Tagging network elements simplifies network management.
I wrote a blog a few years ago, Device and Interface Tagging, in which I described the use of tags to identify the purpose of various network elements. A tag of “TAG:core-core” would identify an interface that connects one core device to another core device. Adding “TAG:dist” to the device’s SNMP Location string would identify a distribution device without needing to include that string in the device name. (Including the device purpose in the name may still be a good idea to help us work with the network.) These tags would be used to aid in grouping within the network management system. Network management configuration automation can then use these tags to automatically identify devices and interfaces that should have a specific configuration change applied. During troubleshooting, it allows someone to quickly identify which links are performing a given purpose. Multiple tags can be used, up to the limit of the space available in the description field. One caution: once automation keys off free-text tags, a mistyped tag silently drops an element out of its group, and anyone who can edit a description or location string can move an element into a group that receives a policy, so the tag vocabulary should be validated and the fields that carry it protected like any other configuration.
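As an added example (not code from the original post or from any NMS or APIC), the following Python script parses “TAG:” tokens out of interface descriptions and SNMP Location strings, groups elements by tag, flags tags outside an allow-list before automation acts on them, and expands a configuration template for every interface carrying a given tag. The inventory, the tag vocabulary and the exact token syntax are constructed assumptions for illustration.

```python
"""Group network elements by TAG: tokens in free-text fields.

Added example: the device inventory, the allowed-tag vocabulary and
the TAG: token syntax are constructed for illustration; they are not
taken from any network management system or from Cisco's APIC.
"""
import re
from dataclasses import dataclass, field

# A tag is "TAG:" followed by a name such as core, dist, core-core.
TAG_RE = re.compile(r"TAG:([A-Za-z0-9][A-Za-z0-9_-]*)")

# Allow-list of tags automation may act on (assumption: a typo such as
# TAG:cor-dist must be reported rather than silently ignored).
KNOWN_TAGS = {"core", "dist", "access", "branch", "wan",
              "core-core", "core-dist"}


def parse_tags(text: str) -> set[str]:
    """Return the set of TAG: tokens present in a free-text field."""
    return set(TAG_RE.findall(text or ""))


def unknown_tags(text: str) -> set[str]:
    """Tags present in the text but absent from the allow-list."""
    return parse_tags(text) - KNOWN_TAGS


@dataclass
class Interface:
    device: str
    name: str
    description: str          # interface description string

    @property
    def tags(self) -> set[str]:
        return parse_tags(self.description)


@dataclass
class Device:
    name: str
    snmp_location: str        # SNMP sysLocation string
    interfaces: list[Interface] = field(default_factory=list)

    @property
    def tags(self) -> set[str]:
        return parse_tags(self.snmp_location)


# Constructed inventory; the typo on dist1 Eth1/50 is deliberate.
INVENTORY = [
    Device("core1", "Bldg A, row 3 TAG:core", [
        Interface("core1", "Eth1/1", "to core2 Eth1/1 TAG:core-core"),
        Interface("core1", "Eth1/2", "to dist1 Eth1/49 TAG:core-dist"),
    ]),
    Device("dist1", "Bldg B, IDF 2 TAG:dist", [
        Interface("dist1", "Eth1/49", "to core1 Eth1/2 TAG:core-dist"),
        Interface("dist1", "Eth1/50", "to core2 Eth1/2 TAG:cor-dist"),
    ]),
    Device("br-rtr1", "Remote office TAG:branch TAG:wan", [
        Interface("br-rtr1", "Gi0/0", "ISP circuit TAG:wan"),
    ]),
]


def devices_with_tag(inventory: list[Device], tag: str) -> list[str]:
    """Names of devices whose SNMP Location carries the tag."""
    return [d.name for d in inventory if tag in d.tags]


def interfaces_with_tag(inventory: list[Device], tag: str) -> list[tuple[str, str]]:
    """(device, interface) pairs whose description carries the tag."""
    return [(i.device, i.name)
            for d in inventory for i in d.interfaces if tag in i.tags]


def tag_report(inventory: list[Device]) -> dict[str, set[str]]:
    """Elements carrying tags outside the allow-list; review before automating."""
    bad: dict[str, set[str]] = {}
    for d in inventory:
        if unknown_tags(d.snmp_location):
            bad[d.name] = unknown_tags(d.snmp_location)
        for i in d.interfaces:
            if unknown_tags(i.description):
                bad[f"{d.name}:{i.name}"] = unknown_tags(i.description)
    return bad


def render_change(inventory: list[Device], tag: str, template: str) -> dict[str, str]:
    """Expand a per-interface config template for every interface with the tag."""
    return {f"{dev}:{ifname}": template.format(interface=ifname)
            for dev, ifname in interfaces_with_tag(inventory, tag)}


if __name__ == "__main__":
    print("unknown tags:", tag_report(INVENTORY))
    print("branch devices:", devices_with_tag(INVENTORY, "branch"))
    for target, cfg in render_change(
            INVENTORY, "wan",
            "interface {interface}\n service-policy output WAN-QOS").items():
        print(target, "->", cfg.replace("\n", " / "))
```

Run the allow-list report before pushing any tag-driven change: the report is what catches dist1 Eth1/50, which a plain “apply to everything tagged core-dist” pass would quietly skip.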
I happily discovered this week that Cisco’s APIC (Application Policy Infrastructure Controller) provides for the use of tags on interfaces and devices. There are three short videos by Adam Radford on using the APIC REST API, and the second one describes setting the tag and location information for an interface and a device. Multiple tags can be applied, which makes them very useful. I don’t claim to have originated the use of tags, even though I came up with it independently. I’ve seen a few references to using tags after I came up with the idea and I am sure that I wasn’t the first.
APIC puts the tags to good use. The REST API allows a single configuration change to be applied to all elements that have a specified tag. Be careful, though. The REST API uses both “tag” and “scope” to reference a defined tag. The video I referenced above uses “tag”, while the Cisco Live session BRKCDN-2967 (San Francisco 2014), p. 37, uses “scope” to apply a QoS policy to all devices with the tag “branch”. (Note: It seems to me that the policy would be applied to interfaces, not devices, but since I’m just learning the REST API, I could very well be wrong.)
I’m happy about anything that improves our ability to manage networks. APIC’s tags and locations are a welcome addition that will be very beneficial.