Trends in Enterprise Networking

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved.

PUBLIC INFORMATION

Trends in Enterprise Networking Dave Cronberger (Cisco Systems), Xuechen Yang (Cisco Systems)

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 2

Agenda

Cisco TrustSec – Enable Identity-aware Network

SDN – Software Defined Networking


Control and Data Plane resides within Physical Device

The Network Paradigm as We Know it…


Software defined networking (SDN) is an approach to building computer networks that separates and abstracts elements of these

systems

What is SDN? (per Wikipedia definition)

Defining SDN


In other words…

In the SDN paradigm, not all processing happens inside

the same device

The SDN Paradigm


What did this “SDN” thing come from?

6

Stanford University – Clean Slate Project

http://cleanslate.stanford.edu/

“…explore what kind of Internet we would design if we were to start with a clean slate

and 20-30 years of hindsight.”




… Clean Slate led to the development of …

7

OpenFlow


OpenFlow is a Layer 2 communications protocol that gives access to the forwarding plane of a network switch or router over the

network

What is Openflow? (per Wikipedia definition)

Define Openflow


Four parts to Openflow

Let’s take a closer look at Openflow …


Central Administration and Operations

point for Network Elements

Openflow Controller


Northbound API Integral part of

Controller

“Network enabled” application can make use

of Northbound API to request services from the

network…

Controller Northbound API


Agent runs on the network device

Agent receives

instructions from Controller

Agent programs

device tables

Openflow Device Agent


Openflow Protocol is…

“A mechanism for the Openflow Controller to communicate with Openflow Agents…”

Openflow Protocol


Google has been using Openflow to drive their Wide Area Network since January 2011

http://www.eetimes.com/electronics-news/4371179/Google-describes-its-OpenFlow-network

Google’s SDN Network


Open Network Foundation

15

Non Profit Consortium Dedicated to “the transformation of networks through SDN”

Mission to “commercialize and promote SDN…as a

disruptive approach to networking…”

Open Network Foundation


Software Defined

Networking

Openflow is one flavor of SDN

Openflow Does Not Equal SDN

Software Defined

Networking

Openflow


Virtual Overlays

17

Multiple “overlay” networks can co-exist at

the same time

Overlays provides logical network constructs for different

tenants (customers)


Cisco’s ACI (Application Centric Infrastructure)

18

Copyright © 2014 Rockwell Automation, Inc. All Rights Reserved. 19

Agenda

Cisco TrustSec – Enable Identity-aware Network

SDN – Software Defined Networking


Challenges with Enterprise Security and Access Control Policy

20

Protected assets are defined by their network connection

• Policies are statically and manually configured

• Rules are based on network topology (subnets, addresses)

• IP Address does not provide user context or meaning

Method does not facilitate key Business / IT requirements like:

• Frequent organizational changes

• Mobile workforces

• Device choice

• Virtualization


Introduce Cisco TrustSec

21


access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780 access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611 access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606 access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005 access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199 access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782 access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526 access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959 access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810 access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231 access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679 access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025 access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968 access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167 access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422 access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479 access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28 access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481 access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631 access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663 access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388 access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652 access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851 access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392 access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861 access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794 access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748 access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356 access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327 access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286 access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191 access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721 access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716 access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533 access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539 access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570 access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754 access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486 access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428 access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511 access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945 access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116 access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959 access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993 access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848 access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878 access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111 access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878 access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467 access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780 access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611 access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606 access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005 access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199 access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782 access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526 access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959 access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810 access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231 access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679 access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025 access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968 access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167 access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422 access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479 access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28 access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481 access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631 access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663 access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388 access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652 access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851 access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392 access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861 access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794 access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748 access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356 access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327 access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286 access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191 access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721 access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716 access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533 access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539 access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570 access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754 access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486 access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428 access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511 access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945 access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116 access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959 access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993 access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848 access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878 access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111 access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878 access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

