- December 27th, 2017Read More
The placement of Voice Infrastructure devices on the network presents some challenges to voice engineers. They must satisfy the security requirements of the Enterprise while providing simple and uninterrupted access to external systems such as PSTN SIP trunks and internal systems such as VoIP phones and servers. In this article, we discuss Voice security from a Routing and Switching point of view. This article is not about internal Voice security mechanisms such as authentication and encryption.
Obviously, we do not recommend terminating external SIP trunks on Unified Communications Manager servers directly. Therefore, in this article, we will talk about the placement of Voice Gateways on the network and the interaction between the various Voice components. We consider the Voice Gateway to be a CUBE that terminates all media streams.
Placing a Voice Gateway on the internal network is a major security risk. It exposes your entire enterprise to an external entity even if that entity is your trusted voice carrier. Therefore, all our designs require placing the Voice Gateway on a DMZ behind a NextGen firewall such as Cisco ASA with Firepower services. First, the ASA does SIP inspection and can deploy security ACLs to filter inbound traffic and only allow connections from specific IPs such as your Voice Gateway SIP signaling and media IP. Second, NextGen firewalls can detect and protect against malware embedded in the data stream.
The following scenarios are based on some very common WAN designs that we have seen deployed at our customer sites of various sizes.
I. Dedicated PSTN SIP trunk via a dedicated Voice Gateway.
This is the simplest setup. A primary dedicated SIP trunk over a private T1 or Ethernet WAN connection and an optional backup SIP trunk via the Internet. Note that the backup SIP trunk can be hosted on a separate Voice Gateway too to provide hardware redundancy. The following diagram illustrates this design.
In this scenario, the Voice Gateway is on a dedicated DMZ behind the NextGen firewall. The firewall has SIP inspection turned on and only allows inbound SIP control traffic sourced from the inside IP of the Voice Gateway to the CUCM. Similarly, an outbound ACL controls SIP signaling traffic from CUCM to the Voice Gateway. SIP media traffic will be automatically allowed based on the negotiated RTP ports.
II. Voice Gateway is co-located with your MPLS router
Today’s most common WAN designs utilize MPLS as the underlay infrastructure for Enterprise WAN connectivity. It is also not uncommon for an MPLS carrier to provide PSTN SIP trunks over the same physical fiber or copper cable. Therefore, to save on hardware your Voice Gateway might be co-located with your WAN ISR router. If your MPLS/SIP provider separates the two functions and terminates each on a separate VLAN, then it is possible to use VRF (Virtual Routing and Forwarding) to virtualize your router: The Voice portion can use the Global Routing table while the MPLS portion can use a VRF. Otherwise, both technologies can use the Global routing table. The following diagram illustrates this former scenario:
In the above diagram, we go a step further by separating MPLS and Voice Routing tables. Note that we are only discussing Voice Security. You still need to configure Quality of Service (QoS) to prioritize your VoIP traffic whether you are using a VRF or not. QoS is outside the scope of this article.
As in the previous scenario, the security ACLs, firewall inspection, and Firepower services protect the Enterprise Voice Infrastructure from external attacks.
III. Dedicated Voice Gateway and a shared MPLS/SIP connection
This is a very common design in which the customer orders an MPLS and a SIP trunk from the same carrier as in the 2nd scenario above. However, the customer is using a dedicated Voice Gateway with an optional backup SIP trunk to the same carrier via the Internet.
The following diagram illustrates this solution:
In this scenario, a single Voice Gateway sits behind a NAT firewall. The VG communicates with the SIP provider via the “out_voice” interface and communicates to CUCM and the IP Phones via the “in_voice” interface. NAT is only used when communicating over the backup SIP trunk via the Internet connection. With recent firewall firmware, we see no issues in NAT’ing SIP control and media traffic. As in all previous scenarios, the Voice Gateway sits on a DMZ segment and the CUCM sits on a dedicated internal VLAN. Note that the “in_voice” interface can be connected directly to the internal LAN without going through the firewall.
