cisco - secure enterprise wlan

Upload: cisco-public-sector
Post on 25-Jan-2017
Category: Technology

TRANSCRIPT

New Capabilities. Cisco NGE for secure networks

Cisco – Secure Enterprise WLAN

Jay Pitcher – Technical Solutions Architect, [email protected]

Importance of 802.11ac Wave 2

Addressing Growth with 802.11ac Wave 2
• Highest Wi-Fi performance ever: higher data rate than the previous standard
• Wider channels allow more wireless data to pass
• Simultaneous data delivery to multiple devices, for highly demanding environments
• Better end-device efficiency: conserves end-device battery

Wi-Fi Connectivity Speed Timeline – Gigabit Wi-Fi as Primary Access

[Chart: maximum PHY data rate (Mbps) by standard and year, for 1, 2 and 3 spatial streams (SS), with the wired uplink needed at each step.]
• Standards and years, left to right: 802.11 (1997), 802.11b (1999), 802.11a/g (2003), 802.11n (2007), 802.11ac Wave 1 (2013), 802.11ac Wave 2 (2015/2016)
• Device classes: 1SS tablets/smartphones, 2SS laptops/tablets, 3SS desktops/laptops
• Uplink bands on the chart: Gigabit Ethernet uplink, 2 Gigabit Ethernet uplinks, Multi-Gigabit uplinks (Dual 5 GHz)
• Rate labels that appear on the chart (Mbps): 2, 11, 24, 54, 65, 300, 450, 600*, 290*, 870*, 1300*, 1730**, 2630**, 3500**, 5260**

* Assuming an 80 MHz channel is available and suitable
** Assuming a 160 MHz channel is available and suitable

Better Traffic Handling – 802.11ac Wave 2 with 160 MHz

Wider channels: 20–40 MHz before vs 80–160 MHz with 802.11ac Wave 2
• Wider channels allow more traffic to pass

Multi-User MIMO (MU-MIMO) vs Single-User MIMO (SU-MIMO)
• Multi-user, multi-in, multi-out: simultaneous data delivery to many devices
• MU-MIMO uses the channel to maximum capacity
• Devices get on and off the network quicker, allowing more devices to be served

New Products and Certifications

Cisco Unified Access Pillars: Unified Policy, Unified Management, Unified Network

Unified Policy – Identity Services Engine (ISE)
• Wired and wireless network: scalable network policy management for all forms of network access (LAN, WLAN and VPN)
• Secure Group Access (SGA): simplified role-based access control and enforcement based on context; avoids manual ACL/VLAN configuration
• Comprehensive guest management

Unified Management – Prime Infrastructure
• Single view for managing wired and wireless network elements
• Application visibility and assurance: deterministic end-user application experience across wired and wireless
• Third-party device management

Unified Network – Single Wired/Wireless Platform
• Common IOS operating system
• Common programmable fabric (UDAP ASIC), SDN ready
• Consistent functionality across wired and wireless: Application Visibility & Control (AVC), sub-second Stateful Switchover (SSO)
• Up to 200 APs in a mobility group

Certified Cisco Unified Access = Portfolio Leadership

[Figure: product portfolio with certification ("Cert") badges and "Next" markers; the badge-to-product mapping is not recoverable from the transcript.]
• Converged Access: 3850, 3650
• WLAN Controllers – Large Enterprise: 8540, 8510, 5520; Medium Locations: 5508; Small Locations: 2504, Mobility Express (ME)
• WLAN Access Points – Indoor APs: 3702, 2702, 1700, 1850/1830; Outdoor APs: 1572, 1532

Cisco Wireless Government Certifications – What's Certified:
• All Cisco 11ac and 11n Access Points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL listing for WLAS, WAB, WIDS
• Predictable wireless certification: the MD software release gets certified; common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution

Certifications (FIPS, CC, UCAPL, CSfC) tracked across releases 7.0, 8.0 and IOS 3.6; the per-cell marks of the original table are not preserved in the transcript.

Cisco Wireless Government Certifications – Tomorrow

What will be certified:
• All current controllers and .11n/.11ac APs
• New .11ac Wave 2 APs, 3802/2802
• 5520/8540 controllers
• New controller/mesh platforms
• Predictable wireless certification: the MD software release gets certified; common release for both Enterprise and Government customers
• Feature consistency and deployment flexibility
• Comprehensive certified end-to-end solution

Certifications (FIPS, CC, UCAPL, CSfC) tracked across releases 8.3 and 16.3; the per-cell marks of the original table are not preserved in the transcript.

Introducing the Cisco 5520 and 8540 – Feature-Rich, Multi-mode and Ready for Wave 2 802.11ac

Simplified Migration and Manageability
§ Right To Use licensing, ease of enablement and portability
§ Utilizes the new WLAN Express web GUI with best practices enabled
§ Allows an administrator to easily migrate configuration from a previous WLC

Services Ready
§ Ability to host multiple services such as Application Visibility and Control, Bonjour Services Directory, TrustSec, Guest, High Availability with SSO
§ Support for centralized, distributed and Mesh deployments

Built for addressing the scale of BYOD
§ 5520 scales up to 1500 APs and 20,000 clients
§ 8540 scales up to 6000 APs and 64,000 clients

Throughput to address the needs of Wave 2 11ac
§ 5520 supports 20 Gbps of throughput
§ 8540 supports 40 Gbps of throughput

Hardware Mechanical Details – 5520 WLC
Form Factor: 1 RU
IO Interface: Dual 1G or 10G with LAG
Operating Temperature: 5°C to 35°C
Storage Temperature: -40°C to 65°C
Storage: Solid State Drive (SSD)
Power Options: 770W AC with optional redundant PSU (hot-swappable)

Hardware Mechanical Details – 8540 WLC
Form Factor: 2 RU
IO Interface: Four 1G or 10G with LAG
Operating Temperature: 5°C to 35°C
Storage Temperature: -40°C to 65°C
Storage: Hot-swappable SSD with RAID
Power Options: 1200W AC or 930W DC, redundant PSU

Evolution of Wireless LAN Controllers – Enterprise Campus and Full-Service Branch

                          THEN: 5508                        NOW: 5520
APs / clients             500 APs, 7000 clients             1500 APs, 20000 clients
Throughput                8 Gbps                            20 Gbps
AP groups                 500                               1500
FlexConnect groups        100 (25 APs/FCG)                  1500 (100 Flex APs/FCG)
VLANs / interface groups  512 VLANs, 64 interface groups    4095 VLANs, 512 interface groups
PMK cache                 14000                             40000
Rogue APs / rogue clients 2000 / 2500                       24000 / 32000
RFIDs                     5000                              25000
APs per RRM group         1000                              3000
AVC flows                 100000                            320000

Evolution of Wireless LAN Controllers – Enterprise Large Campus, SP Wi-Fi and Large Branch Operations

                          THEN: 8510                        NOW: 8540
APs / clients             6000 APs, 64000 clients           6000 APs, 64000 clients
Throughput                10 Gbps                           40 Gbps
AP groups                 6000                              6000
FlexConnect groups        2000 (100 APs/FCG)                2000 (100 Flex APs/FCG)
VLANs                     4095                              4095
PMK cache                 40000                             64000
Rogue APs / rogue clients 24000 / 32000                     24000 / 32000
RFIDs                     50000                             50000
AVC flows                 320000                            320000

Innovations Only Cisco Delivers – Custom Engineered Hardware for Business Flexibility
• Optimized Roaming: intelligently connects the proper access point as people move
• Turbo Performance: scales to support more devices running high-bandwidth apps
• Cisco CleanAir®: remediates device-impacting interference
• Cisco ClientLink: improves performance of legacy and 802.11ac devices
• Expandability: add functionality via module, Smart Antenna port or USB port
• Radio Resource Management (RRM): automatic frequency and output power configuration and adjustments
• High Availability: controller Stateful Switchover for mission-critical reliability
• Application Visibility & Control: provides visibility and control over the applications that are used on the network
• VideoStream: reliable and scalable support for broadcast of rich media

Cisco Hyperlocation Technology & Solution
Granular indoor location accuracy to contextually connect users; engage and improve the guest experience

Before: location approximated from RSSI only, ±5 to 10 meter accuracy
• Room-level accuracy
• Range inferred, prone to errors
• Only RSSI calculation

After: direction to the client (angle of arrival, AoA) determined in addition to distance => ±1 meter accuracy
• High accuracy: "blue dot" spotlight projected at the user's feet
• Multi-locating technology: AoA plus RSSI
• Improved calculation

Recent Innovations

Innovation: Angle of Arrival (AoA) = ~±1 meter accuracy
• Different elements of the AP antenna array hear the signal a little earlier or later than the others; the difference is measured as the phase of the signal at each element
• Favors line-of-sight, with a high degree of accuracy in a 90 degree cone under the AP
• A wavefront is the set of rays at a common distance from the client. Each antenna element is a fraction of a wavelength closer to or farther from the client than its neighbor, and the exact value depends on the client location (directly underneath => 0, side-on => the element spacing)
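The geometry above, carried through as an added worked example (not from the original deck). Assumptions: a linear array with element spacing d, the client angle θ measured from the vertical under the AP, and a 5.5 GHz sample carrier; the numbers are illustrative.

```latex
% Path difference between neighbouring elements and the phase it produces
\Delta\ell = d\sin\theta, \qquad
\Delta\varphi = \frac{2\pi}{\lambda}\,\Delta\ell = \frac{2\pi d\sin\theta}{\lambda}

% Solving for the angle of arrival
\theta = \arcsin\!\left(\frac{\lambda\,\Delta\varphi}{2\pi d}\right),
\quad \text{unambiguous only while } |\Delta\varphi| \le \pi,\ \text{i.e. } d \le \lambda/2

% The two limits stated on the slide
\theta = 0 \;\Rightarrow\; \Delta\ell = 0 \ \text{(client underneath)}, \qquad
\theta = 90^{\circ} \;\Rightarrow\; \Delta\ell = d \ \text{(side-on)}

% Numbers: f = 5.5 GHz, lambda = c/f
\lambda = \frac{3\times10^{8}\ \text{m/s}}{5.5\times10^{9}\ \text{Hz}} \approx 5.45\ \text{cm},\quad
d = \lambda/2 \approx 2.7\ \text{cm},\quad
\Delta\varphi = \pi/4 \;\Rightarrow\; \sin\theta = \frac{\pi/4}{\pi} = \tfrac{1}{4},\ \theta \approx 14.5^{\circ}

% Why accuracy is best in the cone under the AP
\frac{d\theta}{d\Delta\varphi} = \frac{\lambda}{2\pi d\cos\theta}
\ \text{grows without bound as } \theta \to 90^{\circ}
```

The last line is the practical point: a fixed phase-measurement error maps to a small angle error near θ = 0 and a large one side-on, which is why the slide restricts the high-accuracy claim to the cone beneath the AP and why the element spacing must stay at or below half a wavelength to keep the phase reading unambiguous.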

Recent Innovations

Cisco Aironet Portfolio – Positioned to Capture the 802.11ac Wave 2 Transition
(Enterprise Class, Mission Critical, Best in Class; * = future availability)

1850
• 4x4:3SS, 80 MHz; 1.7 Gbps
• Spectrum Analysis*
• Internal or external antenna
• Tx beamforming
• 2 GE ports, USB 2.0
• Centralized, FlexConnect and Mobility Express

2800
• 4x4:3SS, 160 MHz; 5 Gbps
• 2.4 GHz, 5 GHz or Dual 5 GHz
• 2 GE ports
• Internal or external antenna; Smart Antenna Connector
• Enhanced Location* (external antenna)
• CleanAir 160 MHz, ClientLink 4.0
• USB 2.0
• Centralized, FlexConnect and Mobility Express*

3800
• 4x4:3SS, 160 MHz; 5 Gbps
• 2.4 GHz, 5 GHz or Dual 5 GHz
• 1 GE + 1 mGig (5G)
• Internal or external antenna; Smart Antenna Connector
• Enhanced Location* (external antenna)
• CleanAir 160 MHz, ClientLink 4.0, StadiumVision
• USB 2.0, modularity
• Centralized, FlexConnect and Mobility Express*

1810 Wall Plate
• 2x2:2SS, 80 MHz; 867 Mbps
• Tx beamforming
• 1 GE uplink port; 3 GE local ports, including 1 PoE out
• Local ports 802.1X ready
• Integrated BLE gateway*

1830
• 3x3:2SS, 80 MHz; 867 Mbps
• Spectrum Analysis*
• Internal antenna, Tx beamforming
• 1 GE port, USB 2.0
• Centralized, FlexConnect and Mobility Express

1810 Teleworker
• 2x2:2SS, 80 MHz; 867 Mbps
• 3 GE local ports downlink, including 1 PoE out
• One or two local ports can be tunneled back to corporate

* Future availability

Cisco Aironet Indoor Access Points Portfolio – Industry's Best 802.11ac Series Access Points

1830 (Enterprise Class)
• 802.11ac Wave 2, 870 Mbps PHY, 3x3:2SS
• Spectrum Analysis*, Tx beamforming, USB 2.0

1850 (Enterprise Class)
• 802.11ac Wave 2, 2.0 Gbps PHY, 4x4:4SS
• Spectrum Analysis*, Tx beamforming, 2 GE ports, USB 2.0

2800 (Mission Critical, new)
• 5 Gbps PHY, 4x4:3SS, 160 MHz, MU-MIMO
• 2 Ethernet ports (2x GbE), Dual 5 GHz
• HDX technology, USB 2.0, StadiumVision
• CleanAir 160 MHz, ClientLink 4.0, VideoStream

3800 (Best in Class, new)
• 5 Gbps PHY, 4x4:3SS, 160 MHz, MU-MIMO
• 2 Ethernet ports, GbE + mGig (1G, 2.5G, 5G), Dual 5 GHz
• HDX technology, USB 2.0, StadiumVision
• CleanAir 160 MHz, ClientLink 4.0, VideoStream
• Side-mount modular architecture

Comparing the Cisco Wave 2 AP Portfolio

                              Aironet 1830       Aironet 1850       Aironet 2800        Aironet 3800
Max data rate                 1.087 Gbps         2.4 Gbps           5 Gbps              5 Gbps
Gigabit / multigigabit ports  1 Gig              2 Gig              2 Gig               2 Gig, or 1 Gig + 1 mGig (1/2.5/5 Gig)
USB 2.0 port                  1                  1                  1                   1
Antennas: spatial streams     3x3:2SS, 80 MHz    4x4:4SS, 80 MHz    4x4:3SS, 160 MHz    4x4:3SS, 160 MHz
Control                       Appliance & virtualized control on all four models

The remaining rows of the original table (Spectrum Analysis, Tx beamforming, CleanAir / ClientLink, Dual 5 GHz radios, Optimized Roaming, FlexSmart optimized radios, Side-mount modularity, Smart Antenna Connector) were per-model check marks that the transcript does not preserve.

Power over Ethernet
• AP2800/3800 is fully supported under 30W (802.3at / PoE+) power
• LAG is supported on 2800/3800, or mGig can be used on the 3800
• New AIR-PWRINJ6 (low-cost 30W 802.3at injector) works with GbE for 2800/3800
• Local power supply for the 3800 (AIR-PWR-50)

Reforming 5 GHz to Optimize for 802.11ac – Future 5 GHz Opportunity
• More non-overlapping channels, enabling a better 802.11ac experience
• 6x 80 MHz channels (5 in Canada and Europe)
• 2x 160 MHz channels (1 in Canada)
• Additional 5 GHz spectrum liberalization (5.35–5.47 GHz and 5.85–5.925 GHz) would allow:

Channel bandwidth (MHz)   No. of non-overlapping channels
20                        37
40                        18
80                        9
160                       4

Regulatory Domain Update
• FCC
  § New "-B" regulatory domain version of existing APs coming in 1H CY16
    − 3600/2600/1600/702i/702w, 3700/2700/1700, and 3800/2800 Series
    − 1530/1570 and only H/S/WU from the 1550 Series
    − 1830/1850 and 1570 already support the -B reg domain
  § -B opens new channels 120, 124, 128, and catch-up for 144
  § Higher power allowed in UNII-1, some lower power limits in UNII-3
• Recent country migrations
  § Vietnam, Thailand, Macau moving to -S
  § Algeria, Kuwait, Tunisia moving to -I
  § Malaysia moving to -K
  § Pakistan moving to -G

Dynamic Bandwidth Selection (DBS)

Before – complex configuration and inefficient use of spectrum
• Radio Resource Management (RRM) selects the channel only
• Difficult to find non-overlapping channels
• 80 MHz channel 52/56/60/64: interference impacts the 80 MHz channel... what can I use?

After – automatic and intelligent use of spectrum
• RRM selects the channel and the channel width
• Automatic detection of non-overlapping channels (primary 20, secondary 20, secondary 40)
• 80 MHz channel 52/56/60/64: interference is impacting only channel 60, so 3x 20 MHz channels are still available, or 1x 40 MHz and 1x 20 MHz
• Gives confidence in deploying wider channels
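The width selection described on this slide, as an added example that is not Cisco's RRM code: a small Python model of how an algorithm can keep the clean parts of a bonded channel in service while respecting 802.11ac's aligned bonding (40 MHz pairs are 52+56 and 60+64, never 56+60). It generalizes past the slide's 80 MHz case to a 160 MHz block and to an operator cap on channel width; the interference sets are constructed input, and the "lowest channel is primary" rule is this example's assumption, not a Cisco rule.

```python
"""Dynamic Bandwidth Selection (DBS) over a bonded 5 GHz channel.

Added example, not Cisco code. 802.11ac bonding is hierarchical: a 40 MHz
channel is a fixed pair, an 80 MHz channel a fixed group of four, 160 MHz a
fixed group of eight. A clean 20 MHz channel is therefore only usable at a
given width if its whole aligned block is clean, which the recursive split
below enforces. Interference sets passed in are constructed, not measured.
"""

VALID_WIDTHS = (20, 40, 80, 160)


def _check_block(block):
    """A bonded block holds 1, 2, 4 or 8 contiguous 20 MHz channels (numbers step by 4)."""
    if len(block) not in (1, 2, 4, 8):
        raise ValueError("block must hold 1, 2, 4 or 8 channels")
    if any(b - a != 4 for a, b in zip(block, block[1:])):
        raise ValueError("block channels must be contiguous (step of 4)")


def dbs_plan(block, interfered, max_width=160):
    """Return the widest clean bonded channels inside `block`.

    block:      ascending 20 MHz channel numbers, e.g. [52, 56, 60, 64]
    interfered: set of 20 MHz channel numbers currently unusable
    max_width:  operator cap on channel width in MHz (20, 40, 80 or 160)
    Result:     list of (width_mhz, channels) in ascending channel order,
                covering every clean channel at the widest aligned width.
    """
    _check_block(block)
    if max_width not in VALID_WIDTHS:
        raise ValueError("max_width must be 20, 40, 80 or 160")
    width = 20 * len(block)
    if width <= max_width and not any(ch in interfered for ch in block):
        return [(width, list(block))]          # whole aligned block is clean: use it as is
    if len(block) == 1:
        return []                               # a single interfered 20 MHz channel is lost
    half = len(block) // 2                      # split on the 802.11ac bonding boundary
    return (dbs_plan(block[:half], interfered, max_width)
            + dbs_plan(block[half:], interfered, max_width))


def usable_mhz(plan):
    """Total bandwidth a plan keeps in service."""
    return sum(width for width, _ in plan)


def describe(plan):
    """Human-readable summary such as '1x40 MHz (52/56) + 1x20 MHz (64)'."""
    return " + ".join(f"1x{w} MHz ({'/'.join(map(str, chs))})" for w, chs in plan)


def primary_and_secondaries(plan):
    """Name the primary 20 MHz channel and the secondary parts of the plan's widest channel.
    Taking the lowest channel as primary is this example's assumption, not a Cisco rule."""
    if not plan:
        return {}
    width, chs = max(plan, key=lambda p: p[0])
    parts = {"primary20": chs[0]}
    if width >= 40:
        parts["secondary20"] = chs[1]
    if width >= 80:
        parts["secondary40"] = chs[2:4]
    if width >= 160:
        parts["secondary80"] = chs[4:8]
    return parts


if __name__ == "__main__":
    # The slide's scenario: 80 MHz channel 52/56/60/64 with interference on channel 60 only.
    plan = dbs_plan([52, 56, 60, 64], {60})
    print(describe(plan), "->", usable_mhz(plan), "MHz usable")
    print(describe(dbs_plan([52, 56, 60, 64], {60}, max_width=20)))   # the 3x20 MHz alternative
    # Generalised to a 160 MHz block with one bad 20 MHz channel.
    print(describe(dbs_plan([36, 40, 44, 48, 52, 56, 60, 64], {40})))
```

With interference on 60 the plan keeps 60 of the 80 MHz in service as 1x40 MHz on 52/56 plus 1x20 MHz on 64; capping `max_width` at 20 yields the slide's other option, three separate 20 MHz channels.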

Improve Connectivity to All Devices – ClientLink 4.0
Improves device performance

802.11ac Wave 2 access point with standard Tx beamforming: benefits only 802.11ac clients that support it
802.11ac Wave 2 access point with ClientLink: benefits 802.11a, 802.11g, 802.11n, 802.11ac Wave 1 and 802.11ac Wave 2 clients

Radio Role Flexibility: adjust radio bands to better serve the environment.

Innovations Only Cisco Delivers – Custom Engineered Hardware for Business Flexibility
• Optimized Roaming: intelligently connects the proper access point as people move
• Turbo Performance: scales to support more devices running high-bandwidth apps
• Zero Impact AVC: hardware-based Application Visibility and Control without impact to performance
• Cisco CleanAir®: remediates device-impacting interference
• Cisco ClientLink: improves performance of legacy and 802.11ac devices
• Expandability: add functionality via module, Smart Antenna port or USB port
• Multigigabit Uplinks: free up wireless with faster wired network offload (Gb+)
• Flex Dynamic Frequency Selection: automatically adjusts so as not to interfere with other radio systems

What is an XOR Radio?
• 2.4 GHz and 5 GHz on the same silicon
• Allows serving of either a 2.4 GHz or a 5 GHz channel
• Allows serial scanning of all 2.4 and 5 GHz channels
• Role selection is manual or automatic (RRM)

Flexible Radio Assignment – radio roles
• Default operating mode: serve clients on both 2.4 GHz and 5 GHz (one radio serving 2.4 GHz, the other serving 5 GHz)
• Dual 5 GHz: both radios serving clients on 5 GHz; maximum over-the-air data rate up to 5.2 Gbps
• Wireless Security Monitoring: the XOR radio scans both 2.4 GHz and 5 GHz for security threats while the other radio serves clients on 5 GHz
• Wireless Service Assurance*: proactively monitors network performance while the other radio serves clients on 5 GHz
• Enhanced Location*: improves client location accuracy while the other radio serves clients on 5 GHz

* Denotes feature availability post-FCS

Dual 5 GHz – Macro/Micro Cell Architecture
• Common in cellular deployments
• Method for addressing non-linear traffic requirements
• Allows more bandwidth to be applied to an area within a larger coverage cell
• Significantly increases airtime efficiency and capacity

AP2800/3800 Internal Antenna Hardware
Previously, in the controller, access point radios were defined as Radio 0 = 2.4 GHz and Radio 1 = 5 GHz.
Using Flexible Radio Assignment, Radio 0 can be configured as 2.4 GHz (default) or as an additional 5 GHz radio. If configured as a 5 GHz radio, the 2.4 GHz radio is disabled and the 5 GHz micro-cell antennas are used.
• Micro-cell antenna is 5 dBi at 5 GHz; macro-cell antenna is 6 dBi at 5 GHz
• The difference in antenna designs allows for RF co-existence
• Conventional AP footprint (macro-cell): uniform 360 degree coverage
• Smaller AP footprint (micro-cell): uniform 360 degree coverage, but for a smaller coverage area (high-density deployments)
• By using a spatially efficient, compact antenna design along with different channels and Tx RF power, both radios can co-exist internally

Dual 5 GHz External Antenna – Macro/Macro Cells
• Using the DART connector on the E model enables dual 5 GHz cells with external antennas
• Doubles the effective coverage for the cost of one additional antenna
• Doubles capacity on the existing cable plant
• Multi-gigabit port on the 3802 provides throughput investment protection
• A cable allows the secondary 5 GHz radio antenna to be physically spaced away from the primary radio, allowing macro/macro operation
• Stadium antenna deployments for different coverage areas or higher-density areas
• ANT-2566 in different directions, or even back-to-back tilted downward, for factory and warehouse deployments
• Omni + directional deployments

3802e, 3802p and 2802e Smart Antenna Connector
• Primary antenna connectors: dipole and cabled antennas
• Smart Antenna Connector: secondary 5 GHz cabled antenna, second cabled antenna or Hyperlocation antenna
• Side-mount modular slot (3800 only)

Meet Any Wi-Fi Use Case – Expandability and Investment Protection
[Figure: expansion options around the 3800: future Wi-Fi standard, IoT integration, custom compute platform, advanced security and spectrum analysis, 3G & LTE small cell, Bluetooth beacon, Hyperlocation antenna, stadium panel antenna, self-discover / self-configure, 3G/LTE backhaul, directional antennas, Bluetooth intelligence, 2.5–5 Gigabit port]

Offload Wireless Traffic Faster – Multigigabit Technology (recently announced)
• Cisco Multigigabit over standard Cat 5e/Cat 6 cables
• Delivers up to 5x the speed of a 1 Gigabit port in the enterprise without replacing the cabling infrastructure
• Supports PoE up to 60W
• 2.5–5 Gigabit port available on the 3800

Cisco Unified Wireless Principles
• Components
  • Wireless LAN controllers
  • Aironet access points
  • Management (Prime Infrastructure)
  • Mobility Services Engine (MSE)
• FlexConnect
• Converged Access
• Mesh network
  • Seamless roaming to the enterprise WLAN
  • Bridging

Recommended Certified Design
• Deploy the controller based on scale requirements
  • Smallest sites (< 5 APs): FlexConnect AP
  • Smaller sites (5–25 APs): 2504 WLAN Controller
  • Medium sites (25–300 APs): 5508 WLAN Controller
  • Larger sites (300+ APs): 8510 WLAN Controller
• Access point deployment: 2702/3702 802.11ac APs; 1572 outdoor mesh
• Services: virtual services on UCS servers; single server for PI, MSE, ISE; HA server for redundancy

Add Guest Services…
• Isolate guest traffic from local or enterprise traffic
• Utilize an anchor controller: guest traffic is tunneled to the anchor, and the client bridges onto the network only at the anchor controller
• Utilize the integrated controller guest portal or the ISE guest portal; ISE provides rich onboarding and sponsor options

Wireless Security – a Network Solution
Architecting "Network as a Sensor" and "Network as an Enforcer"

[Figure: sensors and enforcers sharing policy and context through ISE]
• Network sensors: network sensor (Lancope), Cisco AVC, wireless and wired infrastructure, Cisco routers / branch, 3rd-vendor devices
• Network enforcers: NGFW, NGIPS, TrustSec Security Group Tags
• Policy and context sharing: ISE, threat API, API (pxGrid), Cisco Collective Security Intelligence, protection of confidential data

Cisco Enterprise Network Visibility
• Device sensors/platforms: switch, router, AP, controller, firewall, VM
• Orchestration/management: APIC-EM, Prime, Web GUI
• 3rd-party visualization; 3rd-party security/billing

Cisco Next-Generation Encryption Protocol Suite

Function                  Algorithms
Key establishment         ECDH P-256/384/521
Digital signatures        ECDSA P-256/384/521
Hashing                   SHA-256/384/512
Authenticated encryption  AES-128/256-GCM
Authentication            HMAC-SHA-256/384/512
Entropy                   NIST SP 800-90 DRBG

Cisco NGE and Suite B
• NGE is a superset of Suite B: Cisco has additional cipher suites
• Upgrades all crypto mechanisms: new/upgraded algorithms, key sizes, protocols and entropy
• Compatible with existing security architectures, e.g., DMVPN, GETVPN, point-to-point SAs
• Standards-based components, available today in next-generation solutions
• Targets Suite B (US), FIPS 140 (US/Canada), NATO

[Figure: NGE (Cisco) drawn as a superset of Suite B (NSA)]

Commercial Solutions for Classified Program
• NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data
• This provides the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years
• CSfC program requirements are customer-driven: CSfC vendors do not request features or drive requirements
• http://www.nsa.gov/ia/programs/csfc_program/index.shtml

CSfC "Layered" Architectures for Classified
• Architectural, defense-in-depth (i.e. "layers") approach to security
• SECRET requires 2 layers of 'countable' crypto at mLoS (minimum level of security) 128
• TOP SECRET requires 2 layers of 'countable' crypto at mLoS 192
• Example: 1 + 1 = 2 'countable' layers is sufficient for protecting SECRET information
  • Countable layer #1: Suite B VPN (outer tunnel)
  • Countable layer #2: Suite B application-layer security
• Approved encryption technologies can vary at each layer

NGE vs Suite B vs CSfC
• NGE (Cisco) is a superset of Suite B (NSA): it includes older, transitional ciphers as well as Suite B-compliant and stronger ciphers
• Suite B is a consistent and specific implementation of cryptographic ciphers
• CSfC (NSA) is a layered architecture of Suite B-compliant COTS equipment
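The two preceding slides (the layered mLoS rule and the NGE/Suite B/CSfC distinction) turned into a checker, as an added example that is neither Cisco nor NSA code. It encodes the deck's rules: two countable layers, each at or above mLoS 128 for SECRET or 192 for TOP SECRET, with a layer only as strong as its weakest algorithm. Per-algorithm strengths are the NIST SP 800-57 equivalences (Suite B 128-bit = AES-128, P-256, SHA-256; 192-bit = AES-256, P-384, SHA-384), and RSA-2048 and 3DES at 112 bits stand in for the transitional ciphers that NGE still carries but that never count. The requirement that countable layers come from independent implementations is this example's assumption; the sample layer profiles are constructed and are not the negotiated suites of any real product.

```python
"""Checking a layered CSfC-style design against Suite B levels of security.

Added example, not Cisco or NSA code. Rules taken from the deck: SECRET needs
two 'countable' crypto layers each >= mLoS 128, TOP SECRET two layers each
>= mLoS 192, and a layer is only as strong as its weakest algorithm. The
independent-implementation rule is this example's assumption; the actual
diversity requirements live in the CSfC Capability Packages.
"""

MLOS = {"SECRET": 128, "TOP SECRET": 192}

# Security strength in bits (NIST SP 800-57 Part 1 equivalences).
STRENGTH = {
    "AES-128-GCM": 128, "AES-256-GCM": 256,
    "ECDH-P256": 128, "ECDH-P384": 192, "ECDH-P521": 256,
    "ECDSA-P256": 128, "ECDSA-P384": 192, "ECDSA-P521": 256,
    "SHA-256": 128, "SHA-384": 192, "SHA-512": 256,
    "RSA-2048": 112, "3DES": 112,   # transitional: present in NGE, below Suite B
}

ROLES = ("key_establishment", "signature", "aead", "hash")


def layer_strength(layer):
    """A layer is as strong as its weakest algorithm across the four roles."""
    strengths = []
    for role in ROLES:
        alg = layer[role]
        if alg not in STRENGTH:
            raise ValueError(f"{layer['name']}: unknown algorithm {alg!r}")
        strengths.append(STRENGTH[alg])
    return min(strengths)


def evaluate(layers, classification):
    """Return (approved, findings) for a list of layers at a classification.

    findings is a list of (check, passed) so a reviewer sees why a design
    fails rather than only that it fails.
    """
    mlos = MLOS[classification]
    findings, countable = [], []
    for layer in layers:
        strength = layer_strength(layer)
        passed = strength >= mlos
        findings.append((f"{layer['name']}: strength {strength} >= mLoS {mlos}", passed))
        if passed:
            countable.append(layer)
    findings.append((f"{len(countable)} countable layer(s), 2 required", len(countable) >= 2))
    independent = len({layer["impl"] for layer in countable}) >= 2
    findings.append(("countable layers come from independent implementations (example assumption)",
                     independent))
    return all(passed for _, passed in findings), findings


def _layer(name, impl, kex, sig, aead, hash_):
    return {"name": name, "impl": impl, "key_establishment": kex,
            "signature": sig, "aead": aead, "hash": hash_}


# Constructed profiles mirroring the deck's Campus WLAN and Mobile Access pictures.
WLAN_OUTER = _layer("WLAN outer layer (WPA2 + AES-256 CAPWAP)", "wlc",
                    "ECDH-P256", "ECDSA-P256", "AES-256-GCM", "SHA-256")
VPN_INNER = _layer("Suite B VPN inner layer", "vpn-client",
                   "ECDH-P384", "ECDSA-P384", "AES-256-GCM", "SHA-384")
APP_LAYER = _layer("Suite B application-layer security", "app-tls",
                   "ECDH-P384", "ECDSA-P384", "AES-256-GCM", "SHA-384")
LEGACY_VPN = _layer("Transitional VPN", "legacy-vpn",
                    "RSA-2048", "ECDSA-P256", "AES-128-GCM", "SHA-256")


if __name__ == "__main__":
    for layers, cls in (([WLAN_OUTER, VPN_INNER], "SECRET"),
                        ([WLAN_OUTER, VPN_INNER], "TOP SECRET"),
                        ([VPN_INNER, APP_LAYER], "TOP SECRET"),
                        ([WLAN_OUTER, LEGACY_VPN], "SECRET")):
        approved, findings = evaluate(layers, cls)
        print(cls, "APPROVED" if approved else "REJECTED")
        for check, passed in findings:
            print("  ", "ok  " if passed else "FAIL", check)
```

The WLAN_OUTER profile is the point worth noticing: AES-256 over the air, which the deck lists as an unwritten requirement, does not by itself lift a layer to the 192-bit level if its key establishment and signatures stay on P-256, so that layer counts toward SECRET but not TOP SECRET. The transitional RSA-2048 layer illustrates why NGE being a superset of Suite B matters: a product can support NGE and still negotiate a suite that is not countable.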

Cisco Wireless Infrastructure APL Listed – over 20 product categories across 8 CSfC components

Campus WLAN Capability Package
• The WLAN provides the outer layer of security: WPA2 over the air, plus an AES-256 encrypted CAPWAP outer tunnel
• A common outer layer can support multiple inner layers (based on the 1.8 draft)
• The outer tunnel carries traffic to the unclassified network
• Use a VPN (AnyConnect) for the inner layer of security: Suite B VPN countable layer, inner tunnel

Campus WLAN Capability Package (cont.) – potential unwritten requirements
• 500 m standoff from the facility perimeter
• Over-the-air AES-256 crypto
• Requires an approved WLAN client; client hardening requirements
• https://www.nsa.gov/resources/everyone/csfc/components-list/#wlan-client


Mobile Access Capability Package
• Security traverses the unclassified network
• The security enclave is relevant to LAN, WAN and WLAN
• CSfC security is an enterprise network resource
• Countable layer #1: Suite B VPN (outer tunnel); countable layer #2: Suite B VPN or application-layer security (inner tunnel)

Mobile Access Capability Package (cont.)
• Primary CP being used for WLAN deployments
• Allows the WLAN to stay black (carrying only encrypted traffic); supports unclassified networks
• Allows application-layer security for the 2nd tunnel: secure VDI, Jabber, any application; coexists with the VPN tunnel
• Cisco 5921 now listed as an approved VPN client: can now provide 2 layers of VPN

Cisco as the Single-Vendor, Multi-Platform Option for CSfC
• Allows the Cisco ASA to be used as an inner or outer VPN gateway when paired with an approved IOS/IOS-XE VPN router

Plan for CSfC Success
• Understand the effort for an approved solution: engagement with CSfC, registering the system
• Engage with a CSfC Trusted Integrator
• Keep it simple, then grow (crawl, walk, run, fly…)
  • Site to site
  • Site to site over wireless mesh
  • Portable solution over WLAN to a client device: laptop over WLAN, mobile device over WLAN

Wrap up…
• 802.11ac Wave 2: the future Cisco certified WLAN solution
• 2800/3800 .11ac Wave 2 AP, the enterprise standard
• Dual-radio capabilities
• Secure wireless deployment options
• Part of the secure network

Q & A