Transcript of the presentation: Cisco Prime Infra, ISE and CMX
PI 3.0, ISE 2.0, CMX 10.2
Cisco Prime Infra, ISE and CMX
Jaroslav Čížek
Systems Engineer, Cisco
November 2015
Agenda
• Cisco Prime Infrastructure 3.0 & APIC-EM
• Securing the WLAN infrastructure - Cisco ISE 2.0
• Advanced WLAN features - Cisco CMX 10.2
Cisco Prime Infrastructure 3.0 & APIC-EM
Cisco Prime Infrastructure – Realizing the Vision of One Management
Campus, branch to DC; Day 0 to Day N; application centric
One Network: converged wireless & wired management with integrated best practices
One Management: automated deployment & simplified Day 2 operations
One Assurance: from users to applications and everything in-between
*requires Pro OVA or Gen2 hardware appliance
Lifecycle
Centralized lifecycle management - discovery, inventory, configuration, SWIM, and proactive/reactive monitoring
Advanced troubleshooting of wired and wireless infrastructure issues
Rapid device support through Device Packs for new Cisco® devices, routers, switches, controllers, access points, Nexus® technology, and more
Customizable configuration templates based on Cisco validated designs and guided workflows, including IWAN support
Cisco Unified Access™ management and client tracking
• Seamless integration with Cisco Identity Services Engine (ISE) for simplified troubleshooting
• Seamless integration with Cisco Mobility Services Engine (MSE) for location-based services, rogue detection, etc.
Enterprise Management 3.0 End-to-End Lifecycle Management
Compliance Baseline* – Audit device configurations
Assurance
End-to-end visibility for service-aware networking by applications, services, and end users
Out-of-the-box support for Cisco® advanced technologies, including AVC 2.0, NetFlow, Flexible NetFlow, NBAR2, Performance Agent, Medianet, and more
Service health dashboard allows quick health check on your business-critical applications
Simplified troubleshooting of applications and client access issues
Multi-NAM management
• Traffic analysis
• Application response time metrics
• Packet capture and decode
Enterprise Management 3.0 Application Experience and End User Experience
QoS configuration / monitoring applied to interfaces and class-based traffic patterns
Datacenter Management
Extends One Management – visibility of infrastructure and assurance from branches all the way through campus and data center
Cisco UCS B and C series – discovery, inventory of compute infrastructure and mapping that back to the network elements of the data center
Fault and Root cause analysis – identify and isolate the source of the problem. Helps pinpoint the issues to the right network or compute elements. Understand the impact of network problems on the compute infrastructure. Remediate the issues at their source
Availability and Performance – monitor the availability status of the UCS physical servers. Provides visibility into the UCS ports' health status and performance
Server 360 Degree view – concise and easy to consume server details accessible from anywhere in the product. Allows for quick troubleshooting
Datacenter UCS Server and VM Management
Ops Center
Distributed
• Supports up to 10 Prime Infrastructure instances
• Addresses geographic distribution, scalability, resiliency and visibility
• Single pane of glass monitoring with click-through management
Centralized
• Central view of assets, alarms and clients
• Single sign-on
• Dashlets aggregated from PI instances
• Central Virtual Domain Management – can add/delete domains from OpCenter
Scalable
• Consolidated view of network health
• Consolidated view of health of each PI instance
• Reports scheduling from one interface
Operations Center Centralized Visualization of Multiple PI Instances
Prime Infrastructure 3.0 – What’s new
Intuitive, mobile-friendly user interface
• Application Performance Overview
• Enterprise Voice with MS Lync integration
• Day 2 – Compliance Validation
• Day 0/1 – New Platforms Managed
• Client Troubleshooting Simplified
Modern User Interface
• Tablet friendly
• Metrics widgets
• Same Menu Structure as 2.2
• Correlated Charts
• Dashboard Export
• Dashboard Tagging for favorites
• Application visibility with service health dashboard
• QoS monitoring and management
• PfR monitoring
• DMVPN monitoring
• Device and Interface health statistics
• WAAS application monitoring with NAM integration
IWAN Monitoring with Prime Infrastructure 3.0
Cisco Enterprise Management Consolidation of Licensing / Features
Figure (licensing and features): Enterprise Management 3.x – SDN Management for the Enterprise; Lifecycle, Assurance, Foundation, Apps, Solution Apps; Cisco Prime Infrastructure 3.0 (Network Management); APIC-EM Controller (Application Centric Policy Based Management)
Cisco APIC-EM An Application Platform for Enterprise WAN and Access Networks
• Virtual (ISO VM) or appliance-based
• Provides user policy abstraction and automation
• Simplification of complex network configuration with Cisco® application best practices
• Existing and new installations (Catalyst®, ISR, ASR, WLC)
Ready-to-deploy applications (October 2015): IWAN (with a license), Plug-n-Play (free), Path Trace (free)
Benefits: brownfield support; ready-to-use applications; open, northbound API
APIC-EM Delivers IT Flexibility
Enabling Automation Through Innovative Management Principles
OPEN (A → B): Static → Programmable; Expert CLI → Policy + GUI; Greenfield → Brownfield + Greenfield
SIMPLE (A → B): Manual → Automated; Box-Centric → Network-wide; Provision in Months → Hours
The SDN Ideal: Controller as the Application Platform
Applications (Security, Orchestration, Automation, Collaboration, Virtualization) – network-wide abstractions simplify the network
REST API
Southbound abstraction layer: Catalyst®, Cisco Nexus®, ASR, ISR, Wireless, ASA, other
APIC-EM - Platform Architecture
APIC-EM Applications: Network PnP, Network Inventory, Path Trace, IWAN, Advanced Topology Visualizer
Northbound REST APIs
APIC-EM Controller – APIC-EM Services: Grapevine, Inventory Manager, RBAC, Policy Analysis, Policy Programmer, Network PnP, Data Access Service, Topology Services, IWAN Services
Elastic Service Infrastructure – addresses scale-out and HA requirements
APIC-EM Path Trace Application Accelerate Trouble-Ticket Processing
Flow: user trouble ticket → IT → Path Trace → network
Benefits: open architecture; network and applications monitoring; simple workflow; SDN
Easy visual discovery of trouble spots in the communication path based on 5-tuple info
OpEx for ticket processing decreased by 98%, from 1.6 hours to 1 minute
Path Trace App: Enhanced Application Flow Visibility
Figure: CAPWAP tunnel visualization; accuracy note (in a percentage); link source information; ingress/egress interface
• PI 3.0 uses the PnP and PKI services from the APIC-EM via REST API calls
• With this integration, all the actions are driven from PI – no need to log on to the APIC-EM GUI for PnP or PKI
• Add APIC-EM as a server within PI (Administration APIC-EM Controller)
PI integration with APIC-EM PnP and PKI
Enter the APIC-EM admin credentials for the REST API calls
Enable the APIC-EM global setting for PnP and PKI
Securing the WLAN infrastructure - Cisco ISE 2.0
Quick Reminder – What is ISE? A centralized security solution that automates context-aware access to network resources and shares contextual data
Figure: network resources with role-based policy access, traditional and TrustSec; BYOD Access, Secure Access, Guest Access, Role-based Access; identity, profiling and posture; context (who, what, when, where, how, compliant); the network "door"; ISE pxGrid controller
The Different Ways Customers Use ISE
Guest Access Management Easily provide guests limited-time, limited-resource Internet access
BYOD and Enterprise Mobility Seamlessly & securely onboard devices with the right levels of access
Secure Access across the Entire Network Simplify & unify enterprise network access policy across wired, wireless, & VPN
With Cisco TrustSec® Identity-aware Network Segmentation and Access Policy Enforcement
ISE 2.0 is Here ! Simplified Solution Deployment
• Support for non-Cisco Switches & Wireless Phase 1
• New TrustSec Workcenter, Matrix & Dashboard
• Out-of-Box Default Policies
Simplified Operations
• TACACS+ => Device Admin Work Center, ACS Migration Phase 1 (License Based: $4.5K)
• MDM Enhancements (multiple MDM, tighter Meraki int.)
• Posture Enhancements (e.g., disk encryption check)
• BYOD & Certificate Enhancements
• Endpoint Identity - Visibility
Integrated Threat Defense
• Fire & ISE; Adaptive Network Control
• Location integration via Mobility Services Engine
• Extending PxGrid integration with other partners
Enhance control with location-based authorization
What's new for ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) allows administrators to leverage ISE to authorize network access based on user location.
Location-based authorization: admin defines location hierarchy and grants users specific access rights based on their location.
Benefits
• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users
Capabilities
• Enables configuration of location hierarchy across all location entities
• Applies MSE location attributes in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on new location
With the integration of Cisco Mobility Services Engine (MSE), access for the Doctor role depends on the zone:
Lobby: no access to patient data
Patient room: access to patient data
Lab: no access to patient data
ER: access to patient data
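As an added illustration of the capabilities above (this is not ISE's policy syntax or code), the following model evaluates a first-match authorization policy against an MSE-style location hierarchy and performs the periodic location check, reauthorizing only when the resulting access actually changes. The hospital hierarchy, zone paths, role names, result names and the mse_lookup interface are constructed for the doctor/patient-data example on the slide.

```python
# Constructed location hierarchy, written as MSE-style paths
# (campus/building/floor/zone); names are hypothetical.
LOCATIONS = {
    "lobby":        "Hospital/MainBuilding/Floor1/Lobby",
    "er":           "Hospital/MainBuilding/Floor1/ER",
    "patient_room": "Hospital/MainBuilding/Floor2/PatientRoom",
    "lab":          "Hospital/MainBuilding/Floor2/Lab",
}

# Authorization rules as (role, location node, result); first match wins.
# A rule matches the named node and every location below it in the hierarchy.
RULES = [
    ("doctor", LOCATIONS["patient_room"], "patient-data"),
    ("doctor", LOCATIONS["er"],           "patient-data"),
]
DEFAULT_RESULT = "no-patient-data"   # lobby, lab and everything unlisted

def in_hierarchy(location, node):
    """True when location is the node itself or sits below it.
    The '/' boundary stops 'PatientRoom' from matching 'PatientRoomAnnex'."""
    return location == node or location.startswith(node + "/")

def authorize(role, location):
    """Evaluate the policy for a user role at a reported location."""
    for rule_role, node, result in RULES:
        if rule_role == role and in_hierarchy(location, node):
            return result
    return DEFAULT_RESULT

def make_session(mac, role, location):
    """Initial authorization when the endpoint joins the network."""
    return {"mac": mac, "role": role, "location": location,
            "result": authorize(role, location)}

def periodic_location_check(session, mse_lookup):
    """The 'check MSE periodically, reauthorize on new location' step.
    mse_lookup(mac) stands in for the MSE location query (assumed interface).
    Returns (current result, whether a reauthorization was triggered)."""
    current = mse_lookup(session["mac"])
    if current == session["location"]:
        return session["result"], False      # nothing moved, nothing to do
    session["location"] = current
    new_result = authorize(session["role"], current)
    reauthorized = new_result != session["result"]   # only if access changes
    session["result"] = new_result
    return new_result, reauthorized
```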
Enable Rapid Threat Containment With Cisco Firepower Management Center (FMC) and Identity Service Engine (ISE)
Rapid Threat Containment with FMC and ISE
What's new for ISE 2.0? Cisco Firepower Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.
Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSight and ISE integration
• Admit or deny access to contractor portal
Capabilities
• Detect threats early – FireSight scans activity and publishes events to pxGrid
• Automate alerts – leveraging ISE ANC to alert the network of suspicious activity according to policy
• New ISE and pxGrid ecosystem partners – leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE
Flow: 1. Corporate user downloads file. 2. FMC scans the user activity and file. 3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious. 4. Based on the new tag, ISE enforces policy on the network. 5. Access denied per security policy.
Easy, Affordable Guest Services
Cisco ISE Express Licensing Bundle – Enterprise Guest for Less with No ATP Requirement
Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE
The Offer: one ISE VM with ISE Base Licenses for 150 endpoints for single site deployment (non-distributed, no HA)
The Features: Guest, RADIUS/AAA, unlimited custom portals with ISE Portal Builder
The Price: $2,500 US list price*
*Current as of date of recording, May 8, 2015
Advanced WLAN features - Cisco CMX 10.2
Gain Insights & Innovate with Cisco CMX
Detect: presence and location detection; visibility (Wi-Fi, BLE)
Connect: easy Wi-Fi login, custom or social; zone-based, custom splash pages
Engage: app-based mobile engagement; context-aware in-venue experiences
Analytics (presence, location, social) – understand how people interact in the location:
• Number of people by venue and zones
• Peak time in venue
• New compared to repeat visitors
• Common traffic patterns
• Where people spend time
DETECT
CMX 10.2 - Analytics
Analytics
Presence – Maps & PI not required, easy set up, ideal for smaller deployments; lends nicely to ME customers
Social Analytics
Verticalization & Zone Tagging
Auto Report Generation
New Analytics Widgets
CMX 10.2 Presence Analytics
CMX 10.2 - New Analytics Widgets
• CMX version 10.2 adds three new Widgets that can be added to a custom Analytics report.
- Path
- Associated Status
- Dwell Time Breakdown
CMX 10.2 - Location Analytics
CMX 10.2 - Social Analytics
Enable Location-Specific Guest Access (CONNECT)
• Simplify access with user opt-in – offer clear terms and conditions
• Multiple access methods – custom or social media
• Customized access and promotion – proximity-based landing pages and video
• Understand who is in your location – enhanced analytics
Engage Consumers Using Location Services (ENGAGE)
• Work with Cisco and ecosystem partners to align to business needs
• Fully customizable applications with zone-based captive portals and enhanced advertising
• Location-aware app for personalized experience
• Integrate with business systems
Introducing the Cisco Hyperlocation Module
• Improved security coverage – integrated Wireless Security Module
• Centralized management – BLE and Wi-Fi visibility
• Angle of Arrival (AoA) triangulation – 1-3 m accuracy, <1 m with beacons
• Integrated BLE beacon – reduce BLE deployment size
• Enhanced FastLocate – faster refresh rates
MSE 10.x and WLC 8.1
Innovation: Angle of Arrival (AoA) = ~meter accuracy
• Different antenna elements hear the signal a little earlier/later than others, measured by the phase of the signal
• Favors line-of-sight, with stellar accuracy in the cone under the AP
Figure: AP antenna array, 90 degree cone, client, wavefront (rays with a common distance)
Each antenna element is a fraction of a wavelength closer/farther to the client than its neighbor, and the exact value depends on the client location (if underneath => 0, if side on => element spacing)
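To make the phase argument concrete, here is an added worked example (not code from the original presentation or from Cisco) for a linear array with element spacing d and carrier wavelength λ: the path difference d·sin(θ) between neighbouring elements, the phase it produces, the inversion back to an angle, the half-wavelength spacing condition that keeps the phase unambiguous, and why the same phase error becomes a larger angle error away from the cone under the AP. The 5 GHz carrier, 3 cm spacing and 0.1 rad phase error used below are assumed values.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light

def wavelength_m(freq_hz):
    """Carrier wavelength; at 5 GHz this is about 6 cm."""
    return C_M_PER_S / freq_hz

def path_difference_m(spacing_m, angle_deg):
    """Extra distance the wavefront travels to reach the next element.
    angle_deg is measured from straight down (0 = client underneath the AP,
    90 = client side-on), so the result runs from 0 up to the element spacing."""
    return spacing_m * math.sin(math.radians(angle_deg))

def phase_difference_rad(spacing_m, angle_deg, wl_m):
    """Phase shift between neighbouring elements for that path difference."""
    return 2.0 * math.pi * path_difference_m(spacing_m, angle_deg) / wl_m

def angle_from_phase_deg(phase_rad, spacing_m, wl_m):
    """Invert the measurement: estimate the arrival angle from a phase shift."""
    s = phase_rad * wl_m / (2.0 * math.pi * spacing_m)
    if abs(s) > 1.0:
        raise ValueError("phase shift not reachable with this geometry")
    return math.degrees(math.asin(s))

def is_unambiguous(spacing_m, wl_m):
    """Phase is only known modulo 2*pi; spacing above half a wavelength lets
    two different angles produce the same measured phase."""
    return spacing_m <= wl_m / 2.0

def angle_error_deg(phase_error_rad, spacing_m, wl_m, angle_deg):
    """Angle error caused by a given phase-measurement error. The 1/cos term
    is why accuracy is best in the cone under the AP and degrades side-on."""
    return math.degrees(phase_error_rad * wl_m
                        / (2.0 * math.pi * spacing_m
                           * math.cos(math.radians(angle_deg))))
```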
Data RSSI + Angle of Arrival: ~1-3 m accuracy, <5 seconds timeliness
Data RSSI Location – Monitor Module (NEW): ~5-10 m accuracy, ~5 second timeliness
Probe RSSI Location: ~5-10 m accuracy, ~40 sec timeliness
Cisco CMX Location Methods
CMX BLE Offering: BLE Aware (CMX 10.1 and above), BLE Capable (CMX 10.2 and above), BLE Gateway (future)
• Combined WiFi + BLE Location and Analytics
• Integrated BLE radio with Hyperlocation module
• Reduce number of beacons
• Transmit multiple UUIDs
• Use CleanAir to detect BLE
• Check Beacon Health
• Track Assets with BLE
• Alert on rogue beacons
Enhance Mobile Experiences with BLE
• Consolidated Wi-Fi & BLE management – configuration & provisioning*
• Enriched visitor analytics – supplement location analytics*
• BLE beacon monitoring – beacon health, rogue detection & alerts
• Inventory management – track assets with BLE
• Proximity messaging – BLE SDK* enabled application experiences
Use Case: Location Engagement with Beacons
1. AP deployed in contextual area, configured as specific Beacon.
2. User with context-aware mobile app walks by Beacon location.
3. App hears Beacon, alerts on lockscreen.
4. User launches app for location-related engagement.
5. (Optional) App communicates with backend systems for dynamic content or analytics.
Technical Capabilities of Cisco’s Enterprise CMX Optimized for Flexibility and Control
• Real-time analytics with 2-4 second initial display and refresh
• Real-time and historical analytics with archiving up to 10 years
• Deep API capabilities, including predesigned industry specific applications
• Multiple data source integration – Wi-Fi, iBeacon, video, enterprise systems, etc.
• Up to 1 square meter accuracy with FastLocate and Hyperlocation solution
Figure: Analytics – FastLocate: critical to actionable data (T=00s vs T=30s)
Technical Capabilities of Cisco’s Cloud-Managed CMX Optimized for Ease of Management
• Statistics on capture rate, engagement and appeal via intuitive, customizable graphs
• Built-in, centralized management with multi-site comparisons, from a single dashboard
• Out-of-the-box client proximity and presence information with full network visibility
• Cloud CMX Location API can provide client X,Y coordinates for user-created apps
• Unique integrated iBeacon capabilities provide proximity information