While there are many ways to protect your Voice Infrastructure, we have highlighted three common scenarios and listed the advantages of having Voice control and media traffic inspected by a NextGen firewall. Other more complicated designs can be derived from the above scenarios especially if you combine your DMVPN, MPLS, or iWAN technologies into a single device.
- December 21st, 2017Read More
Last week, High Availability, Inc. welcomed customers and partners alike to the Movie Tavern in Collegeville, PA for an advanced screening of Star Wars: The Last Jedi. The annual movie premiere has been a cornerstone event for High Availability, Inc. since 2012. It’s a chance for the H.A. team to thank customers for their business during the past year and allows for everyone, even our partners, to kick back and relax.
“Our movie premier event is a great chance for our employees, customers, and partners to get together and escape the end-of-year busyness.” Said Greg Robertson, Chief Financial Officer for High Availability, Inc. “The event creates the perfect mixture of industry news, education, and fun,” Robertson added.
However, the event wasn’t as relaxing for our speakers! H.A.’s infamous “Ignite-Style” presentations took place before the film. Speakers from Cisco, NetApp, Quantum, Riverbed, Rubrik, Varonis, Veeam, and High Availability, Inc. had to present an emerging technology or solution from their organization. Although, the H.A. team set forth some abnormally strict rules! Each speaker had only 5 minutes to present and had to utilize 20 slides – no more, no less. The slides were timed to advance every 15 seconds whether the speaker was ready or not.
“The Ignite format was challenging for the speakers, but helpful for the audience.” Explained Pat Hopkins, a speaker from Quantum. “The speakers had to prepare a short, fast moving but focused message to get their point across. With this style, the audience can quickly absorb valuable information about potential solutions they could bring back to their own organizations. Great format,” Hopkins added.
The most talked about presentation of the evening, which was delivered by Bob McCouch from High Availability, Inc., discussed the most popular emerging technologies from each year a Star Wars film was released. McCouch, a Principal Technologist for High Availability, Inc., discussed everything from the rise of the modern cell phone, big data, and the internet of things.
In short, the High Availability, Inc. movie premier was an enormous success! We can’t wait for next year! Thanks to all our customers and partners for participating in the event.
- December 19th, 2017Read More
In the world of backup and recovery, deduplication appliances have always had a great purpose in keeping large amounts of data for long periods of time. From the backup software perspective, Veeam has continued to grow as the platform of choice for virtual environments.
Quantum has recently announced some new integration with Veeam, in the form of Data Mover software for DXi and also the iBlade for Scalar libraries that both integrate very nicely. For now, I would like to focus on the data mover. The Veeam Data Mover is a piece of software that runs directly on the DXi and performs some of the processing for Veeam Backup and Replication software. By running the target data mover directly on the DXi, some of the backup and restore operations within Veeam are much more efficient and happen quickly. The backup data is sent by the Veeam backup server to the data mover, which in turn writes to an NFS share on the DXi for deduplication, compression, and eventually storage.
Configuration is straightforward, and requires only a few steps. There are a few prerequisites that must be met, which are listed below:
- A Veeam License is required, and must be installed on the DXi
- The DXi system must be running at least version of 3.4 firmware
- A memory upgrade may be required on the DXi
- The DXi must have NAS support
My focus for this article is on configuration of the Veeam Data Mover integration, so any of the above listed requirements for the DXi can be addressed by your local Quantum reseller.
The first step that must be configured on the DXi is to create the NAS share. Create a new NFS NAS share with deduplication enabled. If replication is needed, the option is there to use Quantum replication, which can easily be configured on the share as well. Once the share is added, there is a new tab in the 3.4 firmware called “Application Environment”. By checking the “Enable Veeam” box and entering a new password, the DXi software will build the data mover environment. That’s it – a few simple commands and the DXi is ready for Veeam.
Now that the DXi is ready as a target for the data, we must configure Veeam to send it there. In the Backup Infrastructure tab, add a new Linux server. Use the name (or ip address) associated with a data port on the DXi and add the associated credentials that were specified during the Quantum configuration. This will add the newly created data mover as a managed Linux server within Veeam.
