Zack Schaefer - Cisco: Mobility Best Practices and Security Solutions for BYOD Deployments (webinar slide transcript)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Zack Schaefer Mobility Technical Solutions Architect
September 2012
Twitter:
• @Cisco_Mobility
Facebook:
• www.facebook.com/CiscoWireless
Web
• cisco.com/go/wireless
TechWiseTV
• techwisetv.com
Mark Your Calendars! Next Webinar:
High Density Wireless for Higher Education: September 27th, 8 AM (PDT)
Agenda
1. Mobility Best Practices for BYOD Deployments
2. Security Solutions for BYOD Deployments
The Evolving Workplace Landscape
(Perspectives shown on the slide: Executive, Employee, IT)
Old school:
• Enterprise-provided mobile devices
• Work is a place you go to; limited off-campus access
• IT visibility and control into user devices and applications
New school:
• Anywhere, anytime, any device usage
• Work is a function: globally dispersed, mixed device ownership
• Change in the IT control and management paradigm
Driven by Demand for Mobility
• Traditional: thick client with locally installed apps (WinXP)
• Modernized: thin or zero client with hosted virtual desktops (HVD) and virtual apps
• Revolutionize: mobile client with virtual apps and HVD
Virtualized platforms: centralized provisioning, management and security for users and applications
• 7.7 billion new Wi-Fi enabled devices will enter the market in the next five years.*
• 1.2 billion smartphones will enter the market over the next five years, about 40% of all handset shipments.*
• Smartphone adoption is growing 50%+ annually.**
• By 2012, more than 50% of network devices will ship without a wired port.***
• A 7x increase in capacity with the introduction of 802.11n
Source: *ABI Research, **IDC, ***Morgan Stanley Market Trends
• Unified Access is a reality: it is not wired or wireless anymore
• The BYOD (Bring Your Own Device) phenomenon is here
• Increase in capacity = increase in applications
• Device (corporate or private) on-boarding is a challenge for companies
• Mobile collaboration applications are here
Mobility Best Practices for BYOD Deployments
Some Questions to Consider
Do I have the WLAN capacity to support increase in mobile devices?
How do I ensure business critical WLAN reliability?
How do I enforce security policies on non compliant devices?
How do I grant different levels of access to protect my network?
How do I ensure data loss prevention on devices where I don’t have visibility?
How should I address the cool kids (tech-savvy) who trade-up to new devices? New Policy?
How do I protect my Intellectual Property/personal information?
Follow these steps:
1. Start migration to 802.11n to enhance network performance
2. Properly configure for high density wireless deployments
3. Improve reliability and coverage with Cisco ClientLink 2.0
4. Detect and mitigate RF interference with Cisco CleanAir
5. Improve video applications with VideoStream
6. Implement Cisco Radio Resource Management
Challenge
• Scaling a growing number of tablets and mobile devices accessing bandwidth intensive applications across the WLAN
Advantage
• 802.11n optimizes high bandwidth data, voice and video applications on Wi-Fi enabled devices: 7x higher throughput, more reliable and predictable coverage
• Backwards compatibility with 802.11a/b/g clients
Primary 802.11n Components
• Multiple Input Multiple Output (MIMO): maximal ratio combining, beam forming, spatial multiplexing
• 40 MHz channels: two adjacent 20 MHz channels are combined to create a single 40 MHz channel
• Improved MAC efficiency: packet aggregation, block acknowledgements
Enables the throughput and coverage needed to scale mobile devices
• 802.11ac operates in the 5 GHz band only: avoids the crowded 2.4 GHz band and allows for wider channels
• Wider RF channels, 80 MHz and 160 MHz: more potential bandwidth available
• Number of spatial streams, 1 to 8: expect 3SS (spatial streams) initially, with future implementations going to 4SS
• Modulation, 256-QAM: ~30% more efficient
• MU-MIMO (Multi-User MIMO) support: APs can transmit to multiple downstream clients simultaneously
• Data rates: from a minimum of 290 Mbps up to a 6.9 Gbps theoretical maximum
802.11ac module:
• 802.11ac module antennas fully integrate into the AP for aesthetics and excellent RF performance
• Leverages the same modular architecture as the Security Monitor Module
• Target FCS: Q1 CY13
• Wave 1 (2013): 290 Mbps to 1.3 Gbps
• Wave 2 (2014): 3.5 Gbps
AP Model                  3600 Series                     2600 Series      600 Series
Wi-Fi Standards           802.11a/b/g/n                   802.11a/b/g/n    802.11a/b/g/n
Radio Design              4X4:3                           3X4:3            2X2:2
Data Rate                 1.3 Gbps (with 802.11ac module) 450 Mbps         300 Mbps
ClientLink                ClientLink 2.0                  ClientLink 2.0   -
Mod. Support (Mon./11ac)  ✔                               -                -
Feature rows on the slide (per-model checkmarks not recoverable from the extracted table): CleanAir, BandSelect, VideoStream, Rogue AP Detection, Adaptive wIPS, OfficeExtend, FlexConnect, Wireless Mesh, Autonomous IOS
Challenge
• Properly configuring the WLAN to provide reliable network access to Wi-Fi enabled device users in increasingly concentrated areas
Advantage
• These RF design best practices help fine tune the network in advance to accommodate high density areas:
  i. Assess the application's bandwidth requirements per user
  ii. Define the supported wireless protocols and calculate the required channels
  iii. Optimize the installation
Efficient RF design improves coverage for mobile devices in concentrated areas
(Figure: example 5 GHz channel plan across adjacent cells, channels 36, 48, 60, 100, 132, 149 / 116, 64, 52, 44, 104, 36)
Assess application bandwidth requirements and the protocols that will be supported
• Determine the bandwidth required for each user of the target application: determine the minimum acceptable throughput the applications require and design for the highest bandwidth requirement
• Multiply this number by the number of connections/seats that you need to support
• This is the aggregate bandwidth you will require in your space
• Divide the aggregate by the protocol throughput to determine the number of channels required in the space
Application use case          Throughput
Web – Casual                  500 Kbps
Web – Instructional           1 Mbps
Audio – Casual                100 Kbps
Audio – Instructional         1 Mbps
Video – Casual                1 Mbps
Video – Instructional         2-4 Mbps
Printing                      1 Mbps
File Sharing – Casual         1 Mbps
File Sharing – Instructional  2-8 Mbps
Device Backups                10-50 Mbps
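The three steps above (highest per-user requirement, times seats, divided by per-channel throughput) are easy to get wrong by reading the PHY rate as usable throughput. The following is an added worked example for this page, not a Cisco tool: it carries the slide's application table through the calculation and checks the result against the number of 20 MHz channels a band can actually offer. The usable per-channel throughput figures and the 5 GHz channel counts are assumptions and must be replaced with measured throughput for the real client mix and the channel list of the local regulatory domain.

```python
"""Worked WLAN capacity estimate for a high-density space, following the
slide's steps: per-user bandwidth -> aggregate for all seats -> channels
(one channel per cell) required, checked against what the band offers.

Added example, not a Cisco tool. The usable per-channel throughput and the
5 GHz channel counts are ASSUMPTIONS: replace them with measured throughput
for the real client mix and the channel list of the local regulatory domain."""
import math

# Per-user requirements from the slide's table, in Mbps. Where the slide
# gives a range the upper bound is used, because the guidance is to design
# for the highest bandwidth requirement.
APP_MBPS = {
    "web-casual": 0.5,
    "web-instructional": 1.0,
    "audio-casual": 0.1,
    "audio-instructional": 1.0,
    "video-casual": 1.0,
    "video-instructional": 4.0,
    "printing": 1.0,
    "file-sharing-casual": 1.0,
    "file-sharing-instructional": 8.0,
    "device-backup": 50.0,
}

# ASSUMED usable (TCP-level) throughput of one 20 MHz channel, well below
# the PHY rate once contention, management overhead and retries are paid.
CHANNEL_MBPS = {
    "802.11g": 22.0,
    "802.11a": 22.0,
    "802.11n-20MHz-2ss": 90.0,
}

# ASSUMED 20 MHz channels available for reuse (FCC domain): three
# non-overlapping in 2.4 GHz; in 5 GHz nine non-DFS (UNII-1, UNII-3)
# plus fifteen DFS channels (UNII-2, UNII-2e).
CHANNELS_AVAILABLE = {
    "2.4GHz": 3,
    "5GHz-no-DFS": 9,
    "5GHz-with-DFS": 24,
}


def plan(apps, seats, protocol, band):
    """Return the capacity plan for `seats` users of the given applications."""
    per_user = max(APP_MBPS[a] for a in apps)                 # step i
    aggregate = per_user * seats                               # step ii
    channels = math.ceil(aggregate / CHANNEL_MBPS[protocol])   # step ii
    available = CHANNELS_AVAILABLE[band]
    return {
        "per_user_mbps": per_user,
        "aggregate_mbps": aggregate,
        "channels_required": channels,   # also the number of cells/APs to place
        "channels_available": available,
        "fits": channels <= available,
    }


if __name__ == "__main__":
    # Constructed scenario: 100-seat lecture hall, instructional video + web.
    apps = ["video-instructional", "web-instructional"]
    for protocol, band in [("802.11g", "2.4GHz"),
                           ("802.11n-20MHz-2ss", "5GHz-no-DFS"),
                           ("802.11n-20MHz-2ss", "5GHz-with-DFS")]:
        p = plan(apps, 100, protocol, band)
        print(f"{protocol:18s} {band:14s} {p['aggregate_mbps']:5.0f} Mbps -> "
              f"{p['channels_required']:2d} of {p['channels_available']:2d} "
              f"channels {'OK' if p['fits'] else 'NOT ENOUGH'}")
```

The "channels required" figure is also the number of cells you have to fit into the room without two neighbours sharing a channel, which is why the same 100-seat hall is infeasible on 2.4 GHz (three channels) and comfortable on 5 GHz, and why the DFS channels matter for the largest spaces.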
Protocol Selection—Important? Why?
802.11 b/g/a/n and duty cycle: airtime per frame (µs) by data rate and beacon size
Beacon size (bytes)      100    200    250    300    350
DSSS   1 Mbps            896   1696   2096   2496   2896
DSSS   2 Mbps            496    896   1096   1296   1496
DSSS   5.5 Mbps          241    387    460    532    605
DSSS   11 Mbps           169    241    276    314    351
OFDM   6 Mbps            153    287    353    420    487
OFDM   12 Mbps            87    153    187    220    253
OFDM   24 Mbps            53     87    103    120    137
OFDM   54 Mbps            35     50     57     64     72
802.11n 130 Mbps          26     32     35     38     42
802.11n 300 Mbps          23     25     27     28     29
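The table is a straight airtime calculation: fixed PHY overhead plus the frame's bits divided by the data rate. The code below is an added example written for this page, not something from the deck, that reproduces the table and then turns it into the number the table is really about, the share of airtime eaten by beacons when every SSID on a radio beacons at the lowest enabled basic rate. The overhead constants (96 µs short-preamble DSSS, 20 µs OFDM, and the table's simplification of applying the same 20 µs to the 802.11n rates, which ignores the longer HT-mixed preamble) are read off the table; the SSID counts and beacon sizes in the demo are constructed inputs.

```python
"""Frame airtime and beacon duty cycle behind the slide's duty-cycle table:
airtime = PHY preamble/header overhead + (frame bytes * 8) / data rate.

Added example, not from the deck. The overhead constants are the ones the
table implies (96 us short-preamble DSSS, 20 us OFDM; the table applies the
same 20 us to the 802.11n rates, ignoring the longer HT-mixed preamble).
The SSID counts and beacon sizes in the demo are constructed inputs."""

# Microseconds of PHY overhead in front of every frame, by modulation.
PHY_OVERHEAD_US = {"dsss": 96, "ofdm": 20, "ht": 20}

# Data rates of the table, with the modulation each belongs to.
TABLE_RATES = [(1, "dsss"), (2, "dsss"), (5.5, "dsss"), (11, "dsss"),
               (6, "ofdm"), (12, "ofdm"), (24, "ofdm"), (54, "ofdm"),
               (130, "ht"), (300, "ht")]

BEACON_INTERVAL_US = 102_400   # default 100 TU (1 TU = 1024 us)


def airtime_us(frame_bytes, rate_mbps, phy):
    """Time the medium is busy for one frame, rounded half-up like the table."""
    return int(PHY_OVERHEAD_US[phy] + frame_bytes * 8 / rate_mbps + 0.5)


def airtime_table(sizes=(100, 200, 250, 300, 350)):
    """Rebuild the slide's table: {rate_mbps: [airtime for each beacon size]}."""
    return {rate: [airtime_us(b, rate, phy) for b in sizes]
            for rate, phy in TABLE_RATES}


def beacon_duty_cycle(ssids, beacon_bytes, basic_rate_mbps, phy,
                      interval_us=BEACON_INTERVAL_US):
    """Fraction of airtime spent on beacons alone: one beacon per SSID per
    interval, each sent at the lowest enabled basic rate."""
    return ssids * airtime_us(beacon_bytes, basic_rate_mbps, phy) / interval_us


if __name__ == "__main__":
    sizes = (100, 200, 250, 300, 350)
    print("rate     " + "".join(f"{s:>7d}" for s in sizes))
    for rate, row in airtime_table(sizes).items():
        print(f"{rate:<9}" + "".join(f"{t:>7d}" for t in row))
    # Why "disable lower data rates" matters: 8 SSIDs x 250-byte beacons.
    for rate, phy in [(1, "dsss"), (6, "ofdm"), (12, "ofdm")]:
        dc = beacon_duty_cycle(8, 250, rate, phy)
        print(f"8 SSIDs, basic rate {rate:>2} Mbps: beacons take {dc:.1%} of airtime")
```

Eight SSIDs beaconing 250-byte frames at 1 Mbps consume about 16% of a 2.4 GHz channel before a single data frame is sent; raising the lowest basic rate to 12 Mbps drops that to about 1.5%. Management and multicast traffic follow the same rule, which is the practical reason behind the "disable lower data rates" advice and for keeping the SSID count small.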
Optimize the Installation
• Configure 2.4 GHz for 20 MHz and three non-overlapping channels/cells: provides greater flexibility for access point placement for optimal coverage and capacity
• Disable lower data rates in 2.4 GHz
• Encourage clients to use 5 GHz by enabling Cisco BandSelect: BandSelect directs dual-band clients to 5 GHz, optimizing RF usage, making better use of the higher capacity 5 GHz band and freeing up 2.4 GHz for single-band clients
• Consider using DFS channels: supported by the Apple iPad and Intel 5100/5300/6200/6300 radios; Android devices such as the Samsung Galaxy do NOT support DFS channels yet
(Figure: a dual-band 802.11n client radio sends discovery probes on both 2.4 GHz and 5 GHz; with BandSelect the AP withholds the 2.4 GHz probe response so the client associates on 5 GHz)
Cisco ClientLink Improves Performance
• 802.11a/g without ClientLink and beam forming: existing 802.11n solutions' beam strength is not directed to the client
• 802.11a/g with ClientLink and beam forming: increases overall wireless system capacity in a mixed client environment
• Up to 65% increase in throughput
• Up to 27% improvement in channel capacity
• 38% less battery drop (ClientLink disabled vs. enabled)
Challenge
• Identifying and managing sources of RF interference that impact application performance on mobile devices
Advantage
• CleanAir uses silicon-level intelligence in the access point to improve air quality and the mobility experience of end users: detects and classifies interference, locates problem sources, automatically avoids interference
Improves connectivity of mobile devices by eliminating the impact of interference
(Figure: maintain air quality; per-channel air quality from GOOD to POOR across channels 1 to 11)
CleanAir: Detect | Classify | Locate | Mitigate
• CleanAir radio ASIC
• Detects Wi-Fi and non-Wi-Fi interference sources
• Assesses the impact to Wi-Fi performance
• Proactively changes channels when interference occurs
• Monitors air quality
(Figure: example air quality index readings, from 100 down to 20, across channels)
Challenge
• Delivering high quality multicast video on mobile devices at scale
Advantage
• VideoStream provides HD multicast video by protecting the QoS of all streams with stream prioritization and Resource Reservation Control (RRC)
Efficiently scales enterprise-class video collaboration on mobile devices
(Figure: the WLC and AP convert the multicast stream into unicast streams per client; with stream prioritization the company all-hands and training program streams are admitted while the live sporting event is refused with "video not available")
Challenge: Simplifying RF management to improve coverage and network performance
• Dynamic Channel Assignment: changes in channel/air quality are monitored, and access point channel assignment is changed when deemed appropriate to preserve predictability
• Transmit Power Control: transmit power is adjusted down or up based on radio-to-radio path loss calculation when deemed appropriate to preserve predictability
• Coverage Hole Detection and Mitigation: transmit power is adjusted up on access points when coverage holes are detected and deemed appropriate to preserve predictability
Security Solutions for BYOD Deployments
Some Questions to Consider
How do I keep this flood of new devices off my network?
How do I grant different levels of access to protect my network?
How do I deal with people who trade-up to new devices?
How do I ensure data loss prevention and malware protection?
How do I enforce security policies on non compliant devices?
How does remote access differ from local LAN access?
• Security?
• Which are corporate devices?
• What corporate data is on these devices?
• Are there any legal concerns?
• Friend or Foe?
• Managed vs. UnManaged
Supply Partner: unmanaged desktop; complex support issues; requires limited access to corporate resources
Contractor, Temp: access requirements vary greatly; unmanaged or managed devices; access needs to be limited
Employee: managed desktop; potentially unmanaged personal devices; full access for managed devices
Teleworker: managed desktop; unmanaged personal devices; requires consistent LAN-like performance
Role            Managed asset                  Unmanaged asset
Employee        Full corporate LAN access      Partial corporate LAN access
Contractor      Partial corporate LAN access   Guestnet / Deny
Vendor / Guest  -                              Guestnet / Deny
IDENTITY PROFILING with Cisco ISE (Unified Access Management) on a single SSID:
1. 802.1X EAP user authentication (RADIUS from the Wireless LAN Controller to ISE)
2. Profiling to identify the device, using the DHCP, RADIUS, SNMP, NetFlow, HTTP and DNS probes
3. Posture of the device
4. Policy decision: personal asset or company asset, plus context such as location (HQ) and time of day (2:38pm)
5. Enforce policy in the network (for example VLAN 10 vs. VLAN 20 on the Wireless LAN Controller)
6. Full or partial access granted: corporate resources or Internet only
Device On-boarding, Self Registration, Supplicant Provisioning*
• Reduced burden on IT staff
• Self-service model: My Device Registration Portal*, Guest Sponsorship Portal
• Reduced burden on help desk staff
• Seamless, intuitive end user experience
On-boarding differentiators:
• Supplicant provisioning on all major platforms
• In-band and out-of-band asset registration portal
• Self-service, user based registration portal
• Flexible dot1x profiles: a common profile for all platforms or platform specific
• Provisioning of certificates with additional attributes like UDID, MAC address etc.
• Certificate based differentiation of service and anti-cert copying
• Black-listing and re-instating of devices
* New features for zero touch on-boarding
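The six-step flow on the identity profiling slide and the certificate-based differentiation listed above come together in one policy decision. The following is an added example written for this page, not ISE code or Cisco's implementation: it takes the outputs of the 802.1X authentication, the profiling probes and the posture check for one session, applies the role by managed/unmanaged matrix, and returns the VLAN and ACL the WLC should enforce. VLAN 10 and 20 come from the slide; every other identifier (VLAN 30 and 99, the ACL names, the issuer name, the DHCP option 55 and User-Agent fingerprints) and all session records are constructed assumptions. The "anti-cert copying" check is modelled as a MAC attribute in the device certificate that must match the RADIUS Calling-Station-Id of the session presenting it.

```python
"""Policy decision point modelled on the slide's six-step flow: 802.1X
identity -> profiling -> posture -> policy (role x managed/unmanaged matrix)
-> enforcement pushed to the network (VLAN + ACL) -> full or partial access.
Managed vs. unmanaged is decided as the on-boarding slide describes: a
corporate-issued certificate carrying the device MAC, so a certificate
copied to another device is refused.

Added example; not ISE code. VLANs other than 10/20, ACL names, fingerprints,
certificate attribute names and all session records are constructed."""
from dataclasses import dataclass
from typing import Optional

FULL, PARTIAL, GUEST, QUARANTINE, DENY = "full", "partial", "guest", "quarantine", "deny"

# Role x asset matrix from the slide; any other combination is denied.
POLICY_MATRIX = {
    ("employee", "managed"): FULL, ("employee", "unmanaged"): PARTIAL,
    ("contractor", "managed"): PARTIAL, ("contractor", "unmanaged"): GUEST,
    ("guest", "unmanaged"): GUEST,
}
# What the WLC is told to apply. VLAN 10/20 follow the slide; the rest is ASSUMED.
ENFORCEMENT = {
    FULL: {"vlan": 10, "acl": "PERMIT-CORP"},
    PARTIAL: {"vlan": 20, "acl": "CORP-LIMITED"},
    GUEST: {"vlan": 30, "acl": "INTERNET-ONLY"},
    QUARANTINE: {"vlan": 99, "acl": "REMEDIATION-ONLY"},
    DENY: None,
}
# ASSUMED profiling signatures (DHCP option 55 request lists, User-Agent
# fragments): illustrative of a fingerprint database, not a real one.
DHCP_FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "Windows",
    (1, 3, 6, 15, 119, 252): "Apple iOS/macOS",
    (1, 33, 3, 6, 15, 28, 51, 58, 59): "Android",
}
UA_HINTS = {"Windows NT": "Windows", "iPad": "Apple iOS", "iPhone": "Apple iOS", "Android": "Android"}
CORP_CA = "CN=Corp Issuing CA"   # ASSUMED issuer of corporate device certs


@dataclass
class Session:
    username: str
    role: str               # from the directory lookup after EAP succeeds
    eap_method: str         # "EAP-TLS" (certificate) or "PEAP-MSCHAPv2" (password)
    client_mac: str         # RADIUS Calling-Station-Id
    cert: Optional[dict]    # parsed client-cert attributes, None without a cert
    dhcp_param_list: tuple  # DHCP option 55 captured by the profiler
    user_agent: str         # from the HTTP probe
    posture: str            # "compliant", "non-compliant" or "unknown"


def profile_device(s: Session) -> str:
    """Step 2: identify the device type from DHCP and HTTP probe data."""
    os_family = DHCP_FINGERPRINTS.get(s.dhcp_param_list)
    if os_family is None:
        os_family = next((v for k, v in UA_HINTS.items() if k in s.user_agent), "unknown")
    return os_family


def classify_asset(s: Session) -> str:
    """Managed = EAP-TLS with a corporate cert whose bound MAC is the MAC it is
    presented from. A corporate cert presented from another MAC is a copy."""
    if s.eap_method != "EAP-TLS" or not s.cert or s.cert.get("issuer") != CORP_CA:
        return "unmanaged"
    if s.cert.get("bound_mac", "").lower() != s.client_mac.lower():
        return "cloned-cert"
    return "managed"


def decide(s: Session) -> dict:
    """Steps 3-6: posture plus the matrix give an access level and enforcement."""
    device, asset = profile_device(s), classify_asset(s)
    if asset == "cloned-cert":
        level, reason = DENY, "certificate not bound to this MAC"
    elif asset == "managed" and s.posture != "compliant":
        level, reason = QUARANTINE, f"posture {s.posture}"   # held until remediated
    else:
        level, reason = POLICY_MATRIX.get((s.role, asset), DENY), f"{s.role}/{asset}"
    return {"user": s.username, "device": device, "asset": asset,
            "access": level, "enforce": ENFORCEMENT[level], "reason": reason}


# Constructed session records (not captured data).
CORP_CERT = {"issuer": CORP_CA, "bound_mac": "00:11:22:33:44:55"}
WIN_O55 = (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)
IOS_O55 = (1, 3, 6, 15, 119, 252)
SAMPLE_SESSIONS = {
    "corp-laptop": Session("alice", "employee", "EAP-TLS", "00:11:22:33:44:55",
                           CORP_CERT, WIN_O55, "Mozilla/5.0 (Windows NT 6.1)", "compliant"),
    "corp-laptop-noncompliant": Session("alice", "employee", "EAP-TLS", "00:11:22:33:44:55",
                           CORP_CERT, WIN_O55, "Mozilla/5.0 (Windows NT 6.1)", "non-compliant"),
    "copied-cert": Session("alice", "employee", "EAP-TLS", "66:77:88:99:aa:bb",
                           CORP_CERT, IOS_O55, "Mozilla/5.0 (iPad; CPU OS 5_1)", "unknown"),
    "personal-ipad": Session("alice", "employee", "PEAP-MSCHAPv2", "66:77:88:99:aa:bb",
                           None, IOS_O55, "Mozilla/5.0 (iPad; CPU OS 5_1)", "unknown"),
    "contractor-phone": Session("bob", "contractor", "PEAP-MSCHAPv2", "c0:ff:ee:00:00:01",
                           None, (9, 9), "Mozilla/5.0 (Linux; Android 4.0)", "unknown"),
}

if __name__ == "__main__":
    for name, sess in SAMPLE_SESSIONS.items():
        d = decide(sess)
        print(f"{name:26s} {d['device']:16s} {d['asset']:12s} -> {d['access']:10s} "
              f"{d['enforce']} ({d['reason']})")
```

In a real deployment the result reaches the WLC as RADIUS attributes (the standard Tunnel-Private-Group-ID for the VLAN and the Cisco Airespace-ACL-Name VSA for the ACL). Two caveats a reviewer would raise: binding the certificate to a MAC only catches careless copying, since a MAC is trivially spoofed, so the stronger control is a non-exportable private key in the device's hardware keystore; and an unmanaged device cannot be postured, which is why the matrix never grants it full access regardless of who the user is.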
(Figure: remote access components between the mobile user and the Internet: AnyConnect, Adaptive Security Appliance, IronPort Web Security Appliance)
CENTRALIZED SECURITY (existing architecture)
• Leverage current investments and on-premise security
• Centralized policy enforcement: malware threat protection and acceptable use policy on the IronPort Web Security Appliance
• AnyConnect always-on VPN: remote user and branch office traffic is backhauled to the main office / data center
DE-CENTRALIZED SECURITY
• Cloud security: malware threat protection and acceptable use policies enforced for mobile users (for example in an Internet café) without backhaul
• Security and VPN clients with distributed policy enforcement
• VPN used for data center access only; minimum backhaul to the main office
Only Cisco can tie all the pieces together!
• Management: NCS Prime, CSM / ASDM, 3rd party MDM appliance (MDM manager)
• Policy: ISE
• Network: Cisco WLAN Controller and Cisco Catalyst switches (wired network devices), each with AnyConnect NAM (Windows only) as the supplicant
• Endpoints: AnyConnect VPN (all mobile), AnyConnect Cloud Web Security (all PCs)
• Web security: IronPort WSA
Why Cisco?
802.11 amendments and the Wi-Fi certifications built on them
CONNECTIVITY: 802.11a/g (54 Mb/s) → Wi-Fi 11a/g; 802.11n (>100 Mb/s) → Wi-Fi 11n; 802.11ac (>1 Gb/s) → Wi-Fi VHT5G; 802.11ad (60 GHz) → WiGig
SECURITY: 802.11i (Security) → WPA2; 802.11w (MFP) → MFP
SEAMLESS: 802.11r (Roaming) and 802.11k (Measure) → Voice-Enterprise; 802.11u → Hotspot 2.0
SPECTRUM: 802.11h (DFS) → Standard Wi-Fi; 802.11j (Japan); 802.11y (3.6 GHz); 802.11af (TVWS)
APPLICATIONS: 802.11e (QoS) → WMM, WMM-AC; 802.11aa (Video)
MANAGEMENT: 802.11v (Manage) → WNM; 802.11ae (QoS for management)
Key: 802.11 amendment / Wi-Fi certification; blue = complete, red = in development; Cisco active, Cisco driven, CCX driven (the colour coding is not recoverable from the transcript)
(Figure: Cisco portfolio: WLAN, LAN, VPN, Web Security, BYOD / NAC, Unified Communications)
• Prepare your wireless network for the heavy demands that BYOD will put on it
• Start with 802.11n and plan for 802.11ac
• Start developing BYOD policies now
• Tools such as ISE can help you embrace BYOD as well as enforce your policies
• Ensure that you have an architecture in place that is nimble enough to protect your mobile endpoints
Thank you.