Just deployed SD-WAN on Cisco NFVIS … feeling cute, idk might delete later and redeploy something else…

Liam Keegan
5 min read · Jan 22, 2020
A completely untouched picture of me and an ENCS 5412. #nofilter

I’ve found my new favorite platform for branch infrastructure. I’m talking about the Cisco ENCS 5400 appliance, paired with Cisco’s NFVIS virtualization software.

Who should read this article? Financial, retail and other multi-location organizations that want to simplify and standardize their branch infrastructure while at the same time making it much easier to react to business curve-balls. If you’d like to discuss this possibility for your organization, let’s book a time.

There are two things here to explain:

  • Cisco ENCS 5400: This is a hardware virtualization appliance. It’s a 1U box and comes in a variety of memory and processor configurations (the lower-spec configuration is the Cisco ENCS 5100; you can find all relevant information on the data sheet).
ENCS-5412–1U with 8 LAN ports, 2 WAN ports, 1 NIM slot and 2 Hard Drive modules
  • Cisco NFVIS (Network Functions Virtualization Infrastructure Software). That’s a mouthful. NFVIS is a KVM-based hypervisor plus a management layer (CLI, REST and NETCONF APIs) designed to run virtualized network function images. NFVIS can be run on an ENCS platform, as well as on UCS servers.

With a traditional branch router (or SD-WAN gateway), you’re limited to just that box’s functionality. An ISR router is an ISR router. A PAN firewall is a PAN firewall. When your business requirements change, you’re rolling a truck. With ENCS+NFVIS, a curveball means deploying a new VM, not a new box.

Why for a branch?

I like the ENCS platform because it has everything you need for a branch and nothing more. I believe that 90% of organizations need a router/SD-WAN gateway, maybe a firewall, and maybe a local utility server.

Even with an SD-WAN, adding a 4G backup connection usually makes sense. With the ENCS platform, you can add a 4G NIM, without an external router.

If you’re running one-off NIM cards in your ISRs, this topology may require you to make some compromises: move FXO interfaces to SIP, convert FXS ports to ATAs, and so on. Everything in this business is about choice and compromise, so the flexibility you gain may outweigh the cost of changing the form factor of those supplementary services.

The ENCS-5100 has a smaller desktop footprint and reduced specs, at a lower price point.

But all I need is a router!

With the ENCS, you get that, and more if your business demands ever change! At heart, ENCS is a virtualization platform. Need a router? Install Cisco ISRv. Want a firewall? No problem... FTDv. Have a Cisco SD-WAN? Deploy a Viptela image.

By decoupling, you increase flexibility.

Think about this: you’re doing a significant upgrade. Instead of modifying production infrastructure, you set up your new router/firewall in parallel, then flip to it. Something goes wrong? Just change back. A/B testing for your network!

Flip flop between VMs. Does it get any better than that?

Here’s where this gets awesome… look at all the non-Cisco stuff you can deploy.

  • Want to deploy a local Microsoft Windows 2019 Core branch server? No problem, just load the ISO.
  • Deploying Palo Alto firewalls? There’s an image for that.
  • Bob from Marketing is hounding you about installing an Ubuntu server for digital signage? Go for it.
  • Do you need separate “stuff” for HIPAA, PCI or SCADA separation? Give it a dedicated Ethernet port and its own NFVIS bridge/network so it never shares a segment with the rest of the branch, and you’re done.

Need more awesome? Let’s automate!

The NFVIS platform is designed to be zero-touch provisioned and has a full suite of APIs to manage the environment. If your team is configuring these boxes via console cable, you’re leaving a lot of efficiencies on the table. Let’s look at a real-world example using a bank.

Use Case: A 200-branch financial institution with Cisco SD-WAN (Viptela) and a Firepower appliance for guest Internet.

Let’s look at a next-gen deployment for BankCo, who go all-in on the ENCS platform.

BankCo’s vendor (24/7 Networks, of course!) sends a spreadsheet with all the serial numbers of the ENCS units. Plug and Play (PnP) configuration templates are generated that configure each chassis, keyed by serial number, with:

  • CIMC and system management services, including logging, TACACS and SNMP
  • Virtual network configurations for a dual-NIC outside and single LAN inside configuration.
  • NFVIS software version and image

After the NFVIS software running on the ENCS is in a known-good state (verified by making API queries against the unit), we start the deployment process.

  • Both the vEdge and FTDv gold images are downloaded from the local deployment server.
  • The local deployment server sends device information to both vManage and Firepower Management Center (FMC) for the new virtual devices.
  • The local deployment server sends NFVIS API commands to spin up a vEdge and FTDv virtual machine, with the IP addresses of vManage (for the SD-WAN image) and FMC. The virtual machines register to their respective management systems and they download their application configuration right from those platforms.
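The three steps above in code, as an added example that is not part of the original post or Cisco’s tooling. It checks the platform state over the NFVIS REST API, verifies the gold image against a pinned SHA-256 before anything is registered (the check a supply-chain-minded practitioner would add), and then POSTs a vm_lifecycle deployment whose day-0 variables carry the vManage/FMC addresses. The REST paths follow Cisco’s published NFVIS API (confirm them against your release); the PID/version values, network names, day-0 variable names and the offline fake client are constructed for illustration.

```python
"""Added example (not the author's code): ENCS bring-up via the NFVIS REST API.
REST paths per Cisco's published NFVIS API; all names/values below are hypothetical."""
import base64
import hashlib
import hmac
import json
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

PLATFORM_PATH = "/api/operational/platform-detail"
DEPLOYMENTS_PATH = "/api/config/vm_lifecycle/tenants/tenant/admin/deployments"


class HttpNfvisClient:
    """Stdlib client: TLS verified against the org CA bundle, credentials from the environment."""

    def __init__(self, host, ca_bundle):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context(cafile=ca_bundle)   # never verify=False in prod
        user, pw = os.environ["NFVIS_USER"], os.environ["NFVIS_PASS"]  # never hardcode creds
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/vnd.yang.data+json"}

    def get(self, path):
        req = urllib.request.Request(self.base + path, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as r:
            return json.load(r)

    def post(self, path, xml_body):
        hdrs = dict(self.headers, **{"Content-Type": "application/vnd.yang.data+xml"})
        req = urllib.request.Request(self.base + path, data=xml_body, headers=hdrs, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as r:
            return r.status


def platform_is_known_good(detail, expected_pid, expected_version):
    """Step 1: the PID and NFVIS version must be what the PnP template was built for."""
    hw = detail["platform_info:platform-detail"]["hardware_info"]
    return hw["PID"] == expected_pid and hw["Version"].startswith(expected_version)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_matches_pin(data, pinned_hex):
    """Step 2: refuse a gold image whose hash does not match the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def build_deployment_xml(name, image, flavor, networks, day0_vars):
    """Step 3: vm_lifecycle deployment; day-0 variables are rendered into the VM bootstrap."""
    dep = ET.Element("deployment")
    ET.SubElement(dep, "name").text = name
    grp = ET.SubElement(dep, "vm_group")
    ET.SubElement(grp, "name").text = name
    ET.SubElement(grp, "image").text = image
    ET.SubElement(grp, "flavor").text = flavor
    ET.SubElement(grp, "bootup_time").text = "600"
    ifaces = ET.SubElement(grp, "interfaces")
    for nicid, net in enumerate(networks):            # nicid 0 = int-mgmt-net by convention
        itf = ET.SubElement(ifaces, "interface")
        ET.SubElement(itf, "nicid").text = str(nicid)
        ET.SubElement(itf, "network").text = net
    cfg = ET.SubElement(ET.SubElement(grp, "config_data"), "configuration")
    ET.SubElement(cfg, "dst").text = "day0-config"
    for key, val in day0_vars.items():
        var = ET.SubElement(cfg, "variable")
        ET.SubElement(var, "name").text = key
        ET.SubElement(var, "val").text = val
    return ET.tostring(dep)


def bring_up(client, image_blob, pinned_sha256):
    """Whole sequence. Fails closed: nothing is posted unless steps 1 and 2 pass."""
    if not platform_is_known_good(client.get(PLATFORM_PATH), "ENCS5412/K9", "3.12"):
        raise RuntimeError("ENCS not in the expected state; refusing to deploy")
    if not image_matches_pin(image_blob, pinned_sha256):
        raise RuntimeError("gold image hash mismatch; stale or tampered image")
    posted = []
    for name, day0 in (("vedge-branch", {"VMANAGE_IP": "10.0.0.10", "ORG_NAME": "BankCo"}),
                       ("ftdv-guest", {"FMC_IP": "10.0.0.20", "REG_KEY": "from-vault"})):
        body = build_deployment_xml(name, f"{name}-gold", f"{name}-flavor",
                                    ["int-mgmt-net", "wan-net", "lan-net"], day0)
        client.post(DEPLOYMENTS_PATH, body)
        posted.append(name)
    return posted


class FakeNfvisClient:
    """Constructed stand-in so the example runs offline (shape follows platform-detail JSON)."""

    def __init__(self, version="3.12.3-FC4", pid="ENCS5412/K9"):
        self.detail = {"platform_info:platform-detail": {"hardware_info": {"PID": pid, "Version": version}}}
        self.posts = []

    def get(self, path):
        return self.detail

    def post(self, path, body):
        self.posts.append((path, body))
        return 201


if __name__ == "__main__":
    blob = b"constructed vedge gold image bytes"
    print(bring_up(FakeNfvisClient(), blob, sha256_hex(blob)))
```

Swap `FakeNfvisClient` for `HttpNfvisClient(host, ca_bundle)` to run it against a real unit; the fail-closed order (platform check, then hash check, then POST) is the part worth keeping, since an unverified image registered onto a box in an unknown state is exactly how one bad template fans out to 200 branches.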

At this point, it doesn’t matter if BankCo deploys one or one thousand ENCS systems. In traditional deployments, the hard part is getting to the finish line. With an automated deployment, all the work goes into getting the first one out the door. After that, it’s just a matter of scale.

Lather. Rinse. Repeat.

In Summary

When it comes time to look at branch refresh, take a peek at ENCS + NFVIS and see if it’s the right fit for your organization and the business needs. There are some drawbacks, and the cost may not be at par, but you may gain operational efficiencies that make it worth it as your organization changes and evolves.

If you’d like to discuss this as an option for your organization, book 30 minutes on my calendar. Let’s virtually whiteboard to see if it makes sense for you and your team. No pressure, no pitch.

And, seriously, that picture is untouched. Seriously. I mean it. Seriously.

No more console cables, people.


Liam Keegan

Data center/security/collab hack, CCIE #5026, focusing on automation, programmability, operational efficiency and getting rid of technical debt.