Next, once again go to the Backup Infrastructure tab and add a new Backup Repository. The specified type for this repository will be Linux Server. When you add the server, and the path screen is displayed, click populate and then click next to move to the Repository folder path. Click “Browse” and drill down to the newly created NFS NAS share on the DXi. Make sure to select Decompress backup data blocks and Use per-VM backup files. Default settings can be used for the rest of the wizard.
Once completed, you will have successfully created a new Veeam Repository on the Quantum DXi which resembles the diagram below:
The finished product is not only an extremely efficient way to backup and store virtual machines, but also for recovery as well. You’ve got Quantum DXI with the StorNext data management software to maximize efficiency, as well as the industry leading variable length deduplication technology. Combined with Veeam to manage the backup and recovery process as well as move the data, it doesn’t get any better. Recovery of virtual machines, whether that be instant recovery or individual files, is just as easy and efficient. Protecting your virtual machine data has never been easier.
- November 13th, 2017Read More
Commvault GO 2017 Recap
Last week, thousands of IT professionals gathered in Washington, D.C. for Commvault GO 2017. Commvault GO is Commvault’s annual technical conference for storage and data management professionals. Now in its second year, Commvault GO was created to showcase the newest products and solutions from Commvault and to give end-users an update on the strategic direction of the company.
The agenda was jam-packed with fascinating presentations, breakout sessions, and technical trainings. Luckily, I created a thorough plan for each day so I could make the most of my time at Commvault GO! However, after walking the floor and attending several breakout sessions and technical trainings, I quickly recognized two recurring themes:
- Organizations need to shift to a “Data-Centric” approach
- Commvault is making strides to simplify the deployment and management of their solutions
So, let me break down these two themes:
Robert Hammer, CEO of Commvault, did a brilliant job in his keynote presentation speaking to the “Data-Centric” approach. Hammer spoke about how customers today are starting to change their mindset from infrastructure-centric to data-centric due to a dramatic increase in the new data generation, which is predicted to grow 10x each year from today (163 zettabytes for those keeping score at home) up until 2025. He explained that customers will be forced to focus less on their IT infrastructure and more on the data stored and moving between that infrastructure. Commvault’s answer to this challenge is the Commvault Data Management Platform. Simply stated, the platform is designed to help organizations achieve better data insights for compliance, e-discovery and a variety of other digital transformation use cases.
Today, customers are trying to figure out how to distribute and share their data across multiple platforms, which makes where the data lives irrelevant. At the same time, data protection is critical. There seems to be a concession that it’s no longer a matter of “if” a ransomware attack will hit but rather “when.” No matter the severity of the breach, whether just a few servers were affected or your entire system crashed, the goal is to get operations back online quickly and with minimal data loss. With tools like Intellisnap & Live Sync, customers are provided with the resources to rapidly recover in place or restore operations in another location with minimal downtime, even on a completely different infrastructure. The key to making this all work is planning. In fact, every customer that presented spoke about their S.O.P. when it comes to ransomware attacks. To say “measure twice and cut once” is an understatement, especially when factoring public cloud into the equation. The industry is trying to carefully navigate these waters and ultimately, we are all going to have to get to this place to continue to innovate and grow in all of our respective industries.
The second theme of simplicity I found very refreshing. While Commvault’s capabilities are vast and go far beyond the limits of just backup and recovery, that robust feature set has in the past carried the misperception of the solution being complex to manage. As a result, Commvault has come out with new and innovative solutions to streamline these processes to become more operational and efficient. The first new streamlined solution, and one of the most talked about products of the conference, is Commvault Hyperscale.
Commvault Hyperscale can be used as an appliance or as software. It consolidates all the roles performed by discrete servers in the traditional data protection architecture into a single software defined stack. As mentioned previously, this new offering follows Commvault’s new simplistic and stripped-down approach:
- Setup time is 30 minutes for the appliance
- You only buy what you need today since growing the solution is a simple as adding 3 nodes at a time growing out the CPU, compute and memory resources at the same time
- No more data silos along with fork lift migrations when it’s time to refresh
- More resiliency built into solution as losing a drive or even an entire node does not take down the back environment
- Operation efficiency (especially when using the appliance) as less “components” to maintain (no storage, no SAN, etc…)
- Supported by 7 platforms and can be consumed as an appliance or as software
This is definitely a step in the right direction for Commvault. Eliminating what used to be several weeks of work to just days is every IT professionals dream, especially when a lot of automation is required.
