Cisco switches: More security – even if there are no patches yet
Cisco releases new smart switches for the campus market and new Wi-Fi components.
- Benjamin Pfister
Cisco is launching a whole series of new products in the network area. These include new smart switches from the Catalyst 9000 series aimed specifically at campus environments. At the beginning of the year, Cisco had already announced the Nexus 9000 Smart Switches for the data center, developed in cooperation with AMD Pensando. With the new models, Cisco wants to bring its Hypershield security solution to the edge of the network to gain better control over traffic between end devices. Cisco also presented a Wi-Fi Campus Gateway and Wi-Fi 7 access points for environments with a high density of users.
The first two models are the non-modular Catalyst 9350 Smart Switches for the access layer and the modular Catalyst 9610 Smart Switches for the core and distribution layers. Both are based on Cisco's unified Silicon One architecture. Specific application slices of the ASIC are programmable, so that selected applications can run directly on the ASIC; a coprocessor is also on board.
Network security with Hypershield
As an application example, Cisco cites the Hypershield security solution, which is intended to run as an agent on these switches. If a component has a security vulnerability for which no patch is available yet, or until the patch has been applied, Hypershield is to enforce segmentation policies at switch level as a so-called compensating control that blocks the traffic patterns an attacker would use. Such a control does not remove the vulnerability itself but only limits the reachability of the vulnerable service, so the patch still has to be applied afterwards. The switches thus serve as enforcement points in Cisco's UZTNA framework (Universal Zero Trust Network Access). For particularly sensitive data streams, Cisco now also offers a so-called Security Service Insertion function, with which traffic can be selectively redirected to specialized Next-Generation Firewalls with Layer 7 intelligence, for example an integrated IPS. This is meant to make the best use of the available security and network resources. There are also integrations with the ThousandEyes and Splunk platforms to improve visibility into network and application performance as well as security.
In addition to these features, the switches bring a few changes compared to their direct predecessors in the 9300 and 9600 series. The 9350 switches come in a single rack unit (1U) and now support UPoE+ at up to 90 watts per port (802.3bt Class 8) as well as MultiGigabit Ethernet at up to 10G on the downlinks and uplinks of up to 100G, to meet the increased bandwidth and performance requirements in the Wi-Fi environment. VXLAN is not supported on these switches. The switches are also expected to support post-quantum-resistant algorithms for MACsec, IPsec and WAN MACsec link encryption.
The Catalyst 9610 is a modular chassis with 10 slots in 18 rack units (18U). Each slot is designed for up to 6.4 Tbit/s of throughput. At over 120 kg, one would rather not be the integrator who has to lift it into the rack. The switch supports two redundant supervisors and StackWise Virtual for combining two chassis into one logical switch. On the port side, it offers up to 256 × 100G QSFP28 or 16 × 400G QSFP-DD ports. It also comes with eight power supply units and four fan units. According to the data sheet, it supports 8 GByte of QoS buffer with hierarchical QoS, 256-bit MACsec and VXLAN for Cisco's Software Defined Access (SDA) or BGP EVPN environments. Both switch families run the established IOS-XE operating system.
Wi-Fi 7 from Cisco
Another new product is Cisco's CW9179F Wi-Fi 7 access point series. It is intended in particular for environments with a high density of users, such as stadiums. For this purpose, it can adapt its coverage via software-controlled beam switching: the radio coverage can be switched between three different patterns, which is meant to let the access point adjust dynamically in environments where user behavior and device distribution change constantly. It has two 4x4:4 radios in the 5 GHz band and one 4x4:4 radio each in the 2.4 and 6 GHz bands, with directional rather than omnidirectional antennas. It also offers two 10G uplinks to the switch for redundancy and link aggregation.
With the introduction of the Cisco Campus Gateway, customers who previously used on-premises controllers with centralized traffic forwarding can switch to the Meraki platform without having to change their network architecture. The access points tunnel the traffic to the central Campus Gateway, which then forwards it centrally; previously, only local breakout at the access point was possible. Up to 5000 access points and 50,000 clients are supported. The solution looks particularly interesting for guest WLANs, whose traffic can be tunneled into a dedicated WLAN DMZ.
Standardized management
Cisco is also unifying management: a new common interface is being introduced for on-premises and Meraki cloud management. This is a further step toward harmonization that customers had been expecting, after the access points and license models had already been aligned.
(olb)