22

Simplified Access Management

Accelerated Security Operations

Consistent Policy Anywhere

• Manages policies using plain language

• Control access to critical assets by business role

• Maintain policy compliance

• Segments networks using central policy management

• Enforces policy on wired, wireless & VPN

• Scales to remote, branch, campus & data center

• Quickly onboard servers

• Speed-up adds, moves and changes, eliminate many

• Automate FW & ACL administration

Traditional Security Policy

Taking Complexity out of Network Security


Traditional Security Administration

23

Adding destination Object

Adding source Object

ACL for 3 source objects & 3 destination objects

permit NY to SRV1 for HTTPS deny NY to SAP2 for SQL deny NY to SCM2 for SSH permit SF to SRV1 for HTTPS deny SF to SAP1 for SQL deny SF to SCM2 for SSH permit LA to SRV1 for HTTPS deny LA to SAP1 for SQL deny LA to SAP for SSH

Permit SJC to SRV1 for HTTPS deny SJC to SAP1 for SQL deny SJC to SCM2 for SSH permit NY to VDI for RDP deny SF to VDI for RDP deny LA to VDI for RDP deny SJC to VDI for RDP

A Global Bank dedicated 24 global resources

to manage Firewall rules currently

Complex Task and High OPEX continues

Traditional ACL/FW Rule

Source Destination

NY

SF

LA

DC-MTV (SRV1)

DC-MTV (SAP1)

DC-RTP (SCM2)

NY

10.2.34.0/24

10.2.35.0/24

10.2.36.0/24

10.3.102.0/24

10.3.152.0/24

10.4.111.0/24

…. SJC DC-RTP (VDI)

Production

Servers


Security Administration with TrustSec

24

Permit Employee to Production_Servers eq HTTPS Deny Employee to Production_Servers eq SQL Deny Employee to Production_Servers eq SSH Permit Employee to VDI eq RDP

Deny BYOD to Production_Servers Deny BYOD to VDI eq RDP

Policy Stays with Users / Servers regardless of location/topology

Simple to define, Audit, and Manage

Less operational effort and faster to deploy new services

Security Group

Filtering

NY

SF

LA

DC-MTV (SRV1)

DC-MTV (SAP1)

DC-RTP (SCM2) SJC DC-RTP (VDI)

Production

Servers

VDI Servers

BYOD

Employee

Source SGT:

Employee (10)

BYOD (200)

Destination SGT:

Production_Servers (50)

VDI (201)


Flexible Classification for SGT

25

VLAN-SGT

IP-SGT

Port

Profile

Port-SGT

IPv4 Prefix

Learning

IPv6 Prefix

Learning IPv6 Prefix-

SGT

IPv4 Subnet-SGT

802.1X

MAB

Web

Auth

Profiling

SGT

SGT

Addr.Pool-SGT

VLAN-SGT

Data Center/

Virtualization

User/Device/Location

Cisco access layer

ISE

NX-OS/

CIAC/

Hypervisors

IOS/Routing

Campus

& VPN Access

non-Cisco

& legacy env

Business Partners & Supplier access controls

SGT

• TrustSec decouples network topology and security policy to simplify access control and segmentation