To summarize, Commvault GO 2017 was fascinating and I could not be more pleased with the direction Commvault has chosen to take. Their understanding of the customers thought process and their simplified solutions show that Commvault has listened to our feedback and is growing as an organization. I can’t wait for Commvault GO 2018!
High Availability, Inc. Receives Execution Excellence Award as Regional Partner of the Year at Cisco Partner Summit 2017November 9th, 2017Read More
Last week at Cisco’s annual partner conference in Dallas, Texas, Cisco named High Availability, Inc. their Regional (U.S. East) Partner of the year for innovation, leadership and best practice as a Cisco business partner. Bill Volovnik, Partner Account Manager for Cisco, accepted the award on behalf of the entire organization.
“We couldn’t be more excited and honored to receive the America’s Regional Partner of the Year award from Cisco,” said Steve Eisenhart, Chief Executive Officer of High Availability, Inc. "Cisco has become our most strategic business partner over the last three years. We have an amazing team of sales people and engineers focused on designing, delivering and supporting Cisco’s entire portfolio. We look forward to continuing our success, and strengthening our Cisco partnership even more in FY18.”
Steve Eisenhart, CEO and founder of High Availability, Inc., will formally accept the award on behalf of the entire organization in a private awards ceremony with Cisco later this month.
Cisco Partner Summit Theatre awards reflect the top-performing partners within specific technology markets across the United States. All award recipients are selected by a group of Cisco Global Partner Organization and regional and theatre executives.
Cisco Partner Summit is attended by more than 2,100 global attendees from Cisco’s eco-system of partners representing more than 1,000 companies worldwide from more than 75 countries.
- October 12th, 2017Read More
Last week, thousands of IT professionals gathered in Las Vegas for the 2017 NetApp Insight conference. NetApp Insight is NetApp’s annual technical conference for storage and data management professionals. The conference was full of technical sessions, round-table discussions, self-paced hands-on labs, certification courses and much more.
One of the highlights of the year’s conference was the official unveiling of NetApp HCI, the next generation of hyper converged infrastructure, and the very first HCI platform designed for enterprise-scale. Chief Product Architect Adam Carter presented a brief overview of NetApp HCI which touched on hardware specifications, an installation/administration demo, performance guarantees, ONTAP select integration, and Data fabric consumption options.
Let’s dive a little deeper into what NetApp HCI has to offer:
Each 2U chassis holds four half width (1RU) storage and/or compute nodes. The base model starts with a dual chassis (4RU) solution consisting of two blank slots for expansion, four storage nodes, and two compute nodes for high availability (HA) and N+1. The minimum configurable model includes 32 cores for VMs, 512GB memory, and 5.5TB-11TB (depending on storage efficiency) of all flash capacity. Node sizes can be mixed and matched to achieve the desired host and storage specifications. Each node can push a staggering 50-100k IOPs depending on the type of workload. The best part is there isn’t a controller VM (CVM) for operations so the CPU and Memory shown will be dedicated to VMs (no “HCI tax”).
Cloud Scale and Datacenter Integration
Because the network is decoupled vs a traditional HCI model, storage and compute nodes scale independently and can coexist within the same 2U chassis. The ability to incrementally and independently scale storage or compute nodes creates a cloud like “grow-as-you need model.” This eliminates the need for a large investment every time there is a requirement to scale out. Nodes can scale into the “100s” according to Chief Product Architect Adam Carter. For additional cost savings, the cloud scale model eliminates the need to purchase additional ESXi licenses to add storage nodes vs traditional HCI platforms.
To scale, you add the node and run through a simple two step process. The node is then non-disruptively and seamlessly assimilated into the ESXi cluster or single storage pool. The same rule applies to a node failure. After replacing a failed node, the self-healing functionality of the cluster kicks in and brings the node back into the cluster with a short two step process.
