BYOD Overview - Mobility - BYOD - Unified Access

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 George Nazarey Security Consulting System Engineer

Upload: cisco-public-sector

Post on 19-Jan-2015


Category:

Technology



DESCRIPTION

Explore the benefits of Bring Your Own Device (BYOD). Discover how Cisco's CleanAir, ClientLink, BandSelect, Radio Resource Management, Video Stream, and AnyConnect can unify access. By: George Nazarey

TRANSCRIPT

Page 1: BYOD Overview - Mobility - BYOD - Unified Access


George Nazarey Security Consulting System Engineer

Page 2: BYOD Overview - Mobility - BYOD - Unified Access


Page 3: BYOD Overview - Mobility - BYOD - Unified Access


Page 4: BYOD Overview - Mobility - BYOD - Unified Access


[Figure: Trends timeline, 1997 to 2014, with stages labelled Mobility / WLAN and BYOD / Unified Access]

Page 5: BYOD Overview - Mobility - BYOD - Unified Access


Drivers

•  Majority of new network devices will have no wired port

•  Users are starting to bring in more than one Mobile/WLAN device

•  Mobile devices have become an extension of our personality

•  Users will change devices more frequently than in the past

•  Users will want to access more than Mobilemail on their devices

•  Guest access with accountability has become a business requirement

•  Finance sees cost savings / productivity in subsidizing personal devices

Page 6: BYOD Overview - Mobility - BYOD - Unified Access


Assumptions

•  Plug in any device that does not move (printer, smartboards, etc.)

•  Plug in any device that requires fixed high bandwidth (telepresence, etc.)

•  Users will have 3 or more Mobile/WLAN devices (laptop, tablet, phone)

•  Users will expect Wireless to become as predictable as the Wired Network

•  Users will expect to simply onboard any Mobile/WLAN device they want

•  You have to apply security policy to every user and device

•  Guest Access must be isolated and accounted for at all times

Page 7: BYOD Overview - Mobility - BYOD - Unified Access


Use Cases

Basic Mobility
•  Guest Wi-Fi
•  Corporate Wi-Fi
•  Mobilemail only

Basic BYOD
•  Guest Wi-Fi
•  Corporate Wi-Fi
•  Mobilemail
•  Personal Mobile Device with Profiling
•  Restricted Corporate resource access (HTTPS/VLAN/ACL)

Advanced BYOD
•  Guest Wi-Fi
•  Corporate Wi-Fi
•  Mobilemail
•  Personal Mobile Device with Profiling and Provisioning
•  VPN Access
•  Unrestricted Corporate resource access
•  Wired BYOD
•  Voice / Video everywhere
•  VDI / VXI
•  MDM

Page 8: BYOD Overview - Mobility - BYOD - Unified Access


Use Cases + Key Functionality

AAA

Guest Management

Wi-Fi Profiling

Wi-Fi Provisioning

Wired Profiling

Wired Provisioning

Page 9: BYOD Overview - Mobility - BYOD - Unified Access


Use Cases + Critical Tasks

Scale Wi-Fi for Capacity

Scale DHCP, DNS, AAA, PP, Guest Servers / Services for Capacity

Implement automatic Wi-Fi Interference Mitigation

Tune Wi-Fi for Performance (Voice, Video, Location)

Unify Wired and Wireless Policy and Network Management

Implement ability to Manage and Troubleshoot both IPv4 and IPv6 devices

Page 10: BYOD Overview - Mobility - BYOD - Unified Access


Example Walkthrough—Wireless

Policy Engine

My Device Page

Personal Wireless Capable Device

Wireless LAN Controller SSID

Directory PKI CA

Corporate Resources

Internet

Page 11: BYOD Overview - Mobility - BYOD - Unified Access


Example Walkthrough—Wired

My Device Page

Personal Wired Capable Device

Switch

Corporate Resources

Internet

Policy Engine

Directory PKI CA

Page 12: BYOD Overview - Mobility - BYOD - Unified Access


Account Sponsorship

Account Notification

Credentials Automatically Provided to Guest Via Email, SMS, or Printed Receipt

Web Browser Redirects to Login Screen

User Can Manage Access for Their Own Device

Successful Authentication
•  Isolated Guest Network on DMZ
•  Role Based Policy Applied
•  User granted access to Internet

Example Walkthrough—Guest

Approved Sponsor Creates Account.

