© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
George Nazarey Security Consulting System Engineer
Trends (1997 to 2014): Mobility / WLAN evolving toward BYOD / Unified Access
Drivers
• Majority of new network devices will have no wired port
• Users are starting to bring in more than one Mobile/WLAN device
• Mobile devices have become an extension of our personality
• Users will change devices more frequently than in the past
• Users will want to access more than Mobilemail on their devices
• Guest access with accountability has become a business requirement
• Finance sees cost savings / productivity in subsidizing personal devices
Assumptions
• Plug in any device that does not move (printer, smartboards, etc.)
• Plug in any device that requires fixed high bandwidth (telepresence, etc.)
• Users will have 3 or more Mobile/WLAN devices (laptop, tablet, phone)
• Users will expect Wireless to become as predictable as the Wired Network
• Users will expect to simply onboard any Mobile/WLAN device they want
• You have to apply security policy to every user and device
• Guest Access must be isolated and accounted for at all times
Use Cases
Basic Mobility
• Guest Wi-Fi
• Corporate Wi-Fi
• Mobilemail only
Basic BYOD
• Guest Wi-Fi
• Corporate Wi-Fi
• Mobilemail
• Personal Mobile Device with Profiling
• Restricted Corporate resource access (HTTPS / VLAN / ACL)
Advanced BYOD
• Guest Wi-Fi
• Corporate Wi-Fi
• Mobilemail
• Personal Mobile Device with Profiling and Provisioning
• VPN Access
• Unrestricted Corporate resource access
• Wired BYOD
• Voice / Video everywhere
• VDI / VXI
• MDM
Use Cases + Key Functionality
AAA
Guest Management
Wi-Fi Profiling
Wi-Fi Provisioning
Wired Profiling
Wired Provisioning
Use Cases + Critical Tasks
Scale Wi-Fi for Capacity
Scale DHCP, DNS, AAA, PP, Guest Servers / Services for Capacity
Implement automatic Wi-Fi Interference Mitigation
Tune Wi-Fi for Performance (Voice, Video, Location)
Unify Wired and Wireless Policy and Network Management
Implement ability to Manage and Troubleshoot both IPv4 and IPv6 devices
Example Walkthrough—Wireless
(Diagram components: Personal Wireless Capable Device, Wireless LAN Controller SSID, Policy Engine, Directory, PKI CA, My Device Page, Corporate Resources, Internet)
Example Walkthrough—Wired
(Diagram components: Personal Wired Capable Device, Switch, Policy Engine, Directory, PKI CA, My Device Page, Corporate Resources, Internet)
Example Walkthrough—Guest
1. Account Sponsorship: approved sponsor creates account.
2. Account Notification: credentials automatically provided to guest via email, SMS, or printed receipt.
3. Captive Portal: web browser redirects to login screen; user can manage access for their own device.
4. Successful Authentication / Access Granted:
   • Isolated Guest Network on DMZ
   • Role Based Policy Applied
   • User granted access to Internet
(Diagram components: ISE Policy / Guest Engine, Internal WLC, Anchor WLC, Guest User on DMZ, DMZ, Internet)
Checklist / Timeline for Success—driven by Use Case and Business Need
Scale Wi-Fi for Capacity
Scale Servers / Services (DHCP, DNS, AAA, PP, Guest)
Implement Wireless (AAA+Profiling+Guest)
Tune Wi-Fi for Performance (Voice, Video, Location)
Unify Wired+Wireless Policy and Network Management - IPv4+IPv6
Implement Wireless (AAA+Profiling+Provisioning+Guest)
Implement Wireless+Wired (AAA+Profiling+Provisioning+Guest)
What is Success?
• Single pane of glass view of all Users and Devices by IT (Visibility)
• Unified Policy Management of all Users and Devices by IT (Control)
• Ability for a User to choose and simply get any device on the network (Choice)
• The Wireless experience is as reliable as the Wired experience (Predictability)
• Operational and economic balance between security and simplicity
  – Guests easily get access and are isolated and accounted for, but do not consume too much bandwidth
  – Personal devices access and use only what productivity demands and corporate policy permits
• Operational and economic balance between Wireless and Wired
  – 1–2 Wired ports per user on average
  – 20–25 users per Wireless radio on average
Cisco’s Mobility Architectures and Extended Mobility / BYOD / Unified Access Portfolio
Choice and Flexibility
WLAN Controller (CAPWAP Plug & Play Access Points)
• Centralized Control Plane
• Centralized Data Plane
• Centralized Policy
• Central RF Management
• Central Config Management
• Higher AP Scalability
• Survivability / Client Resiliency
• Central Image Management
• Centralized IDS Management
• Guest Tunneling
Cloud Controller (FlexConnect)
• Central Control Plane
• Distributed Data Plane
• Distributed Policy
• Survivability
Autonomous Access Point
• Distributed Control Plane
• Distributed Data Plane
• Independent Operation
Cisco Prime-Network Control System (management across all deployment models)
Best in Class and Best of Breed
Mobility Innovation (Reliability and Predictability)
• CleanAir: chip level proactive and automatic interference mitigation
• ClientLink: chip level proactive and automatic electronic beamforming
• VideoStream: chip level wired multicast over a Wireless network
• Radio Resource Management: simplified advanced RF management
• BandSelect: proactive and automatic band steering for 5GHz capable clients
• AnyConnect: persistent context-aware VPN connectivity
Policy & Network Management (Who? What? When? Where? How?)
• ISE (Control)
• NCS (Visibility)
Control and Visibility for IT / Device Choice and Reliability for Users
Identity and Policy Data Integration: ISE, NCS (Physical or Virtual)
Access Switches: Compact, 2960-S, 3750-X / 3560-X, 4500E
Distribution Switches: 6500 Series
Wireless LAN Controllers (Branch Controller, Campus Controllers, Cloud Controller): 2500 Series, 5500 Series, Flex 7500, WLC on SRE, WiSM2
Access Points (Density, Outdoor, Teleworker, Indoor): 3500i Series, 1040 Series, 1140 Series, 1260 Series, 35/3600e Series, 3500p Series, 1550 Series, 600 Series
Mobility Services Engine: 3310 & 3355 (Physical or Virtual)
Cisco’s Unified Policy and Network Management
Cisco ISE–Provides Unparalleled Control
Industry’s First Context-Based Wired+Wireless+VPN Policy/Guest Management
Wired | VPN | Wireless; Simple | Unified | Automated
Who? What? When? Where? How?
AAA + PP = Secure BYOD
BEFORE: Separate policy and guest management
AFTER: Unified context-based policy management for employees and guests across the network
Improved Control
5 Dimensions of Policy and Provisioning
• Who: Guest, Contractor, Employee
• What: Personal Device, Contractor Device, Corporate Device
• When: Anytime; M–S 8 am–6 pm
• Where: Anywhere; Wireless Conference Rooms
• How: Wired, Wireless, VPN
Resulting policy: Captive Portal / DMZ Guest Tunnel, Guest VLAN, Contractor VLAN, Contractor ACL, Employee VLAN, Employee ACL
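As an added illustration of how the five dimensions combine into one context-based decision (this is example code, not Cisco's or ISE's policy language): every request must match Who, What, When, Where and How on a single rule before a VLAN/ACL result is returned, and anything unmatched is denied. The VLAN/ACL names come from the slide; which device, time window and location pairs with which identity group is this example's own constructed assumption, as is reading "M–S" as Monday to Saturday.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    """One row of a context-based policy: all five dimensions must match."""
    who: frozenset            # identity group from AAA (guest / contractor / employee)
    what: frozenset           # device class from profiling
    how: frozenset            # access medium: wired / wireless / vpn
    where: frozenset | None   # allowed locations; None means Anywhere
    hours: tuple | None       # (start_hour, end_hour, weekdays); None means Anytime
    result: str               # VLAN / ACL assignment pushed to switch, WLC or VPN headend

MON_SAT = frozenset(range(6))      # "M–S" read as Monday..Saturday (assumption)
BUSINESS_HOURS = (8, 18, MON_SAT)  # 8 am–6 pm

# Constructed policy table. The VLAN/ACL names come from the slide; which
# device, time and location pairs with which row is this example's assumption.
POLICY = (
    Rule(frozenset({"guest"}), frozenset({"personal"}), frozenset({"wireless"}),
         frozenset({"conference-room"}), BUSINESS_HOURS,
         "Captive Portal / DMZ Guest Tunnel / Guest VLAN"),
    Rule(frozenset({"contractor"}), frozenset({"contractor", "personal"}),
         frozenset({"wired", "wireless"}), None, BUSINESS_HOURS,
         "Contractor VLAN + Contractor ACL"),
    Rule(frozenset({"employee"}), frozenset({"corporate", "personal"}),
         frozenset({"wired", "wireless", "vpn"}), None, None,
         "Employee VLAN + Employee ACL"),
)

def in_window(ts: datetime, hours: tuple | None) -> bool:
    """Anytime, or within the stated weekdays and the [start, end) hour range."""
    if hours is None:
        return True
    start, end, days = hours
    return ts.weekday() in days and start <= ts.hour < end

def decide(who: str, what: str, when_iso: str, where: str, how: str,
           policy=POLICY) -> str:
    """Return the first matching VLAN/ACL result; an unmatched request is denied,
    so a contractor on VPN or a guest outside hours never lands on a default VLAN."""
    when = datetime.fromisoformat(when_iso)
    for r in policy:
        if (who in r.who and what in r.what and how in r.how
                and (r.where is None or where in r.where)
                and in_window(when, r.hours)):
            return r.result
    return "DENY"
```

Calling decide("guest", "personal", "2012-06-10T10:00", "conference-room", "wireless") returns "DENY" because that date is a Sunday, while the same request on a Tuesday returns the guest assignment.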
Cisco Prime NCS–Provides Unparalleled Visibility
Single Pane of Glass View and Management of Wired+Wireless+Identity
BEFORE: Separated management (Wireless, Wired and Identity in silos)
• Siloed: inefficient operational model
• Repetitive: manual correlation of data
• Error prone: consumes time and resources
AFTER: Comprehensive user and access visibility with advanced troubleshooting (Wireless, Wired and Identity in one view)
• Simple: improves IT efficiency
• Unified: single view of all user access data
• Advanced Troubleshooting: less time and resources consumed
Improved Visibility
Unified Network and Policy Management
• Extends visibility beyond the edge to both wired and wireless users
• Unifies wired, wireless and security visibility into a single view
• Aligns to how networks and organizations are evolving for efficient operations and faster troubleshooting
Comprehensive Wireless Lifecycle Management
• Comprehensive lifecycle management of 802.11n and 802.11a/b/g enterprise-class indoor and outdoor wireless networks
• Delivers a wide array of tools and resources for effective planning, deployment, monitoring and troubleshooting, remediation, and optimization
Highly Scalable
• Monitor thousands of switches and manage hundreds of Cisco wireless LAN controllers and thousands of Aironet access points
• Seamlessly integrates with Cisco context-aware software, Adaptive Wireless Intrusion Prevention System (AWIPS), CleanAir, and the Cisco Integrated Services Router
Integration with Cisco Identity Services Engine
• Cisco Prime NCS retrieves information directly from clients: wired, wireless, authenticated, unauthenticated
• Enables client posture status and client profiled views
• Directly links from Cisco Prime NCS to ISE
Cisco’s Mobility Innovations
Cisco CleanAir–Improves Performance and Predictability
Industry’s First Chip Level Proactive and Automatic Interference Protection
BEFORE: Wireless interference decreases reliability and performance
AFTER: CleanAir mitigates RF interference, improving reliability and performance
(Chart: Air Quality versus Performance, Wireless Client Performance, before and after)
High Resolution Interference Detection, Classification, and Mitigation at Chip Level
• CleanAir Radio ASIC
• Detect Wi-Fi and non-Wi-Fi interference sources
• Assess impact to Wi-Fi performance
• Proactively change channels when interference occurs
• Monitor air quality
Detect | Classify | Locate | Mitigate
(Figure: air quality gauges)
Cisco ClientLink—Improves Predictability and Performance
Advanced Beam Forming Technology Improves Wireless Client Performance
BEFORE: Beam not directed towards clients, resulting in inconsistent performance
AFTER: Beam directed towards client, resulting in consistent experience and better performance
(Chart: Beam Strength and Wireless Client Performance for 802.11a/g clients with ClientLink and 802.11a/g/n clients with ClientLink 2.0, compared with 802.11n)
Cisco ClientLink 2.0 —Improves Predictability and Performance
Reduces Coverage Holes/Improves both Upstream and Downstream
Cisco BandSelect—Improves Predictability and Performance
Automatic Band Steering and Selection For 5GHz Capable Devices
BEFORE: All clients crowd the 2.4GHz spectrum, lowering performance
AFTER: 5GHz capable clients are automatically moved to cleaner 5GHz spectrum
(Chart: Wireless Client Performance, 2.4GHz capable speed versus 5GHz capable speed, before and after steering)
Cisco RRM—Improves Predictability and Performance
Simplify IT Operations with Automatic/Dynamic RF Management
Simplify RF Performance
BEFORE: Manual RF management
• Manual Channel Assignment
• Manual Transmit Power Adjustment
• Manual Coverage Hole Detection/Mitigation
AFTER: Dynamic RF management
• Dynamic Channel Assignment
• Dynamic Transmit Power Adjustment
• Dynamic Coverage Hole Detection/Mitigation
(Diagram: LWAPP access points; Channels, Power, Coverage)
• DCA—Dynamic Channel Assignment: changes in “channel / air quality” are monitored, and Access Point channel assignment is changed when deemed appropriate to preserve predictability
• TPC—Transmit Power Control: Transmit Power is adjusted down or up based on radio-to-radio pathloss calculation when deemed appropriate to preserve predictability
• CHDM—Coverage Hole Detection and Mitigation: Transmit Power is adjusted up on Access Points when coverage holes are detected and deemed appropriate to preserve predictability
Cisco VideoStream—Improves Predictability and Performance
Wired-Like Video Delivery over Wireless
BEFORE: Manual RF Management
AFTER: Dynamic RF Management
(Diagram: Global Enterprise receiving streams such as CEO Meeting, M&A Negotiation, Sports Event, before and after)
We Optimize End-to-End Video Starting at the Access Point
• Multicast to Unicast Conversion at the AP
• Tested for 30X Less Bandwidth Consumed and Double the Performance of Competitors
• Resource Reservation Prevents Oversubscription
• Selectable Stream Prioritization
(Diagram: Multicast Stream from WLC to APs; one AP labelled “VIDEO NOT AVAILABLE”)
Cisco AnyConnect—Always On VPN Connectivity
Industry’s First Context-Based and Persistent VPN Connectivity
BEFORE: Unmanaged devices: risk of data loss and lack of access
AFTER: Always-on VPN connectivity
(Diagram: Mobile Worker; Acceptable Use, Access Control, Data Loss Prevention)
Cisco’s Leadership
802.11 amendment: Wi-Fi certification
(Legend: Blue = complete, Red = in development; Cisco Active, Cisco Driven, CCX Driven; areas: Connectivity, Security, Seamless, Spectrum, Applications, Management)
• 802.11ad (60GHz): WiGig
• 802.11af (TVWS)
• 802.11ac (>1Gb/s): Wi-Fi VHT5G
• 802.11y (3.6GHz)
• 802.11ae (QoS for management)
• 802.11n (>100Mb/s): Wi-Fi 11n
• 802.11w (MFP): MFP
• 802.11u: Hotspot 2.0
• 802.11aa (Video)
• 802.11v (Manage): WNM
• 802.11j (Japan)
• 802.11a/g (54Mb/s): Wi-Fi 11a/g
• 802.11i (Security): WPA2
• 802.11r (Roaming): Voice-Enterprise
• 802.11h (DFS): Standard Wi-Fi
• 802.11e (QoS): WMM, WMM-AC
• 802.11k (Measure): Voice-Enterprise
• Over 90% of the Mobility/WLAN industry silicon is CCX compatible
• Over seventy-five (75) Partners license CCX in the CDN Program
• Over 350 Devices and Tags are CCX Certified (“Cisco Compatible”)
• Over 730 Companies in the CDN Program across Cisco CDO
World Congress Wireless Network—“V6 World Congress 2012”
• Cisco provided the wireless network for IPv6 World Congress 2012: http://blogs.cisco.com/sp/touch-and-feel-ipv6-wi-fi/
• Network deployment: WLC 5508s, Aironet 1140s, NCS 1.1 and ISE 1.1 providing unique device profiling
NCS Prime Report Graphics:
• 1068 Unique Clients
• Around 560 simultaneous Clients
• 46.09% Dual-Stack Clients
• 46.41% IPv4-Only Clients
• 7.5% IPv6-Only Clients
Mobility / WLAN market credentials
• 10+ years of market share leadership
• $1.5+ Billion fast growth business
• 300,000+ enterprise customers
• Most Access Points shipped in the industry
• Most Controllers shipped in the industry
• 95% of Fortune 1000 selected Cisco WLAN
Mobility / WLAN industry credentials
• 10+ years of Gartner MQ leadership
• Largest patent portfolio in the industry
• Largest development team in the industry
• Largest IEEE involvement in the industry
• Co-founder of the Wi-Fi Alliance
• FIPS, Common Criteria, PCI certified