Traditional HCI models are difficult to phase in and often require a full datacenter refresh. NetApp HCI leverages existing SAN/NAS switches and can present iSCSI storage to external servers for permanent use or to utilize a phase out approach.
Installation and Administration
With over 400 steps automated by the NetApp Deployment Engine (NDE), the NetApp HCI cluster is VM ready in under an hour. To deploy NetApp HCI, the user accepts the VMware and NetApp EULAs, sets the admin password, then enters the IP information for storage and VM networking. The HCI cluster then automatically installs the SolidFire Element OS on the storage nodes, installs VMware ESXi on the server nodes, deploys a new vCenter or alternatively integrates with an existing vCenter, then installs NetApp HCI management plugins and the lightweight management VM used for alerting, management, and phone home. The system is now fully VM ready.
NetApp HCI is integrated with vSphere eliminating the requirement to learn a new UI. The automatically injected NetApp HCI plugins allow administrators to add new volumes by selecting the size, performance SLA, and target hosts (how big, how fast, and who needs it). The volumes are then automatically created and presented to the appropriate resources. Alerting is further integrated giving users the ability to view storage related events directly through vCenter.
Advanced Storage Services
Simplicity is one of the key components to most HCI implementations. The tradeoff to simplicity usually means administrative capabilities are limited and unlocking advanced features is cumbersome. NetApp has considerably simplified their APIs and added what I think is a learning feature. Not only did NetApp consolidate and simplify their API commands, they added a checkbox to the GUI which will give administrators the API output. The administrator can then modify the API output to gain higher-level and repeatable management, orchestration, backup, and disaster-recovery options.
For even greater advanced functionality, NetApp HCI goes beyond SAN. ONTAP Select comes prepackaged and deployed at no additional CPU, memory, or storage cost. This gives organizations best in class NAS file services for advanced CIFS and NFS configuration and protection.
NetApp HCI storage is built on the SolidFire platform which was originally designed for cloud providers with multiple customers sharing the same infrastructure. Besides building in multitenancy, SolidFire added comprehensive Quality of Service (QoS) capabilities to guarantee performance of all tenants and workloads. NetApp HCI leverages QoS at the aggregate level or granular control at the VM level though the automated VVOL integration. Administrators can define and enforce performance guarantees with minimum, maximum, and burst settings for each volume or application independent of capacity.
Data Fabric Ready
It was also announced that SnapMirror will be added to NetApp HCI in the very near term. Administrators will soon be able to migrate data between NetApp portfolio products. In the near term, workloads will have the ability to be moved between or protected at endpoints between NetApp HCI, FAS/AFF, ONTAP Select, and ONTAP Cloud deployments. Below are the fundamental components of the NetApp Data Fabric ecosystem HCI can leverage:
- File services with ONTAP select
- Data protection with Snapshots and cloning capabilities
- Data Management and Monitoring with Active IQ and OnCommand Insight (OCI)
- Backup and recovery with Altavault, CommVault, or Veeam Snapshot integration
- Object services with Storage Grid
- Replication via SnapMirror
- October 1st, 2017Read More
The Cisco UCS platform has proven to be a leading enterprise solution for converging network and compute into one manageable system. The UCS Manager Graphical User Interface (GUI) allows users to manage an entire UCS domain, including the chassis, servers, and interconnects, from one central place, all while using a state of the art java-based UI. Wait, did you say java?
Like most vendors at the time, Cisco chose java as the basis for their management GUI. Now, I don't know about you, but I haven't come across anyone in the IT world that likes dealing with java. Incompatibilities between different architectures and versions have created an IT nightmare.
- September 29th, 2017Read More
Why Cisco ISE?
Ever wonder if it is possible to provide network access (wired, wireless and VPN) to departments within your company, yet restrict access to certain parts of the network to only specific departments?
Do you have a new corporate policy to allow "Bring Your Own Device" (BYOD) to work, where those devices will need access to the network, and you need enforce compliance to your company's security policy prior to providing access to the network?
Is there a need to lock down management access to your company's network infrastructure, offer appropriate authorization to the different teams managing the network, and provide detailed accounting regarding the commands entered?