Captive Portal

Access Granted

ISE

Policy / Guest Engine

Internal WLC

Anchor WLC

Guest User on DMZ

DMZ

Internet

Page 13: BYOD Overview - Mobility - BYOD - Unified Access


Checklist / Timeline for Success—driven by Use Case and Business Need

Scale Wi-Fi for Capacity

Scale Servers / Services (DHCP, DNS, AAA, PP, Guest)

Implement Wireless (AAA+Profiling+Guest)

Tune Wi-Fi for Performance (Voice, Video, Location)

Unify Wired+Wireless Policy and Network Management - IPv4+IPv6

Implement Wireless (AAA+Profiling+Provisioning+Guest)

Implement Wireless+Wired (AAA+Profiling+Provisioning+Guest)

Page 14: BYOD Overview - Mobility - BYOD - Unified Access


What is Success?

•  Single pane of glass view of all Users and Devices by IT (Visibility)

•  Unified Policy Management of all Users and Devices by IT (Control)

•  Ability for a User to choose and simply get any device on the network (Choice)

•  The Wireless experience is as reliable as the Wired experience (Predictability)

•  Operational and economic balance between security and simplicity
   Guests easily get access and are isolated and accounted for, but do not consume too much bandwidth
   Personal devices access and use only what productivity demands and corporate policy permits

•  Operational and economic balance between Wireless and Wired
   1–2 Wired ports per user on average
   20–25 users per Wireless radio on average

Page 15: BYOD Overview - Mobility - BYOD - Unified Access


Cisco’s Mobility Architectures and Extended Mobility / BYOD / Unified Access Portfolio

Page 16: BYOD Overview - Mobility - BYOD - Unified Access


Choice and Flexibility

WLAN Controller

Cisco Prime-Network Control System

•  Centralized Control Plane
•  Centralized Data Plane
•  Centralized Policy
•  Central RF Management
•  Central Config Management

•  Higher AP Scalability
•  Survivability/Client Resiliency
•  Central Image Management
•  Centralized IDS Management
•  Guest Tunneling
•  Survivability

•  Distributed Control Plane
•  Distributed Data Plane
•  Independent Operation

•  Central Control Plane
•  Distributed Data Plane
•  Distributed Policy

Cloud Controller (FlexConnect)

CAPWAP Plug & Play

Access Points

Autonomous Access Point

Page 17: BYOD Overview - Mobility - BYOD - Unified Access


Who? What? When? Where? How?

Best in Class and Best of Breed

Mobility Innovation (Reliability and Predictability) Policy & Network Management

•  CleanAir: Chip level proactive and automatic interference mitigation
•  ClientLink: Chip level proactive and automatic electronic beamforming
•  VideoStream: Chip level wired multicast over a Wireless network
•  Radio Resource Management: Simplified advanced RF management
•  AnyConnect: Persistent context-aware VPN connectivity
•  BandSelect: Proactive and automatic band steering for 5GHz capable clients

ISE (Control)

NCS (Visibility)

Page 18: BYOD Overview - Mobility - BYOD - Unified Access


Control and Visibility for IT / Device Choice and Reliability for Users

Access Switches

Compact 2960-S 3750-X/ 3560-X 4500E

Identity and Policy Data Integration

ISE

NCS

Distribution Switches

6500 Series

Wireless LAN Controllers Branch Controller

Campus Controllers

Cloud Controller

2500 Series

5500 Series

Flex 7500

WLC on SRE

WiSM2

Access Points

3500i Series Density

Outdoor

Teleworker Indoor

1040 Series

1140 Series

1260 Series

35/3600e Series 3500p Series

1550 Series

600 Series

Mobility Services Engine

3310 & 3355

Physical or Virtual

Physical or Virtual

Page 19: BYOD Overview - Mobility - BYOD - Unified Access


Cisco’s Unified Policy and Network Management

Page 20: BYOD Overview - Mobility - BYOD - Unified Access


Industry’s First Context-Based Wired+Wireless+VPN Policy/Guest Management

Wired | VPN | Wireless Simple | Unified | Automated

Who? What? When? Where? How?

AAA + PP = Secure BYOD

BEFORE Separate policy and guest management

AFTER Unified context-based policy management for employees and guests across the network

Cisco ISE–Provides Unparalleled Control

Improved Control

Page 21: BYOD Overview - Mobility - BYOD - Unified Access


5 Dimensions of Policy and Provisioning

[Figure: policy matrix. Labels: Guest, Contractor, Employee; Personal Device, Contractor Device, Corporate Device; Anywhere, Wireless Conference Rooms; Anytime, M–S 8 am–6 pm; Wired, Wireless, VPN; Guest VLAN, Captive Portal DMZ Guest Tunnel, Contractor VLAN, Contractor ACL, Employee VLAN, Employee ACL]

