure that the apps will run on any Linux machine no matter what kind of
customized settings that machine might have, or how it might differ from the
machine that was used for writing and testing the code. This is helpful for
developers because it makes it easier to work on the app throughout its
lifecycle.
Docker is kind of like a virtual machine, but instead of creating a whole
virtual operating system (OS), it lets applications take advantage of the same
Linux kernel as the system they’re running on. That way, the app only has to
be shipped with things that aren’t already on the host computer instead of a
whole new OS. This means that apps are much smaller and perform
significantly better than apps that are system-dependent.
AppDynamics Docker monitoring offers container monitoring for dynamic,
fast-moving microservice architectures, as covered in the following section.

Monitor Containers with Docker Visibility


Use the Machine Agent to monitor application nodes running inside Docker
containers and to identify container issues that impact application
performance. By viewing and comparing APM metrics with the underlying
container and server/machine metrics, you can easily answer the question, is
my application problem purely an application problem, or is the root cause in
the container or the server?

Note
Container monitoring requires a Server Visibility license (>=4.3.3)
for both the Controller and the Machine Agent.
You should deploy the Machine Agent inside a Docker container. The
Machine Agent collects metrics for Docker containers on the same host, and
it collects server and machine metrics for the host itself. The Controller
shows all monitored containers for each host as well as the container and host
IDs for each container.
In the BRIDGE networking mode, the containers take on the container ID as
the host name. If networking is in host mode, the containers take on the
host's node name as the host ID. This means every container on that node
has the same host ID. In this case, you need to use the unique host ID settings. When
you’re using Docker Visibility, if the unique host ID setting is not configured
to use container ID in host network mode, the Machine Agent automatically
registers the container using the container ID as the host ID. If you have an
older version of the Controller or Machine Agent, AppDynamics
recommends that you upgrade to Machine Agent version 20.7 or later.
With Controller version 20.11.0 or later:
• If the Machine Agent is 20.7.0 or later, the Machine Agent
automatically registers the container using the container ID as the host
ID. No further action is needed.
• If the Machine Agent is 20.6.0 or earlier and is configured incorrectly,
the Controller rejects the misconfigured containers registration.
By default, the Machine Agent only monitors containers that have a running
APM Agent. You can change this by setting the
sim.docker.monitorAPMContainersOnly property on the Controller.

Note
To deploy a Machine Agent on a host outside a Docker container,
create a symbolic link (ln -s / /hostroot) on the host. This
symbolic link enables the Machine Agent to collect host metrics
with Docker container metrics. When you deploy a Machine Agent
inside a Docker container for monitoring, the symbolic link is
automatically created when the volume mounts. To grant more
restrictive permissions, enter this command to create symbolic
links: ln -s /proc /hostroot/proc; ln -s /sys /hostroot/sys; ln -s
/etc /hostroot/etc. You can make these links read-only because the
AppDynamics Agent does not need write privileges to these
directories.
Figure 4-34 illustrates how to deploy container monitoring, as detailed in the
following list:
Figure 4-34 How to deploy container monitoring

• Install the Machine Agent in a standalone container. The Machine
Agent collects hardware metrics for each monitored container, as well
as Machine and Server metrics for the host, and forwards the metrics
to the Controller.
• The Machine Agent can monitor all containers that are running on that
host, subject to established limits, and will report runtime metrics and
metadata for every container. Additionally, if any of the containers
have an APM Agent installed, the Machine Agent also correlates the
container metadata and runtime metrics with the associated APM Node.

Enable Container Monitoring


Follow these steps to enable Container Monitoring:
Step 1. On the Controller, log in to the Administration Console and verify
that sim.docker.enabled is set to true.
Step 2. On the Agent, enable Server Visibility and Docker Visibility.

Container Monitoring Setup


The quickest and easiest way to run the Machine Agent with Container
Monitoring enabled is to use one of the official images from the Docker Store
(https://store.docker.com/images/appdynamics). These images are produced
by AppDynamics, based on certified base images from the Docker
Community, and can either be run directly or used as base images for your
own application containers. For full details of how to download and run
containers based on these official images, see the documentation posted on
the Docker Store. To build your own base images, the full source code for
building these images is posted to GitHub. You can use this as a pattern for
your own builds (https://github.com/Appdynamics/appdynamics-docker-
images).
For the Machine Agent to monitor containers running on the server,
configure these settings:
• Server Visibility Enabled: Enable Server Visibility
• Docker Enabled: Enable Docker Visibility
• Volume Mounts: Specify one of the following:
• Volume mounts to allow read-only access to the underlying file
system (/proc, /etc and /sys). This allows the Server Agent to collect
host-level metrics for containers running on the server.
• The UNIX domain socket on which the Docker daemon is configured
to listen for API calls.

View Container Details


Follow these steps to view container metadata and metrics in the Controller:
Step 1. In the Applications Dashboard, go to Containers to see all monitored
containers used by the application.
Figure 4-35 shows an example of the Applications Dashboard.
Figure 4-35 Applications Dashboard
Step 2. In the Servers Dashboard, go to Containers to see all monitored
containers on that host.
Figure 4-36 shows the Servers Dashboard.

Figure 4-36 Servers Dashboard


Step 3. To open the Container Dashboard, right-click the container name and
choose View Details.
Figure 4-37 shows the Container Dashboard.

Figure 4-37 Container Dashboard


The Container Details view contains the following tabs, which
provide an overview of the health and resource usage for the
container:
• Overview: Container metadata, tags (name-value pairs derived from
Docker/Kubernetes) and AWS tags where applicable, and single
chart views for CPU, memory, network, and disk usage.
• CPU: CPU Usage and Throttled Time metrics.
• Memory: Memory Usage and Memory Fault metrics.

Step 4. The Node Dashboard also includes a Container tab for the container
in which that node is running. Figure 4-38 illustrates the Container
tab.

Figure 4-38 Container tab

View Container Metrics Using the Metric Browser


To view time-series metric data for containers, double-click one of container
metric graphs (CPU, Memory, Network, or Disk) to open the Metric Browser
with the displayed metric selected. The Metric Browser tree displays the full
set of metrics available for that container, and you can add these to the Metric
Browser display by double-clicking the metric you wish to select. Figure 4-
39 shows an example of Container Metrics.
Figure 4-39 Container Metrics

Kubernetes
Kubernetes is a container-orchestration platform for automating deployment,
scaling, and operations of applications running inside the containers across
clusters of hosts. Open-sourced by Google in 2014, Kubernetes was built
based on the search giant’s own experience with running containers in
production. It’s now under the aegis of the Cloud Native Computing
Foundation (CNCF), which reports that Kubernetes is the most popular
container management tool among large enterprises, used by 83% of
respondents in a recent CNCF survey (https://www.cncf.io/wp-
content/uploads/2020/11/CNCF_Survey_Report_2020.pdf). And in case
you’re wondering, the name “Kubernetes” is Greek for “helmsman” or
“pilot.”
Kubernetes Monitoring with AppDynamics gives organizations visibility into
application and business performance, providing insights into containerized
applications, Kubernetes clusters, Docker containers, and underlying
infrastructure metrics.

Using Docker Visibility with Kubernetes


With AppDynamics, you can gain real-time visibility into your containerized
applications deployed to Kubernetes. Kubernetes is an open source container-
orchestration platform for automating deployment, scaling, and management
of applications running in containers.
With Container Visibility, you can enhance container-level metrics and gain
visibility into CPU, packet visibility, memory, and network utilization. These
metrics can then be baselined and have health rules associated along with
detailed resource usage statistics about your APM-monitored container
applications. By viewing and comparing APM metrics, with the underlying
container and server metrics, you quickly receive deep insights into the
performance of your containerized applications, along with potential
impediments in your infrastructure stack. For example, specific metrics can
help you identify both “bandwidth-hogging” applications and container-level
network errors.
Container visibility allows you to monitor containerized applications running
inside Kubernetes pods and to identify container issues that impact
application performance. The agent is deployed as a Kubernetes DaemonSet
in every node of a Kubernetes cluster. Deploying the Machine Agent as a
DaemonSet ensures that every Kubernetes worker node runs the Machine
Agent and that the agent collects critical resource metrics from both the node
host and the associated Docker containers.

Container Visibility with Kubernetes


Deploy the Machine Agent in Docker-enabled mode. For more information
and details on how to configure and run the Machine Agent using Docker,
see Configuring Docker Visibility
(https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-
visibility/monitor-containers-with-docker-visibility/configure-docker-
visibility). The Machine Agent will then do the following:
• Identify the containers managed by Kubernetes.
• Determine if these containers contain App Server Agents.
• Correlate containers with App Server Agents with the APM nodes for
that application.
Figure 4-40 illustrates the following deployment scenario for Container
Visibility in Kubernetes:
Figure 4-40 Container Visibility in Kubernetes

• Install the Machine Agent container as a DaemonSet on each
Kubernetes node.
• If you wish to collect APM metrics from any container in a pod, install
the correct APM Agent in the container before deploying the pod.
• The Machine Agent collects resource usage metrics for each monitored
container, as well as Machine and Server metrics for the host, and then
forwards the metrics to the Controller.
• (Optional) Install the Network Agent as a DaemonSet on the node you
want to monitor. The Network Agent collects the metrics for all network
connections between application components being monitored and
sends the metrics to the Controller.
Container visibility with Kubernetes requires the following:
• The Machine Agent must run as a DaemonSet on every Kubernetes
node that you wish to monitor.
• Each node to be monitored must have a Server Visibility license.
• Docker Visibility must be enabled on the Machine Agent.
• Both App Server Agents and Machine Agents are registered by the
same account and are using the same Controller.
• If you have multiple App Server agents running in the same pod,
register the container ID as the host ID on both the App Server Agent
and the Machine Agent.

Enable Container Visibility


Update the Controller to 4.4.3 or higher if you have not already done so. To
enable Kubernetes visibility in your environment, edit the following
parameters:
• Controller
• sim.machines.tags.k8s.enabled: The value defaults to true. The
global tag’s enabled flag has priority over this.
• sim.machines.tags.k8s.pollingInterval: The value defaults to one
minute. The minimum value you can set for the polling interval is 30
seconds.
• Machine Agent
• k8sTagsEnabled: The value defaults to true and is specified in the
ServerMonitoring.yml file.
Continue with Using Docker Visibility with Red Hat OpenShift. You can use
the example DaemonSet, the sample Docker image for Machine Agent, and
the sample Docker start script to quickly set up the Standalone Machine
Agent. You can find it here:
https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-
visibility/monitor-containers-with-docker-visibility/use-docker-visibility-
with-red-hat-openshift

Register the Container ID as the Host ID


Install an App Server Agent in each container in a Kubernetes pod to collect
application metrics. If multiple App Server Agents are running in the same
pod (in the RedHat OpenShift platform, for example), you must register the
container ID as the unique host ID on both the App Server Agent and the
Machine Agent to collect container-specific metrics from the pod. Kubernetes
pods can contain multiple containers, and they share the same host ID. The
Machine Agent cannot identify different containers running in a pod unless
each container ID is registered as the host ID.
To register the container ID as the host ID, follow these steps:
Step 1. Get the container ID from the cgroup:
cat /proc/self/cgroup | awk -F '/' '{print $NF}' | head -n 1

Step 2. Register the App Server Agents:


-Dappdynamics.agent.uniqueHostId=$(sed -rn '1s#.*/##; 1s/(.{12}).*/\1/p' /proc/self/cgroup)

Note
For OpenShift, run the following command:
-Dappdynamics.agent.uniqueHostId=$(sed -rn '1s#.*/##; 1s/docker-(.{12}).*/\1/p' /proc/self/cgroup)

Step 3. Register the Machine Agent:


-Dappdynamics.docker.container.containerIdAsHostId.enabled=true
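The ID extraction from Steps 1 and 2 as an added shell example (not from the book or from AppDynamics): it applies the same sed patterns to a cgroup line read from stdin, distinguishes the plain Docker form from the OpenShift docker-<id>.scope form, and refuses to build the -D flag when the process is not inside a container, where line 1 of /proc/self/cgroup ends in "/" and the one-liners above would register an empty uniqueHostId. The sample cgroup lines and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not AppDynamics code): derive the
# 12-character short container ID the way the book's sed one-liners do,
# but from stdin and with a sanity check on the result.
container_id_from_cgroup() {
    # Keep only the last path component of line 1 of the cgroup file.
    last="$(sed -n '1s#.*/##p')"
    case "$last" in
        # systemd cgroup driver (OpenShift): docker-<64 hex chars>.scope
        docker-*) id="$(printf '%s\n' "$last" | sed -rn 's/docker-(.{12}).*/\1/p')" ;;
        # cgroupfs driver (Docker BRIDGE/host mode): <64 hex chars>
        *)        id="$(printf '%s\n' "$last" | sed -rn 's/(.{12}).*/\1/p')" ;;
    esac
    # Refuse anything that is not exactly 12 hex characters (for example
    # the empty string a host process produces).
    printf '%s' "$id" | grep -Eq '^[0-9a-f]{12}$' || return 1
    printf '%s\n' "$id"
}

# Build the App Server Agent flag from Step 2 only when an ID was found.
agent_host_id_flag() {
    id="$(container_id_from_cgroup)" || return 1
    printf '%s%s\n' '-Dappdynamics.agent.uniqueHostId=' "$id"
}

# Constructed sample cgroup lines (not captured from a real system).
SAMPLE_DOCKER='12:memory:/docker/3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a'
SAMPLE_OPENSHIFT='1:name=systemd:/kubepods.slice/kubepods-burstable.slice/docker-3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a.scope'
SAMPLE_HOST='12:memory:/'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DOCKER"    | agent_host_id_flag
    printf '%s\n' "$SAMPLE_OPENSHIFT" | agent_host_id_flag
    printf '%s\n' "$SAMPLE_HOST"      | agent_host_id_flag || echo "not in a container: no flag set"
fi
```

Run with the argument demo to see the three cases; in a real container replace the sample with `container_id_from_cgroup < /proc/self/cgroup`.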

Instrument Applications with Kubernetes


There are several approaches to instrumenting applications deployed with
Kubernetes, and which one you choose will depend on your particular
requirements and DevOps processes. In order to monitor an application
container with AppDynamics, an APM Agent must be included in that
container. This can be done in a number of ways:
• Using an appropriate base image that has the APM agent pre-installed
• Loading the agent dynamically as part of the container startup
• Loading the agent and dynamically attaching to a running process
(where the language runtime supports it)
The third option is usually applicable only to Java-based applications since
the JVM supports Dynamic Attach, which is a standard feature of the
AppDynamics Java APM Agent. For the other options, it is common practice
to make use of standard Kubernetes features such as Init Containers,
ConfigMaps, and Secrets.

Deploy the Machine Agent on Kubernetes


AppDynamics Machine Agent can be deployed in a single container image,
without the need for an init container. By default, the Machine Agent is
deployed to the cluster as a DaemonSet to distribute each agent instance
evenly across all cluster nodes. Where required, the DaemonSet can be
configured with node affinity rules or node anti-affinity rules to ensure that it
is deployed to a desired set of nodes and not across the entire cluster.
In order to harvest pod metadata, the service account used to deploy the
machine agent must have the cluster-reader role in OpenShift. The “cluster-
reader” role is also required for the Kubernetes extensions to the machine
agent. The following CLI command is an example of assigning the cluster-
reader role to the appd service account in OpenShift:

BASH
# assigning cluster-reader role in OpenShift
oc adm policy add-cluster-role-to-user cluster-reader -z appd-account

If you are working with a vanilla Kubernetes distribution, it may not have a
pre-built cluster role similar to cluster-reader in OpenShift.

Resource Limits
Consider the following resource limits for applications and the Machine
Agent when deploying the AppDynamics Machine Agent on Kubernetes:
• The main application being monitored should have resource limits
defined. Provide 2% padding for CPU and add up to 100MB of
memory.
• To support up to 500 containers, the Machine Agent can be configured
with the following resource requests and limits: Mem = 400M, CPU =
"0.1" and limits: Mem = 600M, CPU = "0.2".
Note
AppDynamics provides a Kubernetes Snapshot Extension for
monitoring the health of the Kubernetes cluster. When deploying
this extension, it is important to keep in mind that only a single
version of the extension should be deployed to the cluster. Do not
include it in the DaemonSet to avoid duplicates and potential
cluster overload. Instead, consider deploying the instance of the
Machine Agent with the extension as a separate deployment with
one replica in addition to the DaemonSet for Server Visibility. The
machine agent SIM and Docker can be disabled in this case, and
the memory request can be dropped to 250M.

ClusterRole Configuration
Refer to the sample role definition shown in Figures 4-41a and 4-41b. It
provides a wide read access to various Kubernetes resources. These
permissions are more than sufficient to enable Kubernetes extensions to the
Machine Agent as well as the pod metadata collection. The role is called
“appd-cluster-reader,” but you can obviously name it as needed. The cluster
role definition outlines various api groups that will be available for members
of this role. For each api group, we define a list of resources that will be
accessed and the access method. Because we only need to retrieve
information from these api endpoints, we only need the read-only access,
expressed by “get,” “list,” and “watch” verbs.
Figure 4-41a Sample ClusterRole
Figure 4-41b Sample ClusterRole
Once the role is defined, you will need to create cluster role bindings to
associate the role with a service account. Refer to the example of a
ClusterRoleBinding spec in Figure 4-42, which makes the appd-cluster-
reader service account a member of the appd-cluster-reader-role in project
“myproject.” Note that the naming is purely coincidental. The names of the
service account and the cluster role do not have to match.

Figure 4-42 Sample ClusterRoleBinding
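Since Figures 4-41a, 4-41b and 4-42 are not reproduced in the text, here is an added example (not the book's figures and not AppDynamics' own manifests) of a read-only ClusterRole with its ClusterRoleBinding, together with a preflight check that the role carries only the get, list and watch verbs the text calls for. The role and binding names, the resource list and the "myproject" namespace are assumptions.

```shell
#!/bin/sh
# Added example (assumed names and resources): a least-privilege
# ClusterRole/ClusterRoleBinding for the Machine Agent service account,
# plus a check that no rule grants more than read access.

# Emit the manifest. Every rule carries only get/list/watch.
appd_cluster_reader_manifest() {
    cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: appd-cluster-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "namespaces", "events", "endpoints", "services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: appd-cluster-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: appd-cluster-reader
subjects:
  - kind: ServiceAccount
    name: appd-cluster-reader
    namespace: myproject
EOF
}

# Read a manifest on stdin and fail if any flow-style 'verbs: [...]'
# line lists a verb other than get, list or watch. Returns 0 when the
# role is read-only, 1 otherwise (offending verbs go to stderr).
check_read_only_verbs() {
    bad="$(sed -n 's/^[[:space:]]*verbs:[[:space:]]*\[\(.*\)\].*/\1/p' \
          | tr ',"' '  ' | tr -s ' ' '\n' \
          | grep -Ev '^(get|list|watch|)$' || true)"
    if [ -n "$bad" ]; then
        printf 'non-read verbs found: %s\n' "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

if [ "${1:-}" = "demo" ]; then
    appd_cluster_reader_manifest | check_read_only_verbs \
        && echo "appd-cluster-reader grants read-only access"
fi
```

Only once the check passes would the manifest be handed to kubectl apply -f -; a role that fails it should be narrowed before it is bound to the agent's service account.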

Network Visibility with Kubernetes


You can use Network Visibility to monitor applications running on
Kubernetes. Network Visibility isolates an application’s network issues from
its application issues. It monitors an application’s network interactions and
reports key performance metrics in the context of application performance
monitoring.
To monitor the communication between pods and between nodes, the agent
opens up a TCP port in each node for app containers to communicate with the
Network DaemonSet container using a REST API. The agent is deployed as a
DaemonSet in each node that has host mode enabled. Follow the steps
covered next to create a Docker image for the DaemonSet and configure the
agent.
Figure 4-43 illustrates a sample network setup between pods and nodes.
Figure 4-43 Sample Network setup between pods and nodes

Note
Make sure you have at least one pod with a Java Agent (version
4.4 or higher) deployed to the same cluster as the Network Agent.
Also, ensure that TCP port 3892 is not already used by the node.
Port 3892 will be used by the application pods to communicate
with the DaemonSet.

Creating a Docker Image


To deploy Network Visibility with Kubernetes, you must first create a
Docker image for the Network Visibility DaemonSet and push the image to
your Docker Trusted Registry.
Step 1. Use the sample Dockerfile shown in Figure 4-44 in a text file and
save the file.
Figure 4-44 shows the sample code to create a Docker image.
Figure 4-44 Sample code to create a Docker image
Step 2. Navigate to the directory where you saved the Dockerfile. Build the
Docker image by running the following command:
$ docker build --build-arg NETVIZ_ZIP_PKG=/path/to/netviz-agent-pkg.zip -t appd-netviz .

Step 3. Push the Docker image to your Docker Trusted Registry.


Configuring Network Visibility with Kubernetes
Step 1. Use the configuration shown in Figure 4-45 in a YAML file. This
configuration file is used for deploying the Network Visibility agent.
Figure 4-45 illustrates the sample code for deploying the Network
Visibility Agent.
Figure 4-45 Sample code for deploying the Network Visibility Agent
Step 2. In the configuration file, update these fields:
a. image (under containers): The file path to the DaemonSet image
in your Docker Trusted Registry
b. name (under imagePullSecrets): The key for your Docker
Trusted Registry
Step 3. Deploy the Network Visibility Agent for Kubernetes by running the
following command:
$ kubectl apply -f MyConfigFile.yaml

Configuring Network Visibility to Monitor Application Pods


After installing Network Visibility for Kubernetes, you’ll need to correlate
Network Visibility with a Java Agent. This allows you to map network
metrics to application flows. To do this, deploy at least one pod with a Java
Agent (version 4.4 or higher) to the same cluster as the Network Agent.
Step 1. Open the application’s deployment configuration YAML file with
Kubernetes in a text editor and set the
APPDYNAMICS_NETVIZ_AGENT_HOST and
APPDYNAMICS_NETVIZ_AGENT_PORT values, as shown in
Figure 4-46.

Figure 4-46 Sample Code for the Host and Port values
Step 2. In the Controller UI, enable socket instrumentation so that you can
map network metrics to application flows.
There are more examples for Kubernetes monitoring using Docker Visibility
with Red Hat OpenShift and Kubernetes in the cloud on EKS, AKS, and
GKE, which can be referenced as a part of online documentation and
webinars. Examples are:
https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-
visibility/monitor-containers-with-docker-visibility/use-docker-
visibility-with-red-hat-openshift
https://aws.amazon.com/kubernetes/
https://cloud.google.com/kubernetes-engine/docs

Cloud Monitoring with AppDynamics Cloud


AppDynamics Cloud is a Software as a Service (SaaS) product that offers
cloud-native and full-stack observability for large, managed Kubernetes
deployments on public clouds (Amazon Web Services and Microsoft Azure).
It provides real-time observability across your entire technology stack—
applications, software-defined compute, storage, services, network, and other
infrastructure—through the collection and correlation of metrics, events, logs,
and traces (MELT).
Figure 4-47 provides a high-level overview of how AppDynamics Cloud
works.
Figure 4-47 High-level view of how AppDynamics Cloud works
The AppDynamics Cloud user interface includes a Relationships map,
Interactions map, and Properties panel. Correlating application metrics and
interactions to the cloud infrastructure in a unified view, AppDynamics
Cloud enables you to do the following:
• Automatically discover service instances associated with a cloud
platform account and ingest relevant cloud platform metrics and
metadata.
• Get insights on the impact of cloud provider services on application
performance.
• Compare key performance metadata and visualize data flow based on
application entities and interactions.
• Drill down to the cloud infrastructure layer to understand how two
application service topologies intersect.
• View your application infrastructure data, service, and business
transactions in one application landscape. Determine what
infrastructure exists and where it is located.
AppDynamics Cloud visualizes and correlates metrics, events, logs, and
traces (MELT) data so you can identify, triage, and troubleshoot problems
and analyze performance issues. Additional features include the following:
• Observability for cloud-native architectures at scale
• Correlated full-stack context across domains and data types
• OpenTelemetry-based extensibility

Cloud Infrastructure Monitoring


To get started with monitoring cloud infrastructure, you must configure one
or more Cloud Connections. A Cloud Connection is associated with a cloud
account or subscription and enables AppDynamics Cloud to pull metrics for
the services associated with the account or subscription. The supported
services that AppDynamics Cloud can monitor depend on the target cloud
platform, with AWS and Azure as the two supported cloud platforms.

AWS Cloud Infrastructure Observability


AppDynamics Cloud provides end-to-end visibility into the performance of
the infrastructure running your applications. This solution, along with the
OpenTelemetry-instrumented applications, provides full-stack observability
and simplifies deployment.
The Cloud Monitoring solution does the following:
• Ingests data from cloud services automatically. For example, Amazon
CloudWatch provides metrics for a better understanding of your
resource availability and utilization.
• Enables you to manage alerts based on infrastructure metrics and
monitors the cloud service’s health and performance.
Here are some of the cloud services you can observe:
• AWS Application, Classic, and Network Load Balancers
• Hosts
• Amazon Elastic Compute Cloud
• AppDynamics Hosts
• AWS Databases
• Amazon Relational Database Service (RDS)
• AWS Storage
• Amazon Elastic Block Storage

Azure Cloud Infrastructure Observability


AppDynamics Cloud provides end-to-end visibility into the performance of
the infrastructure running your applications. This solution, along with the
OpenTelemetry-instrumented applications, provides full-stack observability
and simplifies deployment.
The Cloud Monitoring solution for Azure does the following:
• Collects data from Azure monitor without using agents (that is,
agentless monitoring)
• Correlates the data to underlying infrastructure and business
applications
• Baselines performances and alerts customers when there are deviations
AppDynamics Cloud enables you to observe Azure virtual machines,
including Azure virtual machine scale sets (VMSSs).

Summary
This chapter has covered a lot of information around the AppDynamics
monitoring features, including Application Monitoring, End User
Monitoring, Database Visibility, Infrastructure Visibility, and Monitoring
Cloud Applications. It also provided basic information on AppDynamics
Cloud and its ability to provide observability into the AWS and Azure Cloud
infrastructures. There is a lot more to cover in AppDynamics, but what was
covered in this chapter should help you begin to understand AppDynamics
and how it helps in a hybrid cloud environment with its unique
monitoring capabilities.

References/Additional Reading
https://docs.appdynamics.com/appd-cloud/en/what-s-new
https://docs.appdynamics.com/appd-cloud/en/about-appdynamics-cloud
https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-visibility/monitor-containers-with-docker-visibility/use-docker-visibility-with-red-hat-openshift
https://docs.appdynamics.com/appd/21.x/21.3/en/infrastructure-visibility/monitor-kubernetes-with-the-cluster-agent
Chapter 5. Management
Cisco has been working for over three years to bring the industry-leading
Application Resource Management (ARM) capability to Cisco customers. It
started with Cisco Workload Optimization Manager (CWOM). CWOM is
powered by Turbonomic, and it enables Cisco customers to continuously
resource applications to perform at the lowest cost while adhering to policies
irrespective of where the application is hosted (that is, on the premises or in
the cloud, containers, or VMs). In January 2020, Cisco announced Intersight
Workload Optimizer (IWO), which is the integration of CWOM and
Intersight. With IWO, application and infrastructure teams can now speak the
same language to ensure that applications are automatically and continuously
resourced to perform.
Alongside the Intersight Workload Optimizer, Cisco offers Intersight
Kubernetes Service (IKS), which is a fully curated, lightweight container
management platform for delivering multicloud production-grade upstream
Kubernetes. It simplifies the process of provisioning, securing, scaling, and
managing virtualized Kubernetes clusters by providing end-to-end
automation, including the integration of networking, load balancers, native
dashboards, and storage provider interfaces.
This chapter will cover the following topics:
• IT challenges and workload management solutions
• Intersight Workload Optimization Manager
• Cisco Container Platform
• Cisco Intersight Kubernetes Service

IT Challenges and Workload Management Solutions
Managing application resources in a dynamic, hybrid cloud world is
increasingly complex, and IT teams are struggling. With application
components running on the premises and in public clouds, end users can
suffer outages or experience slow application performance because IT teams
simply lack visibility to see how things are connected and how to manage
their dynamic environment at scale.
With more people accessing your business through a digital experience,
application performance is more critical than ever. Managing workload
placement and resources across your ever-changing IT environment is a
complex, time-consuming task that has big implications on user experience
and costs.
Cisco Intersight Workload Optimizer (IWO) discovers how all the parts of
your hybrid world are connected and then automates these day-to-day
operations for you. Supporting more than 50 common platforms and public
clouds, it provides real-time, full-stack visibility across your applications and
infrastructure. Now you can harness the power of data to continuously
monitor supply and demand, match workloads and resources in the most
efficient way, and ensure that governance rules are always enforced. The
result? Better application performance, reduced cost, faster troubleshooting,
and more peace of mind.

Business Impact
Unchecked complexity can result in the following:
• Underutilized on-premises infrastructure: To ensure application
performance, IT teams often allocate resources modeled to peak-load
estimates and/or set conservative utilization limits.
• Public cloud overprovisioning and cost overruns: When planning
and placing workloads in public clouds, IT teams routinely
overprovision computing instance sizes as a hedge to ensure
application performance.
• Wasted time: IT teams end up chasing alerts and meeting in war
rooms to unravel problems instead of supporting innovation.
Figure 5-1 illustrates why managing hybrid cloud resources to ensure
application performance and control costs is a complex problem.

Figure 5-1 Hybrid cloud resources for ensuring performance and cost
The following are some of the challenges of workload management in a
hybrid cloud:
• Siloed teams with different toolsets managing different layers of the
stack and multiple types of resources
• Flying blind without a unified view of the complex interdependencies
between layers of infrastructure and applications across on-premises
and public cloud environments
• Separating the signal from the noise and prioritizing the constant flow
of alerts coming from separate tools
• Lack of visibility into underutilized capacity in public clouds and cost
overruns from unmanaged spikes in utilization
To deal with all this complexity, the only choice is to automate resource
management and workload placement operations. But how? To optimize
effectively, you need a way to collect and track streams of telemetry data
from dozens, hundreds, perhaps thousands of sources. You need a way to
correlate and continuously analyze all of this data to understand how
everything fits together and what’s important, as well as how to decide what
to do from moment to moment as things continue to change. New tooling is
required to connect all the dots and give you the insight you need to stay
ahead of demand, stay ahead of problems, and respond to new projects with
confidence. What if you could create a unified view of your environment and
continuously ensure that applications get the resources they need to perform,
all while increasing efficiency and lowering costs?

Cisco Intersight Workload Optimizer
Cisco Intersight Workload Optimizer is a real-time decision engine that
ensures the health of applications across your on-premises and public cloud
environments while lowering costs. The intelligent software continuously
analyzes workload demand, resource consumption, resource costs, and policy
constraints to determine an optimal balance. Cisco IWO is an artificial
intelligence for IT operations (AIOps) toolset that makes recommendations
for operators and can trigger workload placement and resource allocations in
your data center and the public cloud, thus fully automating real-time
optimization.
With Cisco IWO, infrastructure and operations teams are armed with
visibility, insights, and actions that ensure service level agreements (SLAs)
are met while improving the bottom line. Also, application and DevOps
teams get comprehensive situational awareness so they can deliver high-
performing and continuously available applications.
Benefits of using Cisco Intersight Workload Optimizer:
• Radically simplify application resource management with a single tool
that dynamically optimizes resources in real time to ensure application
performance.
• Continuously optimize critical IT resources, resulting in more efficient
use of existing infrastructure and lower operational costs on the
premises and in the cloud.
• Take the guesswork out of planning for the future with the ability to
quickly model what-if scenarios based on the real-time environment.
Figure 5-2 illustrates how IWO ensures application performance with
continuous visibility, deep insights, and informed actions.

Figure 5-2 Application performance with continuous visibility, deep
insights, and informed actions

CWOM-to-IWO Migration
In June 2019, Turbonomic and CWOM became inaugural members of the
Integration Partner Program (IPP), which takes the technology partnership to
another level by helping joint customers maximize the value of their
AppDynamics and CWOM investment. The extended integration and
partnership delivers on the vision of AIOps, where software is making
dynamic resourcing decisions and automating actions to ensure that
applications are always performing, enabling positive business outcomes and
improved user experiences. Organizations across the world are investing
heavily in developing new applications and innovating faster to deliver better,
more simplified user experiences. The partnership and the combination of
AppDynamics and CWOM ensures that applications are architected and
written well and are continuously resourced for performance.
As a full-stack, real-time decision engine, Intersight Workload Optimizer
revolutionizes how teams manage application resources across their
multicloud landscape, significantly simplifying operations. It delivers
unprecedented levels of visibility, insights, and automated actions, as
customers look to prevent application performance issues.
Figure 5-3 provides a very high-level view of IWO application management.

Figure 5-3 Very high-level view of IWO application management
Simply put, IWO provides the following customer benefits:
• It bridges the gap between application and IT teams to ensure
application performance.
• It eliminates application resourcing as a source of application delay,
meaning applications can perform and continuously deliver services.
• It helps IT departments stop overspending and delivers a modern
application hosting platform to end users.
• It enables high-value application and IT teams to focus on strategy and
innovation without jeopardizing applications.
IWO expands Intersight capabilities. All in one place, Intersight customers
can manage the health of the infrastructure and how well that infrastructure is
utilized to ensure application performance. Additionally, Intersight customers
can monitor and manage application resources on third-party infrastructure,
public cloud, and container environments.

Optimize Hybrid Cloud Infrastructure with IWO
Application resource management is a top-down, application-driven approach
that continuously analyzes applications’ resource needs and generates fully
automatable actions to ensure applications always get what they need to
perform. It runs 24/7/365 and scales with the largest, most complex
environments.
To perform application resource management, Intersight Workload Optimizer
represents your environment holistically as a supply chain of resource buyers
and sellers, all working together to meet application demand. By empowering
buyers (VMs, instances, containers, and services) with a budget to seek the
resources that applications need to perform and empowering sellers to price
their available resources (CPU, memory, storage, network) based on
utilization in real time, IWO keeps your environment within the desired state,
with operating conditions that achieve the following conflicting goals at the
same time:
• Ensured application performance: Prevent bottlenecks, upsize
containers/VMs, prioritize workload, and reduce storage latency
• Efficient use of resources: Consolidate workloads to reduce
infrastructure usage to the minimum, downsize containers, prevent
sprawl, and use the most economical cloud offerings
IWO is a containerized, microservices-architected application running in a
Kubernetes environment (or within a VM) on your network or a public cloud
VPC (Virtual Private Cloud). You assign services running on your network to
be IWO targets. IWO discovers the entities (physical devices, virtual
components, and software components) that each target manages and then
performs analysis, anticipates risks to performance or efficiency, and
recommends actions you can take to avoid problems before they occur.
Intelligent, proactive workload optimization simplifies and automates
operations. With many tools, the focus is on monitoring and alerting users
after a problem has occurred. Cisco IWO is a proactive tool that is designed
to avoid application performance issues in the first place. It continuously
analyzes workload performance, costs, and compliance rules and makes
recommendations on what specific actions to take to avoid issues before they
happen, thus radically simplifying and improving day-to-day operations.
While some tools provide visibility into applications or visibility into an
individual tier of physical or virtual infrastructure, Cisco IWO bridges all
these layers with a single tool. It creates a dynamic dependency graph that
visualizes the connections between application elements and infrastructure
throughout the layers of the stack, all the way down to component resources
within servers, networking, and storage. Figure 5-4 shows how Cisco IWO
analyzes telemetry data across your hybrid cloud environment to optimize
resources and reduce cost.
Figure 5-4 Cisco IWO analyzes telemetry data across your hybrid cloud
environment to optimize resources and reduce cost.
Cisco IWO can optimize workloads in any infrastructure, any environment,
and any cloud, and it works with the industry’s top platforms, including
VMware vSphere, Microsoft Hyper-V, Citrix XenServer, and OpenStack. It
automatically manages compute, storage, and network resources across these
platforms, both on the premises and in the cloud. It analyzes telemetry data
from a broad ecosystem of data center and cloud technologies, with agentless
support for over 50 targets across a range of hypervisors, compute platforms
(including Cisco UCS and HyperFlex), container platforms, public clouds,
and more. Cisco IWO correlates these telemetry sources into a holistic view
to deliver intelligent recommendations and trigger actions, including where to
place workloads and how to size and scale resources.
Cisco Intersight is a cloud operations platform that delivers intelligent
visualization, optimization, and orchestration for applications and
infrastructure across public cloud and on-premises environments. It provides
an essential control point for customers to get more value from hybrid cloud
investments.
The Cisco IWO service extends these capabilities with hybrid cloud
application resource management and support for a broad third-party
ecosystem. With this powerful solution, you can have confidence that your
applications have continuous access to the IT resources they need to perform,
at the lowest cost, whether they reside on the premises or in a public cloud.
The combination of Cisco IWO and AppDynamics can break down siloes
between IT teams. This integration provides a single source of truth for
application and infrastructure teams to work together more effectively,
avoiding finger pointing and late-night war rooms.
AppDynamics discovers and maps your business application topology and
how it uses IT resources. Cisco IWO correlates this data with your
infrastructure stacks to create a dynamic dependency graph of your hybrid IT
environment. It analyzes supply and demand and drives workload placement
and resource allocation actions in your IT environment to help ensure that
application components get the computing, storage, and network resources
they need. Together, these intelligent tools replace sizing guesswork with
real-time analytics and modeling so that you know how much infrastructure
is needed to allow your applications and business to keep pace with demand.
If you have workloads running on the premises and in public clouds, your IT
teams need to make complex, ongoing decisions about where to locate
workloads and how to size resources in order to ensure performance and
minimize cost.
Figuring out what workloads should run where is nearly impossible if you
lack clear visibility into available resources and associated costs. And for
workloads that run in the cloud, how do you determine what cloud instance
or tier is the best fit at the lowest cost? Cloud costs can become volatile, and
you can get lost in a myriad of sizing, placement, and pricing decisions that
can have very expensive consequences. Cisco IWO can help in the following
ways:
• Manage resource allocation and workload placement in all your
infrastructure environments, giving you full-stack visibility in a single
pane of glass for supply and demand across your combined on-
premises and cloud estate.
• Optimize cloud costs with automated selection of instances, reserved
instances (RIs), relational databases, and storage tiers based on
workload consumption and optimal costs.
• Dynamically scale, delete, and purchase the right cloud resources to
ensure performance at the lowest cost.
• Extend on-premises resources by continuously optimizing workload
placement and cutting overprovisioning based on utilization trends.
• De-risk migrations to and from the cloud with a data-driven scenario
modeling engine.
In increasingly competitive markets, more organizations are adopting
containerized deployment options to deliver business-differentiating
applications quickly. Kubernetes has become the de facto standard for
container orchestration and helps to build, deliver, and scale applications
faster. For IT teams, Kubernetes has introduced new layers of complexity
with interdependencies and fluctuating demand that make it nearly
impossible to effectively manage modern IT at scale.
Cisco IWO simplifies Kubernetes deployments and optimizes performance
and cost in real time for ongoing operations in the following ways:
• Container rightsizing: Scale container limits/requests up or down
based on application demand.
• Pod “move”/rescheduling: Reschedule pods while maintaining
service availability to avoid resource fragmentation and/or contention
on the node.
• Cluster scaling: When Cisco IWO sees that pods have too little (or too
much) capacity in a cluster, it will give the recommendation to spin up
another node (or to suspend nodes).
• Container planning: Model what-if scenarios based on your real-time
environment. With a few clicks, you can determine how much
headroom you have in your clusters or simulate adding or removing
Kubernetes pods.
How Intersight Workload Optimizer Works
To keep your infrastructure in the desired state, IWO performs application
resource management. This is an ongoing process that solves the problem of
ensuring application performance while simultaneously achieving the most
efficient use of resources and respecting environment constraints to comply
with business rules. This is not a simple problem to solve. Application resource
management has to consider many different resources and how they are used
in relation to each other, in addition to numerous control points for each
resource. As you grow your infrastructure, the factors for each decision
increase exponentially. On top of that, the environment is constantly
changing—to stay in the desired state, you are constantly trying to hit a
moving target. To perform application resource management, IWO models
the environment as a market made up of buyers and sellers. These buyers and
sellers make up a supply chain that represents tiers of entities in your
inventory. This supply chain represents the flow of resources from the data
center, through the physical tiers of your environment, into the virtual tier
and out to the cloud. By managing relationships between these buyers and
sellers, IWO provides closed-loop management of resources, from the data
center through to the application.
IWO uses virtual currency to give a budget to buyers and assign cost to
resources. This virtual currency assigns value across all tiers of your
environment, making it possible to compare the cost of application
transactions with the cost of space on a disk or physical space in a data
center. The price that a seller charges for a resource changes according to the
seller’s supply. As demand increases, prices increase. As prices change,
buyers and sellers react. Buyers are free to look for other sellers that offer a
better price, and sellers can duplicate themselves (open new storefronts) to
meet increasing demand. IWO uses its Economic Scheduling Engine to
analyze the market and make these decisions. The effect is an invisible hand
that dynamically guides your IT infrastructure to the optimal use of
resources. To get the most out of IWO, you should understand how it models
your environment, the kind of analysis it performs, and the desired state it
works to achieve. Figure 5-5 illustrates the desired state graph for
Infrastructure management.
Figure 5-5 Desired state graph for Infrastructure management
The goal of application resource management is to ensure performance while
maintaining efficient use of resources. When performance and efficiency are
both maintained, the environment is in the desired state. You can measure
performance as a function of delay, where zero delay gives the ideal quality
of service (QoS) for a given service. Efficient use of resources is a function
of utilization, where 100% utilization of a resource is the ideal for the most
efficient utilization.

If you plot delay and utilization, the result is a curve that shows a correlation
between utilization and delay. Up to a point, as you increase utilization, the
increase in delay is slight. There comes a point on the curve where a slight
increase in utilization results in an unacceptable increase in delay. On the
other hand, there is a point in the curve where a reduction in utilization
doesn’t yield a meaningful increase in QoS. The desired state lies within
these points on the curve.
You could set a threshold to post an alert whenever the upper limit is crossed.
In that case, you would never react to a problem until delay has already
become unacceptable. To avoid that late reaction, you could set the threshold
to post an alert before the upper limit is crossed. In that case, you guarantee
QoS at the cost of over-provisioning—you increase operating costs and never
achieve efficient utilization.
Instead of responding after a threshold is crossed, IWO analyzes the
operating conditions and constantly recommends actions to keep the entire
environment within the desired state. If you execute these actions (or let IWO
execute them for you), the environment will maintain operating conditions
that ensure performance for your customers, while ensuring the lowest
possible cost thanks to efficient utilization of your resources.

Understanding the Market and Virtual Currency
To perform application resource management, IWO models the environment
as a market and then uses market analysis to manage resource supply and
demand. For example, bottlenecks form when local workload demand
exceeds the local capacity—in other words, when demand exceeds supply.
By modeling the environment as a market, IWO can use economic solutions
to efficiently redistribute the demand or increase the supply.
IWO uses two sets of abstraction to model the environment:
• Modeling the physical and virtual IT stack as a service supply
chain: The supply chain models your environment as a set of managed
entities. These include applications, VMs, hosts, storage, containers,
availability zones (cloud), and data centers. Every entity is a buyer, a
seller, or both. A host machine buys physical space, power, and
cooling from a data center. The host sells resources such as CPU
cycles and memory to VMs. In turn, VMs buy host services and then
sell their resources (VMem and VCPU) to containers, which then sell
resources to applications.
• Using virtual currency to represent delay or QoS degradation, and
to manage the supply and demand of services along the modeled
supply chain: The system uses virtual currency to value these buy/sell
transactions. Each managed entity has a running budget. The entity
adds to its budget by providing resources to consumers, and the entity
draws from its budget to pay for the resources it consumes. The price
of a resource is driven by its utilization—the more demand for a
resource, the higher its price.
Figure 5-6 illustrates the IWO abstraction model.
Figure 5-6 IWO abstraction model
These abstractions open the whole spectrum of the environment to a single
mode of analysis—market analysis. Resources and services can be priced to
reflect changes in supply and demand, and pricing can drive resource
allocation decisions. For example, a bottleneck (excess demand over supply)
results in rising prices for the given resource. Applications competing for the
same resource can lower their costs by shifting their workloads to other
resource suppliers. As a result, utilization for that resource evens out across
the environment and the bottleneck is resolved.

Risk Index
Intersight Workload Optimizer tracks prices for resources in terms of the
Risk Index (RI). The higher this index for a resource, the more heavily the
resource is utilized, the greater the delay for consumers of that resource, and
the greater the risk to your QoS. IWO constantly works to keep the RI within
acceptable bounds.
You can think of the RI as the cost for a resource, and IWO works to keep the
cost at a competitive level. This is not simply a matter of responding to
threshold conditions. IWO analyzes the full range of buyer/seller
relationships, and each buyer constantly seeks out the most economical
transaction available.
This last point is crucial to understanding IWO. The virtual environment is
dynamic, with constant changes to workload that correspond with the varying
requests your customers make of your applications and services. By
examining each buyer/seller relationship, IWO arrives at the optimal
workload distribution for the current state of the environment. In this way, it
constantly drives your environment toward the desired state.
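The buyer/seller market and the Risk Index described above, as an added toy model that is not IWO's or Turbonomic's code: hosts sell CPU and memory at a price given by a convex utilization curve (the same shape as the delay/QoS curve in the desired-state discussion), VMs on an overloaded host move to the cheapest seller that fits them and that their placement policy allows, and the loop stops once every host is back inside an assumed desired-state band. Host names, capacities, the VM inventory and the band are constructed for the example.

```python
"""Toy market model of IWO-style application resource management.

Added illustration, not IWO's or Turbonomic's code. Hosts sell CPU and
memory priced by a convex utilization curve; VMs buy from the cheapest host
that fits them and satisfies their placement policy. Host names, capacities,
the VM inventory and the desired-state band are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed desired-state upper bound: above it a seller is under pressure and
# its buyers start shopping for a cheaper seller.
DESIRED_HIGH = 0.70

def risk_index(utilization: float) -> float:
    """Price (Risk Index) vs. utilization: a queueing-style 1/(1-u) curve,
    nearly flat at low load and steep near 100%; capped so a saturated
    seller is finite but prohibitively expensive."""
    u = min(max(utilization, 0.0), 0.999)
    return 1.0 / (1.0 - u)

@dataclass
class VM:
    name: str
    cpu: float  # vCPUs requested
    mem: float  # GB requested
    allowed_hosts: Optional[Set[str]] = None  # placement policy; None = anywhere

@dataclass
class Host:
    name: str
    cpu_cap: float
    mem_cap: float
    vms: List[VM] = field(default_factory=list)

    def utilization(self) -> float:
        """Seller utilization: the tighter of CPU and memory."""
        cpu = sum(v.cpu for v in self.vms) / self.cpu_cap
        mem = sum(v.mem for v in self.vms) / self.mem_cap
        return max(cpu, mem)

    def share(self, vm: VM) -> float:
        """Fraction of this host's capacity the VM consumes."""
        return vm.cpu / self.cpu_cap + vm.mem / self.mem_cap

    def quote(self, vm: VM) -> Optional[float]:
        """Price for hosting vm here, or None if policy or capacity forbids."""
        if vm.allowed_hosts is not None and self.name not in vm.allowed_hosts:
            return None
        cpu = (sum(v.cpu for v in self.vms) + vm.cpu) / self.cpu_cap
        mem = (sum(v.mem for v in self.vms) + vm.mem) / self.mem_cap
        if cpu > 1.0 or mem > 1.0:
            return None
        return risk_index(max(cpu, mem)) * self.share(vm)

def current_price(host: Host, vm: VM) -> float:
    """What a buyer pays its present seller at today's utilization."""
    return risk_index(host.utilization()) * host.share(vm)

def run_market(hosts: List[Host], max_rounds: int = 50) -> List[str]:
    """Clear the market: buyers on overloaded sellers move to cheaper ones.
    Prices are re-evaluated after every move. Returns the MOVE actions."""
    actions: List[str] = []
    for _ in range(max_rounds):
        moved = False
        for src in hosts:
            if src.utilization() <= DESIRED_HIGH:
                continue  # within the desired state; no pressure to move
            for vm in list(src.vms):
                best, best_price = None, current_price(src, vm)
                for dst in hosts:
                    price = None if dst is src else dst.quote(vm)
                    if price is not None and price < best_price:
                        best, best_price = dst, price
                if best is not None:
                    src.vms.remove(vm)
                    best.vms.append(vm)
                    actions.append(f"MOVE {vm.name}: {src.name} -> {best.name}")
                    moved = True
                    break  # re-price before considering the next buyer
        if not moved:
            break
    return actions

def utilizations(hosts: List[Host]) -> Dict[str, float]:
    return {h.name: h.utilization() for h in hosts}

def build_sample() -> List[Host]:
    """Constructed inventory: a saturated host, a light one and an idle one."""
    db = VM("db", 8, 64, allowed_hosts={"h1", "h2"})  # policy: never on h3
    h1 = Host("h1", 32, 128, [db, VM("web1", 8, 16), VM("web2", 8, 16), VM("batch", 8, 16)])
    h2 = Host("h2", 32, 128, [VM("app1", 4, 16)])
    return [h1, h2, Host("h3", 32, 128)]

if __name__ == "__main__":
    inventory = build_sample()
    print("before:", utilizations(inventory))
    for action in run_market(inventory):
        print(action)
    print("after: ", utilizations(inventory))
```

In the sample, the idle host h3 would be the cheapest seller for the database VM, but its placement policy keeps it on h1/h2, so the policy constraint wins over price and the web VM is the one that moves to h3.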

Understanding Intersight Workload Optimizer Supply Chain
Intersight Workload Optimizer models your environment as a market of
buyers and sellers. It discovers different types of entities in your environment
via the targets you have added, and it then maps these entities to the supply
chain to manage the workloads they support. For example, for a hypervisor
target, IWO discovers VMs, the hosts and datastores that provide resources to
the VMs, and the applications that use VM resources. For a Kubernetes
target, it discovers services, namespaces, containers, container pods, and
nodes. The entities in your environment form a chain of supply and demand,
where some entities provide resources while others consume the supplied
resources. IWO stitches these entities together, for example, by connecting
the discovered Kubernetes nodes with the discovered VMs in vCenter.

Supply Chain Terminology
Cisco introduces specific terms to express IT resources and utilization in
relation to supply and demand. The terms shown in Table 5-1 are largely
intuitive, but you should understand how they relate to the issues and
activities that are common for IT management.
Table 5-1 The Supply Chain Terminologies Used in IWO
Working with Intersight Workload Optimizer
The public cloud provides compute, storage, and other resources on demand.
By adding an AWS Billing Target (AWS) or Microsoft Enterprise Agreement
(Azure) to use custom pricing and discover reserved instances, you enable
IWO to use that richer pricing information to calculate workload size and RI
coverage for your Azure environment. You can run all of your infrastructure
on a public cloud, or you can set up a hybrid environment where you burst
workload to the public cloud as needed. IWO can analyze the performance of
applications running on the public cloud and then provision more instances as
demand requires. For a hybrid environment, IWO can provision copies of
your application VMs on the public cloud to satisfy spikes in demand, and as
demand falls off, it can suspend those VMs if they’re no longer needed. With
public cloud targets, you can use IWO to perform the following tasks:
• Scale VMs and databases
• Change storage tiers
• Purchase VM reservations
• Locate the most efficient workload placement within the hybrid
environment while ensuring performance
• Detect unused storage volumes

Claiming AWS Targets
For IWO to manage an AWS account, you provide the credentials via the
Access Key that you use to access that account. (For information about
getting an Access Key for an AWS account, see the Amazon Web Services
documentation.)
To add an AWS target, specify the following:
• Custom Target Name: The display name that will be used to identify
the target in the Target List. This is for display in the UI only; it does
not need to match any internal name.
• Access Key: Provide the Access Key for the account you want to
manage.
• Access Key Secret: Provide the Access Key Secret for the account you
want to manage.

Claiming Azure Targets
Microsoft Azure is Microsoft’s infrastructure platform for the public cloud.
You gain access to this infrastructure through a service principal target. To
specify an Azure target, you provide the credentials for the subscription and
IWO discovers the resources available to you through that service principal.
Through Azure service principal targets, IWO automatically discovers the
subscriptions to which the service principal has been granted access in the
Azure portal. This, in turn, creates a derived target for each subscription that
inherits the authorization provided by the service principal (for example,
contributor). You cannot directly modify a derived target, but IWO validates
the target and discovers its inventory as it does with any other target.
To claim an Azure service principal target, you must meet the following
requirements:
• Set up your Azure service principal subscription to grant IWO the
access it needs. To set up the Azure subscription, you must access the
Administrator or Co-Administrator Azure Portal (portal.azure.com).
Note that this access is only required for the initial setup. IWO does
not require this access for regular operation.
• Claim the target with the credentials that result from the subscription
setup (Tenant ID, Client ID, and so on).
• Azure Resource Manager: Intersight Workload Optimizer requires the
Azure Resource Manager deployment and management service. This
provides the management layer that IWO uses to discover and manage
entities in your Azure environment.

Cisco Container Platform
Setting up, deploying, and managing multiple containers for multiple micro-
sized services gets tedious—and difficult to manage across multiple public
and private clouds. IT Ops has wound up doing much of this extra work,
which makes it difficult for them to stay on top of the countless other tasks
they’re already charged with performing. If containers are going to truly be
useful at scale, we have to find a way to make them easier to manage.
The following are the requirements in managing container environments:
• The ability to easily manage multiple clusters
• Simple installation and maintenance
• Networking and security consistency
• Seamless application deployment, both on the premises and in public
clouds
• Persistent storage
That’s where Cisco Container Platform (CCP) comes in, which is a fully
curated, lightweight container management platform for production-grade
environments, powered by Kubernetes, and delivered with Cisco enterprise-
class support. It reduces the complexity of configuring, deploying, securing,
scaling, and managing containers via automation, coupled with Cisco’s best
practices for security and networking. CCP is built with an open architecture
using open source components, so you’re not locked in to any single vendor.
It works across both on-premises and public cloud environments. And
because it’s optimized with Cisco HyperFlex, this preconfigured, integrated
solution sets up in minutes.
The following are the benefits of CCP:
• Reduced risk: CCP is a full-stack solution built and tested on Cisco
HyperFlex and ACI Networking, with Cisco providing automated
updates and enterprise-class support for the entire stack. CCP is built to
handle production workloads.
• Greater efficiency: CCP provides your IT Ops team with a turnkey,
preconfigured solution that automates repetitive tasks and removes
pressure on them to update people, processes, and skill sets in-house. It
provides developers with flexibility and speed to be innovative and
respond to market requirements more quickly.
• Remarkable flexibility: CCP gives you choices when it comes to
deployment—from hyperconverged infrastructure to VMs and bare
metal. Also, because it’s based on open source components, you’re
free from vendor lock-in.
Figure 5-7 provides a holistic overview of CCP.

Figure 5-7 Holistic overview of CCP


Cisco Container Platform ushers all of the tangible benefits of container
orchestration into the technology domain of the enterprise. Based on
upstream Kubernetes, CCP presents a UI for self-service deployment and
management of container clusters. These clusters consume private cloud
resources based on established authentication profiles, which can be bound to
existing RBAC models. The advantage to disparate organizational teams is
the flexibility to consistently and efficiently deploy clusters into IaaS
resources, a feat not easily accomplished and scaled when utilizing script-
based frameworks. Teams can discriminately manage their cluster resources,
including responding to conditions requiring a scale-out or scale-in event,
without fear of disrupting another team’s assets. CCP boasts an innately open
architecture composed of well-established open source components—a
framework embraced by DevOps teams aiming their innovation toward
cloud-neutral work streams.
CCP deploys easily into an existing infrastructure, whether it be of a virtual
or bare-metal nature, to become the turnkey container management platform
in the enterprise. CCP incorporates ubiquitous monitoring and policy-based
security and provides essential services such as load balancing and logging.
The platform can provide applications an extension into network
management, application performance monitoring, analytics, and logging.
CCP offers an API layer that is compatible with Google Cloud Platform and
Google Kubernetes Engine, so transitioning applications potentially from the
private cloud to the public cloud fits perfectly into orchestration schemes.
The case could be made for containerized workloads residing in the private
cloud on CCP to consume services brokered by Google Cloud Platform, and
vice versa. For environments with a Cisco Application Centric Infrastructure
(ACI), Contiv, a CCP component, will secure the containers in a logical
policy-based context. Those environments with Cisco HyperFlex (HX) can
leverage the inherent benefits provided by HX storage and provide persistent
volumes to the containers in the form of FlexVolumes. CCP normalizes the
operational experience of managing a Kubernetes environment by providing
a curated production quality solution integrated with best-of-breed open
source projects. Figure 5-8 illustrates the CCP feature set.
Figure 5-8 CCP feature set
The following are some CCP use cases:
• Simple GUI-driven menu system to deploy clusters: You don’t have
to know the technical details of Kubernetes to deploy a cluster. Just fill
in the questions, and CCP will do the work.
• The ability to deploy Kubernetes clusters in air-gapped sites: CCP
tenant images contain all the necessary binaries and don’t need Internet
access to function.
• Choice of networking solutions: Use Cisco’s ACI plug-in, an industry
standard Calico network, or if scaling is your priority, choose Contiv
with VPP. All work seamlessly with CCP.
• Automated monthly updates: Bug fixes, feature enhancements, and
CVE remedies are pushed automatically every month—not only for
Kubernetes, but also for the underlying operating system (OS).
• Built-in visibility and monitoring: CCP lets you see what’s going on
inside clusters to stay on top of usage patterns and address potential
problems before they negatively impact the business.
• Preconfigured persistent volume storage: Dynamic provisioning
using HyperFlex storage as the default. No additional drivers need to
be installed. Just set it and forget it.
• Deploy EKS clusters using CCP control plane: CCP allows you to
use a single pane of glass for deploying on-premises and Amazon
clusters, plus it leverages Amazon Authentication for both.
• Pre-integrated Istio: It’s ready to deploy and use without additional
administration.

Cisco Container Platform Architecture Overview


At the bottom of the stack is Level 1, the Networking layer, which can
consist of Nexus switches, Application Policy Infrastructure Controllers
(APICs), and Fabric Interconnects (FIs).
Level 2 is the Compute layer, which consists of HyperFlex, UCS, or third-
party servers that provide virtualized compute resources through VMware
and distributed storage resources.
Level 3 is the Hypervisor layer, which is implemented using HyperFlex or
VMware.
Level 4 consists of the CCP control plane and data plane (or tenant clusters).
In the Figure 5-9, the left side shows the CCP control plane, which runs on
four control-plane VMs, and the right side shows the tenant clusters. These
tenant clusters are preconfigured to support persistent volumes using the
vSphere Cloud Provider and Container Storage Interface (CSI) plug-in.
Figure 5-9 provides an overview of the CCP architecture.
Figure 5-9 Container Platform Architecture Overview

Components of Cisco Container Platform


Table 5-2 lists the components of CCP.
Table 5-2 Components of CCP
Sample Deployment Topology
This section describes a sample deployment topology of the CCP and
illustrates the network topology requirements at a conceptual level.
In this case, it is expected that the vSphere-based cluster is set up,
provisioned, and fully functional for virtualization and virtual machine (VM)
functionality before any installation of CCP. You can refer to the standard
VMware documentation for details on vSphere installation. Figure 5-10
provides an example of a vSphere cluster on which CCP is to be deployed.
Figure 5-10 vSphere cluster on which CCP is to be deployed
Once the vSphere cluster is ready to provision VMs, the admin then
provisions one or more VMware port groups (for example, PG10, PG20, and
PG30 in the figure) on which virtual machines will subsequently be
provisioned as container cluster nodes. Basic L2 switching with VMware
vswitch functionality can be used to implement these port groups. IP subnets
should be set aside for use on these port groups, and the VLANs used to
implement these port groups should be terminated on an external L3 gateway
(such as the ASR1K shown in the figure). The control-plane cluster and
tenant-plane Kubernetes clusters of CCP can then be provisioned on these

port groups.
All provisioned Kubernetes clusters may choose to use a single shared port
group, or separate port groups may be provisioned (one per Kubernetes
cluster), depending on the isolation needs of the deployment. Layer 3
network isolation may be used between these different port groups as long as
the following conditions are met:
• There is L3 IP address connectivity among the port group that is used
for the control-plane cluster and the tenant cluster port groups
• The IP address of the vCenter server is accessible from the control-
plane cluster
• A DHCP server is provisioned for assigning IP addresses to the
installer and upgrade VMs, and it must be accessible from the control-
plane cluster port group
The simplest functional topology would be to use a single shared port group
for all clusters with a single IP subnet to be used to assign IP addresses for all
container cluster VMs. This IP subnet can be used to assign one IP per cluster
VM and up to four virtual IP addresses per Kubernetes cluster, but would not
be used to assign individual Kubernetes pod IP addresses. Hence, a
reasonable capacity planning estimate for the size of this IP subnet is as
follows:
(The expected total number of container cluster VMs across all clusters) + 3
× (the total number of expected Kubernetes clusters)

Administering Clusters on vSphere


You can create, upgrade, modify, or delete vSphere on-premises Kubernetes
clusters using the CCP web interface. CCP supports v2 and v3 clusters on
vSphere. The v2 clusters use a single master node for their control plane,
whereas the v3 clusters can use one or three master nodes for their control
plane. The multimaster approach of v3 clusters is the preferred cluster type,
as this approach ensures high availability for the control plane. The following
steps show you how to administer clusters on vSphere:
Step 1. In the left pane, click Clusters and then click the vSphere tab.
Step 2. Click NEW CLUSTER.
Step 3. In the BASIC INFORMATION screen:
a. From the INFRASTRUCTURE PROVIDER drop-down list,
choose the provider related to your Kubernetes cluster.
For more information, see Adding vSphere Provider Profile.
b. In the KUBERNETES CLUSTER NAME field, enter a name for
your Kubernetes tenant cluster.
c. In the DESCRIPTION field, enter a description for your cluster.
d. In the KUBERNETES VERSION drop-down list, choose the
version of Kubernetes that you want to use for creating the cluster.
e. If you are using ACI, specify the ACI profile.
For more information, see Adding ACI Profile.
f. Click NEXT.
Step 4. In the PROVIDER SETTINGS screen:
a. From the DATA CENTER drop-down list, choose the data center
that you want to use.
b. From the CLUSTERS drop-down list, choose a cluster.

Note
Ensure that DRS and HA are enabled on the cluster that you
choose. For more information on enabling DRS and HA on
clusters, see Cisco Container Platform Installation Guide.
c. From the DATASTORE drop-down list, choose a datastore.

Note
Ensure that the datastore is accessible to the hosts in the cluster.
d. From the VM TEMPLATE drop-down list, choose a VM
template.
e. From the NETWORK drop-down list, choose a network.

Note
Ensure that you select a subnet with an adequate number of free IP
addresses. For more information, see Managing Networks. The
selected network must have access to vCenter.
For v2 clusters that use HyperFlex systems:
■ The selected network must have access to the HyperFlex Connect
server to support HyperFlex Storage Provisioners.
■ For HyperFlex Local Network, select k8-priv-iscsivm-network to
enable HyperFlex Storage Provisioners.
f. From the RESOURCE POOL drop-down list, choose a resource
pool.
g. Click NEXT.
Step 5. In the NODE CONFIGURATION screen:
a. From the GPU TYPE drop-down list, choose a GPU type.

Note
GPU configuration applies only if you have GPUs in your
HyperFlex cluster.
b. For v3 clusters, under MASTER, choose the number of master
nodes as well as their VCPU and memory configurations.

Note
You may skip this step for v2 clusters. You can configure the
number of master nodes only for v3 clusters.
c. Under WORKER, choose the number of worker nodes as well as
their VCPU and memory configurations.
d. In the SSH USER field, enter the SSH username.
e. In the SSH KEY field, enter the SSH public key that you want to
use for creating the cluster.

Note
Ensure that you use the Ed25519 or ECDSA format for the public
key. Because RSA and DSA are less-secure formats, Cisco
prevents the use of these formats.
f. In the ROUTABLE CIDR field, enter the IP addresses for the pod
subnet in the CIDR notation.
g. From the SUBNET drop-down list, choose the subnet that you
want to use for this cluster.
h. In the POD CIDR field, enter the IP addresses for the pod subnet
in the CIDR notation.
i. In the DOCKER HTTP PROXY field, enter a proxy for the
Docker.
j. In the DOCKER HTTPS PROXY field, enter an HTTPS proxy
for the Docker.
k. In the DOCKER BRIDGE IP field, enter a valid CIDR to
override the default Docker bridge.

Note
If you want to install the HX-CSI add-on, ensure that you set the
CIDR network prefix of the DOCKER BRIDGE IP field to /24.
l. Under DOCKER NO PROXY, click ADD NO PROXY and then
specify a comma-separated list of hosts that you want to exclude
from proxying.
m. In the VM USERNAME field, enter the VM username that you
want to use as the login for the VM.
n. Under NTP POOLS, click ADD POOL to add a pool.
o. Under NTP SERVERS, click ADD SERVER to add an NTP
server.
p. Under ROOT CA REGISTRIES, click ADD REGISTRY to add
a root CA certificate to allow tenant clusters to securely connect to
additional services.
q. Under INSECURE REGISTRIES, click ADD REGISTRY to
add Docker registries created with unsigned certificates.
r. For v2 clusters, under ISTIO, use the toggle button to enable or
disable Istio.
s. Click NEXT.
Step 6. For v2 clusters, to integrate Harbor with CCP:

Note
Harbor is currently not available for v3 clusters.
a. In the Harbor Registry screen, click the toggle button to enable
Harbor.
b. In the PASSWORD field, enter a password for the Harbor server
administrator.
c. In the REGISTRY field, enter the size of the registry in gigabits.
d. Click NEXT.
Step 7. In the Summary screen, verify the configuration and then click
FINISH.
Administering Amazon EKS Clusters Using CCP Control Plane
Before you begin, make sure you do the following:
• Added your Amazon provider profile.
• Added the required AMI files to your account.
• Created an AWS IAM role for the CCP usage to create AWS EKS
clusters.
Here is the procedure for administering Amazon EKS clusters using the CCP
control plane:
Step 1. In the left pane, click Clusters and then click the AWS tab.
Step 2. Click NEW CLUSTER.
Step 3. In the Basic Information screen, enter the following information:
a. From the INFRASTRUCTURE PROVIDER drop-down list,
choose the provider related to the appropriate Amazon account.
b. From the AWS REGION drop-down list, choose an appropriate
AWS region.

Note
Not all regions support EKS. Ensure that you select a supported
region. Currently, CCP supports the ap-northeast-1, ap-northeast-
2, ap-southeast-1, ap-southeast-2, eu-central-1, eu-north-1, eu-
west-1, eu-west-2, eu-west-3, us-east-1, us-east-2, and us-west-2
regions.
c. In the KUBERNETES CLUSTER NAME field, enter a name for
your cluster.
d. Click NEXT.
Step 4. In the Node Configuration screen, specify the following
information:
a. From the INSTANCE TYPE drop-down list, choose an instance
type for your cluster.
b. From the MACHINE IMAGE drop-down list, choose an
appropriate CCP Amazon Machine Image (AMI) file.
To add AMI files to your Amazon account.
c. In the WORKER COUNT field, enter an appropriate number of
worker nodes.
d. From the SSH PUBLIC KEY drop-down list, choose an appropriate
authentication key.
This field is optional. It is needed if you want to SSH to the worker
nodes for troubleshooting purposes. Ensure that you use the
Ed25519 or ECDSA format for the public key.

Note
Because RSA and DSA are less-secure formats, Cisco prevents the
use of these formats.
e. In the IAM ACCESS ROLE ARN field, enter the Amazon
Resource Name (ARN) information.

Note
By default, the AWS credentials specified at the time of Amazon
EKS cluster creation (that is, the credentials configured in the
Infrastructure Provider) are mapped to the Kubernetes cluster-
admin ClusterRole. A default ClusterRoleBinding binds the
credentials to the system:masters group, thereby granting
superuser access to the holders of the IAM identity. The IAM
ACCESS ROLE ARN field allows you to specify the ARN of an
additional AWS IAM role or IAM user who is also granted
administrative control of the cluster.
f. Click NEXT.
Step 5. In the VPC Configuration screen, specify the following information:
a. In the SUBNET CIDR field, enter a value of the overall subnet
CIDR for your cluster.
b. In the PUBLIC SUBNET CIDR field, enter values for your
cluster on separate lines.
c. In the PRIVATE SUBNET CIDR field, enter values for your
cluster on separate lines.
Step 6. In the Summary screen, review the cluster information and then click
FINISH.
Cluster creation can take up to 20 minutes. You can monitor the
cluster creation status on the Clusters screen.

Note
If you receive the “Could not get token: AccessDenied” error
message, this indicates that the AWS account is not a trusted entity
for the Role ARN.
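The public-key rule that appears in both the vSphere procedure (Step 5e) and the Amazon EKS procedure (Step 4d) above, Ed25519 or ECDSA only, with RSA and DSA refused, can be enforced before a key is pasted into either form. The following is an added example, not code from the book or from Cisco Container Platform. It decodes the key blob's wire format (RFC 4253 section 6.6) to read the real key type rather than trusting the text prefix, so a relabelled RSA key is caught as well. The sample key lines are built from placeholder bytes and are not real keys.

```python
"""Check an SSH public key line against the key-type rule stated in the notes above.

Added example; not code from the book or from Cisco Container Platform. The key
type is taken from the base64 blob (RFC 4253 section 6.6 wire format), so the
text prefix cannot be used to smuggle a different key type through. The sample
key lines are constructed from placeholder bytes and are not real keys.
"""
import base64
import binascii
import struct
from typing import Tuple

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
REJECTED_TYPES = {"ssh-rsa", "ssh-dss"}  # RSA and DSA, refused per the note


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire string (RFC 4251 section 5)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Decode one length-prefixed string; returns (value, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def check_ssh_public_key(line: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one authorized_keys-style line.

    The type inside the blob is authoritative, so a line relabelled
    'ssh-ed25519' in front of an RSA blob is still rejected.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<type> <base64-blob> [comment]'"
    prefix, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        raw_type, _ = _read_ssh_string(blob)
    except (ValueError, binascii.Error) as exc:
        return False, f"undecodable key blob: {exc}"
    blob_type = raw_type.decode("ascii", errors="replace")
    if blob_type != prefix:
        return False, f"prefix {prefix!r} does not match blob type {blob_type!r}"
    if blob_type in REJECTED_TYPES:
        return False, f"{blob_type} is not permitted (RSA and DSA are refused)"
    if blob_type not in ALLOWED_TYPES:
        return False, f"unknown key type {blob_type!r}"
    return True, f"{blob_type} accepted"


def _constructed_key_line(key_type: str, body: bytes) -> str:
    """Build a syntactically valid key line from placeholder bytes (not a real key)."""
    blob = _ssh_string(key_type.encode("ascii")) + _ssh_string(body)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} constructed-example"


# Constructed samples: all-zero / tiny bodies, never usable as real keys.
SAMPLE_ED25519 = _constructed_key_line("ssh-ed25519", bytes(32))
SAMPLE_ECDSA = _constructed_key_line("ecdsa-sha2-nistp256", b"nistp256")
SAMPLE_RSA = _constructed_key_line("ssh-rsa", b"\x01\x00\x01")
# Same RSA blob, but relabelled as Ed25519 in the text prefix.
SAMPLE_MISLABELLED = "ssh-ed25519 " + SAMPLE_RSA.split()[1] + " constructed-example"

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_ECDSA, SAMPLE_RSA, SAMPLE_MISLABELLED):
        print(check_ssh_public_key(sample))
```

The same check is worth running in any automation that submits keys to the CCP API, so a rejected key is caught in the pipeline rather than at cluster creation time.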
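The note under Step 4e above says that the provider credentials, and any IAM ACCESS ROLE ARN you add, end up in the system:masters group, which the default ClusterRoleBinding maps to cluster-admin. On EKS that IAM-to-Kubernetes mapping lives in the kube-system/aws-auth ConfigMap (the cluster creator's identity is mapped implicitly and does not appear there), and the following is an added example of auditing it for superusers; it is not code from the book, from Cisco Container Platform or from AWS. The ConfigMap contents, account id, role and user names are constructed.

```python
"""List the IAM identities an EKS cluster maps to the Kubernetes system:masters group.

Added example; not code from the book, Cisco Container Platform or AWS. EKS keeps
its IAM-to-Kubernetes identity mapping in the kube-system/aws-auth ConfigMap,
whose mapRoles and mapUsers values are YAML lists; the cluster creator's identity
is mapped to system:masters implicitly and does not appear there. The ConfigMap
contents below are constructed (fictitious account id, role and user names) to
resemble a cluster where CCP was given an IAM ACCESS ROLE ARN.
"""
from typing import Dict, List, Optional, Union

SUPERUSER_GROUP = "system:masters"  # bound to cluster-admin by default

Entry = Dict[str, Union[str, List[str]]]

# Constructed .data.mapRoles value, as 'kubectl -n kube-system get configmap
# aws-auth -o json' would return it.
SAMPLE_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/example-eks-node-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/example-ccp-access-role
  username: ccp-access
  groups:
    - system:masters
- rolearn: arn:aws:iam::111122223333:role/example-auditor-role
  username: auditor
  groups:
    - view-only
"""

# Constructed .data.mapUsers value.
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/example-break-glass
  username: break-glass
  groups:
    - system:masters
"""


def parse_aws_auth_list(text: str) -> List[Entry]:
    """Parse the restricted YAML shape used by aws-auth mapRoles / mapUsers.

    Handles a sequence of mappings with scalar values plus one nested scalar
    list per entry (groups). That is enough for this ConfigMap and keeps the
    example dependency-free; arbitrary YAML needs a real parser.
    """
    entries: List[Entry] = []
    current_list: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and ": " in line:
            # "- key: value" starts a new mapping entry
            key, value = line[2:].split(": ", 1)
            entries.append({key.strip(): value.strip()})
            current_list = None
        elif line.startswith("- "):
            # "- scalar" belongs to the list opened by the last "key:" line
            if current_list is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            current_list.append(line[2:].strip())
        elif not entries:
            raise ValueError(f"mapping line before any entry: {raw!r}")
        elif line.endswith(":"):
            # "key:" opens a nested list
            current_list = []
            entries[-1][line[:-1].strip()] = current_list
        elif ": " in line:
            key, value = line.split(": ", 1)
            entries[-1][key.strip()] = value.strip()
            current_list = None
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return entries


def find_superusers(map_roles: str, map_users: str) -> List[str]:
    """Return the role and user ARNs that carry the system:masters group."""
    found: List[str] = []
    for entry in parse_aws_auth_list(map_roles):
        if SUPERUSER_GROUP in entry.get("groups", []):
            found.append(str(entry["rolearn"]))
    for entry in parse_aws_auth_list(map_users):
        if SUPERUSER_GROUP in entry.get("groups", []):
            found.append(str(entry["userarn"]))
    return found


if __name__ == "__main__":
    for arn in find_superusers(SAMPLE_MAP_ROLES, SAMPLE_MAP_USERS):
        print("system:masters:", arn)
```

Against a live cluster, pass the `mapRoles` and `mapUsers` strings from `kubectl -n kube-system get configmap aws-auth -o json` to `find_superusers`; every ARN it returns holds the same superuser access as the cluster creator, so each one should be a role you expected to see (for example the ARN entered in the IAM ACCESS ROLE ARN field). Newer EKS clusters can also grant cluster access through EKS access entries, which this ConfigMap does not show.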

Licensing and Updates


You need to configure Cisco Smart Software Licensing on the Cisco Smart
Software Manager (Cisco SSM) to easily procure, deploy, and manage
licenses for your CCP instance. The number of licenses required depends on
the number of VMs necessary for your deployment scenario.
Cisco SSM enables you to manage your Cisco Smart Software Licenses from
one centralized website. With Cisco SSM, you can organize and view your
licenses in groups called “virtual accounts.” You can also use Cisco SSM to
transfer the licenses between virtual accounts, as needed.
You can access Cisco SSM from the Cisco Software Central home page,
under the Smart Licensing area. CCP is initially available for a 90-day
evaluation period, after which you need to register the product.

Connected Model
In a connected deployment model, the license usage information is directly
sent over the Internet or through an HTTP proxy server to Cisco SSM.
For a higher degree of security, you can opt to use a partially connected
deployment model, where the license usage information is sent from CCP to
a locally installed VM-based satellite server (Cisco SSM satellite). Cisco
SSM satellite synchronizes with Cisco SSM on a daily basis.

Registering CCP Using a Registration Token


You need to register your CCP instance with Cisco SSM or Cisco SSM
satellite before the 90-day evaluation period expires. The following is the
procedure for registering CCP using a registration token, and Figure 5-11
shows the workflow for this procedure.

Figure 5-11 Registering CCP using a registration token


Step 1. Perform these steps on Cisco SSM or Cisco SSM satellite to generate
a registration token:
a. Go to Inventory > Choose Your Virtual Account > General and
then click New Token.
b. If you want to enable higher levels of encryption for the products
registered using the registration token, check the Allow Export-
Controlled functionality on the products registered with this
token check box.

Note
This option is available only if you are compliant with the Export-
Controlled functionality.
c. Download or copy the token.
Step 2. Perform these steps in the CCP web interface to register the
registration token and complete the license registration process:
a. In the left pane, click Licensing.
b. In the license notification, click Register.
The Smart Software Licensing Product Registration dialog box
appears.
c. In the Product Instance Registration Token field, enter, copy
and paste, or upload the registration token that you generated in
Step 1.
d. Click REGISTER to complete the registration process.

Upgrading Cisco Container Platform


Upgrading CCP and upgrading tenant clusters are independent operations.
You must upgrade CCP to allow tenant clusters to upgrade. Specifically,
tenant clusters cannot be upgraded to a higher version than the control plane.
For example, if the control plane is at version 1.10, the tenant cluster cannot
be upgraded to the 1.11 version.
Upgrading CCP is a three-step process:
• Upgrade the CCP tenant base VM.
• Deploy/upgrade the VM.
• Upgrade the CCP control plane.
You can update the size of a single IP address pool during an upgrade.
However, we recommend that you plan ahead for the free IP address
requirement by ensuring that the free IP addresses are available in the control
plane cluster prior to the upgrade.
If you are upgrading from an earlier CCP version, ensure that enough free IP
addresses are available:
• At least five IP addresses (3.1.x or earlier).
• At least three IP addresses (3.2 or later).
To get the latest step-by-step upgrade procedure, refer to the CCP
upgrade guide.

Cisco Intersight Kubernetes Service


Cisco Intersight Kubernetes Service (IKS) effectively expands CCP’s
functionality to benefit from Intersight’s native infrastructure management
capabilities, further simplifying building and managing Kubernetes
environments. IKS is a SaaS offering, taking away the hassle of installing,
hosting, and managing a container management solution. For organizations
with specific requirements, it also offers two additional deployment options
(with a virtual appliance). So, let’s take a look at how IKS can make our lives
easier. Figure 5-12 provides an overview of Intersight Cloud management.
Figure 5-12 Intersight Cloud management

Benefits of IKS
The following are the benefits of using IKS:
• Simplify Kubernetes Day 0 to Day N operations and increase
application agility with a turnkey SaaS platform that makes it easy to
deploy and manage clusters across data centers, the edge, and public
clouds.
• Reduce risk, lower cost, improve governance, and take multicloud
control on a security-hardened platform, with enhanced availability,
native integrations with AWS, Azure, and Google Cloud, and end-to-
end industry-leading Cisco TAC support.
• Get more value from your investments with a flexible, extensible
Kubernetes platform that supports multiple delivery options,
hypervisors, storage, and bare-metal configurations.
• Automate and simplify with self-service built-in add-ons and
optimizations such as AI/ML frameworks, service mesh, networking,
monitoring, logging, and persistent object storage.

Common Use Case


A good example comes from the retail sector: an IT admin needs to quickly
create and configure hundreds of edge locations for the company’s retail
branches to perform AI/ML processing and a few core ones in privately
owned or co-located data centers. The reason it makes sense for processing or
storing large chunks of data at the edge is the cost of shipping the data back
to the core DC or to a public cloud (and latency to a certain extent).
Creating those Kubernetes clusters would require firmware upgrades as well
as OS and hypervisor installations before the IT admin can even get to the
container layer. With Cisco Intersight providing a comprehensive, common
orchestration and management layer—from server and fabric management to
hyperconverged infrastructure management to Kubernetes—creating a
container environment from scratch can be literally done with just a few
clicks. Figure 5-13 illustrates a high-level architecture of IKS.
Figure 5-13 Architecture of IKS
IT admins can use either the IKS GUI or its APIs, or they can integrate with
an Infrastructure as Code plan (such as HashiCorp’s Terraform) to quickly
deploy a Kubernetes environment on a variety of platforms—VMware ESXi
hypervisors or Cisco HyperFlex—thus enabling significant savings and
efficiency without the need for virtualization.

Deploying Consistent, Production-Grade Kubernetes Anywhere


Few open source projects have been as widely and rapidly adopted as
Kubernetes (K8s), the de facto container orchestration platform. With
Kubernetes, development teams can deploy, manage, and scale their
containerized applications with ease, making innovations more accessible to
their continuous delivery pipelines. However, Kubernetes comes with
operational challenges, because it requires time and technical expertise to
install and configure. Multiple open source packages need to be combined on
top of a heterogeneous infrastructure, across on-premises data centers, edge
locations, and, of course, public clouds. Installing Kubernetes and the
different software components required, creating clusters, configuring
storage, networking, and security, optimizing for AI/ML, and other manual
tasks can slow down the pace of development and can result in teams
spending hours debugging. In addition, maintaining all these moving parts
(for example, upgrading, updating, and patching critical security bugs)
requires ongoing significant human capital investment.
The solution? Cisco Intersight Kubernetes Service (IKS), a turnkey SaaS
solution for managing consistent, production-grade Kubernetes anywhere.

How It Works
Cisco Intersight Kubernetes Service (IKS) is a fully curated, lightweight
container management platform for delivering multicloud, production-grade,
upstream Kubernetes. Part of the modular SaaS Cisco Intersight offerings
(with an air-gapped on-premises option also available), IKS simplifies the
process of provisioning, securing, scaling, and managing virtualized or bare-
metal Kubernetes clusters by providing end-to-end automation, including the
integration of networking, load balancers, native dashboards, and storage
provider interfaces. It also works with all the popular public cloud–managed
K8s offerings, integrating with common identity access with AWS Elastic
Kubernetes Service (EKS), Azure Kubernetes Service (AKS) and Google
Cloud Google Kubernetes Engine (GKE). IKS is ideal for AI/ML
development and data scientists looking for delivering GPU-enabled clusters,
and Kubeflow support with a few clicks. It also offers enhanced availability
features, such as multimaster (tenant) and self-healing (operator model).
IKS is easy to install in minutes and can be deployed on top of VMware
ESXi hypervisors, Cisco HyperFlex Application Platform (HXAP)
hypervisors, and/or directly on Cisco HyperFlex Application Platform bare-
metal servers, enabling significant savings and efficiency without the need for
virtualization. In addition, with HXAP leveraging container-native
virtualization capabilities, you can run virtual machines (VMs), VM-based
containers, and bare-metal containers on the same platform! Cisco Intersight
also offers native integrations with Cisco HyperFlex (HX) for enterprise-class
storage capabilities (for example, persistent volume claims and public cloud-
like object storage) and Cisco Application Centric Infrastructure (Cisco ACI)
for networking, in addition to the industry-standard Container Storage
Interface and Container Network Interface (for example, Calico).
Intersight Kubernetes Service integrates seamlessly with the other Cisco
Intersight SaaS offerings to deliver a powerful, comprehensive cloud
operations platform to easily and quickly deploy, optimize, and lifecycle-
manage end-to-end infrastructure, workloads, and applications. Figure 5-14
illustrates the benefits of IKS.

Figure 5-14 Benefits of IKS

IKS Release Model


IKS software follows a continuous-delivery release model that delivers
features and maintenance releases. This approach enables Cisco to introduce
stable and feature-rich software releases in a reliable and frequent manner
that aligns with Kubernetes supported releases.
Intersight Kubernetes Service Release and Support Model:
• The IKS team supports releases from N-1 versions of Kubernetes. The
team will not fully support/make available IKS versions older than N-
1.
• IKS follows a fix-forward model that requires release upgrades to fix
issues. Release patches are not necessary with this model.
• Tenant images are versioned according to which version of Kubernetes
they contain.

Deploy Kubernetes from Intersight


The Intersight policies allow simplified deployments, as they abstract the
configuration into reusable templates. The following sections outline the
steps involved in deploying Kubernetes from Intersight.

Step 1: Configure Policies


All policies are created under the Configure > Policies and Configure > Pools
sections on Intersight. You can see the path of each policy at the top of the
following figures.
1. The IP Pool will be used for the IP addresses of the control and
worker node virtual machines when they are launched on the ESXi
host. Figure 5-15 illustrates the IPv4 Pool details for policy
configuration.
Figure 5-15 IPv4 Pool details for policy configuration
2. The Pod and Services Network CIDR is defined for internal
networking within the Kubernetes cluster. Figure 5-16 illustrates
the CIDR network to be used for the pods and services.
Figure 5-16 CIDR network to be used for the pods and services
3. The DNS and NTP configuration policy defines your NTP and
DNS configuration (see Figure 5-17).
Figure 5-17 DNS and NTP configuration policy
4. You can define the proxy configuration policy for your Docker
container runtime. Figure 5-18 illustrates this policy.
Figure 5-18 Policy for configuring a proxy for Docker
5. In the master and worker node VM policy, you define the
configuration needed on the virtual machines deployed as Master
and Worker nodes (see Figure 5-19).
Figure 5-19 Master and worker node VM policy
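Before binding these policies into a profile, it is worth checking that the IP pool, the pod and services CIDRs and the Docker settings fit together. The following is an added example, not code from the book, Cisco Container Platform or Intersight. It applies the rules stated earlier in this chapter (the node-subnet capacity estimate of one address per cluster VM plus a few virtual IPs per cluster, the /24 Docker bridge when HX-CSI is installed, and one or three masters for v3 clusters) plus one assumption that the text does not state: the Kubernetes default of a /24 pod range per node. All CIDRs and node counts are constructed.

```python
"""Sanity-check a tenant cluster's address plan before the profile is deployed.

Added example; not code from the book, Cisco Container Platform or Intersight.
Rules taken from the text: the node IP pool must hold one address per cluster
VM plus virtual IPs per Kubernetes cluster (the text's estimate uses three), the
pod and service CIDRs are internal to the cluster and must not overlap the node
subnet, the Docker bridge must be a /24 when the HX-CSI add-on is used, and v3
clusters run one or three masters. Assumed here (not stated by the text): the
Kubernetes default of a /24 slice of the pod CIDR per node
(kube-controller-manager node-cidr-mask-size). All CIDRs below are constructed.
"""
import ipaddress
from typing import List


def plan_findings(node_subnet: str, free_node_ips: int, pod_cidr: str,
                  service_cidr: str, docker_bridge: str, masters: int,
                  workers: int, clusters: int = 1, hx_csi: bool = False,
                  vips_per_cluster: int = 3) -> List[str]:
    """Return the problems found; an empty list means the plan passes."""
    problems: List[str] = []
    try:
        nets = {
            "node subnet": ipaddress.IPv4Network(node_subnet, strict=True),
            "pod CIDR": ipaddress.IPv4Network(pod_cidr, strict=True),
            "service CIDR": ipaddress.IPv4Network(service_cidr, strict=True),
            "docker bridge": ipaddress.IPv4Network(docker_bridge, strict=True),
        }
    except ValueError as exc:  # host bits set, bad prefix, not IPv4, ...
        return [f"invalid CIDR: {exc}"]

    # 1. No two ranges may overlap; nodes, pods, services and the Docker bridge
    #    are routed differently, and an overlap silently misroutes traffic.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 2. Capacity estimate from the text: cluster VMs + VIPs per Kubernetes cluster.
    nodes_per_cluster = masters + workers
    vms = nodes_per_cluster * clusters
    vips = vips_per_cluster * clusters
    if vms + vips > free_node_ips:
        problems.append(f"node subnet {nets['node subnet']} needs {vms + vips} free "
                        f"addresses ({vms} VMs + {vips} VIPs) but only "
                        f"{free_node_ips} are free")

    # 3. Assumed Kubernetes default: each node gets a /24 of the (per-cluster) pod CIDR.
    pod_net = nets["pod CIDR"]
    if pod_net.prefixlen > 24:
        problems.append(f"pod CIDR {pod_net} is smaller than one per-node /24")
    elif 2 ** (24 - pod_net.prefixlen) < nodes_per_cluster:
        problems.append(f"pod CIDR {pod_net} holds {2 ** (24 - pod_net.prefixlen)} "
                        f"per-node /24 ranges but {nodes_per_cluster} nodes are planned")

    # 4. The HX-CSI add-on requires a /24 Docker bridge.
    if hx_csi and nets["docker bridge"].prefixlen != 24:
        problems.append(f"docker bridge {nets['docker bridge']} must be a /24 "
                        f"when HX-CSI is installed")

    # 5. v3 clusters run one or three master nodes.
    if masters not in (1, 3):
        problems.append(f"master count {masters} is not 1 or 3")
    return problems


if __name__ == "__main__":
    # Constructed plan: two clusters of 3 masters + 5 workers on a /24 node subnet.
    for finding in plan_findings("10.10.20.0/24", free_node_ips=100,
                                 pod_cidr="192.168.0.0/16",
                                 service_cidr="10.96.0.0/12",
                                 docker_bridge="172.17.0.0/24",
                                 masters=3, workers=5, clusters=2, hx_csi=True):
        print("problem:", finding)
```

The overlap check is the one most often missed in practice: a service CIDR that happens to contain the node subnet, or a Docker bridge that collides with a corporate range reached through the Docker proxy, produces clusters that deploy cleanly and then lose traffic.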

Step 2: Configure Profile


Once you have created the preceding policies, you bind them into a
profile that you can then deploy.
Deploying the configuration using policies and profiles abstracts the
configuration layer so that it can be repeatedly deployed quickly.
1. You can copy this profile and, within minutes, create a new one with
modified underlying policies and apply it to one or more Kubernetes
clusters, in a fraction of the time the manual process needs. Figure
5-20 illustrates the name and tag configuration in the profile.
Figure 5-20 Name and tag configuration in the profile
2. Set the Pool, Node OS, Network CIDR policies. You also need to
configure a user ID and SSH key (public). Its corresponding
private key would be used to ssh into the Master and Worker
nodes. Figure 5-21 illustrates the created policies being referred to
in the profile.

Figure 5-21 Created policies being referred to in the profile
3. Configure the control plane. You can define how many Master
nodes you would need on the control plane. Figure 5-22 illustrates
the K8s cluster configuration and number of Master nodes.
Figure 5-22 Cluster configuration and number of Master nodes
4. Configure the Worker nodes. Depending on the application
requirements, you can scale up or scale down your Worker nodes.
Figure 5-23 illustrates the K8s cluster configuration and number of
Worker nodes.
Figure 5-23 Cluster configuration and number of Worker nodes
5. Configure add-ons. As of now, you can automatically deploy the
Kubernetes Dashboard and Grafana with Prometheus monitoring.
More add-ons that IKS can deploy automatically will be added in the
future. Figure 5-24 illustrates the K8s cluster add-ons
configuration.
Figure 5-24 Cluster add-ons configuration
6. Check the Summary and click Deploy.
Figure 5-25 illustrates the K8s cluster Summary and Deployment
screen.
Figure 5-25 Cluster Summary and Deployment screen

Summary
Containers are the latest—and arguably one of the most powerful—
technologies to emerge over the past few years to change the way we
develop, deploy, and manage applications. The days of the massive software
release are quickly becoming a thing of the past. In their place are continuous
development and upgrade cycles that are allowing a lot more innovation and
quicker time to market, with a lot less disruption—for customers and IT
organizations alike.
With these new Cisco solutions, you can deploy, monitor, optimize, and auto-
scale your applications.
References/Additional Reading
cisco.com/c/en/us/products/collateral/cloud-systems-management/intersight-workload-optimizer/solution-overview-c22-744342.html
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/intersight/217640-configure-deployment-of-kubernetes-clust.html
https://blogs.cisco.com/cloud/ciscocontainerplatform
https://www.cisco.com/c/dam/global/en_uk/products/cloud-systems-management/pdfs/cisco-container-platform-at-a-glance.pdf
https://blogs.cisco.com/cloud/saas-based-kubernetes-lifecycle-management-an-introduction-to-intersight-kubernetes-service?ccid=cc001268
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/intersight/at-a-glance-c45-744332.html
Chapter 6. Cisco Cloud Webex Application
Collaboration is a key component of any IT solution, and Cisco Webex
provides an ideal platform for staying connected and collaborating with
individuals, teams, and meetings to move projects forward faster. In this
chapter, we are going to cover the Cisco Webex application, which provides
new and advanced features in instant messaging and presence, voice and
video communication, business-to-business communication, Public Switched
Telephone Network (PSTN) access, mobile and remote access, and web
conferencing and meetings. We cover these topics in detail in the following
sections.

Cisco Webex Features


Cisco Webex is a cloud collaboration platform that provides messaging,
calling, and meeting features. Cisco Webex Teams is a client application that
connects to this platform and provides a comprehensive tool for teamwork.
Users can send messages, share files, and meet with different teams, all in
one place. Figure 6-1 lists the top collaboration priorities.
Figure 6-1 Top collaboration priorities
Cisco Webex Suite gives today’s increasingly distributed organizations a
seamless way to collaborate. It’s one unified offering for calling, meetings,
messaging, polling, events, and more.
The Webex Suite is comprehensive enough to address the collaboration needs
of every type of business, yet adaptable to accommodate future needs. It
delivers AI-driven intelligence that creates ever more engaging and inclusive
collaboration experiences, enterprise-grade security that ensures your data is
always protected, and frictionless deployment and management. Figure 6-2
shows the features of Webex Suite.

Figure 6-2 Webex Suite
Webex is one easy-to-use and secure app for calling, messaging, meeting,
and getting work done. It has the following features:
• In-meeting reactions with emojis and hand gestures let you express
yourself nonverbally and bring a little fun into your meetings.
• Immersive share lets you use your presentation or screen as your
virtual background, giving participants an impressive viewing
experience.
• Webex Assistant, your in-meeting digital assistant, provides live
translations into 10 languages.
• With artificial intelligence (AI), Webex surfaces your most important
messages to the top so you can be more productive. You can also
personalize Webex spaces with colors, images, and co-branding.
• Move a 1:1 telephone call into a Webex video meeting and take
advantage of AI transcriptions, notes and action items, and recordings.

Webex Cloud Calling


Cloud Calling enables your team to work from anywhere with complete call
control capabilities that are easy to procure, onboard, and manage through a
central management portal. You can experience enterprise-grade calling
features and crystal-clear audio and video with robust security that is globally
available in every major region at an affordable price. What’s more, you can
transition to the cloud at your own pace with migration strategies that are
tailored to you, and you can even leverage on-premises investments. You can
also discover how your teams work with advanced analytics and accurate
performance indicators. This gives you timely and actionable data insights
that can improve performance and productivity. Figure 6-3 shows a secure
and reliable cloud call.

Figure 6-3 Webex Calling


A complete and connected cloud phone service that integrates with your
collaboration tools, Cloud Calling and Collaboration provides businesses
with the flexibility, reliability, and security needed to power hybrid work in
today’s global economy. Critical factors to consider when migrating to the
cloud include the following:
• A complete collaboration experience
• Calling and device innovation
• Migration flexibility
• PSTN options
Cloud Calling covers all the bases—merging, call waiting, holding,
forwarding, do not disturb, visual voicemail, and more. Figure 6-4 shows the
Webex Calling features.
Figure 6-4 Webex Calling features
Webex Calling allows you to elevate a call to a meeting. You can move your
call from one device to another or turn it into a video meeting
instantaneously. Webex Calling also allows you to take more business calls
with a phone menu, extensions, and intelligent call-routing features. All of
this, with increased in-built security that allows you to stay connected and
secure. Figure 6-5 shows the Webex voicemail feature.

Figure 6-5 Webex Calling voicemail


Figure 6-6 shows the Webex Calling phone app.
Figure 6-6 Webex phone app

Webex Security Model


The Webex security model is built on the same security foundation that is
embedded in Cisco's processes. The Webex organization consistently follows
the foundational elements to securely develop, operate, and monitor Webex
services. We will discuss some of these elements in detail in the next part of
this chapter. Figure 6-7 illustrates the Webex security model.
Figure 6-7 Webex security model

Webex Meetings
You can create more interactive and engaging meetings with innovations like
emoji reactions, gesture recognition, immersive share, and next-gen polling
by Slido, as well as take advantage of intelligent, AI-driven innovations like
background noise cancellation, speech enhancement, recordings, and
transcriptions so you can get more done with fewer meetings. Give everyone
an equal seat at the table with inclusive features that enable everyone to be
seen, heard, and understood with features like real-time language translation,
breakout sessions, and moderated Q&A. Figure 6-8 shows the Webex
Meetings feature.

Figure 6-8 Webex Meetings

Customize Your Audio and Video Preferences


When you join a meeting from your computer, the app automatically detects
the audio and video devices you have connected to your computer, such as a
headset. You can change your settings right before you start or join a
meeting, like if you want your video on or want to dial into a meeting with
audio only. You can also make some of these preferences your default
settings, if you’d like. Figure 6-9 shows Webex Meetings audio and video
preferences.

Figure 6-9 Webex Meetings audio and video preferences


You can customize your video settings as follows:
• Choose what camera to use.
• See yourself like you’re looking in a mirror (Mirror My Video).
• Blur your background or use a preset or custom virtual background.
Figure 6-10 shows the Webex Meetings Settings menu.
Figure 6-10 Webex Meetings Settings menu
You can also personalize your audio settings:
• Choose a headset, speaker, or microphone.
• Reduce disruptions with background noise removal and speech
enhancement.

Start Your First Meeting


With the Webex app, you can meet whenever you need to—right away or
later. There are two ways to start or schedule your meetings in the app: either
from the calendar or from your spaces. No matter which you choose, you can
connect with video or just audio, record your meeting, set your virtual
background, get rid of distracting background noise, and share your screen
during your meeting.

From a Space
If you’re already working together in a space, anyone can start an instant
meeting to meet right away or schedule one for later. With these types of
meetings, everyone in the space gets invited automatically and gets treated
like a host. Therefore, during the meeting, everyone can let people in, mute
people, and record. Since you’re meeting in the same space where you’re
working, you get easy access to your messages, files, and whiteboards, and
you can work on them while you’re in the meeting.

From a Calendar
From your Meetings calendar, you can start a meeting right away in your
Personal Room. You’ll see this option if you have a host license, and it gives
you a virtual conference room assigned just to you. Because it’s your own
room, your link is always the same.
If you don’t see that choice, you can still schedule a meeting with anyone
else. You don’t need to be connected to them in the app, and they don’t even
need to have a Webex account. Plus, you or anyone you assign as a co-host
can start the meeting, invite people to it, start breakout sessions, enable
recording transcripts, and more. Figure 6-11 shows how to schedule a Webex
meeting from the Webex app.

Figure 6-11 Scheduling a Webex meeting

Upcoming Meetings
Knowing what meetings you have can help you plan your workday. You can
view details about your upcoming meetings in your meetings list, such as
what the meeting is about, when it’s happening, who’s invited, and who
scheduled the meeting. When it’s time for a meeting to start, you can join it
from the meetings list, too. Figure 6-12 shows upcoming meetings in Webex.
Figure 6-12 Upcoming meetings in Webex

Webex Meetings Security Update


Webex Meetings follows a simple product development principle: security is
designed in from the start, not added as an afterthought. Following events in
the video conferencing industry in which malicious actors disrupted users'
meetings, Cisco performed security audits of customers' site settings to help
prevent such outcomes. Meetings are protected by passwords to give attendees
joining from the Webex app on desktop and mobile devices the most secure
experience. Users who are signed in to their Webex account continue to join
their meetings as quickly as before, and external users are prompted for the
meeting password before they can join.
In addition, Webex has added additional security features:
• Automatically lock Personal Room after 10 minutes.
Automatically locking your Personal Room meetings prevents
unwanted people from joining your meetings. If you haven’t already
enabled it, Webex will now automatically lock your Personal Room 10
minutes after the meeting starts.
When someone tries to join a locked meeting, they’ll be asked to wait
in your lobby, and you’ll get a notification. You can decide if you want
to admit them into the meeting or let them stay in the lobby. Figure 6-
13 shows how Webex automatically locks a Personal Room Webex
meeting.

Figure 6-13 Locking Personal Room Webex meeting

• Enforce meeting password when joining from phone or video
conferencing systems.
Users joining your meetings using a telephone or a video conferencing
system will now be required to enter a numeric meeting password
before being admitted into the meeting. You’ll find the numeric
meeting password in the email invitation. The password cannot be
disabled and overrides previously disabled password settings.
• When a meeting is in progress, the meeting host (and co-host) using
Webex apps or Webex devices are presented with messages to inform
them of new users in the lobby as well as controls to admit these users
to the meeting or remove them from the meeting/lobby. Users in the
meeting lobby are grouped and managed in three categories:
• Internal: Signed-in (authenticated) users in your organization
• External: Signed-in (authenticated) users outside of your
organization
• Unverified users: Unauthenticated guest users, whose identity is not
verified
Figure 6-14 shows participants in a meeting categorized as Internal,
External, or Unverified.
Figure 6-14 Participants categorized as Internal, External, or
Unverified

Webex Messaging
Always-on messaging lets you minimize meetings, organize your thoughts,
and actively engage—how you want and when you want—in an intelligent
space that’s personalized to you and your work style. With Webex, all your
messages, contacts, files, content, and projects are stored and organized in a
secure space—so you never miss a beat. Remove time barriers and silos that
slow decision making and connect to all the people and business tools you
need to do your job, from anywhere, anytime, on any device. Ensure a work–
life balance with intuitive features that help you set boundaries. Set a custom
status to show what you are working on, or set “do not disturb” to show when
you are unavailable. Improve company culture with engaging and interactive
features like animated reactions, GIFs, and more, which let participants
express their personality. Figure 6-15 shows Webex Messaging.

Figure 6-15 Webex Messaging

Send a Message
When you write your messages, you can send a quick one, or make it stand
out with more text formatting and emojis. You can also share files, pictures,
videos, and even GIFs. The Webex app keeps a list of all the content shared
in a space, so you’ll never lose track of them. Use @Mentions to make sure
the right people see your message. Don’t worry if you’ve made a mistake and
need to edit it, or if you’ve pasted in the wrong space and need to delete the
message entirely.
Your messages are persistent. The next time you message the group, your
conversation picks right up where you’ve left it. And after you send a
message, you can see who has read your message. Figure 6-16 shows the
Webex Messaging features.

Figure 6-16 Webex Messaging features

Read and Respond to Messages


When you get a new message, you’re notified right away. If you’re too busy
to respond but want to see someone’s message, you can just take a quick peek
instead. People won’t know that you’ve seen the message.
You can also make it easy for yourself and others to follow a specific train of
thought using threading, quotes, and even the ability to forward a message to
someone else.
Organize Your Messages
Another way to stay productive is to organize your messages. You can change
the appearance, mark favorites so that they show at the top, switch to a
compact view, and filter your messages so that you see, for example, only
unread messages or only spaces where you have been @Mentioned. There are
many more options for organizing your messages. Figure 6-17 shows the
options for organizing messages in Webex.

Figure 6-17 Organizing messages in Webex


You can also flag important messages so that you can refer to them easily.
Figure 6-18 shows how to flag important messages in Webex.
Figure 6-18 Flagging messages in Webex
And if you’re looking for a message or a file that was shared but you can’t
remember what space it was posted in, you can search for it. Figure 6-19
shows how to search for a message or file.
Figure 6-19 How to search for a message or file

Webex App Security


Webex uses various security frameworks, including end-to-end encryption, to
protect your data so your files and messages stay safe while in transit and
when they’re stored in the cloud. You can also manage who can access or
view content in a space.
• Levels of encryption security
• The Webex app encrypts messages, files, and space names on your
device before sending them to the cloud, so the data is already
encrypted when it reaches Cisco's servers, where it is processed and
stored in that form until it is decrypted on the recipient's device.
The keys are issued by the Webex encryption key management service
described under "Cisco Webex Cloud Service Architecture" later in this
chapter, so where that service runs for your organization determines
who is able to decrypt content. The app cannot provide end-to-end
encryption for messages and files handled by in-app automation tools
such as bots or integrations, or for Adobe Acrobat PDF and Microsoft
Word documents sent to spaces from Box.
• HTTPS (HTTP over TLS) encrypts data while in transit between your
device and Cisco's servers, so the exchange cannot be read or tampered
with on the network path.
• The end-to-end encryption uses Advanced Encryption Standard (AES)
with 128-bit and 256-bit keys (AES-128, AES-256), Secure Hash
Algorithm (SHA) SHA-1 and SHA-256, and RSA.
• For audio, video, and screen sharing, Webex encrypts shared content
using the Secure Real-Time Transport Protocol (SRTP).
• Security features in Webex spaces
• You can add extra security by using moderators for teams and spaces.
If teamwork is sensitive, you can moderate the space. Moderators can
control who has access to the space and delete files and messages.
• Also, if any spaces include people from outside your company, you’ll
see some areas in those spaces highlighted, like the border,
background, the icon in the message area as well as their email
addresses.
Figure 6-20 shows the security features in a Webex space.

Figure 6-20 Security feature in Webex space
• Privacy for files and messages
• The Webex app uses advanced cryptographic algorithms to safeguard
content you share and send. The only people who can view files and
messages in a Webex space are those invited to that space or
authorized individuals.
• Password security standards
• IT teams can add features that use existing security policies like
single sign-on (SSO) or synchronizing Webex with employee
directories. Webex automatically recognizes when someone has left a
company, so former employees won’t be able to access company data
using Webex.
• Your company can also configure Webex so that it requires
passwords and authentication that match your corporate security
standards. The Webex app supports identity providers that use
Security Assertion Markup Language (SAML) 2.0 and Open
Authorization (OAuth) 2.0 protocols.

Webex Application Polling


Interact with participants, whether in the office or remote, before, during, and
after meetings. Confirm participants’ understanding of the meeting topics and
address any areas of uncertainty. Streamline decision making by crowd-
sourcing ideas from everyone and ensuring quick alignment on decisions.
Cisco Webex allows participants to view and upvote each other’s questions.
It also empowers everyone by creating a safe space for them to ask and
answer questions anonymously. You can improve decision-making by
collecting feedback from everyone, not just the most vocal participants.
Cisco Webex also facilitates team bonding by allowing everyone to get to
know their colleagues and coworkers better. You can create transparency
across the whole company by enabling anyone to ask and answer questions,
and you can build trust between leaders and employees by allowing them to
ask any questions and address the most critical ones. Figure 6-21 shows
Cisco Webex’s Polling feature, which helps create a more engaging meeting.
Figure 6-21 Webex Polling

Poll in Webex Meetings or Webex Webinars


Polling must be turned on for your meeting or webinar in Advanced options
> Scheduling options > Meeting options or Advanced options >
Scheduling options > Webinar options. Figure 6-22 shows Cisco Webex
Polling on Windows.
Figure 6-22 Cisco Webex Polling on Windows
Figure 6-23 shows Cisco Webex Polling on macOS.
Figure 6-23 Cisco Webex Polling on macOS
Polls are a great way for meeting or webinar hosts to get input from
participants. Use them to engage your audience, test knowledge, and ask for
feedback.

Polls in Slido
Hosts can also use live polls with Slido to engage participants during a
meeting or webinar. Figure 6-24 shows Cisco Webex Polling using Slido.

Figure 6-24 Cisco Webex Polling using Slido


Slido is available in Webex Meetings and Webex Webinars. You can use
Slido in Webex Meetings on version 41.6 and later sites as well as in Webex
Webinars on version 41.9 and later sites. Slido polls and Q&As in webinars
are available for up to 10,000 attendees, while quizzes are available for up to
5,000 participants.
As a meeting or webinar host, you can create and launch polls directly from
Meetings by clicking Apps > Slido. If you want to create polls before the
meeting or webinar, add a guest collaborator to help you create and run the
polls. Go to https://www.slido.com, click Log In > Log in with Webex, and
enter your Webex username and password.
During the meeting or webinar, the host or guest collaborator can activate
polls. Participants can view and answer the questions. There are a few
different types of polls hosts can create, including single poll questions,
quizzes, and surveys.
Here are the tasks you can perform as a host:
• Create a poll
• Create a survey
• Edit or duplicate a poll
• Activate a poll or activate a quiz
• View poll results during a meeting
• Reset a poll
• Export and share poll results after a meeting
• Delete a poll
In case you only want to use the Q&A during your meeting or webinar, you
can turn off polls. Go to https://www.slido.com and click Log In > Log in
with Webex.

Create a Poll in Slido


As a Webex Meetings or Webex Webinars host, you can create a poll to
engage participants, gather their feedback, or test their knowledge. Figure 6-
25 shows how to create a poll in Slido.
Figure 6-25 Creating a poll in Slido

Activate or Deactivate a Poll in Slido


As a Webex Meetings or Webex Webinars host, after you create a poll, you
can let participants view and answer it. Figure 6-26 shows how to activate or
deactivate a poll in Slido.

Figure 6-26 How to activate or deactivate a poll in Slido

Activate or Deactivate a Quiz in Slido


As a Webex Meetings or Webex Webinars host, after you create a quiz, you
can let participants view and answer it. Figure 6-27 shows how to activate or
deactivate a quiz in Slido.
Figure 6-27 How to activate or deactivate a quiz in Slido

Create a Survey in Slido


Surveys let Webex Meetings and Webex Webinars hosts ask multiple poll
questions at the same time. You can group several polls, even of a different
type, and let your participants respond to them at once. Figure 6-28 shows
how to create a survey in Slido.
Figure 6-28 Creating a survey in Slido

Webex Events
The expanded Webex Events portfolio includes solutions for events of all
types and sizes—from webinars to multi-session events, to conferences and
community building. With the recent acquisition of Socio, Cisco has
expanded its existing virtual event solutions to include end-to-end hybrid
event management and new capabilities for ticketing, monetization,
networking, and more.
Webex Webinars (previously known as Webex Events (new)) can be used to
engage your audience through powerful, interactive online webinars. Figure
6-29 shows Cisco Webex Events (webinars).

Figure 6-29 Cisco Webex Events (webinars)

Schedule Webex Webinars


As a host, you can schedule webinars. Webinars are interactive and highly
engaging; if your event calls for a simpler attendee experience, webinars in
webcast view are the way to go. You can get these scheduled quickly with the
basics or take a little bit more time to customize your webinars using
advanced options to tailor them to your needs. Figure 6-30 shows how to
schedule Cisco Webex webinars.
Figure 6-30 How to schedule Cisco Webex webinars
The number of people you can invite to a webinar depends on the license
purchased. Webinars can include up to 10,000 people. A webinar in webcast
view is required if you have more than 10,000 attendees.
After you schedule a webinar, you get a confirmation email as well as an
email to forward to attendees.

Register for a Meeting or Webinar


You can require that attendees of Webex meetings and webinars register
before they can join. This provides enhanced security and allows you to
obtain information from your attendees. When you require that your
attendees register for a meeting or webinar, you can do the following before
and during the session:
• View a list of attendees to determine whether they have registered for
the meeting or webinar.
• Obtain attendees’ names, email addresses, and other information
before they can join the meeting or webinar.
• Accept or reject individual registration requests.
Figure 6-31 shows how to manage Cisco Webex webinar registration.

Figure 6-31 Manage Cisco Webex webinar registration


If you invite someone to a meeting or webinar that requires registration, they
receive an email that includes the following:
• Information about the meeting or webinar
• A link to register for the meeting or webinar
• A random registration ID for the webinar, if you selected this option

Join a Webinar
You can join a Webex webinar on your computer, mobile device, browser,
and more. Figure 6-32 shows how to join a Cisco Webex webinar.

Figure 6-32 How to join a Cisco Webex webinar


Record a Meeting in Webex
You can record meetings for people who can’t attend or for those who want
to refer to what was discussed. Your recordings can be saved either to the
cloud or your computer as a local recording. Figure 6-33 shows how to
record a Cisco Webex.

Figure 6-33 How to record a Cisco Webex


There are two ways to record meetings, webinars, and events. Your account
type and Webex site configuration determine which recording method you
can use, as detailed in Table 6-1.
Table 6-1 Recording Options with Cisco Webex

Share Content in Meetings, Webinars, and Events


You can keep everyone informed and engaged in Webex meetings, webinars,
and events (classic) by sharing nearly any type of content. Share your entire
screen, video from a USB camera, or specific files and applications that you
choose. Figure 6-34 shows how to share content in Cisco Webex.
Figure 6-34 How to share content in Cisco Webex
Anyone in a meeting, as well as a presenter in a webinar or event, can share
content. If you move an open window over the shared application, nobody
can see it, but you can show your camera video over the shared application.

Sharing Multiple Applications


You can share multiple applications without having to stop what you’re
currently sharing. To share an additional app while currently sharing, click
Share and then select Share Content. Figure 6-35 shows how to share
multiple applications in Cisco Webex.

Figure 6-35 How to share multiple applications in Cisco Webex


When you’re sharing content, you want to make sure you’re sharing only
what you want and that everyone in the meeting can see it. When you share
your screen or an application, check what everyone else sees by opening a
window that shows you what you’re sharing.
While sharing, go to the tab in the meeting control bar at the top of the screen
and click the down arrow. Figure 6-36 shows how to see what you are
sharing.
Figure 6-36 How to see what you are sharing

Webex Integrations
Webex integrates with hundreds of industry-leading apps and tools so you
can get more done. Webex helps unlock frictionless collaboration with apps
right inside Webex. Instead of toggling between a thousand windows, you
can now use Webex collaboration experience with your favorite apps
integrated right inside Webex meetings and messaging.
Simplify your daily routines, accelerate business outcomes, and automate
everyday tasks using Webex App bots and integrations. Connect your
favorite tools to Webex App and get notified when tasks are done, follow up
on team status, or simply translate a message.
All Webex App users can browse through the available list in the Webex App
Hub and choose a bot or an integration. The bots and integrations are grouped
into categories (for example, customer relations and developer tools). Figure
6-37 shows the Webex App Hub and some of the available apps.

Figure 6-37 Webex App Hub


You don’t need to know coding or use APIs to use bots or integrations.
However, if you want to build your own, see developer.webex.com to learn
how.

Integrations
You can use integrations to connect other tools to Webex App. For each
integration you add, you are presented with a consent page that lists the
functionality the integration needs to work in Webex App.
When you remove the integration, this access is also removed.
Functionality depends on the integration and how it is configured. The
following are some things to know about integrations:
• They may be able to see the list of all space titles you’re in.
• They may be able to post messages or content on behalf of the person
who sets them up in a space.
• They may be able to respond to commands.
• They may be able to alert you whenever someone edits or configures
something.
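The consent page described above is an OAuth 2.0 authorization request: each capability the integration asks for corresponds to a scope, and the user grants exactly that set. The following Python is an added example, not code from the chapter or from Cisco, showing how an integration author would build the authorization URL with only the scopes the listed capabilities need and how the callback is checked before the code is exchanged. The authorization endpoint URL, the scope names, and the capability-to-scope mapping are assumptions for illustration; confirm them against developer.webex.com before use.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Webex OAuth 2.0 authorization endpoint and scope names (not taken from the chapter).
AUTHORIZE_URL = "https://webexapis.com/v1/authorize"
CAPABILITY_SCOPES = {
    "list the spaces you are in": "spark:rooms_read",
    "read messages in your spaces": "spark:messages_read",
    "post messages on your behalf": "spark:messages_write",
}


def scopes_for(capabilities):
    """Translate the capabilities a consent page lists into the minimal scope set.

    Anything without a known mapping is refused rather than silently over-granted.
    """
    unknown = [c for c in capabilities if c not in CAPABILITY_SCOPES]
    if unknown:
        raise ValueError("no scope mapping for: %s" % ", ".join(unknown))
    return sorted({CAPABILITY_SCOPES[c] for c in capabilities})


def new_state():
    """Unguessable per-request value kept in the user's session and echoed back by the server."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, capabilities, state):
    """Authorization-code request carrying exactly the scopes for the listed capabilities."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes_for(capabilities)),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only if the callback carries the state this session issued.

    A mismatch means the callback was not started by this user (CSRF or code injection),
    so it is dropped before any token exchange happens.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not code or not hmac.compare_digest(state, expected_state):
        return None
    return code


def demo():
    """Constructed round trip: a genuine callback is accepted, a forged one is rejected."""
    state = new_state()
    url = build_authorize_url("C1234", "https://app.example.com/oauth/callback",
                              ["list the spaces you are in", "post messages on your behalf"], state)
    good_cb = "https://app.example.com/oauth/callback?code=AUTHCODE1&state=" + state
    forged_cb = ("https://app.example.com/oauth/callback?code=ATTACKERCODE&state="
                 + secrets.token_urlsafe(32))
    return {
        "scope": parse_qs(urlparse(url).query)["scope"][0],
        "accepted": code_from_callback(good_cb, state),
        "forged": code_from_callback(forged_cb, state),
    }


if __name__ == "__main__":
    print(demo())
```

Removing the integration later, as the text notes, revokes this grant; the scope string is also what a reviewer should compare against the capabilities the consent page actually lists.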

Bots
A bot acts like any other Webex App user. It has a special bot badge, though,
so you can tell it isn’t human. The bot can post messages, answer your
questions, let you know when something happens, or do your bidding like an
in-app assistant.
Keep in mind the following when you’re working with a bot:
• A bot only reads the information you send to it directly. If you’re in a
group space, use an @mention when you want it to respond. If you’re
in a space with just the bot, then the bot reads every message.
• Some bots only respond to specific commands. Others can understand
natural language questions and requests.
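A bot built against developer.webex.com receives messages through webhook deliveries, and the rules above (respond to everything in a 1:1 space, only to @mentions in a group space) are decisions the bot code has to make itself. The Python below is an added example, not code from the chapter or from Cisco. It authenticates a delivery before acting on it, applies those rules, and strips the mention so the command parser sees only the command. The webhook payload layout, the X-Spark-Signature header (an HMAC-SHA1 hex digest of the raw body under the webhook secret), and the API base URL are assumptions drawn from the public Webex API and should be confirmed against developer.webex.com; the payload and secret are constructed sample data.

```python
import hashlib
import hmac
import json
import re

WEBEX_API = "https://webexapis.com/v1"  # assumed base URL for the Webex REST API


def verify_signature(secret, raw_body, signature_header):
    """Check the X-Spark-Signature header before trusting the event.

    Without this check anyone who learns the webhook URL can post a fabricated event
    and make the bot act on it. The comparison is constant-time.
    """
    if not signature_header:
        return False
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, signature_header.strip().lower())


def should_handle(event, bot_person_id):
    """Rules from the text: direct space, every message; group space, only @mentions.

    Also drops the bot's own messages so it cannot loop on itself, and accepts
    only message-created events.
    """
    if event.get("resource") != "messages" or event.get("event") != "created":
        return False
    data = event.get("data", {})
    if data.get("personId") == bot_person_id:
        return False
    if data.get("roomType") == "direct":
        return True
    return bot_person_id in data.get("mentionedPeople", [])


def strip_mention(text, bot_display_name):
    """Remove a leading mention of the bot from the message text."""
    pattern = r"^\s*@?" + re.escape(bot_display_name) + r"\s*"
    return re.sub(pattern, "", text, count=1).strip()


def parse_command(text, bot_display_name, allowed=("help", "status")):
    """Return (command, args) for an allow-listed command, otherwise (None, remaining text)."""
    body = strip_mention(text, bot_display_name)
    parts = body.split(None, 1)
    if not parts or parts[0].lower() not in allowed:
        return None, body
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


# Constructed webhook delivery: a message-created event in a group space that mentions the bot.
SAMPLE_SECRET = "s3cr3t-webhook-secret"
SAMPLE_BOT_ID = "Y2lzY29zcGFyazovL3VzL1BFT1BMRS9ib3Q"
SAMPLE_BODY = json.dumps({
    "id": "Y2lzY29zcGFyazovL3VzL1dFQkhPT0svaG9vaw",
    "name": "ops-bot-hook",
    "resource": "messages",
    "event": "created",
    "data": {
        "id": "Y2lzY29zcGFyazovL3VzL01FU1NBR0UvbXNn",
        "roomId": "Y2lzY29zcGFyazovL3VzL1JPT00vcm9vbQ",
        "roomType": "group",
        "personId": "Y2lzY29zcGFyazovL3VzL1BFT1BMRS9hbGljZQ",
        "personEmail": "alice@example.com",
        "mentionedPeople": [SAMPLE_BOT_ID],
        "created": "2023-01-10T09:15:00.000Z",
    },
}).encode()
SAMPLE_SIGNATURE = hmac.new(SAMPLE_SECRET.encode(), SAMPLE_BODY, hashlib.sha1).hexdigest()


def handle_delivery(raw_body, signature_header, secret=SAMPLE_SECRET, bot_person_id=SAMPLE_BOT_ID):
    """One delivery end to end: authenticate, then decide whether the bot should act."""
    if not verify_signature(secret, raw_body, signature_header):
        return "rejected: bad signature"
    event = json.loads(raw_body)
    if not should_handle(event, bot_person_id):
        return "ignored"
    # A live bot would now GET WEBEX_API + "/messages/" + message id with its bot token,
    # because the webhook body carries the message id but not the text.
    return "handle message " + event["data"]["id"]


if __name__ == "__main__":
    print(handle_delivery(SAMPLE_BODY, SAMPLE_SIGNATURE))
    print(parse_command("Help status prod", "Help"))
```

The message text is fetched in a second call because the delivery only identifies the message; parsing only after both the signature and the mention rule pass keeps an unauthenticated caller from ever reaching the command handler.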

Support
If you’re having issues with an integration or bot, you should reach out to the
company that created it. You can find the company name below the bot or
integration name in the Webex App Hub. If you notice anything urgent,
report issues to [email protected]. Cisco reviews every integration and
bot listed in the Webex App Hub.

Add Bots and Integrations


If the tool you want to integrate requires you to create an account, create it
before adding the integration. Here are the steps to follow:
Step 1. Go to Webex App Hub and click Log in using your Webex App
username and password.
Step 2. Click your profile picture and select My Webex Integrations to see
your current integrations.
Step 3. Click Webex App.
Step 4. Click the icon of the integration or bot you want to add or connect to:
• To add an integration, click Connect. Some integrations may
have unique requirements; review the details in Webex App Hub.
• To add a bot, click Add to Space. The spaces listed are spaces
with two or more people or team spaces. However, you can start a
conversation directly with the bot, create a space, and add the bot
using the bot name and @webex.bot. For example, add the Help
bot using [email protected].
Step 5. Follow the prompts to add your bot or integration to a space in
Webex App.
Figure 6-38 shows an example of some app integrations with Webex.
Figure 6-38 App integrations with Webex

Remove an Integration
For all the integrations listed on Webex App Hub, you can review the access
permissions and remove the integrations by following these steps:
Step 1. Sign in to Webex App Hub using your Webex App username and
password.
Step 2. Click your profile picture and select My Webex Integrations to see a
list of all the integrations you have added.
Step 3. Select the integration you want to remove and click Disconnect.
The integration is removed from all spaces and the access permissions are
disconnected.

Remove a Bot
You can remove bots from teams and spaces in the same way you remove
members from teams and spaces.
New feature additions are happening as we speak, making Cisco Webex a
standout collaboration solution. Hopefully, the information covered in this
section provided insight into some of the key features. In the next section, we
will cover the Cisco Webex Cloud Service Architecture.

Cisco Webex Cloud Service Architecture


Webex Teams uses services that are located in several data centers. The
services within these data centers can be broadly categorized as follows:
• Identity services: Storage of user identities, user authentication, single
sign-on, and directory synchronization.
• Webex Teams microservices: Encryption key management, message
indexing services for search functions and eDiscovery services,
signaling services for Webex Teams apps, Webex devices, and API
functions.
• Content services: Storage and retrieval of user-generated content such
as messages and files.
• Media services: Media nodes for switching and transcoding for voice,
video, and screen sharing content.
• Anonymized data collection and analytics services.
Critical Webex Teams services are replicated across data centers for
geographical redundancy. Within each data center, these Webex Teams
services are hosted on virtual machines (VMs). These VMs can be moved for
support and maintenance purposes, or new virtual machines can be installed
as services expand.
Figure 6-39 shows an overview of the Webex Teams Cloud Service
Architecture.

Figure 6-39 Webex Teams Cloud Service Architecture


Typically, audio and video from Webex Teams or a Webex device transit
from the user’s location to media nodes in the Webex cloud. This is true for
all call types (such as 1:1 calls and multiparty calls or meetings). All audio
and video media streams are sent over the Secure Real-Time Transport
Protocol (SRTP) using AES_CM_128_HMAC_SHA1_80 encryption.
UDP is recommended as the transport protocol for Webex Teams media,
although most Webex Teams and Webex devices support TCP and HTTP
(apps only) as a fallback protocol. TCP and HTTP are not recommended as
media transport protocols because they are connection-oriented and designed
for reliability, rather than timeliness. Using HTTP can also mean that media
traffic must pass through a proxy server to reach media servers in the Webex
cloud. Media quality can be impacted if the proxy server reaches a
performance threshold when processing large numbers of high-bandwidth
video streams.

Webex Teams Security Features and Deployment Practices


As enterprise customers increase their adoption of cloud-based services, the
amount of Internet traffic generated by enterprise users also increases. Today,
the ratio of the cost of enterprise WAN bandwidth (for example, MPLS) to
that of Internet bandwidth can be as much as 200:1. Moving your
cloud/Internet access to sites where your cloud users reside can provide
significant savings in monthly bandwidth costs. Although this direct Internet
access model is growing in popularity, many customers who deploy a
centralized/regionalized Internet access model today have concerns that
provisioning Internet access in each of their sites will perforate the security
perimeter that surrounds their network. These security concerns can be
addressed by limiting Internet access in these sites so that only traffic to and
from approved cloud-based services is accessible via the site-based Internet
connection.

Internet Access for Cloud-Based Services


You should provision Internet access as close as possible to the site where
your Webex Teams and Webex devices reside. By providing local
cloud/Internet access at each site for Webex devices, you can eliminate the
need to transport Webex Teams traffic over the enterprise WAN to a
regionalized/centralized Internet access point. Figure 6-40 and Figure 6-41
show the media flows for Webex Teams deployments with per-branch
Internet access and centralized Internet access, respectively.

Figure 6-40 Media paths for Webex Teams deployments with per-
branch Internet/cloud access
Figure 6-41 Media paths for Webex Teams deployments with
centralized Internet/cloud access

Reducing Traffic to the Webex Cloud by Deploying Video Mesh Nodes


You can deploy Video Mesh Nodes in the enterprise network to provide local
media processing. By processing audio and video media locally, the Video
Mesh Nodes deliver a better quality experience for audio, video, and content
sharing in meetings. A Video Mesh Node can also reduce or eliminate
bandwidth consumption from the enterprise network to the Webex cloud.
Webex Teams also provides automatic overflow to Media Nodes in the
Webex cloud when large meetings/large numbers of meetings exhaust the
locally available Video Mesh Node resources.
Figure 6-42 and Figure 6-43 show the media flows for Webex Teams
deployments with per-branch Internet access and centralized Internet access,
respectively, where a Video Mesh Node has also been deployed at the central
site to provide local media processing. The Video Mesh Node processes
media for local devices in meetings and, if needed, creates a cascade link to a
Media Node in the Webex cloud for remote meeting participants.

Figure 6-42 Media paths for Webex Teams deployments with a central
site Video Mesh Node and per-branch Internet access
Figure 6-43 Media paths for Webex Teams deployments with a central
site Video Mesh Node and centralized Internet access

Webex Teams Inspection Capabilities


Webex Teams supports SSL/TLS/HTTPS inspection, which allows enterprise
proxies to do the following:
• Decrypt Internet-bound traffic.
• Inspect the traffic.
• Re-encrypt the traffic before sending it on to its destination.
The signaling traffic from Webex devices uses TLS for session encryption.
Within a Webex Teams TLS session, messages and content such as files and
documents are also encrypted, so SSL/TLS/HTTPS inspection has limited
value because these messages and files cannot be decrypted and inspected.
Some information is visible in the decrypted TLS session, such as API calls,
obfuscated user IDs (such as a Universally Unique User Identifier [UUID], a
128-bit random value that represents the Webex Teams user ID), and so on.
Figure 6-44 shows SSL/TLS/HTTPS signaling inspection by a proxy server.

Figure 6-44 SSL/TLS/HTTPS signaling inspection by a proxy server


Webex Teams apps and Webex devices use certificate pinning to verify that
they are connecting to Cisco’s Webex service and to ensure that the session
data is not intercepted, read, or modified while in transit. SSL/TLS/HTTPS
inspection is a form of man-in-the-middle (MITM) attack.
Cisco pins server certificates to a few root Certificate Authorities (CAs) that
have committed to not issue intermediate certificates through both the
issuer’s Certification Practice Statement and the root certificate containing a
“pathLenConstraint” field in the Basic Constraints extension, which is set to
zero (0) to indicate that no CA certificates can follow the issuing certificate in
a certification path. This means that, ordinarily, Webex apps will not accept
an impersonation certificate sent by a proxy for SSL inspection.

SSL/TLS/HTTPS Inspection for Webex Teams Desktop Apps


The Webex Teams apps rely on the certificates installed in the underlying OS
Trust store to bypass the Webex Teams certificate pinning process. If the
enterprise CA certificate exists in the OS Trust store, the Webex Teams app
will trust certificates signed by the enterprise CA, when presented to it by the
proxy server. This bypasses the certificate pinning process used by the
Webex Teams app and allows a TLS connection to be established to the
proxy server.
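The pinning behaviour described in the last two sections can be traced in code. The following Go program is an added example, not Cisco's or the Webex app's code: it generates constructed certificates in memory, pins a root that carries pathLenConstraint=0, and verifies four chains: a service certificate issued directly by that root (accepted), one chained through an intermediate under that root (rejected for exceeding the path length), a proxy certificate issued by an enterprise CA checked against the pinned root alone (rejected), and the same proxy certificate once the enterprise CA has been added to the trust pool, which models the OS Trust store case above (accepted). The hostname teams.example.invalid and all CA names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ServiceHost is a constructed hostname standing in for the cloud service the app pins to.
const ServiceHost = "teams.example.invalid"

// issue generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate builds a CA template; pathLenZero=true encodes pathLenConstraint=0 in Basic Constraints.
func caTemplate(cn string, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        pathLenZero, // false leaves pathLenConstraint unset
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate builds an end-entity template for ServiceHost.
func serverTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		DNSNames:    []string{ServiceHost},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verify validates leaf for ServiceHost against roots, offering any intermediates given.
func verify(roots *x509.CertPool, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: ServiceHost})
	return err
}

type PinResult struct {
	DirectFromPinnedRoot  error // service cert issued directly by the pinned root: accepted
	ViaIntermediate       error // chained through an intermediate under the pinned root: rejected
	ProxyAgainstPinned    error // proxy cert from an enterprise CA, pinned root only: rejected
	ProxyWithEnterpriseCA error // same proxy cert with the enterprise CA in the trust store: accepted
}

func RunPinningScenario() PinResult {
	pinnedRoot, pinnedKey := issue(caTemplate("Constructed Pinned Root", true), nil, nil)
	pinned := x509.NewCertPool()
	pinned.AddCert(pinnedRoot)
	directLeaf, _ := issue(serverTemplate("service-direct"), pinnedRoot, pinnedKey)
	inter, interKey := issue(caTemplate("Constructed Intermediate", false), pinnedRoot, pinnedKey)
	viaInterLeaf, _ := issue(serverTemplate("service-via-intermediate"), inter, interKey)
	entCA, entKey := issue(caTemplate("Constructed Enterprise CA", false), nil, nil)
	proxyLeaf, _ := issue(serverTemplate("proxy-impersonation"), entCA, entKey)
	// Model of the OS trust store after the enterprise CA certificate has been installed.
	osStore := x509.NewCertPool()
	osStore.AddCert(pinnedRoot)
	osStore.AddCert(entCA)
	return PinResult{
		DirectFromPinnedRoot:  verify(pinned, directLeaf),
		ViaIntermediate:       verify(pinned, viaInterLeaf, inter),
		ProxyAgainstPinned:    verify(pinned, proxyLeaf),
		ProxyWithEnterpriseCA: verify(osStore, proxyLeaf),
	}
}
```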

SSL/TLS/HTTPS Inspection for Webex Teams Devices


The Webex Teams devices download a list of trusted certificates during the
onboarding process. To include your Enterprise CA certificate into the device
trust list for your organization, open a service request (SR) with Cisco TAC.
For details on Webex Teams app and device support for SSL/TLS/HTTPS
inspection, see the “Network Requirements for Webex Teams Services”
article at https://help.webex.com/article/WBX000028782.

Webex Team Data Protection


Webex Teams uses the following mechanisms to protect data in transit:
• All signaling connections from Webex Teams and Webex devices are
protected using an encrypted TLS session. TLS cipher suites use 256-
bit or 128-bit symmetric cipher key sizes, and SHA-2 family hash
functions. TLS cipher suites using 256-bit symmetric cipher keys are
preferred. For example:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• Only TLS version 1.2 is supported.
• Webex Teams TLS servers also support TLS_FALLBACK_SCSV
(https://datatracker.ietf.org/doc/rfc7507/) to prevent TLS version
downgrade attacks.
• All messages and content (files) sent by Webex Teams are encrypted
before they are sent over the TLS connection. Encrypted messages and
content sent by the Webex Teams use AES_256_GCM encryption
keys.
• Media streams (voice, video, and screen share) from Webex Teams
and devices are encrypted using SRTP with
AES_CM_128_HMAC_SHA1_80 ciphers. SRTP ciphers are
negotiated using SDES. For more information, see
https://tools.ietf.org/html/rfc4568.
Figure 6-45 shows TLS connections from Webex Teams and Webex devices
to the Webex cloud.
Figure 6-45 TLS connections from Webex Teams and Webex devices to
the Webex cloud
Webex Teams and Webex devices make outbound connections only to the
Cisco Webex cloud, and Webex Teams services support only TLS version
1.2.
Webex Teams supports the TLS Fallback Signaling Cipher Suite Value
(SCSV) feature, which is used to prevent TLS version downgrade attacks: the
app includes the SCSV in its handshake to indicate to the TLS server that the
connection should be established only if the highest TLS version supported
by the server is equal to, or lower than, the version offered by the app. Also,
all Webex Teams data in transit (including the UUID) is encrypted using
Transport Layer Security (TLS).
By default, all encrypted files and encrypted messages sent by Webex Teams
to the Webex Teams Service are stored in U.S. data centers. The encrypted
files and messages are stored in an encrypted database that is replicated for
redundancy. For files, customers can choose to deploy an Enterprise Content
Management service, such as Microsoft OneDrive or SharePoint Online for
Webex Teams file storage and distribution.
Any customers who are concerned about Cisco storing their message and file
encryption keys and content can choose to deploy an on-premises
(encryption) Key Management Server (KMS), which is a component of the
Webex Hybrid Data Security platform. The KMS controls and manages the
encryption keys for content stored in Webex data centers. Encryption keys
for content are created, distributed, and stored on the customer’s premises.
KMS has a secure (TLS) connection to the Webex cloud and can distribute
keys to Webex Teams over a dedicated TLS connection between the KMS
and Webex Teams. As shown in Figure 6-46, the on-premises KMS service
can run on one or more Hybrid Data Security Nodes in your data center.
Figure 6-46 On-premises hybrid data security services
When Hybrid Data Security Nodes are deployed on the customer premises,
encrypted files and content are stored in Webex Teams data centers, while
their encryption keys are stored and managed locally. To read any file or
message sent to the Webex cloud, two pieces of information are required:
• The encrypted file or message
• The encryption key used to secure it
All customer data within Webex Teams is encrypted and is inaccessible to
Cisco personnel without authorization. Attempts to access encrypted
customer content without authorization by any employee would be a
violation of Cisco policy and would be investigated, and the employee would
be subject to disciplinary action up to and including termination of
employment.
In an effort to protect customers’ interests, Cisco has outlined the steps for
sharing requests for data. Details can be found at
https://www.cisco.com/c/en/us/about/trust-center/transparency.html.
By default, all content (messages and files) sent to Webex Teams spaces is
securely stored in Webex Teams data centers. Using Webex Teams APIs,
customers have the option to archive a copy of this content with a third-party
data archival company (for example, Actiance, Global Relay, or Verint
Verba). Customers can retrieve and store content on their own archival
system.
Cisco has also developed a Webex Teams API framework that allows
enterprise customers to store all their files with their preferred Enterprise
Content Management (ECM) provider instead of in the Webex cloud (for
example, OneDrive, Box, or Google Drive). Customers can also use the API
for Enterprise Content Management to store files within their enterprise
network. For more information, see the “Webex App | Microsoft OneDrive
and SharePoint Online” article at https://help.webex.com/article/nuz39yeb.
Figure 6-47 shows the Webex Teams API for Enterprise Content
Management.

Figure 6-47 Webex Teams API for Enterprise Content Management


File version control is maintained by the ECM application. Webex Teams
uses Microsoft standard Graph API for ECM integration to Microsoft
OneDrive or SharePoint Online. For more information, see
https://docs.microsoft.com/en-us/onedrive/developer/rest-api/?view=odsp-
graph-online.

Webex Teams Apps – Data at Rest Protection


Encryption of data at rest applies not only to content stored in the Webex
cloud, but also to content stored by Webex Teams apps. The following
content is securely stored by Webex Teams for Windows, macOS, iOS, and
Android:
• Messages
• Preview files and files converted to Portable Network Graphics (PNG)
file format
• Space encryption keys
• Profile pictures
• Space details
• Meeting details
• Whiteboard files
• OAuth tokens
Webex Teams apps on desktop and mobile devices store this content in an
SQLite database that is encrypted using the AES-256-OFB algorithm. The
master key for the SQLite database is encrypted by and stored in the platform
OS secure store (for example, Windows Data Protect API, macOS/iOS
Secure Enclave and Keychain, and Android Keystore).
Figure 6-48 shows Webex Teams feature for the encryption of data at rest.
Figure 6-48 Webex Teams encryption of data at rest
Files downloaded by the Webex Teams app are decrypted prior to storage.
The storage location of downloaded files is determined by the user (for
example, the Windows Downloads folder).

Webex Teams App for Web – Data Storage


Webex Teams for Web (https://teams.webex.com) does not permanently
store content. Messages, files, encryption keys, and tokens are deleted when
the browser or browser tab is closed. One exception to this case is when the
“Remember Me” option is selected by the user to bypass user authentication.
In this case, the access and refresh tokens are stored and reused when Webex
Teams is relaunched in the browser.

Webex Team Indexing Service


The Webex Teams Indexing Service enables rapid searches of messages, files
(filenames), people (usernames) and places (space names and team names) by
Webex Teams users.
Typically, the Webex Teams Indexing Service resides in the Webex cloud
(see Figure 6-49), but it can also be deployed on a customer’s premises as a
component of the Hybrid Data Security Service (see Figure 6-50). This
service parses, stems, and hashes terms in all messages and filenames in
spaces, as well as usernames and space names, to create a series of hashed
indexes. These hashed indexes are stored in the Search Service in the Webex
cloud. Indexing takes place for each message and file (name) posted by a
Webex Teams user. Indexing involves decrypting the posted content,
followed by the indexing process. Decrypted messages and filenames are
deleted immediately after the indexing process is completed. User search
requests use the Search service in the Webex cloud to find either content in
spaces and team spaces that the user is a member of or names of other users
and spaces.
Figure 6-49 Webex cloud-based indexing and search services
Figure 6-50 Customer premises-based indexing and search services for
Webex Teams hosted on a Hybrid Data Security Node
When deployed on-premises, Hybrid Data Security (HDS) services provide
an additional benefit, in that decryption of posted content for indexing takes
place on the customer premises, not in the Webex cloud. Additionally, the
encryption keys for messages and files are also owned, stored, and managed
on the customer’s premises as part of the Hybrid Data Security service.
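The hashed-index step can be illustrated with an added Go example (it is not the Webex Indexing Service's code): terms are normalized, stemmed with a deliberately simplified suffix stripper, and keyed with HMAC-SHA256 under a per-organization key, so the stored index holds only hashes and a query is matched by hashing it the same way. The three messages and the key are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
	"unicode"
)

// HashedIndex maps HMAC(term) -> message IDs; plaintext terms are never stored.
type HashedIndex struct {
	key   []byte
	posts map[string][]string
}

func NewHashedIndex(orgKey []byte) *HashedIndex {
	return &HashedIndex{key: orgKey, posts: map[string][]string{}}
}

// stem strips a few common suffixes; a deliberately simplified stand-in for a real stemmer.
func stem(w string) string {
	for _, suf := range []string{"ing", "ed", "s"} {
		if len(w) > len(suf)+2 && strings.HasSuffix(w, suf) {
			return strings.TrimSuffix(w, suf)
		}
	}
	return w
}

// normalize lowercases, splits on anything that is not a letter or digit, and stems each term.
func normalize(text string) []string {
	terms := strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
	for i, t := range terms {
		terms[i] = stem(t)
	}
	return terms
}

// hashTerm keys the term with HMAC-SHA256 under the per-organization key, so the stored
// index cannot be matched against dictionary guesses without that key.
func (ix *HashedIndex) hashTerm(term string) string {
	mac := hmac.New(sha256.New, ix.key)
	mac.Write([]byte(term))
	return hex.EncodeToString(mac.Sum(nil))
}

// IndexMessage consumes the decrypted plaintext of one message and records only hashed
// terms for msgID; the caller discards the plaintext once this returns.
func (ix *HashedIndex) IndexMessage(msgID, plaintext string) {
	for _, t := range normalize(plaintext) {
		h := ix.hashTerm(t)
		if p := ix.posts[h]; len(p) == 0 || p[len(p)-1] != msgID { // skip repeats within a message
			ix.posts[h] = append(p, msgID)
		}
	}
}

// Search hashes each query term the same way and returns, sorted, the IDs of messages
// that contain every term (AND semantics).
func (ix *HashedIndex) Search(query string) []string {
	var hits map[string]bool
	for _, t := range normalize(query) {
		next := map[string]bool{}
		for _, id := range ix.posts[ix.hashTerm(t)] {
			if hits == nil || hits[id] {
				next[id] = true
			}
		}
		hits = next
	}
	ids := make([]string, 0, len(hits))
	for id := range hits {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// StoredTerms returns what the cloud-side search service actually holds: hex HMAC values only.
func (ix *HashedIndex) StoredTerms() []string {
	terms := make([]string, 0, len(ix.posts))
	for h := range ix.posts {
		terms = append(terms, h)
	}
	sort.Strings(terms)
	return terms
}

// BuildSampleIndex indexes three constructed messages under a constructed organization key.
func BuildSampleIndex() *HashedIndex {
	ix := NewHashedIndex([]byte("constructed-per-org-key"))
	ix.IndexMessage("m1", "Rotated the encryption keys for the finance space")
	ix.IndexMessage("m2", "Finance report uploaded: quarterly-numbers.xlsx")
	ix.IndexMessage("m3", "Reminder: key rotation runbook is in the wiki")
	return ix
}
```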

KMS On-Premises
Webex Teams and Webex devices establish TLS connections to the Webex
cloud. These encrypted connections are used for all communication to Webex
cloud services and on-premises services such as the Hybrid Data Security
service. To ensure that communication between Webex Teams and on-
premises HDS services remain confidential, an additional encrypted
connection is established between Webex Teams and the on-premises HDS
service. This secure connection uses ECDHE for key negotiation and AES-
256-GCM for authenticated encryption of data. Figure 6-51 shows the
Webex cloud and HDS connections used by Webex Teams.

Figure 6-51 Webex Teams – Webex cloud and HDS connections


Key management services in HDS nodes automatically federate with the
KMS services of other organizations when Webex Teams users from two or
more organizations participate in a Webex Teams space. This KMS-to-KMS
connection is established by using mutual TLS between the HDS nodes in
each organization. Figure 6-52 shows KMS federation between two
organizations using Webex Teams and HDS.

Figure 6-52 KMS federation between two organizations using Webex
Teams and HDS

The Key Management Server (KMS) does not perform an encryption
function; it creates and distributes encryption keys to Webex Teams that use
end-to-end encryption for content (messages and files). The KMS does not
create and distribute encryption keys for Webex Teams media streams; these
keys are generated by the Webex Teams, devices, and media servers
participating in a call or conference.
All encryption keys used by Webex Teams are securely stored. Encryption
keys for messages and content shared in Webex Teams spaces and the details
of these spaces are held in a database and encrypted before being stored. The
space details include the space name, space owner or moderator, and
participants.
For Webex Teams organizations using the Webex cloud KMS service, their
encryption keys and space details are securely stored on Cisco-dedicated
database servers. For Webex Teams organizations using the Webex Teams
HDS service, their encryption keys and space details are securely stored in
the organization’s premises on customer-owned database servers (for
example, Microsoft SQL or Postgres).
Access to KMS/HDS-related data is scoped to each tenant through a
combination of the following:
• Access tokens that identify the user, the organization that they belong
to, and the scope of Webex Teams services that they are authorized to
access
• Data structures for Webex Teams spaces, meetings, and so on that
define their authorized participants
The encryption keys for Webex Teams spaces and content (messages and
files) are securely stored and cached by Webex Teams, which is helpful if the
KMS goes down (especially for HDS).
For Webex Teams for iOS and Android, resetting user access in the Cisco
Webex Control Hub deletes the cached content. Resetting user access also
revokes the user’s OAuth access token across all Webex Teams apps,
requiring users to sign in again. For Webex Teams for Web, cached content is
deleted when the user signs out or closes the browser or the browser tab.
As for file storage security during transcoding, files are never stored by the
document transcoding application; they are processed by the application
(converted to a PNG image). After the content is transcoded, the original
document is deleted. Native document and file transcoding in the Webex
cloud were introduced in 2019. File and document transcoding in the Webex
cloud removes the requirement to use third-party transcoding services and
improves transcoding performance.
For information about the encryption and security capabilities of Webex
Teams, see:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cloudCollaborat
ion/spark/whitepapers/cisco-wbxt-firewall-traversal-whitepaper.pdf
For details of encryption and key management features and services
supported today, see
https://www.cisco.com/c/en/us/products/collateral/collaboration-
endpoints/webex-room-series/datasheet-c78-740770.html.

Webex Team Single Sign-On


Webex Teams supports any Identity Provider (IdP) that complies with SAML
v2. Webex Teams works with the leading identity providers for both on-
premises and Identity as a Service (IaaS) integration for the purpose of
SAML v2 federated single sign-on. Cisco has created integration guides for
some of these partners and has posted them on its Help site at
https://help.webex.com/article/lfu88u. Integration guides or confirmed
customer integrations are available for the following identity providers:
• On-premises identity providers:
• Microsoft ADFS
• Oracle Access Manager
• Ping Identity
• OpenAM
• IBM Security Access Manager
• CA Siteminder
• F5 Big-IP
• Shibboleth
• IaaS vendors:
• Okta
• PingOne
• Salesforce
• Microsoft Azure
• Oracle Identity Cloud Service
• Centrify
• OneLogin

Multifactor Authentication
Webex Teams provides authentication through multifactor authentication
(MFA) by integrating with SAML v2 identity providers that support this
mechanism. Many organizations deploy MFA mechanisms across their
enterprise for all services that require special additional factors during
authentication—something you know, such as your password, and something
you have, such as an X.509 certificate, HMAC-based one-time password
(HOTP), time-based one-time password (TOTP), device fingerprinting, or
other supported mechanisms by the IdP.

IdP and MDM/MAM with Webex Teams


Enterprise customers are building new architectures to address the security of
mobile devices, authentication, and authorization of cloud-based SaaS.
Enterprise customers look to the identity provider vendors to provide
authentication and authorization to web apps, as well as access control to
mobile apps (also known as mobile application management, or MAM).
These same IdPs also include mobile device management (MDM) features or
integrations to make sure that trusted devices are used by employees when
accessing applications. Many IdPs use features such as device registration or
certificate-based authentication to achieve these goals.

Webex Teams Proximity and Device Pairing


Webex Teams desktop and mobile apps can use proximity to pair with
Webex cloud-registered devices and on-premises Cisco video devices
registered to Cisco Unified CM and Cisco TelePresence Video
Communication Server (VCS). The device discovery and pairing mechanisms
are similar for cloud-registered devices and Unified CM/VCS-registered
devices; the content sharing and device control mechanisms both use
TLS/HTTPS connections but differ in the paths they use between the Webex
Teams app and the device.

Note
Webex Teams for web supports manual pairing only.

Proximity for Cloud-Registered Webex Devices


Cloud-registered Webex devices use ultrasonic signaling and tokens to pair
with Webex Teams apps. Figure 6-53 shows that unique tokens are generated
by the Webex cloud every 30 seconds and securely sent over TLS to the
Webex device, which emits these tokens using ultrasound from the device
speakers. A Webex Teams app within range of the ultrasound signal can use
the received token to pair with Webex device, by sending the token to the
Webex cloud service. Once the device and app are paired, newly emitted
tokens must be received by the Webex Teams app and sent to the Webex
cloud service to maintain the paired connection.
One reason for using ultrasound for proximity detection is its limited range;
ultrasound signals typically do not pass through walls, limiting the pairing
token’s range to the enclosed room that the endpoint is placed within.
Figure 6-53 Ultrasound pairing for Webex Teams and Webex devices
Figure 6-54 shows that once the paired connection between the device and
app has been established using the Webex cloud, the Webex Teams app can
control the Webex device (for example, to make calls, mute, and so on) and
also share content on the Webex device. Both the Webex Teams app and the
Webex device use their existing TLS connections to the Webex cloud to
exchange call control signaling and media for content sharing.
Figure 6-54 Ultrasound pairing for Webex Teams and Webex devices
post connection

Proximity for On-Premises Registered Webex Devices


Figure 6-55 shows that Unified CM and VCS registered Cisco video devices
use ultrasonic signaling and tokens for proximity pairing with Webex Teams
apps. Unique tokens are generated by the device every 180 seconds and
emitted using ultrasound from the device speakers. A Webex Teams app
within range of the ultrasonic signal can use the received token to pair with a
Unified CM or VCS registered Cisco Video device by sending the token to
the device over an HTTPS connection. Once the pairing is complete, newly
emitted tokens must be received by the Webex Teams app and returned to the
device to maintain the paired connection.
For more information, see the “Configure On-Premises Devices for Cisco
Webex Teams Users” article at https://help.webex.com/article/poqjhk.

Figure 6-55 Ultrasound pairing for Unified CM/VCS registered devices
and Webex Teams

When the paired connection between the Cisco video device and Webex
Teams app has been established, the Webex Teams app can control the
device (for example, to make calls, mute, and so on) and also share content
(see Figure 6-26). The Webex Teams app and Unified CM or VCS registered
video device use the directly established HTTPS connection to exchange call
control signaling and media for content sharing.
There are differences in how the Webex Teams app connects to cloud-
registered and on-premises devices. When connecting to an on-premises
device, the content that is shared between the Webex Teams app and the
video device is always encrypted. However, certificate verification is not
enforced when an HTTPS session is established with an on-premises
device. Verifying certificates would prevent pairing with guest devices and
would be complex to deploy and maintain. Figure 6-56 shows the Webex
Teams discovery of on-premises devices option in Webex Control Hub; this
option is disabled by default.

Figure 6-56 Webex Teams discovery of on-premises devices option in
Webex Control Hub

Other Webex Device Discovery Mechanisms


Webex Teams apps can also use Wi-Fi to discover Webex devices and
manually connect using a personal identification number (PIN). For more
information, see the following articles:
• “Manage Wi-Fi Discovery of Webex Devices”
(https://help.webex.com/article/nz9iowf)
• “Find and Connect to Nearby Cisco Webex Devices from Cisco
Webex Teams”
• “Manually Connect to Cisco Webex Devices from Cisco Webex
Teams” (https://help.webex.com/article/nf29igm)

Summary
In this chapter, we covered some of the key features and insights into Webex
Teams architecture and some best practices to be used when you are
deploying Webex in your network.

Chapter 7. Internet of Things (IoT)
Introduction to the Internet of Things
Before we can begin to see the importance of the Internet of Things (IoT), it
is first necessary to understand the differences between the Internet and the
World Wide Web (or Web)—terms that are often used interchangeably. The
Internet is the physical layer or network made up of switches, routers, and
other equipment. Its primary function is to transport information from one
point to another quickly, reliably, and securely. The Web, on the other hand,
is an application layer that operates on top of the Internet. Its primary role is
to provide an interface that makes the information flowing across the Internet
usable.
By comparison, the Internet has been on a steady path of development and
improvement, but arguably hasn’t changed much. In this context, IoT
becomes immensely important because it is the first real evolution of the
Internet—a leap that will lead to revolutionary applications that have the
potential to dramatically improve the way people live, learn, work, and
entertain themselves. Already, IoT has made the Internet sensory
(temperature, pressure, vibration, light, moisture, stress), allowing us to
become more proactive and less reactive. Figure 7-1 provides an overview of
Cisco’s IoT portfolio.
Figure 7-1 An overview of Cisco’s IoT portfolio
As the planet’s population continues to increase, it becomes even more
important for people to become stewards of the earth and its resources. In
addition, people desire to live healthy, fulfilling, and comfortable lives for
themselves, their families, and those they care about. By combining the
ability of the next evolution of the Internet (IoT) to sense, collect, transmit,
analyze, and distribute data on a massive scale with the way people process
information, humanity will have the knowledge and wisdom it needs not only
to survive, but to thrive in the coming months, years, decades, and centuries.
The sheer size and variety of data traversing today’s networks are increasing
exponentially. This highly distributed data is generated by a wide range of
cloud and enterprise applications, websites, social media, computers,
smartphones, sensors, cameras, and much more—all coming in different
formats and protocols. IoT contributes significantly to this rising volume,
often by generating a high frequency of relatively small amounts of data.

How Do OT and IT Differ?


Operational technology (OT) is the hardware and software that monitors and
controls devices, processes, and infrastructure, and it’s used in industrial
settings. IT combines technologies for networking, information processing,
enterprise data centers, and cloud systems. OT devices control the physical
world, while IT systems manage data and applications.
IT is the technology backbone of any organization. It’s necessary for
monitoring, managing, and securing core functions such as email, finance,
human resources (HR), and other applications in the data center and cloud.
OT is for connecting, monitoring, managing, and securing an organization’s
industrial operations. Businesses engaged in activities such as manufacturing,
mining, oil and gas, utilities, and transportation, among many others, rely
heavily on OT. Robots, industrial control systems (ICS), supervisory control
and data acquisition (SCADA) systems, programmable logic controllers
(PLCs), and computer numerical control (CNC) are examples of OT.
Operational technology can also be found in warehouses and outdoor areas
such as parking lots and highways. Some OT examples include ATMs and
kiosks, connected buses, trains, and service fleets, weather stations, and
systems that allow a city to manage chargers for electric vehicles.
The key difference between IT and OT is that IT is centered on an
organization’s frontend informational activities, while OT is focused on the
backend production (machines).
OT and IT network infrastructures have similar elements, such as switches,
routers, and wireless technology. Therefore, OT networks can benefit from
the rigor and experience that IT has built over the years with common
network management and security controls to build a solid network
foundation.
However, there are key differences:
• Form factor: OT network devices come in smaller and modularized
form factors so they can be mounted in different ways, such as on rails,
walls, or light poles, in cars, or even embedded within other
equipment.
• Hardening: OT network infrastructure may need to be ruggedized
when deployed in severe industrial conditions. The infrastructure must
be resistant to shock, vibration, water, extreme temperatures, and
corrosive air and chemicals.
• Network interfaces: Depending on their purpose, OT devices may
support networks such as LoRaWAN or Wi-SUN to connect industrial
IoT (IIoT) devices.
• Protocols: OT network devices connect IoT sensors and machines,
which run communications protocols that are not commonly used in
traditional IT networks. Therefore, industrial networking products
must support a wide variety of protocols such as Modbus, Profinet, and
Common Industrial Protocol (CIP).

IoT Challenges
The following is a list of some of the challenges IoT presents:
• The process of connecting, securing, and managing diverse devices is
complex.
• A lot of data remains locked inside its sources.
• Flexibility is needed to compute data at the edge, data center, and/or
cloud.
• There’s no programmatic way to move the right data to the right apps
at the right time.
• There’s no software control to enforce ownership, privacy, and
security.

Cisco Kinetic Platform


To get real business value from all of your IoT data, you can use the power of
the Cisco Kinetic platform to extract, compute, and move data from your
connected things to various applications—and get maximum business benefit.
Figure 7-2 shows how Cisco Kinetic integrates seamlessly between your data
sources and apps.
Figure 7-2 How Cisco Kinetic integrates seamlessly between your data
sources and apps
You need to realize the full potential of your IoT data to drive better business
outcomes. The data produced by all your “things” is a high-value asset that
can change the trajectory of your business—if you can make full use of it.
But that can be challenging when you’re working with disparate things and a
variety of applications that may live in edge or fog nodes, your data center,
private clouds, and/or public clouds.
Cisco Kinetic makes it easy to connect distributed devices (“things”) to the
network and then extract, normalize, and securely move data from those
devices to distributed applications. The platform plays a vital role in
enforcing policies defined by data owners, as to which data goes where, and
when. Figure 7-3 illustrates how Cisco Kinetic can get data from devices in a
highly distributed environment.
Figure 7-3 How Cisco Kinetic can get data from devices in a highly
distributed environment
Cisco Kinetic is a new class of platform—an IoT data fabric. This distributed
system of software streamlines your IoT operations by performing three key
functions:
• It extracts data from disparate sources (“things”), regardless of
protocol, and transforms it, making it usable by the applications that
provide business value.
• It computes data anywhere, from edge to destination, to provide
processing where it’s needed. This enables fast decisions at the point of
action, dramatically reduces latency, and makes the most efficient use of
network resources.
• It moves data programmatically to get the right data to the right
applications at the right time. The platform serves the need for data
distribution in multicloud, multiparty, and multilocation situations,
executing policies to enforce data ownership, privacy, and security.
The Kinetic platform is a scalable, open system, adaptable for a variety of use
cases across a broad range of industries. Its modular design is well-suited for
companies that want to get a fast start on their IoT journey and grow.

Why Cisco Kinetic


Table 7-1 describes the key features of Cisco Kinetic Platform.
Table 7-1 Kinetic Platform Key Features
Understanding Cisco Kinetic Platform
Cisco Kinetic makes it easy to connect distributed devices (“things”) to the
network and then extract, normalize, and securely move data from those
devices to distributed applications. The Kinetic platform also plays a vital
role in enforcing policies defined by data owners, so they can control which
data goes where, and when.
The platform includes three integrated modules:
• Gateway Management (GMM): Provision gateways at scale with a
highly secure, low-touch work flow. Plus, view and control your
gateways from a cloud-based dashboard.
• Data Control (DCM): Move the right data from diverse devices to the
right cloud-based applications at the right time, according to policy set
by the data owner.
• Edge and Fog Processing (EFM): Compute data in distributed nodes.
Make critical decisions near the point of action, and use network
resources most efficiently.
Figure 7-4 lists the modules of Cisco Kinetic Platform.
Figure 7-4 Modules of Cisco Kinetic Platform

Cisco Kinetic – Gateway Management Module


The Cisco Gateway Management Module (GMM) is a secure, scalable tool to
provision, manage, and monitor IoT gateways. It is cloud-native, multitenant,
and Cisco SBP (Service Billing Platform) enabled.
Use GMM to bring new gateways online in minutes instead of days—and
easily manage them remotely with this secure cloud-hosted application.
GMM streamlines provisioning and provides you with ongoing visibility and
control of your Cisco-supported gateways from your desktop browser.
For example, in a transportation use case, gateways installed along a roadway
can be remotely managed using GMM. All required network configurations
can be pushed from a single point in the cloud across all gateways based on
user-defined templates. Figure 7-5 describes the GMM Module.

Figure 7-5 GMM Module overview


The following list explains some of the benefits provided by GMM:
• Instant provisioning: Dramatically reduce gateway on-boarding time
with simple setup.
• Power up the gateway, plug it into the network, or use its cellular
power to connect with GMM.
• Enter the gateway’s serial number in your browser-based Cisco GMM
dashboard to securely “claim” it.
• Select from your library of templates to automatically configure the
gateway as it onboards.
There’s no configuration code to write, and no need to send a network
engineer on site. The installation technician simply powers it on and
makes sure it has a connection. You handle the rest from your cloud-
based dashboard. There are no delays, and you can apply bulk
operations to handle volume provisioning for even greater efficiency.
• Manage gateways securely in various deployment models: Whether
you’re adding gateways to an existing network or using them as
standalone access points with cellular connectivity only, GMM
streamlines your deployment. You can also extend your network
security to mobile and remote gateways with an optional Cisco Flex
VPN connection between these assets and your network and associated
user access controls. Figure 7-6 illustrates the GMM deployment
modules.
Figure 7-6 GMM deployment modules
• Cellular connectivity and strength: Gain real-time visibility into the
cellular connectivity and strength. Use this information to manage dual
SIM connectivity when enabled on your gateways. This provides
always-on connectivity for mission-critical remote and mobile
applications. Plus, if your use case includes video recording in a
vehicle, you can automatically offload files via Wi-Fi when in range of
your network to avoid the higher cost of cellular data transfer. Figure
7-7 illustrates the GMM connectivity.
Figure 7-7 GMM connectivity

Cisco Kinetic – Data Control Module


Transform and filter sensor data and send the results to the cloud and/or other
destinations, according to policies set by the data owner.
The benefits for Cisco DCM are as follows:
• Simplify management of operations at scale.
• Global view of all assets allows for better planning and management.
• Increase uptime and efficiency of IoT devices.
• Enforce data ownership and control of who gets your data.
• Scalable control of data by offering programmable filtering, throttling,
and alerting from a single pane of glass.
• Triage and fix device issues remotely; avoid costly truck rolls.
Figure 7-8 illustrates the DCM dashboard.
Figure 7-8 DCM dashboard

Cisco Kinetic – Edge & Fog Processing Module


Compute on distributed nodes of the network, from edge to destination.
The benefits of Cisco EFM are as follows:
• Connect a wide range of devices; capture and transform data,
normalizing it to make it usable.
• Supports industrial environments without cloud connectivity or limited
access.
• Respond in real time; apply rules to data in motion.
• Perform distributed micro-processing, where needed, from edge to
endpoint.
• Securely and reliably deliver data at the edge or fog.
• Maintain historian data for future analysis.
• Visualize data in real time for faster responses to machine
performance.
Figure 7-9 illustrates the EFM Module.

Figure 7-9 EFM Module

Introduction to Cisco IoT


The best decisions are made when the right people have access to the right
information at the right time. The Internet of Things (IoT) has dramatically
increased the volume and variety of data produced, opening the door to a
wave of new possibilities. The key is to extract the data from its source,
transform it so it is usable, and securely deliver the right data to the right
applications to put it to work. Figure 7-10 illustrates the Cisco Edge
Intelligence Solution.

Figure 7-10 Cisco Edge Intelligence Solution


However, most solutions today are so complicated that organizations often
cannot reap the full rewards of their data-gathering projects. The most
important data is often at the remote edge of the network, where the core
business operates, such as in oil rigs, delivery trucks, and utility substations
and on roads. In addition, organizations lose insight into who has access to
what data and often don’t have the needed flexibility and simplicity to send
the data everywhere it needs to go.
Cisco offers an unparalleled end-to-end IoT OD architecture to interconnect
assets, applications, and data to uncover transformative business insights.
Figure 7-11 illustrates Cisco IoT Solution Overview.

Figure 7-11 Cisco IoT Solution Overview

Edge Device Manager


Edge Device Manager is a core service in Cisco IoT used to manage
industrial network devices such as IR1101, IR829, IR809, and IR807.
Customers can bring new devices online with Zero Touch Deployment
(ZTD) and easily manage them remotely with this service, for software
upgrades, monitoring, and troubleshooting. With the included Cisco
Validated Design (CVD) templates and eCVD templates, customers can now
confidently configure one or thousands of devices quickly. When customers
purchase Cisco IoT, Edge Device Manager is a service that always comes
with the product and is enabled by device management licenses. Edge Device
Manager has Cisco Control Center integration, allowing greater visibility and
control of SIM-level details of the Cisco Control Center SIM.
The Cisco IoT Edge Device Manager (EDM) is a secure, cloud-native,
scalable tool to provision, manage, and monitor IoT network devices. You
can use the Edge Device Manager to bring new edge devices online in
minutes instead of days—and easily manage them remotely with this secure
cloud-hosted application. Edge Device Manager streamlines provisioning and
provides you with ongoing visibility and control of your Cisco-supported
edge devices from your desktop browser.
For example, in a transportation use case, network devices installed along a
roadway can be remotely managed using EDM. All required network
configurations can be pushed from a single point in the cloud across all
network devices based on user-defined templates. Figure 7-12 provides an
overview of Cisco EDM.
Figure 7-12 Cisco Edge Device Manager Overview
Cisco EDM includes the following main features:
• Zero-touch deployment (ZTD): Quick and easy provisioning of IoT
network devices minimizes costly manual work. Using Secure Device
Onboarding (SDO) and Cisco Plug and Play Connect, Cisco industrial
routers can call home to Cisco IoT OD automatically, over cellular or
Ethernet, for onboarding and provisioning upon power-up. An intuitive
GUI enables you to create groups and apply configuration templates or
custom templates to one or thousands of devices. Other benefits of ZTD
include the following:
• Accelerate device setup and configuration.
• Reduce deployment cost and project risk associated with time-
consuming and error-prone manual configuration.
• Avoid the training costs associated with more complex deployment
models.
• Device lifecycle management: Properly maintain your network
devices with the following:
• Software upgrades
• Configuration updates
• Device monitoring
• Device diagnostics
• Alerts and Events
• Cellular visibility: Use Control Center integration to gain real-time
visibility into cellular signal strength and aggregated cellular data
usage.
• End-to-end security: Ensure your data is protected with Cisco
security at many levels. Enable certificate-based authentication during
the device-claiming process.
• Device location: View the location of your devices on a map and
status summaries of device health, cellular usage, and more.
• User and organization management: Gain greater control over user
access and permissions with the following:
• Multitenancy
• Role-based access control (RBAC)
• Single sign-on (SSO) authentication with SAML
Supported Device Interfaces for Onboarding
The following interfaces are supported for IoT OD PnP onboarding using the
default-configuration template. Only these supported interfaces provide
monitoring data in the Dashboard page and in the device details Monitoring
tab (Inventory > device > Monitoring). Currently, dual active/active LTE is
not supported on any platform in the default template.
Table 7-2 details all the supported devices and interfaces used.
Table 7-2 All Supported Devices and Interfaces Used

Onboarding Devices
Once your Edge Device Manager (EDM) account is set up, you can proceed
with onboarding your various devices.

Onboarding IR devices
Use Edge Device Manager (EDM) to add network devices to IoT OD. Enter
the device serial number and select the device group that is associated with
the correct configuration template. You can then make any device-specific
settings and add the device. The following example describes how to create a
device group and apply an eCVD (Cisco Validated Design) template to an
IR1101 device. Figure 7-13 illustrates the IR device onboarding process.
Figure 7-13 IR device onboarding process
Step 1. Set up a new organization in Cisco IoT OD, or log in to an existing
admin account.
Step 2. Select the Edge Device Manager service in the left banner.
Step 3. Pre-stage your network configuration by creating a device group and
configuration template.
Device groups allow you to apply the same configuration template to
groups of similar network devices. Any network device you add to
the group will receive the group template. Any changes to that
template will apply to all devices in the group.
a. Click Configuration.
b. In the Groups tab, click Add Group.
c. Enter the group settings:
• Group Name: Enter a meaningful name.
• Select Device Type: Select the device model, such as the IR1101
series. Each device type has a different set of features that can be
configured.
d. Select a new base template. Select the eCVD-IR1101-Basic
template.

Note
This configuration can be used as-is or customized later.
e. Group Description (Optional). Describe the devices and
configuration.
f. Verify the settings and click Create. Your new group appears in
the list.
Step 4. Configure the group’s WAN uplink settings.
This is only required if your deployment uses a private or custom
Access Point Name that is not automatically recognized by the
modem. There may be cases where a public APN is not in the
modem’s default list and would need to be added as part of the steps
described next. If the APN name is required, you must also use
Ethernet for the initial onboarding. After you add the device to IoT
OD, Ethernet can be disconnected.
a. Click the group name and then select Edit Group.
b. Click the Configuration tab and select Form View (no Form
View for IG 20 devices).
c. Click WAN, enter the following settings, and click Save:
• Ethernet: Select Enabled.
• Ethernet port WAN priority: Select First.
• Cellular 1: Enabled.
• Primary Cellular Access Point Name: Enter the
private/custom APN name.
• First Cellular interface WAN priority: Select Second.
Step 5. Add a device to IoT OD and map it to an existing pre-staged device
group.
a. From the left pane, click Inventory.
b. Click Add Devices.
c. Select Manual Add and complete the following fields in the Add
Device page:
• Product ID (PID): Select the product ID (model number) from
the drop-down list.
• Serial Number: Enter a serial number.
• Name: (Optional) Enter a device name.
• Latitude / Longitude: (Optional) Enter the location of the device
to display it on the dashboard map.
d. Select the device group you just created. The configuration
template for that group will be applied to the network device.
e. Click Next.
f. In the Configuration window, complete the settings and variables
included in the template. The following settings are required to
create a remote session with the subtended device.
WAN: Enable the following for your WAN back-haul settings:
• Cellular: Click Enabled. If you’re using a public APN, leave the
Primary Cellular Access Point Name blank (the name is
automatically entered). For custom or private APNs, the APN
name configured for the device group should appear.
• Ethernet: This should be Enabled for private or custom APNs, or
if your device uses a wired network connection. For private or
custom APNs, Ethernet is used to onboard the device. After the
device is added, Ethernet can be disconnected and the
private/custom cellular network will be used instead.
g. Click Next after all settings are complete.
h. Correct any errors before proceeding, if necessary.
i. In the Review window, check that your settings are correct and
click Save.
Step 6. Connect the device to power and add it to your network.
When the device is powered on and connected to the network using
either Ethernet or cellular, it will connect to IoT OD and be
configured for use with IoT OD. The selected template configuration
will also be applied. The device will go through the following states:
Unheard > Configuring > Up (Green). This can take 5–7 minutes.
SIM Card Activation and Seamless Device Onboarding
This feature will automatically activate your Cisco-provided AT&T SIM
card, as long as you have set up an account with AT&T and entered the
account credentials into IoT Operations Dashboard (OD). Once you enter
your AT&T account credentials into IoT OD, you can preconfigure a group
of devices to share the same SIM configuration (communication plan and
rate plan).
Once you complete these prerequisites, devices that are moved into the group
will automatically provision into your AT&T account as soon as the IoT
network devices are switched on for the first time. SDO accomplishes the
following:
• Automate device configuration for Day 1 operation (APNs, cellular
config), replacing error-prone manual APN configuration.
• Automate switching of device SIM from Cisco’s holding account to
customer’s enterprise Control Center Account.

SDO Architecture
Figure 7-14 is a simplified graphic of the Secure Device Onboarding process.
Figure 7-14 Secure device onboarding process

Secure Equipment Access


Use Secure Equipment Access (SEA) to remotely manage access and interact
with both the gateways and connected devices. This can be used to directly
troubleshoot or monitor the IoT devices in your deployment.
SEA provides browser-based access to equipment for all supported protocols:
HTTP/S, SSH, RDP, and VNC. No additional software is required on the
user laptop to access equipment. Specific users within in-house operations
teams and external third parties can be assigned access to a group of
equipment.
Here’s an example:
• An elevator technician can use SEA to establish IP connectivity
between his PC and an elevator in another city. He can then use a
diagnostics application on his PC to troubleshoot an issue, determine a
solution, and dispatch a repair technician with the right parts for that
issue.
• An administrator can use a VNC connection to remotely access and
control a Windows computer attached to the gateway.
• A device (such as a camera management server) can be accessed and
used to configure and manage other devices (such as video cameras).

Summary Steps
Step 1. Log in to your Operations Dashboard account.
Step 2. A system administrator sets up device access.
Step 3. Onboard and configure gateways using the Edge Device Manager
service.
Step 4. Add IoT devices to the gateways in SEA.
• Connected clients configured in EDM can be selected from a list.
(Note: Connected clients for IG devices are auto-discovered.)
• Additional devices can be manually added in SEA.
Step 5. An operator administrator gives users SEA access to specific
equipment.
Step 6. Operator users can then access the equipment.
Edge Intelligence
Edge Intelligence (EI) is edge-to-multicloud data orchestration software
designed for connected assets. This software is deployed on Cisco industrial
routers and compute gateways for simple out-of-the box deployment.
EI gives organizations full control over data—from its extraction to its
transformation to its governance to its delivery. At each stage of data
collection, EI streamlines the process so that it can be delivered easily at
scale. For example, EI significantly speeds the labor-intensive process of
developing and deploying applications that process data at the edge. It offers
a plug-in for Microsoft Visual Studio Code. Organizations everywhere can
easily create code and push applications out wherever they need to go
without having to leave Microsoft Visual Studio.
EI provides the flexibility to integrate with multiple applications in multiple
clouds. EI offers native integrations that simplify the entire process for
Microsoft Azure IoT Hub and other MQ Telemetry Transport (MQTT)
applications.

Edge to Multicloud Data Flow


EI helps you take control of your data throughout key aspects of its lifecycle,
helping you simplify from start to finish. The following list and Figure 7-15
summarize this edge-to-multicloud lifecycle:

Figure 7-15 Lifecycle of Edge Intelligence


• Extract: You can automatically ingest data from any edge sensor using
Cisco EI hosted on Cisco network equipment. EI has built-in industry-
standard connectors, such as OPC Unified Architecture (OPC-UA),
Modbus (TCP and Serial), and MQ Telemetry Transport (MQTT), that
allow data to be extracted from disparate sources. The data is then
converted to industry-standard formats to enable its full use.
• Transform: Once the data is extracted, EI enables real-time processing
to filter, compress, or analyze data in a uniquely simple way. Via a
plug-in, EI is fully integrated with one of the most popular tools,
Microsoft Visual Studio Code. Developers can create, test, and deploy
code without ever leaving the tool.
• Govern: EI provides a central point for the creation and deployment of
policies that govern how edge data is processed and delivered.
• Deliver: Organizations have the data they need from multiple
aggregated sources to gain actionable insights for the best decision
making. You can then choose which data is sent to which destination
and send it to multiple destinations/applications.

Overview of Configuration Lifecycle Management in EI
Creating an edge-to-multicloud data policy is a multistage process that can be
completed in the EI UI. The key steps for EI management are shown in
Figure 7-16.

Figure 7-16 Process of EI management


The progression begins with the extraction of the data from disparate sources
and the transformation of the data using data policies. Finally, the deployed
data policies deliver the data securely to the predetermined destinations.
Step 1. Enable EI agents. Deploy and configure the EI agents on the network
device. They will then “call home” and show up in the EI cloud.
Step 2. Add and configure assets. Define the asset type, test it, and then
configure the assets based on this asset type.
Step 3. Add data destinations such as Microsoft Azure IoT, MQTT Server,
IBM Watson, Software AG Cumulocity IoT, or AWS IoT Core.
Step 4. Create and deploy the data policy, which sends data from the assets to
the destinations. There are two options:
• Data Rules: Sends data from assets to destinations without
transformation.
• Data Logic: Uses JavaScript scripts developed in Microsoft Visual
Studio Code (VS Code) to transform data before it is sent to a destination
(if local processing of data is required).
Figure 7-17 summarizes the creation and deployment of data policies using
the EI.
Figure 7-17 Creation and deployment of data policies using the EI

Enable and Manage EI Agents


Cisco Edge Intelligence is enabled by installing the EI agent software on your
Cisco network devices. The EI agent is a Cisco IOx app that runs on Cisco
network devices such as the IR809, IR829, IR1101, and IC3000.
In this release, enable the EI agent on your network devices using the Cisco
Kinetic Gateway Management Module (GMM), Cisco Field Network
Director (FND), Cisco IoT Operations Dashboard (OD), or the Local
Manager. EI agent details cannot be modified from EI.
Table 7-3 details the steps for enabling EI agents.
Table 7-3 Steps for Enabling EI Agents

Asset Management Workflow


To integrate IoT edge data into applications, you must first extract the data
from assets. The main steps are as follows:
Step 1. Add an asset type. An asset type is a template that defines the type of
business asset and sensor attached to it.
• Configure the connection settings. Connection settings define how
the associated assets connect to the EI agent running on a network
device.
• Create a data model. The data model defines the format of the data
being generated from assets (how the data is represented in the
asset).
• Test and verify the data model. The data model can be tested before
saving it.
• Save the asset type.
Step 2. Add assets:
• Assets are physical instances that will be attached to a gateway.
• Asset instances are assigned to an asset type to define the
connection settings and data model.
• Asset details and custom attributes values are also added.
Step 3. Map the asset to the associated EI agent.
Step 4. Map physical instances of assets to their attached gateways.

Add Data Destinations


Add data destinations to define where data policies send data, such as Azure
IoT or MQTT. The data destination defines the connection details.
A destination must be set before you can design and deploy data policies.

Add an MQTT Server Destination


EI has customized screens for specific MQTT-based cloud destinations such
as IBM Watson and SAG Cumulocity IoT based on the MQTT parameters
typically required for those implementations. A generic MQTT destination
can be used for different configurations.
For example, a SAG Cumulocity destination that requires TLS and peer
verification can be configured in EI. You can use a generic MQTT
connection, however, to connect to a SAG Cumulocity IoT instance without
TLS. For generic MQTT connections, make sure the configuration matches
the destination instance requirements such as parameters, message format,
and so on.
To add an MQTT Server destination, complete the required fields.
Step 1. From the left menu, click Data Destinations.
Step 2. In the right pane, click Add Data Destination and select MQTT.
Step 3. Complete the fields in the Add Data Destination – MQTT Broker
page and click Save.
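The text above notes that a generic MQTT destination can reach a Cumulocity IoT (or any other) broker without TLS, and that the generic configuration must be matched to the destination by hand. The following is an added example, not Cisco EI code or its destination form: a pre-save review of a generic MQTT destination object that flags TLS off, peer verification off, a missing trust anchor, missing broker authentication, and wildcard characters in the publish topic. The field names (tls, verifyPeer, caCertificate, clientCertificate, topicPrefix) and both sample destinations are constructed for the example.

```javascript
// Added example (not Cisco EI code): review a generic MQTT destination
// configuration before saving it, flagging the settings that most often
// leave broker traffic unprotected. The field names are constructed for this
// example and are not EI's own destination form fields.

const MQTT_PLAIN_PORT = 1883; // IANA-registered MQTT over TCP
const MQTT_TLS_PORT = 8883;   // IANA-registered MQTT over TLS

// Returns { ok, findings }; ok is false when any high-severity finding exists.
function reviewMqttDestination(cfg) {
  const findings = [];
  const add = (severity, issue) => findings.push({ severity, issue });

  if (!cfg.tls) {
    add('high', 'TLS disabled: credentials and sensor payloads cross the network in clear text');
    if (cfg.port === MQTT_TLS_PORT) {
      add('low', 'port 8883 is the TLS port but TLS is off; the broker will likely reject the connection');
    }
  } else {
    if (!cfg.verifyPeer) {
      add('high', 'peer verification disabled: any host presenting a certificate is accepted as the broker');
    } else if (!cfg.caCertificate) {
      add('medium', 'no CA certificate configured: peer verification has no trust anchor unless the agent ships one');
    }
    if (cfg.port === MQTT_PLAIN_PORT) {
      add('low', 'TLS enabled on port 1883, the plaintext default; confirm the broker terminates TLS there');
    }
  }

  // Broker authentication: either a username/password pair or a client certificate.
  if (!cfg.username && !cfg.clientCertificate) {
    add('medium', 'no broker authentication configured (username/password or client certificate)');
  }
  if (cfg.username && !cfg.password) add('medium', 'username set without a password');

  // Publish topics must not contain the wildcard characters # or +.
  if (typeof cfg.topicPrefix !== 'string' || cfg.topicPrefix.length === 0) {
    add('low', 'no topic prefix: policies would publish at the broker root');
  } else if (/[#+]/.test(cfg.topicPrefix)) {
    add('low', 'topic prefix contains # or +, which are only valid in subscriptions');
  }

  return { ok: !findings.some((f) => f.severity === 'high'), findings };
}

// Constructed destinations: the generic no-TLS setup the text describes, and a
// hardened equivalent. Host names, credentials and the CA PEM are placeholders.
const INSECURE_DESTINATION = {
  host: 'cumulocity.example', port: MQTT_PLAIN_PORT, tls: false,
  username: 'ei-agent-7', password: 'changeme', topicPrefix: 's/us',
};
const HARDENED_DESTINATION = {
  host: 'cumulocity.example', port: MQTT_TLS_PORT, tls: true, verifyPeer: true,
  caCertificate: '-----BEGIN CERTIFICATE-----\n<placeholder CA PEM>\n-----END CERTIFICATE-----',
  username: 'ei-agent-7', password: '<secret from vault>', topicPrefix: 's/us',
};

// One line per finding, in the order they were raised.
function formatReport(cfg) {
  const result = reviewMqttDestination(cfg);
  const lines = result.findings.map((f) => `[${f.severity}] ${f.issue}`);
  return `${cfg.host}:${cfg.port} ok=${result.ok}\n${lines.join('\n')}`;
}

console.log(formatReport(INSECURE_DESTINATION));
console.log(formatReport(HARDENED_DESTINATION));
```

The check is deliberately conservative: it does not decide whether the broker itself is trustworthy, only whether the connection as configured would detect a wrong one. A destination that passes with zero findings still has to be tested against the real broker, as the text says, for message format and the parameters that instance expects.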

Deploy Data Rules


Data rules are deployed and run on the EI agent software installed on edge
devices. At least one asset must be mapped to each EI agent where the data
rule is deployed.
Step 1. From the left menu, click Data Policies > Data Rules.
Step 2. In the Data Rule entry, click Deploy / Undeploy.
Step 3. In the Data Rule section, select the EI agent(s) and click Deploy.
Step 4. Scroll down to Deployment Status:
• Deployment Pending (yellow): The data policy is in the process of
being deployed.
• Deployed (green): Deployment is successful on all EI agents. Data
is flowing from all assets to the data destination as configured.
• Error (red): The policy deployment is unsuccessful. There is at
least one EI agent where the deployment failed. The data flow from
assets to data destination is not successful for some configured
assets.

Deploy Data Logic


Use data logic to transform the data from assets before it is sent to a data
destination. Data logic scripts are created in VS Code and synchronized with
your organization’s Cisco IoT account, where they can be deployed to an EI
agent. This means the script will run on the Cisco network device where the
EI agent is installed, receive data from assets, transform that data according
to the data logic script, and send the results to a data destination. Here are the
steps to follow:
Step 1. In Cisco EI, configure the EI agents, asset types, asset instances, and
data destinations that will be used by the data logic.
Step 2. In VS Code, develop and debug the data logic script.
Step 3. In VS Code, click Push to Production to save the data logic to Cisco
EI.
Step 4. In Cisco EI, deploy the data logic to an EI agent:
• Click Data Policies > Data Logics.
• Click New / Not Deployed.
• In the Data Logic entry, click Configure.
• (Optional) Click the Configuration tab to change the data
destination, or view the script or Input Asset Type details.
• Click Deploy. This takes you to the Deployment tab.
• Select one or more EI agents and click Deploy. This takes you to
the Status tab, which shows the list of deployed EI agents.
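The Extract and Transform steps of the lifecycle above name Modbus as one of the connectors and describe data logic as JavaScript that filters or compresses readings on the agent before they leave for a destination. The block below is an added example, not Cisco EI code and not its data logic API: it decodes a constructed Modbus TCP Read Holding Registers response with every length field cross-checked against the bytes received, then applies a data-logic style transform that scales the registers to engineering units and drops readings that have not moved beyond a deadband since the last forwarded value. The register map, tag names, scale factors, deadband and asset id are assumptions for the example; a real EI data logic script would use Cisco's own input and output hooks, which are not reproduced here.

```javascript
// Added example, not Cisco EI code: decode a Modbus TCP "Read Holding
// Registers" (function 0x03) response and run a data-logic style transform on
// it before the result is handed to an MQTT destination.
//
// Assumptions (constructed for the example, not from the book): the register
// map, scale factors, deadband and asset id below. Cisco EI's real data logic
// input/output hooks are not reproduced here.

const MBAP_HEADER_LEN = 7; // transaction(2) + protocol(2) + length(2) + unit(1)
const FC_READ_HOLDING_REGISTERS = 0x03;

// Parse one Modbus TCP frame carrying a function 0x03 response.
// Every length field is cross-checked against the bytes actually received so
// a truncated or padded frame raises an error instead of becoming a reading.
function parseReadHoldingRegisters(buf) {
  if (buf.length < MBAP_HEADER_LEN + 2) throw new Error('frame too short');
  const transactionId = buf.readUInt16BE(0);
  const protocolId = buf.readUInt16BE(2);
  const length = buf.readUInt16BE(4); // counts unit id + PDU
  const unitId = buf.readUInt8(6);
  if (protocolId !== 0) throw new Error('protocol id is not 0 (not Modbus)');
  if (length !== buf.length - 6) throw new Error('MBAP length does not match frame size');

  const functionCode = buf.readUInt8(7);
  if (functionCode & 0x80) {
    // Exception response: original function code with the high bit set,
    // followed by a one-byte exception code and no register data.
    return { transactionId, unitId, functionCode, exceptionCode: buf.readUInt8(8), registers: [] };
  }
  if (functionCode !== FC_READ_HOLDING_REGISTERS) {
    throw new Error(`unexpected function code ${functionCode}`);
  }

  const byteCount = buf.readUInt8(8);
  if (byteCount % 2 !== 0 || byteCount !== buf.length - 9) {
    throw new Error('byte count does not match frame size');
  }
  const registers = [];
  for (let off = 9; off < buf.length; off += 2) registers.push(buf.readUInt16BE(off));
  return { transactionId, unitId, functionCode, registers };
}

// Constructed register map: holding register index -> tag name and scale.
const REGISTER_MAP = [
  { tag: 'temperature_c', scale: 0.1 }, // register holds tenths of a degree
  { tag: 'pressure_kpa', scale: 1 },
];

// Data-logic style transform: scale raw registers to engineering units and
// apply a deadband so a reading is forwarded only when it moved by at least
// `deadband` since the last forwarded value. `state` (last value per tag) is
// mutated in place and would persist across invocations on the agent.
function transformReadings(assetId, frame, state, deadband = 0.5, timestamp = 0) {
  const tags = {};
  frame.registers.forEach((raw, index) => {
    const mapping = REGISTER_MAP[index];
    if (!mapping) return; // registers outside the map are dropped, not guessed at
    const value = Math.round(raw * mapping.scale * 1000) / 1000;
    const last = state[mapping.tag];
    if (last === undefined || Math.abs(value - last) >= deadband) {
      tags[mapping.tag] = value;
      state[mapping.tag] = value;
    }
  });
  if (Object.keys(tags).length === 0) return null; // nothing new: send nothing
  return { assetId, unitId: frame.unitId, ts: timestamp, tags }; // MQTT payload object
}

// Constructed sample response: transaction 1, unit 1, FC 0x03, 2 registers
// (0x01F4 = 500 -> 50.0 C, 0x0064 = 100 kPa).
const SAMPLE_RESPONSE = Buffer.from([
  0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x01, 0x03, 0x04, 0x01, 0xf4, 0x00, 0x64,
]);

// Feed the same frame twice: the first call emits both tags, the second is
// suppressed by the deadband and returns null.
function demo() {
  const state = {};
  const first = transformReadings('pump-7', parseReadHoldingRegisters(SAMPLE_RESPONSE), state, 0.5, 1);
  const second = transformReadings('pump-7', parseReadHoldingRegisters(SAMPLE_RESPONSE), state, 0.5, 2);
  return { first, second };
}

console.log(JSON.stringify(demo()));
```

The strict length checks matter at the edge: a data logic script is the first code that touches the bytes from an industrial asset, and a frame whose MBAP length or byte count disagrees with what arrived should be rejected there rather than scaled into a plausible-looking reading and forwarded to the cloud.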

Licensing
Cisco Edge Intelligence is licensed as a subscription. Licenses are divided
into two groups: base functionality and industry-specific device adapters. A
base license defines the general set of agent capabilities available for the
agent and is required for each Cisco network device that will run an Edge
Intelligence agent. An additional industry-specific device adapter license may
be purchased for each agent when industry-specific device connectivity is
needed.
One base license must be purchased for each hardware device that will run
the Cisco Edge Intelligence agent. Additional device adapter licenses may be
purchased for specific industry use cases.
Summary
Cisco all-in-one IoT gateways provide simple, essential connectivity for
assets at mass scale. The solution offers low upfront costs with an affordable
monthly cloud subscription. The gateways take just a few minutes to deploy
with minimal IT support. It’s a fast and simple Day 0 setup: plug in and
power on, with no staging required. The SIM provisioning is automated with
Cisco Control Center integration with no manual intervention.
The Cisco IoT gateways portfolio consists of ruggedized and non-ruggedized
options, allowing you to connect outdoor and indoor assets. Simply connect
your unconnected assets to eliminate digital blind spots in your operations.
The IoT gateways are managed centrally through a simple, easy-to-use cloud
management tool, the Cisco IoT Operations Dashboard. With this dashboard,
you can remotely deploy, monitor, and troubleshoot the gateways. It enables
you to gain insights into network usage and carry out updates remotely
without sending anyone onsite. You receive automatic alerts if a device goes
down so that you can take quick action. All of this is done remotely and at
scale.
The gateways have essential security built in to secure the hardware,
interfaces, and all communications to the data center. With Cisco networking,
organizations benefit from end-to-end security, from the edge all the way to
the headend in the data center. They can remotely monitor and diagnose the
operational assets connected to an IoT gateway using Cisco’s Secure Remote
Access, eliminating the need for any truck rolls.
Part 3: Cisco Cloud Security
Chapter 8. Cisco Cloud Security
More applications and servers are moving to the cloud to take advantage of
cost savings, scalability, and accessibility. Because of this, you’ve lost some
of the visibility and control you once had. You don’t know who is doing what
and when in the cloud. Your data is now hosted in the cloud, which brings up
concerns about what information is there, who’s accessing it, where it’s
going, whether it’s being exfiltrated, and so on. Despite multiple layers of
security, malware infections and other advanced threats still loom.
With Cisco Cloud Security, you can adopt the cloud with confidence and
protect your users, data, and applications, anywhere they are. Unlike
traditional perimeter solutions, Cisco Cloud Security blocks threats over all
ports and protocols for comprehensive coverage. Cisco Cloud Security also
uses API-based integrations so you can amplify your existing security
investments. It’s simple to use and deploy, so you can start defending your
organization in minutes.
This chapter covers the following solutions:
• Cisco Cloudlock
• Cisco Umbrella
• Cisco Secure Cloud Analytics
• Cisco Duo Security

Shadow IT Challenge
You can’t enable, manage, secure, or block what you can’t see.
Organizations, departments, and individual users are all embracing the cloud
and leveraging new apps to help improve productivity, but the majority of
new apps are being adopted without any involvement from IT or Security.
This results in a big shadow IT challenge with the typical organization
accessing hundreds of cloud apps that IT isn’t aware of. The lack of a
coordinated cloud-enablement strategy typically leads to a broad set of
productivity, expense, security, and support issues. You need full visibility
into cloud activity and the ability to block unwanted apps to enable cloud
adoption in a secure and organized fashion.
True visibility is more than just app identification. The first step is identifying
the full spectrum of cloud apps that are in use in your organization, but that
isn’t enough. You need to understand who the vendor is, what the app does,
how many users are accessing it, the volume of requests, and what level of
risk it represents. Figure 8-1 lists key questions that all organizations have.

Figure 8-1 Key questions organizations have


On average, 24,000 files are exposed per organization, the majority of them
shared with non-corporate email addresses. Figure 8-2 illustrates data exposure
per organization.
Figure 8-2 Data exposure per organization

Cisco Cloudlock
Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that
helps you move to the cloud safely. It protects your cloud users, data, and
apps. Cloudlock’s simple, open, and automated approach uses APIs to
manage the risks in your cloud app ecosystem. With Cloudlock, you can
more easily combat data breaches while meeting compliance regulations.
Figure 8-3 illustrates the Cisco Cloudlock solution.
Figure 8-3 Cisco Cloudlock solution
Cloudlock discovers and protects sensitive information for users, data, and
applications. Figure 8-4 provides an overview of Cisco Cloudlock.
Figure 8-4 Cisco Cloudlock overview

User Security
Cloudlock uses advanced machine learning algorithms to detect anomalies
based on multiple factors. It also identifies activities outside allowed
countries and spots actions that seem to take place at impossible speeds
across distances.
You can defend against compromised accounts and malicious insiders with
User and Entity Behavior Analytics (UEBA), which runs against an
aggregated set of cross-platform activities for better visibility and detection.

Data Security
Cloudlock’s data loss prevention (DLP) technology continuously monitors
cloud environments to detect and secure sensitive information. It provides a
large set of out-of-the-box policies as well as highly tunable custom policies.

Identify Sensitive Data in Cloud Environments


Cisco Cloudlock continuously monitors cloud environments with a cloud data
loss prevention (DLP) engine to identify sensitive information stored in cloud
environments in violation of policy. With Cisco Cloudlock, security
professionals enforce out-of-the-box policies focused on common sensitive
information sets, such as PCI-DSS and HIPAA compliance, as well as
custom policies to identify proprietary data, such as intellectual property.
Advanced capabilities such as custom regular expression (RegEx) input,
threshold settings, and proximity controls ensure high true-positive and low
false-positive rates.
Cloudlock protects against exposures and data security breaches using a
highly configurable DLP engine with automated, policy-driven response
actions. Cloudlock has over 80 predefined policies. Figure 8-5 illustrates
some of the Cisco Cloudlock predefined policies.

Figure 8-5 Cisco Cloudlock predefined policies
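The three controls named above (regular-expression patterns, match thresholds, and keyword proximity) are easy to reason about in code. The following Python scanner is an example added for this chapter; it is not Cisco Cloudlock's engine. The two policies, the keyword list, the 40-character proximity window, and the sample documents are assumptions made for the example, and the card numbers are publicly known test numbers, not real accounts.

```python
# Added example for this chapter: a minimal cloud-DLP scanner showing how
# regular-expression patterns, match thresholds and keyword proximity combine
# to keep true positives high and false positives low. It is not Cloudlock
# code; the policies and sample documents below are assumptions.
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str                               # regex for the sensitive token
    threshold: int = 1                         # validated matches needed before the policy fires
    proximity_keywords: Tuple[str, ...] = ()   # one of these must appear near each match
    proximity_chars: int = 40                  # window (characters) on either side of a match
    validator: Optional[Callable[[str], bool]] = None   # extra check on the bare digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects 16-digit numbers that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str, policy: Policy) -> dict:
    """Return the validated matches for one policy and whether it fired."""
    matches = []
    for m in re.finditer(policy.pattern, text):
        token = m.group(0)
        if policy.validator and not policy.validator(re.sub(r"[ -]", "", token)):
            continue   # pattern matched but checksum failed: drop it
        if policy.proximity_keywords:
            lo = max(0, m.start() - policy.proximity_chars)
            hi = min(len(text), m.end() + policy.proximity_chars)
            window = text[lo:hi].lower()
            if not any(k in window for k in policy.proximity_keywords):
                continue   # no supporting context nearby: treat as a false positive
        matches.append(token)
    return {"policy": policy.name, "matches": matches,
            "violation": len(matches) >= policy.threshold}


def evaluate(text: str, policies) -> list:
    """Run every policy and return only the results that are violations."""
    return [r for r in (scan(text, p) for p in policies) if r["violation"]]


# Assumed policies: a PCI-DSS card-number policy that needs a valid checksum and
# a payment-related keyword nearby, and an SSN policy that only fires in bulk.
PCI_POLICY = Policy(
    name="PCI-DSS card number",
    pattern=r"\b(?:\d{4}[ -]?){3}\d{4}\b",
    proximity_keywords=("card", "visa", "mastercard", "cvv", "expir", "payment"),
    validator=luhn_ok,
)
SSN_POLICY = Policy(name="US SSN bulk exposure",
                    pattern=r"\b\d{3}-\d{2}-\d{4}\b", threshold=3)

# Constructed sample documents (test card numbers, not real accounts).
SAMPLE_DOC = """Customer payment on file: Visa card 4111 1111 1111 1111, exp 09/27.
Internal ticket reference 1234 5678 9012 3456 for escalation.
Tracking ID 5555 5555 5555 4444 assigned to shipment.
Employee 123-45-6789 updated the record."""

SSN_LIST = """123-45-6789
987-65-4321
111-22-3333
444-55-6666"""

if __name__ == "__main__":
    for doc in (SAMPLE_DOC, SSN_LIST):
        for result in evaluate(doc, (PCI_POLICY, SSN_POLICY)):
            print(result["policy"], "->", result["matches"])
```

Against SAMPLE_DOC only the first card number is reported: the second fails the Luhn check, the third is a valid number with no payment context within the window, and the single SSN stays below the bulk threshold. SSN_LIST trips the threshold. Tuning the window and threshold per policy is exactly the lever the text describes for trading false positives against false negatives.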


Mitigate Increased Risk of Data Exposure in Cloud
Applications
Combating data leakage in the cloud is a formidable challenge given the
collaborative nature of cloud environments and the ease with which they
enable users to access, create, and share sensitive information. Organizations
are struggling to bridge the gap between legacy data protection tools and the
often-limited level of visibility and control within cloud environments,
particularly when accessed by external users or employees off of the
corporate network.

Mitigate Risk Through Automated Responses


Cisco Cloudlock takes cloud DLP beyond discovery by offering configurable
cross-platform automated response actions. Through an API-driven CASB
architecture, Cisco Cloudlock supports deep, integrated response workflows
that leverage the native capabilities of the monitored application, such as
automated field-level encryption in Salesforce.com and automated file
quarantining in Box. Cisco Cloudlock enables efficient risk reduction without
the resource-intensive operation of many data protection tools. Figure 8-6
shows the Cisco Cloudlock dashboard.
Figure 8-6 Cisco Cloudlock dashboard

App Security
The Cloudlock Apps Firewall discovers and controls cloud apps connected to
your corporate environment, including malicious ones. Each discovered app
carries a crowd-sourced Community Trust Rating that identifies its risk, and
you can ban or allow-list apps based on that risk.
The following are Cloudlock use cases for user and entity behavior analytics,
cloud DLP, and the Cloudlock Apps Firewall:
• Analyze and take action: Analyze application risk in order to block
access to risky applications so they don’t introduce unnecessary cost or
risk to your organization.
• Continuous monitoring: Continuously monitor cloud environments for
sensitive information and exposures.
• Automated response: Enforce cross-platform automated response actions
to mitigate risk rapidly.
• Application governance: Categorize applications as sanctioned or
unsanctioned and baseline cloud usage in order to prevent the loss of
your company’s IP and to remain compliant.
• SIEM integration: Integrate with SIEM solutions for simplified incident
investigation and incorporation into broader security analysis.
• Alerting: Proactively notify you about any very high-risk apps in your
environment so that you can triage them before they do any damage to
the company’s data.
• Data discovery: Pinpoint sensitive data within cloud apps through
custom and out-of-the-box DLP policies.
• Anomaly detection: Alert you when there are spikes in traffic passing
between a user and a discovered app, so that you can investigate and
potentially ban the app in order to protect the company’s data.
• False-positive reduction: Reduce false positives through advanced DLP
capabilities such as threshold and proximity controls.
• Reporting: Exportable reports of cloud services in use, with detailed
risk analysis and insight into data usage and user specifics, so you can
have this information at your fingertips and share it with stakeholders.
• End-user education: Activate automated end-user notifications to
educate employees and reduce future DLP violations.
Figure 8-7 illustrates Cisco Cloudlock use cases.
Figure 8-7 Cisco Cloudlock use cases

Enabling Cloudlock via WSA (11.5)


Figure 8-8 illustrates Cisco Cloudlock enablement workflow using WSA.

Figure 8-8 Cisco Cloudlock enablement workflow using WSA


Figure 8-9 shows the Cisco Cloudlock onboarding page for signing in and
signing up.
Figure 8-9 Cisco Cloudlock onboarding page (sign-in and sign-up)
The new radio button for the Cloudlock log subscription has the following
behavior:
• It is preselected when the workflow is triggered from the Cloudlock settings page.
• The preselected fields and parameters are sent to Cloudlock.
• The admin enters the SCP (secure copy) target details for the log push and clicks Submit.
Figure 8-10 illustrates Cisco Cloudlock log subscription configuration.
Figure 8-10 Cisco Cloudlock log subscription configuration
Figure 8-11 shows the Cisco Cloudlock settings configuration page.
Figure 8-11 Cisco Cloudlock settings configuration
Figure 8-12 shows the Cisco Cloudlock “Add a New Log Source” process.
Figure 8-12 Cisco Cloudlock “Add a New Log Source” process
Figure 8-13 shows the Cisco Cloudlock “Add a New Log Source” SCP
configuration process.
Figure 8-13 Cisco Cloudlock “Add a New Log Source” SCP
configuration process

The Evolution of Cloud Security Service


Figure 8-14 illustrates the timeline of Cisco Cloudlock and Umbrella
integration.

Figure 8-14 Cisco Cloudlock and Umbrella integration
To help organizations embrace direct Internet access, in addition to DNS-
layer security and interactive threat intelligence, Cisco Umbrella now
includes secure web gateway, firewall, and CASB functionality, plus
integration with Cisco SD-WAN, delivered from a single cloud security
service. Figure 8-15 illustrates multiple security functions in a single cloud
security service Cisco Umbrella.
Figure 8-15 Multiple security functions in a single cloud security
service Cisco Umbrella

DNS-Layer Security
Umbrella’s DNS-layer security provides the fastest, easiest way to improve
your security. It helps improve security visibility, detect compromised
systems, and protect your users on and off the network by stopping threats
over any port or protocol before they reach your network or endpoints.

Secure Web Gateway


Umbrella’s secure web gateway logs and inspects web traffic for full
visibility, URL and application controls, and protection against malware. Use
IPsec tunnels, PAC files, or proxy chaining to forward traffic to Umbrella’s
cloud-based proxy, which enforces acceptable use policies and blocks advanced threats.

Firewall
Umbrella’s firewall logs all activity and blocks unwanted traffic using IP,
port, and protocol rules. To forward traffic, simply configure an IPsec tunnel
from any network device. As new tunnels are created, policies are
automatically applied for easy setup and consistent enforcement everywhere.

Cloud Access Security Broker


Umbrella exposes shadow IT by providing the ability to detect and report on
cloud applications in use across your organization. For discovered apps, you
can view details on the risk level and block or control usage to better manage
cloud adoption and reduce risk. Figure 8-16 illustrates Cisco Cloudlock’s
“shadow IT” visibility.
Figure 8-16 Cisco Cloudlock’s “shadow IT” visibility

Interactive Threat Intelligence


Cisco’s view of global DNS traffic gives Umbrella broad insight into malicious
domains, IPs, and URLs. Available via a console and API, Umbrella
Investigate provides real-time context on malware, phishing, botnets, trojans,
and other threats, enabling faster incident investigation and response.

Integration with SD‑WAN


The Umbrella and Cisco SD‑WAN integration deploys easily across your
network for powerful cloud security and protection against Internet threats.
Cisco’s integrated approach secures cloud access and efficiently protects your
branch users, connected devices, and app usage from all direct Internet access
breakouts. The App Discovery dashboard and Umbrella’s logs can be used
for visibility.
Leveraging Umbrella Log Files for Shadow IT Visibility
You can now use your DNS logs to discover the cloud apps your users are
accessing because Cisco provides in-product integration between Umbrella
and Cloudlock. The Umbrella user interface can now be configured to
include both the Cloudlock App Discovery dashboard and drill down reports
based on your existing Umbrella DNS activity.
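The App Discovery dashboard is built from exactly this kind of aggregation. The Python below is an example added for this chapter, not Umbrella or Cloudlock code: it folds Umbrella DNS activity log lines into a per-app inventory (requests, distinct identities, blocked requests) and ranks it by risk. The field order is assumed to be the Umbrella DNS log CSV layout (timestamp, most granular identity, identities, internal IP, external IP, action, query type, response code, domain, categories, and so on); the app catalog is a stand-in for the real one, and the log lines are constructed.

```python
# Added example for this chapter, not Umbrella or Cloudlock code: aggregates
# Umbrella DNS activity log lines into a shadow-IT app inventory ranked by risk.
# Assumed CSV field order: timestamp, most granular identity, identities,
# internal IP, external IP, action, query type, response code, domain,
# categories, ... The catalog and the log lines below are constructed.
import csv
import io

# Assumed app catalog keyed by domain suffix: (app name, category, risk level).
APP_CATALOG = {
    "drive.google.com": ("Google Drive", "Cloud Storage", "Low"),
    "slack.com": ("Slack", "Collaboration", "Low"),
    "dropbox.com": ("Dropbox", "Cloud Storage", "Medium"),
    "wetransfer.com": ("WeTransfer", "File Sharing", "High"),
}
# Unreviewed apps sort right behind high-risk ones so they get triaged.
RISK_ORDER = {"High": 0, "Unreviewed": 1, "Medium": 2, "Low": 3}

# Constructed log lines (no real users or traffic).
SAMPLE_DNS_LOG = '''\
"2023-05-02 09:01:12","alice","alice,HQ-Net","10.1.1.5","198.51.100.7","Allowed","1 (A)","NOERROR","drive.google.com.","Cloud Storage","AD Users","AD Users,Networks",""
"2023-05-02 09:02:40","bob","bob,HQ-Net","10.1.1.6","198.51.100.7","Allowed","1 (A)","NOERROR","drive.google.com.","Cloud Storage","AD Users","AD Users,Networks",""
"2023-05-02 09:05:03","alice","alice,HQ-Net","10.1.1.5","198.51.100.7","Allowed","1 (A)","NOERROR","wetransfer.com.","File Sharing","AD Users","AD Users,Networks",""
"2023-05-02 09:06:11","carol","carol,Branch-Net","10.2.1.9","198.51.100.8","Blocked","1 (A)","NOERROR","wetransfer.com.","File Sharing","AD Users","AD Users,Networks","File Sharing"
"2023-05-02 09:07:55","bob","bob,HQ-Net","10.1.1.6","198.51.100.7","Allowed","1 (A)","NOERROR","dropbox.com.","Cloud Storage","AD Users","AD Users,Networks",""
"2023-05-02 09:09:20","dave","dave,HQ-Net","10.1.1.7","198.51.100.7","Allowed","1 (A)","NOERROR","slack.com.","Collaboration","AD Users","AD Users,Networks",""
"2023-05-02 09:09:21","dave","dave,HQ-Net","10.1.1.7","198.51.100.7","Allowed","1 (A)","NOERROR","api.slack.com.","Collaboration","AD Users","AD Users,Networks",""
"2023-05-02 09:12:48","eve","eve,Branch-Net","10.2.1.4","198.51.100.8","Allowed","1 (A)","NOERROR","filesendr.example.","Uncategorized","AD Users","AD Users,Networks",""
'''


def classify(domain: str):
    """Longest-suffix lookup so sub-domains (api.slack.com) fold into their app."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return (domain.rstrip("."), "Uncategorized", "Unreviewed")


def discover_apps(log_text: str) -> dict:
    """Build per-app counters (requests, blocked, distinct identities) from DNS logs."""
    report = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 9:
            continue   # blank or malformed line
        identity, action, domain = row[1], row[5], row[8]
        app, category, risk = classify(domain)
        entry = report.setdefault(app, {"category": category, "risk": risk,
                                        "requests": 0, "blocked": 0,
                                        "identities": set()})
        entry["requests"] += 1
        entry["identities"].add(identity)
        if action.lower() == "blocked":
            entry["blocked"] += 1
    return report


def rank_by_risk(report: dict) -> list:
    """Highest risk first, unreviewed apps next, most requests first within a tier."""
    rows = [{"app": app, **v} for app, v in report.items()]
    return sorted(rows, key=lambda r: (RISK_ORDER.get(r["risk"], 9), -r["requests"]))


if __name__ == "__main__":
    for r in rank_by_risk(discover_apps(SAMPLE_DNS_LOG)):
        print(f'{r["risk"]:<10} {r["app"]:<18} requests={r["requests"]} '
              f'users={len(r["identities"])} blocked={r["blocked"]}')
```

Two details matter in practice: the suffix match is what keeps an app's API and CDN hostnames from showing up as separate "apps", and anything the catalog does not know lands in an Unreviewed bucket rather than silently disappearing, which is the set the dashboard highlights for review.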

Dashboard for Visibility and Trends


The dashboard shows the level of cloud service activity and risk in your
organization. It also provides a summary by app category that is sorted by
risk level. This gives insight into potential policy and compliance violations
if employees use a new cloud service instead of an approved app. Figure 8-17
illustrates the Cisco Umbrella App Discovery dashboard.
Figure 8-17 Cisco Umbrella App Discovery dashboard

Overview and Trending Information


The App Discovery dashboard provides an overview of the number of app
requests by date and risk level to show patterns and changes over time. The
most recent set of discovered and unreviewed apps is highlighted for easy
access, and a chart showing the number of apps in each major category is
provided with a breakdown by risk level. These summary charts allow point-
and-click access to more detailed information on the category or individual
application to simplify common administrator tasks.
Application Details
Preset application-level reports provide a list of apps labeled either
Unreviewed, Under Audit, Approved, or Not Approved. You can easily apply
filters to create custom views that help you understand and track by category,
usage, type, or status. Figure 8-18 shows an example of a Cisco Umbrella
application-level report.

Figure 8-18 Cisco Umbrella application-level report

Optimization
With hundreds of apps in use and new ones being adopted on a regular basis,
organizations need an automated way to view key vendor and app details and
compare risk elements and compliance certifications. It’s also important to be
able to view which identities are using which applications to enable
monitoring and to help with policy formation or incident investigations. This
information is provided in the app detail pages, which can be accessed from
the dashboard or any of the aforementioned App Grid reports. All of this
insight will help you to make informed decisions about the cloud apps you
want to approve in your environment.
Utilize the 30 application categories to organize the apps in use and filter by
risk level or number of requests to understand your current exposure. Then
make informed decisions about categories and assign the individual apps to
the Approved, Under Audit, or Not Approved group. Figure 8-19 shows an
example of a Cisco Umbrella categorized application-level report.

Figure 8-19 Cisco Umbrella categorized application-level report


Figure 8-20 shows apps by category and risk.

Figure 8-20 Apps by category and risk

Application Blocking
Once the organization has visibility into the full spectrum of apps in use and
details on the usage and risk levels, it is natural to want to block either entire
categories or specific applications that don’t match the cloud adoption or
security strategy. The blocking capabilities in Umbrella allow you to select a
category or individual application and block it for all users, specific groups,
individuals, or networks.
You can easily block the available apps by clicking the link in the application
listing or detail pages as well as enforce this control for any network, group,
or individual user accessible by Umbrella policies. Figure 8-21 illustrates the
configuration steps to control an application.
Figure 8-21 Configuration steps to control an application
Enabling Healthy and Efficient Cloud Adoption
Users are aggressively adopting cloud applications to improve collaboration
and productivity. This activity should be enabled and encouraged due to the
many benefits, but you need the ability to monitor cloud app usage on an
ongoing basis and compare vendors and apps to provide guidance and
control. Armed with a list of sanctioned and unsanctioned apps, you can
intelligently manage the volume of cloud apps in use and help enable end
users trying to make decisions about new apps. Figure 8-22 shows the Cisco
Cloudlock Composite Risk Score.

Figure 8-22 Cisco Cloudlock Composite Risk Score

Cisco Umbrella
Security is shifting and converging in the cloud. You may hear different
names for this trend, such as secure Internet gateway (SIG), edge security,
secure access service edge (SASE), and more. It can get confusing.
Regardless of what you call it, it denotes multiple security functions
integrated into one cloud service, the flexibility to deploy security services
how and where you choose, the ability to secure direct-to-Internet access,
cloud app usage, and roaming users, plus, no appliances to deploy.
Today’s work environment allows employees to work from any device,
anywhere and anytime. As remote users work directly in cloud apps,
perimeter security appliances and VPNs are no longer always going to protect
devices and data. Therefore, Cisco continues to enhance its secure Internet
gateway (SIG), Cisco Umbrella, to protect users when off the network and
off the VPN. Formally launched at the RSA Conference in February 2017,
Cisco Umbrella now processes more than 120 billion DNS requests per day,
with more than 85 million daily active users. The recently announced Cisco
Security Connector app for iOS enables company-managed iPhones and
iPads to be protected by Cisco Umbrella, whether on Wi-Fi or the cellular
network.
Cisco Umbrella is a cloud-delivered security platform that secures Internet
access and controls cloud app usage across networks, branch offices, and
roaming users. Unlike disparate security tools, Umbrella unifies secure web
gateway, cloud-delivered firewall, DNS-layer security, and cloud access
security broker (CASB) functionality into a single cloud platform. Umbrella
also integrates with Cisco SD-WAN to provide security and policies for
direct Internet access (DIA) at branch offices. Umbrella acts as a secure
onramp to the Internet and delivers deep inspection and control to support
compliance and provide the most effective protection against threats for users
anywhere they connect. Figure 8-23 provides an overview of Cisco Umbrella
SIG.
Figure 8-23 Cisco Umbrella SIG overview

Benefits
The following components are integrated seamlessly in a single, cloud-
delivered platform:
• DNS-layer security: DNS requests precede the IP connection,
enabling DNS resolvers to log requested domains over any port or
protocol for all network devices, office locations, and roaming users.
You can monitor DNS requests, as well as subsequent IP connections,
to improve accuracy and detection of compromised systems, security
visibility, and network protection. You can also block requests to
malicious destinations before a connection is even established, thus
stopping threats before they reach your network or endpoints. Figure 8-
24 illustrates Cisco Umbrella DNS-layer security.

Figure 8-24 Cisco Umbrella DNS-layer security


• Secure web gateway: A cloud-based full (or selective) proxy that can
log and inspect your web traffic, including uploaded and downloaded
files, for greater transparency, control, and protection against malware
and other hidden threats. You can view detailed reporting with full
URL addresses, network identity, allow or block actions, plus external
IP addresses. You can also create policies for content filtering by
category or specific URLs to block destinations that violate policies or
compliance regulations. Figure 8-25 illustrates Cisco Umbrella as a
secure web gateway.
Figure 8-25 Secure web gateway
• Cloud-delivered firewall: All Internet activity is logged and unwanted
traffic is blocked using customizable IP, port, and protocol rules. To
forward traffic, simply configure an IPsec tunnel from any network
device. As new tunnels are created, security policies can automatically
be applied for better visibility and control of all Internet traffic,
including easy setup and consistent enforcement throughout your
environment. Figure 8-26 illustrates Cisco Umbrella as a cloud-
delivered firewall.
Figure 8-26 Cloud-delivered firewall
• Cloud access security broker (CASB): You can detect and report on
the cloud applications in use across your environment as well as
automatically generate overview reports on the vendor, category,
application name, and the volume of activity for each discovered app.
Drill-down reports include web reputation score, financial viability,
and relevant compliance certifications to enable better management of
cloud adoption, reduce risk, and provide more control to block the use
of offensive or inappropriate cloud applications in the work
environment. Figure 8-27 illustrates Cisco Umbrella as a cloud access
security broker.

Figure 8-27 Cloud access security broker


• Interactive threat intelligence access: Umbrella utilizes threat
intelligence from Cisco Talos, one of the largest commercial threat
intelligence teams in the world, to uncover and block a broad spectrum
of malicious domains, IPs, URLs, and files used in attacks. Cisco feeds
volumes of global Internet activity into a combination of statistical and
machine learning models to identify new attacks staged on the Internet
to help organizations respond to the rise in threats, incidents, and
breaches. You can view unparalleled threat intelligence in Cisco’s web
console or integrate with your existing security tools for faster
remediation. Figure 8-28 illustrates Cisco Umbrella utilizing threat
intelligence.

Figure 8-28 Threat intelligence


• SD-WAN integration: You can deploy across your network and gain
powerful cloud-delivered security to protect against threats on the
Internet and when accessing the cloud. You can also create flexible
security policies based on the level of protection and visibility you
need—all in the Umbrella dashboard. Cisco’s integrated approach can
efficiently protect your branch users, connected devices, and
application usage from all DIA breakouts.
Deployment Options
The following are some key points concerning the deployment of Cisco
Umbrella:
• To deploy Umbrella’s DNS-layer security, you can provision any
network device (router, DHCP server, and so on) by pointing external
DNS to Cisco’s IP addresses. You can also use your existing Cisco
footprint—SD-WAN (Viptela), Integrated Services Router (ISR) 1K
and 4K Series, Meraki MR, and wireless LAN controllers—to quickly
provision protection across hundreds of routers and access points.
• Off-network protection is available for Windows, macOS, and Chrome OS
laptops, and for supervised Apple devices running iOS 11.3 or later.
• To enable the secure web gateway or cloud-delivered firewall
functionality, the following options are available:
• For the cloud-delivered firewall, you create IPsec tunnels to forward all
Internet traffic to Cisco’s platform.
• For the secure web gateway, you can forward web traffic via proxy
chaining, PAC files, or IPsec tunnels.
• If the end user IP address needs to be visible, you can deploy Umbrella
Virtual Appliance (VA) within the customer environment.
• To set up policies based on username, deploy an AD connector within
the customer environment.
• For roaming users, deploy the roaming client or use Cisco
AnyConnect.

Umbrella Integrations
Umbrella, while providing multiple levels of defense against Internet-based
threats, is the center piece of a larger architecture for Internet security. Figure
8-29 illustrates Cisco Umbrella integrations.

Figure 8-29 Cisco Umbrella integrations


This section will explore the integrations that occur with other products in the
Cisco portfolio and the role each plays in securing the business flows.
Backhauling Internet-bound traffic from remote sites is expensive and adds
latency. Many organizations are upgrading their network infrastructure by
adopting SD-WAN and enabling DIA. With the Umbrella and Cisco SD-
WAN integration, you can simply and rapidly deploy Umbrella IPsec tunnels
across your network and gain powerful cloud-delivered security to protect
against threats on the Internet and secure cloud access. This market-leading
automation makes it easy to deploy and manage the security environment
over tens, hundreds, or even thousands of remote sites. Umbrella’s DNS
security also can be deployed with a single configuration in the Cisco SD-
WAN vManage dashboard. When you need additional security and more
granular controls, Cisco’s integrated approach can efficiently protect your
branch users, connected devices, and application usage at all DIA breakouts.
Umbrella offers flexibility to create security policies based on the level of
protection and visibility you need—all in the Umbrella dashboard. Figure 8-
30 illustrates Cisco Umbrella integration with SD-WAN.

Figure 8-30 Cisco SD-WAN integration


The Cisco SecureX platform connects the breadth of Cisco’s integrated
security portfolio and additional third-party tools for a consistent, simplified
experience to unify visibility, enable automation, and strengthen security. It
aggregates data from a multitude of Cisco and partner products for improved
intelligence and faster response time. You can immediately visualize the
threat and its organizational impact and get an at-a-glance verdict for the
observables you are investigating through a visually intuitive relations graph.
It enables you to triage, prioritize, track, and respond to high-fidelity alerts
through the built-in Incident Manager. Then you can take rapid response
actions across multiple security products, such as isolate hosts, block files
and domains, and block IPs, all from one convenient interface. SecureX
empowers your security operations center (SOC) teams with a single console
for direct remediation, access to threat intelligence, and tools such as
Casebook and Incident Manager. It overcomes many challenges by making
threat investigations faster, simpler, and more effective. Figure 8-31 shows
Cisco Umbrella integration with SecureX.

Figure 8-31 Cisco SecureX Integration
Umbrella is not an open proxy and therefore must trust the source forwarding
web traffic to it. This can be accomplished by assigning either a network or
tunnel identity to a web policy. Policies created in this fashion apply broadly
to any web traffic originating from the network or tunnel. However, to create
more granular policies for users or groups, Security Assertion Markup
Language (SAML) should be implemented or AnyConnect should be
installed on the devices. Identities obtained from SAML can be matched to
users and groups that have been provisioned by manually importing a CSV
file from Active Directory. This can also be done automatically by using
Active Directory–based provisioning with the Umbrella AD Connector. Duo
Access Gateway acts as an identity provider (IdP), authenticating your users
using existing on-premises or cloud-based directory credentials and
prompting for two-factor authentication before permitting access to your
service provider application. Figure 8-32 illustrates Cisco Umbrella
integration with Duo.

Figure 8-32 Cisco Duo integration

Umbrella Packages
Cisco offers various Umbrella packages based on the functionality needed to
address your cybersecurity challenges. Table 8-1 details the various Cisco
Umbrella packages and their features.
Table 8-1 Cisco Umbrella Packages and Features
Cisco Secure Cloud Analytics
Only 56 percent of security alerts are investigated, and more than half of
those are not remediated, according to the Cisco 2017 Annual Cybersecurity
Report. Responding to these alerts is an overwhelming job, and most
organizations do not have the security staff to keep up. Companies of all sizes
face the challenge of securing their public cloud environments as well as their
on-premises infrastructure.
Adding effective security measures for public cloud workloads—with
solutions that can reduce the number of false positives—is a critical task.
However, the public cloud infrastructure differs from an on-premises
infrastructure. A public cloud offers fewer network-monitoring capabilities,
even as it undergoes a very high change rate in assets. To provide effective
security while reducing the number of false positives, a new approach is
necessary.
Imagine that an employee’s cloud credentials are compromised, through
phishing or another method. Can you tell if that employee begins logging in
from another country? Cisco Secure Cloud Analytics (formerly Stealthwatch
Cloud) provides the actionable security intelligence and visibility necessary
to identify these kinds of malicious activities in real time. You can quickly
respond before a security incident becomes a devastating breach. Figure 8-33
illustrates Cisco Secure Cloud Analytics integrating with the network.
Figure 8-33 Cisco Secure Cloud Analytics integration
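The question just posed (can you tell when a compromised account starts logging in from another country?) is the same check the Cloudlock User Security section describes as activity outside allowed countries and "impossible" travel speeds. One Python implementation serves both passages; it is an example added for this chapter, not the analytics of either product. The allowed-country list, the 900 km/h ceiling, the 50 km jitter floor, and the login records are all assumptions.

```python
# Added example serving two passages of this chapter: Cloudlock's UEBA checks
# (logins outside allowed countries, impossible travel) and the Secure Cloud
# Analytics scenario of a compromised account logging in from another country.
# Illustrative code, not either product's analytics; thresholds and the login
# records are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    time: datetime
    country: str     # ISO country code from a geo-IP lookup
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_anomalies(logins, allowed_countries, max_speed_kmh=900.0,
                     min_distance_km=50.0) -> list:
    """Flag logins from disallowed countries and consecutive logins whose
    implied travel speed exceeds what any flight could achieve."""
    alerts = []
    last = {}   # user -> most recent login already processed
    for ev in sorted(logins, key=lambda e: (e.user, e.time)):
        if ev.country not in allowed_countries:
            alerts.append({"user": ev.user, "type": "disallowed_country",
                           "detail": f"login from {ev.country} at {ev.time.isoformat()}"})
        prev = last.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.time - prev.time).total_seconds() / 3600.0
            # Ignore geo-IP jitter inside one metro area; a zero time gap over a
            # real distance is treated as infinite speed rather than divided by zero.
            if dist >= min_distance_km:
                speed = dist / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    alerts.append({"user": ev.user, "type": "impossible_travel",
                                   "detail": f"{dist:.0f} km in {hours:.2f} h "
                                             f"({prev.country} -> {ev.country})"})
        last[ev.user] = ev
    return alerts


def ts(s: str) -> datetime:
    """Parse a constructed UTC timestamp such as 2023-03-01T09:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Assumed policy and constructed login records.
ALLOWED_COUNTRIES = {"US", "DE", "GB"}
SAMPLE_LOGINS = [
    Login("alice", ts("2023-03-01T09:00Z"), "US", 40.7128, -74.0060),   # New York
    Login("alice", ts("2023-03-01T09:45Z"), "RU", 55.7558, 37.6173),    # Moscow, 45 min later
    Login("bob", ts("2023-03-01T08:00Z"), "US", 37.7749, -122.4194),    # San Francisco
    Login("bob", ts("2023-03-01T14:30Z"), "US", 40.7128, -74.0060),     # New York, plausible flight
    Login("carol", ts("2023-03-01T10:00Z"), "DE", 52.5200, 13.4050),    # Berlin
]

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOGINS, ALLOWED_COUNTRIES):
        print(a["user"], a["type"], a["detail"])
```

Alice's second login produces two alerts (a disallowed country and roughly 7,500 km covered in 45 minutes), while Bob's cross-country hop at about 635 km/h is left alone. The distance floor is the caveat a practitioner wants: geo-IP places users tens of kilometres apart between two requests in the same city, and without it the speed check fires on noise.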
The following are some of the key challenges your business faces as it grows
in the cloud:
• The transition to the cloud is complicated. In their quest to remain
agile, businesses have flocked to the public cloud, a place where they
can migrate workloads into managed, serverless, and containerized
environments that offer faster and more flexible deployments, higher
efficiency, and more scalable ways to grow their operations. According
to the Cisco Annual Internet Report, cloud data centers will process
nearly 95% of workloads in 2021. And while your organization and
cloud footprint continue to grow, so do your compliance concerns and
your attack surface. In fact, 94% of cybersecurity professionals report
that they are at least moderately concerned about public cloud security.
• As their cloud footprint expands, businesses are increasingly more
worried about ensuring compliance and the risk of threats, which is
why maintaining proper cloud security posture is critical. Over the past
5 years, some big-name companies have fallen victim to attacks that
stem from improper cloud management and resource configuration.
With sensitive workloads and data up in the cloud, it is critical that you
have the proper tools in place to monitor and protect this information.
• It doesn’t help that most IT tasks are divided into various functions.
Your SecOps organization is responsible for threat hunting and
monitoring the network for attacks and malicious behavior, while your
DevOps team is responsible for rapidly building and deploying
applications in the cloud. These groups are separately trying to tackle a
wide variety of challenges in the public cloud, and often they don’t
work together as closely as they should. As organizations mature, they
often pursue a strategy that enables close collaboration between
SecOps and DevOps teams.
Cisco Secure Cloud Analytics has many benefits. With Cisco Secure Cloud
Analytics, security teams can confidently monitor and protect their cloud
workloads and perform quick security posture assessments of their cloud
environments using a cloud-native, API-driven solution that works the way a
DevOps team would expect. With just one intuitive solution, both SecOps
and DevOps can share information on cloud workloads and resolve
compliance or configuration issues before an attack takes place. The
following list and Figure 8-34 outline the key benefits of Cisco Secure
Cloud Analytics:
Figure 8-34 Cisco Secure Cloud Analytics benefits
• Gain actionable intelligence through visibility of your environment,
from the private network to the public cloud
• Rapidly detect advanced threats and indicators of compromise
• Grow your security with your business while lowering operational
overhead
• Greatly reduce false positives with higher fidelity alerts supported by
underlying observations
• Attain a stronger security posture across the enterprise, including the
public cloud
With Secure Cloud Analytics, you can detect external and internal threats
across your environment—from the private network to the branch office to
the public cloud. Secure Cloud Analytics is a SaaS solution delivered from
the cloud. It is easy to try, easy to buy, and simple to operate and maintain.
When data is received, it requires very little additional configuration or
device classification. All the analysis is automated.

Understanding Secure Cloud Analytics


Cisco Secure Cloud Analytics is a SaaS-based network detection and
response (NDR) offering that gives CISOs more confidence in their ongoing
journey into the cloud. This solution is already built to protect your public
cloud resources, as it provides comprehensive visibility into all of your public
cloud traffic. It is a true multicloud solution and can ingest native telemetry
from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud
Platform (GCP). It even has the ability to detect threats in encrypted traffic
without active packet inspection. Figure 8-35 illustrates the inclusion of
Cloud Insights into Cisco SecureX.

Figure 8-35 Cloud Insights in Cisco SecureX
Secure Cloud Analytics is a highly flexible event viewer that offers a wealth
of information about your business’s cloud deployment, resource
configuration, alignment to industry standards and regulations, and much
more. Here is a breakdown of how these features will help your business:
• Encourage collaboration through simple reporting on cloud
security posture: Secure Cloud Analytics enables your DevOps and
SecOps groups to work cohesively, as one team. It identifies a critical
gap that often exists between these functions. Your SecOps team is
focused on threat hunting and protecting the business. It must monitor
the network for alerts and address suspicious behavior in a timely
manner. DevOps is responsible for implementing changes to code and
configuring cloud resources but often lacks visibility into what SecOps
is discovering about the network. The event viewer allows the SecOps
teams to identify vulnerabilities and gather critical information about
configurations in the cloud and seamlessly deliver this information to
DevOps to ensure that proper adjustments are made and that cloud
workloads stay secure. Integrated with Cisco SecureX and other third-
party platforms, Secure Cloud Analytics makes it easier than ever for
teams to communicate their findings and make fluid adjustments in the
public cloud.
• Maintain compliance and meet standards unique to your industry:
There is no one team solely responsible for ensuring compliance or
meeting segmentation rules; however, these new features enable teams
to find and share information about public cloud traffic easily. The
event viewer allows users to monitor cloud posture as it relates to
various industry best practices. Users can investigate all cloud accounts
and be alerted on those that are not compliant with industry standards
like PCI, HIPAA and CIS frameworks or custom internal policies.
Robust filtering and query searches allow the user to zero in on
misconfigured or vulnerable assets that cause any compliance
concerns.
• Seamlessly monitor and protect your public cloud resources: The
bread and butter of Secure Cloud Analytics is its ability to classify
your network devices and monitor their behavior to detect threats. This
process is known as dynamic entity modeling. Upon deployment,
Secure Cloud Analytics starts to establish a baseline for learned
“normal” behavior. While it does provide some alerts out of the box,
the most powerful alerts are triggered when it begins to understand the
network and sees some deviation from the behavioral norm. It
automatically groups your cloud resources into roles such as EC2
instances, S3 buckets, AWS load balancers, and more. It generates
alerts like Geographically Unusual Azure API Usage and AWS
Lambda Invocation Spike, which are designed specifically to spot
vulnerabilities in your cloud configurations.

How Secure Cloud Analytics Works


The deployment and working of Secure Cloud Analytics is described in the
following sections.

Deployment
Secure Cloud Analytics supports two deployment types to support your
network:
• Public cloud monitoring: Agent-less monitoring of workloads by
ingesting native cloud logs, and API integration to deliver threat
detection and configuration monitoring.
• Private cloud monitoring: Virtual Cisco Secure Cloud Analytics
sensor deployment to ingest network flow data, SPAN/mirror port
traffic, and NGFW log information. (In this book, we only focus on
public cloud monitoring.)
You can deploy either or both at the same time and review the configuration
and alerts from both in a single Secure Cloud Analytics web portal UI. The
web portal displays all sensors and monitored cloud deployments from the
same page, so you can quickly review the state of your monitoring.

Dynamic Entity Modeling


Secure Cloud Analytics uses dynamic entity modeling to track the state of
your network. In the context of Secure Cloud Analytics, an entity is
something that can be tracked over time, such as a host or endpoint on your
network, or a Lambda function in your AWS deployment. Dynamic entity
modeling gathers information about entities based on the traffic they transmit
and activities they perform on your network. Secure Cloud Analytics can
ingest native cloud log data and industry-standard telemetry, and query
cloud provider APIs, to identify entities and the types of traffic entities
usually transmit. Secure Cloud Analytics updates these models over time, as
the entities continue to send traffic, and potentially send different traffic, to
keep an up-to-date model of each entity. Figure 8-36 illustrates the interaction
between various cloud-native security functions.

Figure 8-36 Interaction between various cloud-native security functions


From this information, Secure Cloud Analytics identifies the following:
• The roles for the entity, which are descriptors of what the entity
usually does. For example, if an entity sends traffic that is generally
associated with email servers, Secure Cloud Analytics assigns the
entity an Email Server role. The role/entity relationship can be many-
to-one, as entities may perform multiple roles.
• Observations for the entity, which are facts about the entity’s behavior
on the network, such as a heartbeat connection with an external IP
address, an interaction with an entity on a watchlist, or a remote access
session established with another entity. Observations on their own do
not carry meaning beyond the fact of what they represent. A typical
customer may have many thousands of observations and a few alerts.

Alerts and Analysis


Based on the combination of roles, observations, and other threat intelligence,
Secure Cloud Analytics generates alerts, which are actionable items that
represent possible malicious behavior as identified by the system.
To build on the previous example, a New Internal Device observation on its
own does not constitute possible malicious behavior. However, over time, if
the entity transmits traffic consistent with a domain controller, then the
system assigns a Domain Controller role to the entity. If the entity
subsequently establishes a connection to an external server that it has not
established a connection with previously, using unusual ports, and transfers
large amounts of data, the system would log a New Large Connection
(External) observation and an Exceptional Domain Controller observation. If
that external server is identified as on a Talos watchlist, then the combination
of all this information would lead Secure Cloud Analytics to generate an alert
for this entity’s behavior, prompting you to take further action to research and
remediate the malicious behavior.
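The chain this paragraph describes, reduced to a toy model as an added illustration (this is not Secure Cloud Analytics code): inbound flows build up a Domain Controller role, a large connection to a never-seen external host on an unusual port yields the two observations, and only the watchlist hit on top of that combination produces an alert. The port set, byte threshold, watchlist entries and sample flow records are constructed assumptions.

```python
"""Toy reconstruction of roles -> observations -> alert for the domain
controller walkthrough. Added illustration, not Secure Cloud Analytics code;
the port set, byte threshold, sample flows and watchlist are constructed."""
from collections import defaultdict

DC_PORTS = {53, 88, 389, 445, 636}     # assumed: inbound services typical of a DC
LARGE_BYTES = 50_000_000               # assumed threshold for a "large" connection
# Constructed watchlist in the spirit of a Talos feed: ip -> expiry (None = never).
WATCHLIST = {"203.0.113.9": None}


def is_external(ip: str) -> bool:
    """Constructed address plan: 10.0.0.0/8 is the private network."""
    return not ip.startswith("10.")


def on_watchlist(ip: str, now: int, watchlist: dict) -> bool:
    """Entries can expire; an expired entry no longer influences alerting."""
    if ip not in watchlist:
        return False
    expiry = watchlist[ip]
    return expiry is None or now < expiry


class EntityModel:
    """Tracks each entity's behaviour over time and derives roles from it."""

    def __init__(self, watchlist=None):
        self.watchlist = WATCHLIST if watchlist is None else watchlist
        self.seen = set()                      # internal entities already modelled
        self.inbound_ports = defaultdict(set)  # entity -> ports it has served
        self.peers = defaultdict(set)          # entity -> external hosts it contacted
        self.client_ports = defaultdict(set)   # entity -> ports it connects out to
        self.observations = []                 # (ts, entity, name, detail)
        self.alerts = []

    def roles(self, entity: str) -> list:
        """A role is a descriptor of what the entity usually does."""
        roles = []
        if len(self.inbound_ports[entity] & DC_PORTS) >= 3:
            roles.append("Domain Controller")
        return roles

    def observe(self, ts, entity, name, detail=""):
        self.observations.append((ts, entity, name, detail))

    def ingest(self, flow: dict) -> None:
        src, dst, port, ts = flow["src"], flow["dst"], flow["dport"], flow["ts"]
        for ip in (src, dst):
            if not is_external(ip) and ip not in self.seen:
                self.seen.add(ip)
                self.observe(ts, ip, "New Internal Device")
        if not is_external(dst):
            self.inbound_ports[dst].add(port)  # role evidence for the server side
            return
        # Outbound to an external host: compare against what src usually does.
        new_peer = dst not in self.peers[src]
        unusual_port = port not in self.client_ports[src]
        self.peers[src].add(dst)
        self.client_ports[src].add(port)
        if not (new_peer and unusual_port and flow["bytes"] >= LARGE_BYTES):
            return
        self.observe(ts, src, "New Large Connection (External)", dst)
        if "Domain Controller" not in self.roles(src):
            return
        self.observe(ts, src, "Exceptional Domain Controller", dst)
        # The alert needs the whole combination: role + observations + watchlist hit.
        if on_watchlist(dst, ts, self.watchlist):
            self.alerts.append({
                "ts": ts, "entity": src, "external": dst, "roles": self.roles(src),
                "supporting_observations": [o[2] for o in self.observations if o[1] == src],
            })


# Constructed flow records: 10.0.0.5 behaves like a DC, then makes one large
# transfer to a watchlisted host on a port it has never used before.
SAMPLE_FLOWS = [
    {"src": "10.0.1.20", "dst": "10.0.0.5", "dport": 88, "bytes": 1_200, "ts": 100},
    {"src": "10.0.1.20", "dst": "10.0.0.5", "dport": 389, "bytes": 3_400, "ts": 101},
    {"src": "10.0.1.20", "dst": "10.0.0.5", "dport": 445, "bytes": 9_000, "ts": 102},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 53, "bytes": 300, "ts": 103},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 8443, "bytes": 80_000_000, "ts": 200},
]


def run(flows=SAMPLE_FLOWS, watchlist=None) -> EntityModel:
    model = EntityModel(watchlist)
    for flow in flows:
        model.ingest(flow)
    return model


if __name__ == "__main__":
    m = run()
    for obs in m.observations:
        print("observation:", obs)
    for alert in m.alerts:
        print("ALERT:", alert)
```

Running it with the watchlist entry expired (for example `run(watchlist={"203.0.113.9": 150})`) still records both observations but raises no alert, which is the observation-versus-alert distinction the text draws.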
When you open an alert in the Secure Cloud Analytics web portal UI, you
can view the supporting observations that led the system to generate the alert.
From these observations, you can also view additional context about the
entities involved, including the traffic they transmitted, and external threat
intelligence if it is available. You can also see other observations and alerts
that entities were involved with, and you can determine if this behavior is tied
to other potentially malicious behavior.

Public Cloud Monitoring Configuration for Amazon Web Services

Cisco Secure Cloud Analytics public cloud monitoring is a visibility, threat
identification, and compliance service for Amazon Web Services (AWS).
Secure Cloud Analytics consumes network traffic data, including virtual
private cloud (VPC) flow logs, from your AWS public cloud network. It then
performs dynamic entity modeling by running analytics on that data to detect
threats and indicators of compromise. Secure Cloud Analytics consumes
VPC flow logs directly from your AWS account using a cross-account IAM
role with the proper permissions. In addition, Secure Cloud Analytics can
consume other sources of data, like CloudTrail and IAM (Identity and Access
Management), for additional context and monitoring. Figure 8-37 illustrates
the Cisco validated design for AWS three-tier architecture.
Figure 8-37 Cisco validated design for AWS three-tier architecture
To configure an S3 bucket to store your flow logs as well as Secure Cloud
Analytics to ingest these flow logs, follow these steps:
1. In AWS, enable VPC flow logging for a VPC and then configure an S3
bucket to which you export the flow logs.
2. In AWS, configure an IAM access policy and IAM role to allow Secure
Cloud Analytics the permission to access and ingest the flow logs.
3. In the Secure Cloud Analytics web portal UI, update the configuration
with the S3 bucket and IAM role to enable AWS flow log data
ingestion.
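As an added worked example (not Cisco's or AWS's own tooling), here are the two policy documents step 2 calls for, generated and checked for least privilege in Python, together with the AWS CLI commands for steps 1 and 2. The bucket name, monitoring account ID, external ID, role name and VPC ID are placeholders to be replaced with the values the Secure Cloud Analytics portal and your account provide.

```python
"""Generate and lint the cross-account IAM role used to ingest VPC flow logs.
Added example, not Cisco's or AWS's own tooling. The bucket name, monitoring
account ID, external ID and role name are placeholders."""
import json

FLOW_LOG_BUCKET = "example-vpc-flow-logs"       # placeholder bucket from step 1
MONITOR_ACCOUNT_ID = "111111111111"              # placeholder; not Cisco's real account
EXTERNAL_ID = "replace-with-portal-external-id"  # placeholder; issued by the portal
ROLE_NAME = "SecureCloudAnalyticsFlowLogReader"  # assumed name


def trust_policy(account_id: str, external_id: str) -> dict:
    """Who may assume the role: only the monitoring account, and only when it
    presents the agreed external ID (mitigates the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def access_policy(bucket: str) -> dict:
    """What the role may do: list the flow-log bucket and read its objects.
    The CloudTrail and IAM context mentioned in the text would need their own
    read-only statements; nothing beyond the bucket is granted here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def lint_policy(policy: dict) -> list:
    """Least-privilege findings: wildcard actions or resources, S3 actions
    that are not read-only, and AssumeRole grants without an ExternalId."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        condition = json.dumps(stmt.get("Condition", {}))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.startswith("s3:") and not action.startswith(("s3:Get", "s3:List")):
                findings.append(f"statement {i}: non-read S3 action {action}")
            elif action == "sts:AssumeRole" and "sts:ExternalId" not in condition:
                findings.append(f"statement {i}: AssumeRole without sts:ExternalId")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings


def deployment_commands(role_name: str, bucket: str, vpc_id: str) -> list:
    """AWS CLI commands for steps 1 and 2, assuming the two policies were
    written to trust.json and access.json (see write_policy_files)."""
    return [
        f"aws ec2 create-flow-logs --resource-type VPC --resource-ids {vpc_id} "
        f"--traffic-type ALL --log-destination-type s3 "
        f"--log-destination arn:aws:s3:::{bucket}",
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role_name} "
        f"--policy-name FlowLogRead --policy-document file://access.json",
    ]


def write_policy_files(directory: str = ".") -> None:
    """Write trust.json and access.json for the commands above."""
    with open(f"{directory}/trust.json", "w") as fh:
        json.dump(trust_policy(MONITOR_ACCOUNT_ID, EXTERNAL_ID), fh, indent=2)
    with open(f"{directory}/access.json", "w") as fh:
        json.dump(access_policy(FLOW_LOG_BUCKET), fh, indent=2)


if __name__ == "__main__":
    for name, pol in (("trust", trust_policy(MONITOR_ACCOUNT_ID, EXTERNAL_ID)),
                      ("access", access_policy(FLOW_LOG_BUCKET))):
        print(name, "findings:", lint_policy(pol) or "none")
    print("\n".join(deployment_commands(ROLE_NAME, FLOW_LOG_BUCKET, "vpc-PLACEHOLDER")))
```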

Public Cloud Monitoring Configuration for Google Cloud Platform

Cisco Secure Cloud Analytics public cloud monitoring is a visibility, threat
identification, and compliance service for Google Cloud Platform (GCP).
Secure Cloud Analytics consumes network traffic data, including VPC flow
logs, from your GCP public cloud network. It then performs dynamic entity
modeling by running analytics on that data to detect threats and indicators of
compromise. Secure Cloud Analytics consumes VPC flow logs directly from
your GCP account using a cross-account IAM service account with the
proper permissions.

Single GCP Project Configuration


To configure GCP to generate and store flow log data for a single project as
well as Secure Cloud Analytics to ingest that data, follow these steps:
1. In GCP, configure a service account with the proper permissions to
view flow log and other data and then save the JSON credentials.
2. In GCP, enable flow logging and the Stackdriver monitoring API for
metrics gathering.
3. In the Secure Cloud Analytics web portal UI, upload the service
account JSON credentials.
If you have a high-throughput GCP environment, you can optionally
configure Pub/Sub for a single project to deliver flow log data to Secure
Cloud Analytics, as follows:
1. Determine if your deployment is high throughput.
2. Configure a Pub/Sub topic to ingest flow log data as well as a Pub/Sub
subscription for the topic to deliver the flow log data.

Multiple GCP Project Configuration


To configure GCP to generate and store flow log data for multiple projects as
well as Secure Cloud Analytics to ingest that data, follow these steps:
1. In GCP, configure a service account with the proper permissions to
view flow log and other data and then save the JSON credentials.
2. In GCP, configure the additional projects to use the service account.
3. In GCP, enable flow logging and the Stackdriver monitoring API for
metrics gathering.
4. In the Secure Cloud Analytics web portal UI, upload the service
account’s JSON credentials.
If you have a high-throughput GCP environment, you can optionally
configure Pub/Sub for multiple projects to deliver flow log data to Secure
Cloud Analytics, as follows:
1. Determine if your deployment is high throughput.
2. Configure a Pub/Sub topic to ingest flow log data as well as a Pub/Sub
subscription for the topic to deliver the flow log data.
3. Configure additional Pub/Sub topics and subscriptions for the
additional projects.

Public Cloud Monitoring Configuration for Microsoft Azure

Cisco Secure Cloud Analytics public cloud monitoring is a visibility, threat
identification, and compliance service for Microsoft Azure. Secure Cloud
Analytics consumes network traffic data, including Network Security Group
(NSG) flow logs, from your Azure public cloud network. It then performs
dynamic entity modeling by running analytics on that data to detect threats
and indicators of compromise. Secure Cloud Analytics consumes NSG flow
logs directly from your Azure storage account and uses an application to gain
additional context. Figure 8-38 illustrates the Cisco validated design for
Azure three-tier architecture.
Figure 8-38 Cisco validated design for Azure three-tier architecture
To configure Azure to generate and store flow log data as well as Secure
Cloud Analytics to ingest that flow log data, follow these steps:
1. In Azure, have at least one resource group to monitor.
2. In Azure, obtain your Azure AD URL and subscription ID.
3. In Azure, create an AD application and then associate roles with the
application.
4. In Azure, create a storage account for the flow log data and then
generate a SAS URL.
5. In Azure, enable Network Watcher and flow logs.
6. In Azure, if you want additional visibility on activity taken, configure
your storage account to store activity logs.
7. In Secure Cloud Analytics, upload Azure credential and flow log
storage information, including the AD URL, subscription ID,
application ID and key, and blob service SAS URL.

Watchlist Configuration
Watchlists control whether or not traffic from a specific entity will generate
an alert. You can configure entries such that traffic involving those entities
always causes the system to generate an alert. You can also configure those
watchlist entries to expire after a configured period of time, at which point
traffic involving those entities no longer causes the system to generate an
alert. Figure 8-39 illustrates the alerts on the Secure Cloud dashboard.
Figure 8-39 Alerts on the Secure Cloud dashboard

Configuring the AWS CloudTrail Event Watchlist


You can configure a watchlist to generate an alert for specific AWS
CloudTrail events generated for specific AWS accounts. Follow these steps to
add an entry to the AWS CloudTrail Alert Watchlist:
Step 1. Select Settings > Alerts > AWS CloudTrail Watchlist.
Step 2. Select an AWS Account ID from the drop-down or select to generate
an alert if the system detects the CloudTrail event in any of your
monitored AWS accounts.
Step 3. Enter a CloudTrail event. See AWS documentation on CloudTrail
events for more information on the supported events.
Step 4. Click Create.

Configuring the GCP Logging Watchlist


You can configure a watchlist to generate an alert for specific GCP events
generated for specific GCP projects. To add an entry to the GCP Logging
Watchlist, follow these steps:
Step 1. Select Settings > Alerts > GCP Logging Watchlist.
Step 2. Click New Watchlist Item.
Step 3. Enter a GCP action. See the GCP documentation for more
information on the available actions.
Step 4. Select a GCP project ID from the drop-down or select to generate an
alert if the system detects the action in any of your monitored GCP
projects.
Step 5. Click Create.

Configuring the Azure Activity Log Watchlist


You can configure a watchlist to generate an alert for specific Azure events.
Follow these steps to add an entry to the Azure Activity Log Watchlist:
Step 1. Select Settings > Alerts > Azure Activity Log Watchlist.
Step 2. Click New Watchlist Item.
Step 3. Select a subscription ID from the drop-down or select to generate an
alert if the system detects the action in any of your monitored Azure
projects.
Step 4. Enter an operation (or action). See Azure documentation for more
information on the available actions.
Step 5. Click Create.

Dashboard Overview
The Dashboard menu option presents several different ways to view your
network at a high level:
• The dashboard provides a summary of alerts, entities on your network,
and traffic statistics.
• The AWS visualizations present AWS-related spider graphs, with your
AWS resources, security groups, and IAM permissions as nodes.
• View the overall health of your network from the dashboard.
• View the open alerts and supporting observations and other context to
determine whether network behavior is malicious.
• View the models to detect historical patterns in entity, network, and
other related behavior over time.
• View reports in the Help menu to understand the breadth and depth of
traffic monitored by the system.
Figure 8-40 illustrates the Secure Cloud dashboard.
Figure 8-40 Secure Cloud dashboard

Cisco Duo Security


The landscape of authentication is clearly changing. Just a few years ago,
security experts started preaching a risk-based access model—evaluating
users, their devices, and the applications they access to determine a login’s
legitimacy. The corporate network wasn’t the ultimate source of security
anymore. Instead, risk could be managed using stronger security controls
such as multifactor authentication (MFA).
Now, with the concept of de-perimeterization firmly established, access
security is building on the foundation of MFA. IT professionals are realizing
that security adoption is as important as the technology itself—and that
forgoing passwords is a major usability improvement. It is also clear that
remote work is here to stay, and access security must respond to new and
evolving use cases. In the face of so much change, it’s more important than
ever that organizations have a streamlined, effective security stack that runs
like clockwork.
In this section, we’ll examine these industry shifts and look at how secure
access for everyone, from any device, anywhere is possible with Duo.
Since its founding in 2010, Duo has stood out in the cybersecurity industry
by offering users people-focused endpoint verification solutions that make
effective security easy. With user-friendly tools for authentication (including
MFA and passwordless single sign-on), device trust, and adaptive context-
based access, Duo quickly became a sought-after security software provider
—and an obvious choice for joining Cisco Secure’s powerful digital security
portfolio. Duo Security has been a part of Cisco Secure since 2018, and its
secure access product portfolio has continued to expand both in breadth and
in its ability to solve emerging security challenges, like those faced in remote
and hybrid workplace migrations.
Today, Duo provides Cisco Secure with streamlined endpoint verification
tools, secure remote access platforms, cutting-edge visibility tools for
administrators, and much more. Duo’s dynamic and effective zero-trust
solutions offer users security resilience by providing both product reliability
and flexibility. Because of Duo’s ability to integrate with any device, identity
provider, application, or infrastructure, Cisco Secure clients can confidently
deploy these sophisticated products to add zero-trust security into any setting.
Figure 8-41 illustrates the capabilities of Duo Security.

Figure 8-41 Capabilities of Duo Security
Zero-trust takes security beyond the corporate network perimeter, protecting
your data at every access attempt, from any device, anywhere. It’s the future
of information security, and Duo is your rock-solid foundation.

Multifactor Authentication from Duo


Two-factor authentication (2FA) is a specific type of MFA that strengthens
access security by requiring two methods (also referred to as authentication
factors) to verify your identity. These factors can include something you
know, such as a username and password, and something you have, such as a
smartphone app, to approve authentication requests.
2FA protects against phishing, social engineering, and password brute-force
attacks and secures your logins from attackers exploiting weak or stolen
credentials. You can ensure users are who they say they are at every access
attempt, and you can regularly reaffirm their trustworthiness. MFA is the
foundation for zero-trust. Duo verifies that your users are who they say they
are, before they access your data—and with multiple second-factor options,
including one-touch Duo Push, users can easily authenticate in seconds.
MFA from Cisco’s Duo protects your applications by using a second source
of validation, such as a phone or token, to verify user identity before granting
access. Duo is engineered to provide a simple, streamlined login experience
for every user and application, and as a cloud-based solution, it integrates
easily with your existing technology. Figure 8-42 illustrates the Duo App
MFA.
Figure 8-42 Duo App multifactor authentication
We know the most effective security solution is one your users actually use.
Duo’s 2FA solution only requires your users to carry one device—their
smartphone, with the Duo Mobile app installed on it. Duo Mobile is available
for both iPhones and Android, as well as wearables such as the Apple Watch.
With support for a large array of authentication methods, logging in via push
notification is fast and easy with Duo Mobile. We strongly recommend using
Duo Push or WebAuthn as your second factor because they’re secure and can
protect against man-in-the-middle (MITM) attacks, but with Duo’s flexibility
and customizability, you’ll be able to find the adaptive authentication method
that meets the unique needs of your diverse user base.

Types of 2FA
A number of different second factors can be used to verify a user’s
identity. From passcodes to biometrics, the available options address a range
of use cases and protection levels:
• SMS 2FA: SMS two-factor authentication validates the identity of a
user by texting a security code to their mobile device. The user then
enters the code into the website or application to which they’re
authenticating.
• TOTP 2FA: The time-based one-time password (TOTP) 2FA method
generates a key locally on the device a user is attempting to access.
The security key is generally a QR code that the user scans with their
mobile device to generate a series of numbers. The user then enters
those numbers into the website or application to gain access. The
passcodes generated by authenticators expire after a certain period of
time, and a new one will be generated the next time a user logs in to an
account. TOTP is part of the Open Authentication (OATH) security
architecture.
• Push-based 2FA: Push-based 2FA improves on SMS and TOTP 2FA
by adding additional layers of security, while improving ease of use for
end users. Push-based 2FA confirms a user’s identity with multiple
factors of authentication that other methods cannot. Duo Security is the
leading provider of push-based 2FA.
• WebAuthn: Created by the FIDO (Fast IDentity Online) Alliance and
W3C, the Web Authentication API is a specification that enables
strong, public key cryptography registration and authentication.
WebAuthn (Web Authentication API) allows third parties like Duo to
tap into built-in capabilities on laptops, smartphones, and browsers,
letting users authenticate quickly and with the tools they already have
at their fingertips.
Duo Device Trust Monitor
With Duo, you can monitor the health of every device across your
organization in real time, whether it’s corporate-managed or not. With Duo’s
device trust features, you can customize access requirements at the device
level, and because it’s a cloud-based solution, you’ll stay ahead of the latest
security threats. Identify risky devices, enforce contextual access policies,
and report on device health using an agentless approach or by integrating
with your device management tools.
You can’t protect what you can’t see. Gaining visibility into devices is the
first step in establishing device trust, and it’s an essential aspect of a strong
zero-trust strategy. Duo provides visibility into every single device on your
network and enforces health checks at every single login attempt.
With Duo, you can verify device health before granting access, to prevent
exposing your applications to potential risk. Duo provides detailed
information about both corporate and unmanaged devices, so you can easily
spot security risks like out-of-date or jailbroken devices. Figure 8-43 shows
the Duo Device Trust Monitor dashboard.
Figure 8-43 Duo Device Trust Monitor dashboard
Duo helps you spot potential risks so you can meet compliance and adjust
your access parameters for any situation. With powerful reporting capabilities
and an admin-friendly dashboard, Duo makes it easy to monitor your security
policies and spot anomalous login activity.
Duo Trust Monitor analyzes and models authentication telemetry in order to
highlight risk as well as adapt its understanding of normal user behavior.
Table 8-2 provides a sampling of some of the telemetry Duo Trust Monitor
considers.
Table 8-2 Sampling of Duo Trust Monitor’s Telemetry

Duo Trust Monitor may leverage up to 180 days’ worth of historical Duo data
to define a baseline. However, organizations don’t need this much data for
Duo Trust Monitor to be useful. We recommend customers enable the feature
after using Duo in their environment for at least six weeks.
Duo Trust Monitor uses a variety of tactics to build out a threat model. Duo
Trust Monitor evaluates the effect of each component over time and learns
which combinations provide the most security value.
Table 8-3 illustrates a sampling of some of the models present within the
feature.
Table 8-3 Duo Trust Monitor’s Models

When first setting up Duo Trust Monitor, administrators should designate
their organization’s risk profile. The Risk Profile flow enables administrators
to select a prioritized set of Duo-protected applications, user groups, and
locations/IPs.
Setting the risk profile is required to surface and view events. If an
administrator creates a risk profile that selects every application, group, and
location, Duo Trust Monitor still functions, but the feature will not prioritize
any anomalies specifically over others.
To set up a risk profile, follow these steps:
Step 1. Log in to the Duo Admin Panel and navigate to Trust Monitor >
Risk Profile.
Step 2. Click Create Risk Profile.
Step 3. Begin by selecting applications. Scroll through the list of all
applications protected by Duo in your organization’s environment
and then select the high-value applications to include in the risk
profile.
Figure 8-44 illustrates application selection while creating a risk
profile.

Figure 8-44 Application selection while creating a risk profile
Step 4. Your next step is selecting the priority user groups. Highly
credentialed power users, contractors, and users in bypass mode are
often selected, but the exact configuration will vary by organizational
structure. We recommend selecting three to eight groups.
Figure 8-45 illustrates the user group selection while creating a risk
profile.
Figure 8-45 User group selection while creating a risk profile
Step 5. In this step of configuring the risk profile, you set trusted IPs or select
risky countries. Typical selections would be countries where your
organization doesn’t do any business or have any users, meaning an
access attempt from those countries would warrant some suspicion.
For low-risk IPs, companies may enter corporate network blocks or
trusted IP ranges. To reiterate, this tool merely prioritizes anomalies;
events from a trusted network or country can still be surfaced in the
Security Events dashboard.
Figure 8-46 illustrates the trusted location and IP selection while
creating a risk profile.
Figure 8-46 Trusted location and IP selection while creating a risk
profile
Step 6. If you want Trust Monitor to surface non-authentication events that
may be considered high risk, such as when a Duo admin applies
bypass status to a user, enable that in this step.
Step 7. Review your application, group, location/IP, and non-authentication
event selections. If you need to make corrections, you can use the
Back to ... buttons to revisit each of the selection’s steps. If
everything looks okay, click Apply Configuration.

Enforce Adaptive Policies


With Duo, you can assign granular and contextual access policies, limiting
exposure of your information to as few users and devices as possible, and you
can grant your users just the right amount of access. Duo’s advanced policy
enforcement capabilities let you define security requirements at the user,
device, and application levels, based on contextual factors such as location
and update status.
A true zero-trust strategy changes the level of access or trust based on
contextual data about the user or device requesting access. It also limits
access to only users who really need it. With Duo, you can set up detailed
policies in minutes via a simple, intuitive administrator dashboard, and you
can manage rules globally or for specific applications or user groups.
Every user has a different use case for access to your applications, and Duo
handles them all with ease. Detect user location, device, role, and more at
every login, set security policies based on these attributes, check for
anomalous access, and continuously monitor policy efficacy—all without
interrupting your users’ daily workflows. Figure 8-47 illustrates adaptive
policies in Duo.
Figure 8-47 Adaptive policies in Duo
With Duo, you can protect against potentially compromised or risky devices
accessing your applications and data as well as apply security policy across
every device—managed or unmanaged. Duo lets you define permissions
based on OS and individual device settings and automatically notify (or even
block) users when their software is out of date.
With Duo, you can take a big step toward zero-trust by making sure the right
people have access to the right tools. Duo’s application-specific controls
make it easy to onboard contract employees, change access permissions,
protect high-value information with stringent security policies, and more.

Secure Access for Every User


For today’s workforce, the “office” could be anywhere: home, a coffee shop,
even an airplane. Duo protects every device and every application, so your
users can keep working with the tools they love, anywhere, anytime.
Flexibility and peace of mind? With Duo, you can have both.
You can provide appropriate permissions for every user accessing any
application, anytime and from anywhere. You can also enable your mobile
workforce without compromising your company’s data. Duo provides
modern remote access solutions and protects existing IT infrastructure,
making it easy to onboard new employees and contractors, thus allowing
employees to work on the go. Figure 8-48 illustrates remote access
enablement with Duo.
Figure 8-48 Remote access enablement with Duo

Secure VPN-Less Remote Access for Any Environment

Everyone’s IT stack is unique, and Duo can help protect everything—even
surpassing the need for VPN connectivity. Helping to secure both on-
premises and cloud environments (like Microsoft Azure, Amazon Web
Services, and Google Cloud Platform), Duo’s VPN-less remote access proxy,
the Duo Network Gateway, can streamline and facilitate remote access in
your organization.

Simple, Secure Single Sign-On


Today’s workforce relies on an incredible variety of programs and platforms
for productivity, and it can be difficult to provide on-demand access to these
tools without compromising on security. Luckily, Duo safely puts essential
applications at your users’ fingertips. Whether you’re looking for a new SSO
solution or want to protect an existing one, Duo enables a streamlined login
experience that’s backed by airtight information security:
• Reduce the risk of credential theft by enabling users to securely access
their applications with a single username and password.
• Duo’s cloud-based single sign-on (SSO) grants users secure access to
all protected applications (on-premises or cloud-based) through a
uniform, frictionless interface that’s accessible from anywhere.
• SSO from Duo provides users with an easy and consistent login
experience for any and every application, whether it’s on-premises or
cloud-based. Cloud-based and hosted by Duo, it’s easy to set up and
manage.
Figure 8-49 illustrates single sign-on enablement with Duo.
Figure 8-49 Single sign-on enablement with Duo
You can implement SSO with the tools people are actually using. Whether
your applications are on-premises or cloud-based, they’re all conveniently
integrated for easy access—and with Duo’s granular access policy options,
you can provide just the right level of access for each.
Duo’s cloud-based SSO is designed to complement Cisco’s multifactor
authentication solution, but its zero-trust platform integrates with dozens of
other SSO and identity provider tools, allowing you to secure application
access in the way that works best for your business.

Summary
Securing the public cloud is an increasingly difficult challenge for businesses.
As a result, IT departments are searching for a cloud-delivered security
solution that provides sufficient end-user security.
Cisco Cloud Security products extend protection to all aspects of your
business. Cisco Umbrella helps secure cloud access, and Cisco Cloudlock
safeguards the use of SaaS applications.
In addition, Cisco Secure Cloud Analytics (Stealthwatch Cloud) monitors
your IaaS instances and alerts on suspicious activities. Cisco Cloud Security
products deliver a broad, effective security solution for your multicloud
world.
