Network infrastructure has to handle ever-increasing amounts of data. It enables data exchange between employees’ devices as well as communication with the internet. However, companies should be aware of possible external and internal attacks that can infiltrate a network infrastructure and cause security breaches. Therefore, the creation of network infrastructure has to be both efficient and secure. In this article you will learn how you can use Cisco’s Catalyst 9300 platform to mitigate these risks.
Cisco’s Catalyst 9300 is a high-performance, stackable switching platform built on an x86 CPU. It runs the Cisco IOS XE operating system, which itself runs on a Linux kernel. The switch can be configured using:
- Command-Line Interface (CLI),
- Cisco DNA Center,
- Cisco Prime Infrastructure,
- Web User Interface,
- Simple Network Management Protocol (SNMP).
The Catalyst 9300 series introduces a Docker-based application hosting environment in which third-party applications can use the hardware resources of the switch. This raises two main questions:
- Does the operating system work properly with running applications?
- Is the data of the switch operating system secure?
Cisco addresses operating system stability with two design decisions:
- Applications run as Docker containers. Each container gets its own filesystem and is separated from IOS XE by Linux namespaces and cgroups, so a misbehaving application cannot reach the switch’s own software or configuration. (Containers still share the host kernel, so this boundary is weaker than a virtual machine’s; the images you host should be ones you trust.)
- Each application is allocated dedicated hardware resources. The Cisco Application Framework (CAF) refuses to start an application if the switch cannot reserve the CPU, memory and storage it asks for, so applications never compete with the switch operating system for resources.
The dedicated hardware resources available to applications are summarised in Fig. 1.
Fig. 1 Catalyst 9300 dedicated hardware resources
To support data security, the Cisco Catalyst 9300X carries a new version of the Unified Access Data Plane (UADP) Application-Specific Integrated Circuit (ASIC), UADP 2.5. This circuit adds hardware IPsec crypto support at line rate (up to 100 Gbps).
Moreover, to give applications more room for their data, the Cisco Catalyst 9300’s storage can be extended with a USB SSD, far more space than earlier Catalyst switches offered. This raises its own data-security question: what if the USB SSD is removed or stolen? Is the applications’ data still protected?
To mitigate this risk, Cisco introduced two security features for the SSD:
- Encryption: data stored on the SSD is protected with AES-256 hardware encryption, so the contents are never written to the drive in clear text.
- Passcode authentication: the passcode set on the SSD must match the passcode configured on the switch before the drive is unlocked, so a drive pulled out of the switch and plugged into another machine cannot be read.
Docker is a platform for building containerized applications. A Docker container runs in a lightweight, isolated environment that shares the host operating system’s kernel instead of booting a second operating system, which makes it much faster and lighter than a virtual machine (the trade-off being that a shared kernel is a thinner isolation boundary than a hypervisor). The big advantage is that a container bundles an application together with its dependencies: errors caused by missing or mismatched libraries are avoided, and the application behaves predictably when moved to another machine.
Furthermore, the Cisco Catalyst 9300 runs Docker containers natively, so applications can be deployed directly on the switch. That is a great opportunity to build and deploy your own Docker application, and because the Catalyst 9300 uses an x86-based CPU, existing x86_64 (linux/amd64) container images can be reused as well.
But why would we want to install an application in this location? The benefits can be divided into three main areas:
- Security - the application can monitor network traffic and protect the network against attacks.
- Internet of Things (IoT) - analyze the data closer to the edge of the corporate network instead of sending it to the cloud (e.g. Azure IoT Edge).
- Network monitoring - network performance monitoring, optimizing, troubleshooting.
Installing an application on the Catalyst 9300 is straightforward because it relies on the Docker environment: there is no environment to prepare and no dependencies to install, you run the container and start using the application. During installation, you specify the resources allocated to the application and the switch interfaces assigned to it. The IP address of each application interface can be set in one of three ways:
- Linux CLI: manual configuration of the interface inside the container.
- Dynamic Host Configuration Protocol (DHCP).
- A static IP address assigned through the Cisco IOS XE CLI.
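A worked example of the CLI path, added here as an illustration and not taken from the original article: it enables IOx, attaches the container to VLAN 10 through the internal AppGigabitEthernet trunk with a static address pushed from IOS XE (the third method above), reserves dedicated CPU, memory and persistent storage (the resource guarantee described earlier), and then installs, activates and starts the package. The application name `sensor`, VLAN 10, the 192.168.10.0/24 addresses, the DNS server and the package path `usbflash1:sensor.tar` are placeholders chosen for the example, and the commands assume a Catalyst 9300 on IOS XE 17.x with the USB SSD mounted as `usbflash1:`.

```cisco
! Added example (not from the original article). Placeholders: appid "sensor",
! VLAN 10, 192.168.10.0/24 addresses, package usbflash1:sensor.tar.
! Assumes IOS XE 17.x on a Catalyst 9300 with the USB SSD mounted as usbflash1:.
configure terminal
 ! 1. Enable the IOx application-hosting framework (CAF).
 iox
 ! 2. The container's data-plane port is the internal AppGigabitEthernet
 !    interface. Trunk it and allow only the VLAN the application needs,
 !    so the container cannot see other VLANs on the switch.
 interface AppGigabitEthernet1/0/1
  switchport mode trunk
  switchport trunk allowed vlan 10
  exit
 ! 3. Define the application and its network attachment.
 app-hosting appid sensor
  app-vnic AppGigabitEthernet trunk
   ! guest-interface 0 is eth0 inside the container; it is placed in VLAN 10 only.
   vlan 10 guest-interface 0
    ! Method 3 from the text: static IP configured from IOS XE.
    ! Omit guest-ipaddress (and the gateway below) to use method 2 (a DHCP
    ! client inside the container) or method 1 (configure eth0 by hand in the container).
    guest-ipaddress 192.168.10.20 netmask 255.255.255.0
    exit
   exit
  app-default-gateway 192.168.10.1 guest-interface 0
  name-server0 192.168.10.53
  ! 4. Dedicated resources. CAF refuses to activate the application if these
  !    cannot be reserved, so IOS XE never competes with the container for them.
  !    cpu is in CPU units, memory and persist-disk are in MB; persist-disk
  !    lands on the (AES-256 encrypted) SSD.
  app-resource profile custom
   cpu 1000
   memory 1024
   persist-disk 512
   end
! 5. Lifecycle: install the image tarball from the SSD, activate
!    (the resource reservation happens here), then start.
app-hosting install appid sensor package usbflash1:sensor.tar
app-hosting activate appid sensor
app-hosting start appid sensor
! 6. Verify the state and the resources actually granted.
show app-hosting list
show app-hosting detail appid sensor
show app-hosting resource
```

Run `show app-hosting resource` before choosing the profile values: it reports the platform’s total and remaining CPU units, memory and storage, and an `activate` that asks for more than is left fails rather than starving IOS XE. The trunk’s `allowed vlan` list is the simplest control on what the container can reach; keep it to the VLANs the application genuinely needs. To remove the application cleanly, reverse the lifecycle with `app-hosting stop`, `app-hosting deactivate` and `app-hosting uninstall` for the same appid.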
All these steps can be done from the CLI, but Cisco also offers Cisco Digital Network Architecture (DNA) Center, which provides a tool to deploy and manage applications. Cisco DNA Center has a GUI, so in just a few steps multiple applications can be installed on multiple switches simultaneously, without using the CLI or remembering specific commands. All the settings covered above can be configured much faster this way, which saves a lot of time.