Page 22: BYOD Overview - Mobility - BYOD - Unified Access


Single Pane of Glass View and Management of Wired+Wireless+Identity

BEFORE Separated management

AFTER Comprehensive user and access visibility with advanced troubleshooting

Improved Visibility

Cisco Prime NCS–Provides Unparalleled Visibility

Separated management (Wireless, Wired, Identity):
•  Siloed: Inefficient Operational Model
•  Repetitive: Manual correlation of data
•  Error Prone: Consumes time and resources

Unified management (Wireless, Wired, Identity):
•  Simple: Improves IT efficiency
•  Unified: Single view of all user access data
•  Advanced Troubleshooting: Less time and resources consumed

Page 23: BYOD Overview - Mobility - BYOD - Unified Access


Unified Network and Policy Management

Comprehensive Wireless Lifecycle Management

Integration with Cisco Identity Services Engine

Highly Scalable

•  Extends visibility beyond the edge to both wired and wireless users

•  Unifies wired, wireless and security visibility into a single view

•  Aligns to how networks and organizations are evolving for efficient operations and faster troubleshooting

•  Comprehensive lifecycle management of 802.11n and 802.11a/b/g enterprise-class indoor and outdoor wireless networks

•  Delivers a wide array of tools and resources for effective planning, deployment, monitoring and troubleshooting, remediation, and optimization

•  Monitor thousands of switches and manage hundreds of Cisco wireless LAN controllers and thousands of Aironet access points

•  Seamlessly integrates with Cisco context-aware software, Adaptive Wireless Intrusion Protections System (AWIPS), CleanAir, and the Cisco Integrated Services Router

•  Cisco Prime NCS retrieves information directly from clients: Wired, wireless and authenticated, unauthenticated

•  Enables client posture status and client profiled views

•  Directly links from Cisco Prime NCS to ISE

Page 24: BYOD Overview - Mobility - BYOD - Unified Access


Cisco’s Mobility Innovations

Page 25: BYOD Overview - Mobility - BYOD - Unified Access


Industry’s First Chip Level Proactive and Automatic Interference Protection

BEFORE Wireless interference decreases reliability and performance

AFTER CleanAir mitigates RF interference, improving reliability and performance

Cisco CleanAir–Improves Performance and Predictability

[Figure: Wireless Client Performance, with AIR QUALITY and PERFORMANCE gauges for each case]

Page 26: BYOD Overview - Mobility - BYOD - Unified Access


High Resolution Interference Detection, Classification, and Mitigation at Chip Level

•  CleanAir Radio ASIC
•  Detect Wi-Fi and non-Wi-Fi interference sources
•  Assess impact to Wi-Fi performance
•  Proactively change channels when interference occurs
•  Monitor air quality

Detect | Classify | Locate | Mitigate

Page 27: BYOD Overview - Mobility - BYOD - Unified Access


Advanced Beam Forming Technology Improves Wireless Client Performance

BEFORE Beam not directed towards clients, resulting in inconsistent performance

AFTER Beam directed towards client, resulting in consistent experience and better performance

Cisco ClientLink—Improves Predictability and Performance

[Figure: Beam Strength and Wireless Client Performance for 802.11a/g (ClientLink), 802.11a/g/n (ClientLink 2.0) and 802.11n clients]

Page 28: BYOD Overview - Mobility - BYOD - Unified Access


Cisco ClientLink 2.0 —Improves Predictability and Performance

Reduces Coverage Holes/Improves both Upstream and Downstream

Page 29: BYOD Overview - Mobility - BYOD - Unified Access


Automatic Band Steering and Selection For 5GHz Capable Devices

BEFORE All clients crowd the 2.4GHz spectrum, lowering performance

AFTER 5GHz capable clients are automatically moved to cleaner 5GHz spectrum

Cisco BandSelect—Improves Predictability and Performance

[Figure: Wireless Client Performance, comparing 2.4GHz Capable Speed and 5GHz Capable Speed for clients on the 2.4GHz and 5GHz bands]

Page 30: BYOD Overview - Mobility - BYOD - Unified Access


Simplify IT Operations with Automatic/Dynamic RF Management

BEFORE Manual RF management

AFTER Dynamic RF management

Cisco RRM—Improves Predictability and Performance

Simplify RF Performance

•  Manual Channel Assignment
•  Manual Transmit Power Adjustment
•  Manual Coverage Hole Detection/Mitigation

[Figure: LWAPP access points with Channels, Power and Coverage labels]

•  Dynamic Channel Assignment
•  Dynamic Transmit Power Adjustment
•  Dynamic Coverage Hole Detection/Mitigation