• Classification process groups network resources into Security Groups


SGT Propagation

26

Wired

Access

Wireless

Access

DC Firewall

Enterprise

Backbone

DC

Virtual

Access Campus Core DC Core

DC

Distribution

Physical

Server

Physical

Server

VM

Server

VM

Server

DC

Physical

Access

SGT 20

SGT 30

IP Address SGT SRC

10.1.100.98 50 Local

SXP IP-SGT Binding Table

SXP

SGT = 50

ASI

C

ASI

C

Optionally Encrypted

Inline SGT Tagging

SGT=50

ASI

C

L2 Ethernet Frame

SRC: 10.1.100.98

IP Address SGT

10.1.100.98 50 SXP

Non-SGT

capable


Typical TrustSec Deployments

27

Enhanced network role-based access control

Controlled access to compliance-critical assets

Context-based classification facilitating BYOD access control

Improved scale compared to IP-based ACLs

Flexible network segmentation

Segmentation to support compliance needs

Allow shared services with user segmentation

User-to-user malware propagation control

Lines of Business / Extranet access control

Zero Touch Firewall rule provisioning


Securing Your BYOD with TrustSec

28

Segmentation using Security

Group, independent from

topology

Offload filtering to ASA for rich

and scalable policy rule

automation

Simplified network design,

lowering operational cost

WLC

CAPWAP Tunnel

Internet VLAN

BYOD Tag

POS Tag

Audit Tag

SGACL/FW

Device

ISE

BYOD Device Audit

DC-PCI-DB

DC-PCI-Web

Local PCI

Server

Payment System

Source Destination Action

IP Sec Group IP Sec Group Service Action

Campus WLAN BYOD Device Any Internet HTTP Allow

Any Payment

System

Any DC-PCI-Web,

Local PCI Server

HTTPS Allow

Any Audit Any DC-PCI-DB TCP Allow

Any Any Any Any Any Deny

Single VLAN


Campus User Segmentation

29

Voice Employee Guest Quarantine

Employee Tag

Supplier Tag

Guest Tag

Quarantine Tag

Data Center

Firewall

Voice

Building 3

Data VLAN

Campus Core

Data Center

Main Building

Data VLAN

Employee Quarantine

Enforcement is based

on Security Group,

even for

communication in

same VLAN

Employee

Supplier

Guest

Employee SRC

DST Supplier Remed. Internet

✗

✗

✗

✔ ✗

Quarantine ✗ ✗ ✗ ✗ ✔

✔

✔ ✗

✔ ✗

✔

Access Layer

Employee


Cisco TrustSec Summary

30

Efficient

Simplifies implementation of security policy

Highly scalable & Inline rate

Simplifies Data Center network design

Secure

Embed security within the infra

Enforcement based on rich context

Solution simplicity enables end-to-end approach

Demonstrable ROI

Reduces ACL and VLAN complexity & maintenance

Automates FW policy

Improve both performance & availability


IPV6 is Happening

Ever So Slowly

31


So What’s Your Address?

Sta

tus

Why everyone is quiet on IPv6 ?

Going forward

What is it Where will it start


Why everyone is quiet on IPv6?

Enterprises find no panic condition to adopt IPv6

Migration to IPv6 is not into the priority list of decision makers

End consumer lacks readiness of IPv6

Governments lagging in their deployment targets

Lots of doubts and fear regarding adoption of IPv6

Conversation around IPv6 is low..


Why everyone is quiet on IPv6? Short government initiatives, and no urgent need

Source: Current Analysis (August, 2013), ITU, Tech Target, IT Business Edge, Caribbean Network Operators Group

• Even after the exhaustion of IPv4 address, service providers and enterprises are in no hurry for IPv6 Enterprises are not finding in any reason to migrate on IPv6 network, as till date IPv4 works

well both inside and outside the enterprise network With various technologies such as NAT, enterprises holds the power of sticking to IPv4 until

there is a compelling reason to migrate

• Availability of IPv4 transfer policies between inter and intra RIR’s (Regional Internet Registry) has further delayed the necessity for adoption of IPv6

• IPv4 to IPv6 migration is still pretty low on the priority list of network administrators – Current Analysis, August- 2013

• Outside of telco’s and technology companies, moving to IPv6 is rarely high on corporate IT agendas – Deloitte, April-2013

• Decision makers are finding themselves resistant to change as: Migration seems to be more of technology requirement not business requirement Lack of skilled manpower Not ready to share pie from shrinking IT Budgets

• Realization of actual need of IPv6 with newer technologies such as IoT, SDN, Cloud, etc. is still not felt

• Federal agencies are lagging far behind the supposed deadlines to upgrade their websites for IPv6

• Government agencies, facing budget constraints, have missed deadlines for migration – Deliotte, April-2013

