Sending new software and configurations to network devices installed in field offices is an ongoing challenge for Cisco IT. Although we have long used scripts to push updates, we needed a full-featured automation platform.
We gained that platform with the Cisco Network Services Orchestrator (NSO) enabled by the recent Tail-f® acquisition. NSO supports service implementation on a wide variety of networking devices, including traditional hardware elements, virtual software appliances, and software-defined networking (SDN) controllers.
Although the Network Services Orchestrator platform is designed primarily for service provider networks, we determined it would be useful for managing software updates in the Cisco enterprise network. The first case we identified for NSO: Push a new Cisco IOS® version and configuration to more than 400 Cisco field sites so they could begin using 802.1x wired authentication with the Cisco Identity Services Engine (Cisco ISE).
This deployment was especially challenging because of the need to accommodate a wide range of devices and to deploy ISE initially in monitor mode at each site. NSO allowed us to automate activation of both monitor mode and, when the site was ready, enforcement mode, which configured the Cisco Identity-Based Networking Services on specific switch ports.
Due to the complexity of this deployment, we determined that manual processes would be time consuming and prone to error. An individual site could take eight hours or more for an engineer to configure using the command-line interface, meaning the total upgrade effort would require more than 3200 hours.
Through the automation offered by Cisco Network Service Orchestrator, the Cisco IT network security team was able to reduce the deployment time to around half an hour per site. For the entire project, a 93 percent reduction in deployment time which saved 3000 total work hours.
“Network Services Orchestrator significantly reduces the time and resources we need for a global rollout of new network services because we don’t need to manually load and configure updates on each device,” says John Cornell, Network Security Architect, Cisco IT.
Brandon Black, an IT analyst for Cisco notes, “Once NSO has installed an update, it also manages the lifecycle and compliance of that configuration so your ongoing operations are much simpler.” Figure 1 shows the Cisco NSO process for automatically checking and updating configurations on installed devices.
Cisco NSO Automated Configuration Compliance Check and Update Process
The Cisco NSO platform runs on a cluster of three Cisco Unified Computing System™ (Cisco UCS®) virtual machines in the Cisco IT production data center and on a similar cluster in a disaster recovery data center. This cluster design will scale easily as the Cisco network grows and Cisco IT adds more network services, meaning more updates to deploy and devices to monitor for compliance.
With the Cisco Network Services Orchestrator, we have a platform for automating a variety of tasks to maintain our installed base of network devices:
● Pushing software updates to a large number or certain types of devices, both from Cisco and other vendors
● Auditing and remediating software versions to keep individual devices compliant with current IT standards
● Managing device configurations and access control lists for routine operations
● Achieving faster and simpler deployment of new network services while requiring less work from network personnel
In the future, Cisco NSO will benefit several planned projects, including compliance checks on Cisco Virtual Office devices installed in employees’ homes as well as gateways in Cisco R&D labs. Cisco IT will also extend the 802.1x wired authentication project to more than 200 extranet sites.
For More Information
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco webinars & Events.
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.