Page 31: BYOD Overview - Mobility - BYOD - Unified Access


•  DCA—Dynamic Channel Assignment
   Changes in “channel / air quality” are monitored, and Access Point channel assignment is changed when deemed appropriate to preserve predictability

•  TPC—Transmit Power Control
   Transmit Power is adjusted down or up based on radio to radio pathloss calculation when deemed appropriate to preserve predictability

•  CHDM—Coverage Hole Detection and Mitigation
   Transmit Power is adjusted up on Access Points when coverage holes are detected and deemed appropriate to preserve predictability

Page 32: BYOD Overview - Mobility - BYOD - Unified Access


Wired-Like Video Delivery over Wireless

BEFORE Manual RF Management

AFTER Dynamic RF Management

Cisco VideoStream—Improves Predictability and Performance

[Figure: Global Enterprise video streams: CEO Meeting, M&A Negotiation, Sports Event]

Page 33: BYOD Overview - Mobility - BYOD - Unified Access


We Optimize End-to-End Video Starting at the Access Point

Multicast to Unicast Conversion at the AP

Tested for 30X Less Bandwidth Consumed and Double the Performance of Competitors

Resource Reservation Prevents Oversubscription

Selectable Stream Prioritization

[Figure: Multicast Stream from the WLC to three APs; one client shows "VIDEO NOT AVAILABLE"]

Page 34: BYOD Overview - Mobility - BYOD - Unified Access


Industry’s First Context-Based and Persistent VPN Connectivity

BEFORE Unmanaged devices—risk of data loss and lack of access

AFTER Always-on VPN connectivity

Cisco AnyConnect—Always On VPN Connectivity

Mobile Worker

Acceptable Use Access Control Data Loss Prevention

Page 35: BYOD Overview - Mobility - BYOD - Unified Access


Cisco’s Leadership

Page 36: BYOD Overview - Mobility - BYOD - Unified Access


802.11ad (60GHz) WiGig

802.11af (TVWS)

802.11ac (>1Gb/s) Wi-Fi VHT5G

802.11y (3.6GHz)

802.11ae (QoS for management)

802.11 amendment Wi-Fi certification

Blue = complete Red = in development

Cisco Active

802.11n (>100Mb/s) Wi-Fi 11n

802.11w (MFP) MFP

802.11u Hotspot 2.0

802.11aa (Video)

802.11v (Manage) WNM

802.11j (Japan)

802.11a/g (54Mb/s) Wi-Fi 11a/g

802.11i (Security) WPA2

802.11r (Roaming) Voice-Enterprise

802.11h (DFS) Standard Wi-Fi

802.11e (QoS) WMM, WMM-AC

802.11k (Measure) Voice-Enterprise

CONNECTIVITY

SECURITY

SEAMLESS

SPECTRUM

APPLICATIONS

MANAGEMENT

Cisco Driven

CCX Driven

Page 37: BYOD Overview - Mobility - BYOD - Unified Access


•  Over 90% of the Mobility/WLAN industry silicon is CCX compatible

•  Over seventy-five (75) Partners license CCX in the CDN Program

•  Over 350 Devices and Tags are CCX Certified (“Cisco Compatible”)

•  Over 730 Companies in the CDN Program across Cisco CDO

Page 38: BYOD Overview - Mobility - BYOD - Unified Access


•  Cisco provided the wireless network for IPv6 World Congress 2012 http://blogs.cisco.com/sp/touch-and-feel-ipv6-wi-fi/

•  Network deployment: WLC 5508s, Aironet 1140s, NCS 1.1 and ISE 1.1 providing unique device profiling

World Congress Wireless Network—“V6 World Congress 2012”

NCS Prime Report Graphics:

•  1068 Unique Clients
•  Around 560 simultaneous Clients

•  46.09% Dual-Stack Clients
•  46.41% IPv4-Only Clients
•  7.5% IPv6-Only Clients

Page 39: BYOD Overview - Mobility - BYOD - Unified Access


Page 40: BYOD Overview - Mobility - BYOD - Unified Access


Mobility / WLAN market credentials

•  10+ years of market share leadership
•  $1.5+ Billion fast growth business
•  300,000+ enterprise customers
•  Most Access Points shipped in the industry
•  Most Controllers shipped in the industry
•  95% Fortune 1000 selected Cisco WLAN

Mobility / WLAN industry credentials

•  10+ years of Gartner MQ leadership
•  Largest patent portfolio in the industry
•  Largest development team in the industry
•  Largest IEEE involvement in the industry
•  Co-founder of the Wi-Fi Alliance
•  FIPS, Common Criteria, PCI certified

Page 41: BYOD Overview - Mobility - BYOD - Unified Access