• IPv6 deployment targets are missing because No regulatory and economic incentives to encourage IPv6 adoption No efforts to support and promote awareness and educational activities

http://www.itu.int/ITU-D/asp/CMS/Events/2013/PacificForum/ITU-APT-S4_Paul_Wilson.pdf

http://searchenterprisewan.techtarget.com/tip/IPv6-firewall-security-Fixing-issues-introduced-by-the-new-protocol

http://www.itbusinessedge.com/blogs/data-and-telecom/comcast-ipv6-and-sdns-moving-the-internet-into-the-future.html

http://www.caribnog.org/articles/2013/3/9/addressing-ipv6-in-the-caribbean


Why everyone is quiet on IPv6?

Lack of readiness and doubtful state is difficult to overcome

Source: Heavy Reading (March, 2013), Network Computing, GCN,

Deloitte,

• Much of the consumer electronics industry lacks the readiness of IPv6. Unfortunately, most consumers are not aware of these incompatibility issues Many older equipment's such as cable modems, digital set-top boxes,

home routers, smart TVs, DVD players, Blu-ray players, gaming consoles, and other devices that uses IPv4 protocol lacks IPv6 capability

• Consumer electronics industry should follow the lead and show greater support for IPv6 by churning out more IPv6-ready devices

• Currently, there is no rush from end consumers to migrate on IPv6 network, so no motivation for service providers for migration

• The principal challenge for operators is that IPv6 does not have direct backward compatible with IPv4 – Heavy Reading, March-2013.

• Fear of handling different types of network at same time, as SP/ISPs will have to maintain IPv4 operations with legacy equipment's, while adding IPv6 to the mix.

• Other than legacy IPv4 supported equipment's, IPv6 providers also need to revamp their software element

• Security complications in maintaining firewalls which are both IPv6 and IPv4 compatible

• Increase in security threat with auto-configuration feature of IPv6

http://www.networkcomputing.com/ipv6/ipv6-adoption-on-the-rise/240159963

http://gcn.com/articles/2013/12/12/ipv6.aspx

http://deloitte.wsj.com/cio/2013/04/12/why-its-time-to-migrate-to-ipv6/


Going Where?

Pro

ject

sco

pe


Going forward



Going forward Implementation of IPv6 has been a marathon not a sprint race

Source: Heavy Reading (March, 2013) Current Analysis (August, 2013), IT

Business edge, GCN End-consumers need to get upgraded or replace their huge legacy electronics equipment, which is supporting IPv4 protocol but not IPv6 Status– End consumers are least motivated for migration to IPv6 supported equipment's

CDN and web hosting companies are required to increase IPv6-enabled content. Status– Number of people in the industry planning to implement IPv6 has increased, so IPv6 supported content for these users need to be ready

More professional services from service providers and IPv6 skilled workforce by enterprises is desired Status– Decision makers finding themselves resistant to adopt to IPv6 because of scarce skills



http://gcn.com/Articles/2013/12/12/IPv6.aspx?Page=2


What is it Where will it start?

Pro

ject

sco

pe


Going forward



What is it?

Service IPv4 IPv6

Addressing Range 32-bit, NAT 128-bit, Multiple Scopes

IP Provisioning DHCP SLAAC, Renumbering,

DHCP

Security IPSec IPSec

Mobility Mobile IP Mobile IP with Direct

Routing

Quality-of-Service Differentiated Service,

Integrated Service Differentiated Service,

Integrated Service

Multicast IGMP/PIM/MBGP MLD/PIM/MBGP, Scope

Identifier


340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 Address Space - 340 Trillion Trillion Trillion)

vs

4,294,967,296 (IPv4 Address Space - 4 Billion)

.

Antares 15th Brightest star in the sky

Our Sun

You said it was how many?

Let’s assume our Sun represents 4 Billion Addresses

The IPv6 Address space would approach the size Antares

In fact, a proper comparison would be to compare Antares

with a Telephone Box


What does it look like?

16-bit hexadecimal numbers

Numbers are separated by (:)

Hex numbers are not case sensitive

Abbreviations are possible

• Contiguous blocks of zeros could be represented by (::)

Example: 2001:0db8:0000:130F:0000:0000:087C:140B

2001:0db8:0:130F::87C:140B

Double colon can only appear once in the address

• Leading zeros in a block can be omitted

Example: 2001:0db8:00e2:0300::087C:140B

2001:db8:e2:300::87C:140B


More then this will take a day…

Addresses are assigned to interfaces

Interface “expected” to have multiple addresses

Addresses have scope

Link Local

Unique Local

Global

Source Address Selection Algorithm selects source IP with scope ≥ than

scope of destination address

Addresses have lifetime (advertised via RA or DHCP)

Valid and preferred lifetime

Link Local Unique Local Global


Bring Your Own…..?

This is really more about Wireless

Cooperate with IT or prepare to face failure

Device Management - MDM

Device Security – Integrated

This is why IPV6 will happen!


BYOD Use Cases

44

Differentiated Services, On-Boarding Securely

Personal and Corporate Devices

Deny Some Devices

Focus on Basic Services,

Guest Access

Broader Device Types

Internet Only

Posture from Mobile Device Management

Any Device, Any Ownership

MDM Compliance

LIMITED ADVANCED ENHANCED BASIC/GUEST

Environments with Tight Controls

Only Corporate Devices

IT Whitelist


AP AP AP AP

Services & Policies

Mgmt & Policy Architecture Outcomes: Scale and performance for ubiquitous wireless (20X)

Local traffic switching to avoid hair-pinning

Unified Policy for Wired and Wireless

Architected for HA

Brings new feature set to Wireless

CAPWAP (Data, Ctl)

Mobility, Mgmt

5508 / WiSM2

Software upgrade

Improving Mobile Experience Converged Wired/Wireless


Integrated security & MDM Integration - Scope

Enrollment: (IS)-orchestrated to simplify user experience

o Non registered clients redirected to MDM registration page

o Non compliant clients will be given restricted access

Daily Access: network+device

o Update data from endpoint which can be tied into access policy

De-enrollment: Ability to Initiate Device Action from

ISE

o Device stolen -> need to wipe data on client Cisco MCMS


Improving Mobile Experience WLAN Rate Limiting & QoS Prioritization

In combination with QoS

Helpful to prevent Guest WLAN traffic (or other less critical traffic) from

overrunning the WAN

Significant customer issue for customers due to BYOD and Mobile

Device explosion!

Wired Clients w/LAN traffic

Wireless Clients w/LAN traffic

Downstream

Upstream

Rate Limited

Both Upstream and Downstream traffic is rate limited by the AP


Integration with Virtualization Clients

Virtualized App Environment

Application Virtualization Client

Application Portability:

Delivering legacy/non-native apps to broad device set

Example: iPad does not support an application natively

Data Loss Prevention:

Securing Enterprise applications and data

Example: avoid storing data locally, use of virtualization for application subset – confidential, intellectual property, financial


BYOD will Force IPV6

Why

Literally 100’s of Thousands of devices

Cisco as an example:

65,500 employees

1 IP Phone

1 Smart Phone

1 Tablet

1 Laptop

That’s 65,500 x 4 = 262,000 addresses


But wait!

Now add:

Door locks

Thermostats

Security Cameras

Servers

PAC/PLCs

I/O

And…


We care what you think!

On the mobile app:

1. Locate session using

Schedule or Agenda Builder

2. Click on the thumbs up icon on

the lower right corner of the

session detail

3. Complete survey

4. Click the Submit Form button

51

Please take a couple minutes to complete a quick session survey to tell us how we’re doing.

2

3

4

1

Thank you!!


www.rsteched.com

Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.

PUBLIC INFORMATION

Questions?

Trends in Enterprise Networking

Technology

Transcript of Trends in Enterprise Networking