How to Build a Campus Network to Embrace the e-Learning Era v2.10


Page 1

Clement Tam

How to build Campus Network to embrace e-Learning Era 2.10

Unified Access for Education

One Policy – One Management – One Network

Andy Lam

15th June, 2013

Page 2

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Perfect Campus Infrastructure

[Diagram labels: Internet; Application Firewall; Core Switch & Wireless Controller; One Management Tool for Wired and Wireless; Identity Services Engine; Edge Switches; Access Point (AP); Floor 1 to Floor 4; Hall (High Density AP); Building / Classroom; Playground (Outdoor AP)]

Page 3

• Preparing students for success in the global economy

• Keeping students fully engaged – Adaptive Learning

• Obsoleting traditional textbooks for E-Textbooks

• Implementing mandated Online Testing

• Protecting student and school district data

• Providing safe learning environments

• BYOD for faculty, staff, students, and parents

• Tech savvy students

Page 4

Wish List

Authentication Services: I only want to allow the “right” users and devices on my network

Authorization Services: I want users and devices to receive appropriate network services

Guest Lifecycle Management: I want to allow guests into the network and control their behavior

Profiling Services: I need to allow/deny iPads in my network (BYOD)

Posture Services: I want to ensure that devices on my network are clean

Secure Groups Access: I need a scalable way of enforcing access policy across the network

Identity Services Engine: Simplified Policy Management

Page 5

Wired+Wireless+WAN Policy/Guest Management

Improved Control

BEFORE: Separate Policy And Guest Management (Wired | Wireless | WAN)

AFTER: Unified Context-based Policy Management for Employees and Guests Across The Network

Who? What? When? Where? How?

• Account for every device and block unwanted devices

• AAA + profiling, provisioning, and posturing = secure BYOD

Simple | Unified | Automated

Provides Unparalleled Control

Page 6

5 Dimensions of Policy and Provisioning

IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy

[Table residue; the row layout did not survive extraction. Values shown per column:]

User: Guest | Student | Faculty

Device: Personal Device | Faculty Device

Access Method: Wired | Wireless | VPN

Location: Anywhere | Classrooms | Library

Time: Anytime | M–S 8 am–6 pm

Policy: Captive Portal | DMZ Guest Tunnel | Guest VLAN | Student VLAN | Student ACL | Faculty VLAN | Faculty ACL

Page 7

Example K-12 Education Walkthrough—Guest

Account Sponsorship: Approved Sponsor Creates Account.

Account Notification: Credentials Automatically Provided to Guest Via Email, SMS, or Printed Receipt

Captive Portal: Web Browser Redirects to Login Screen

User Can Manage Access for Their Own Device

Access Granted: Successful Authentication

• Isolated Guest Network on DMZ

• Role Based Policy Applied

• User granted access to Internet

[Diagram labels: ISE (Policy / Guest Engine); Internal WLC; Anchor WLC; Guest User on DMZ; DMZ; Internet]

Page 8

Wish List

Planning Services: I want clear visibility into the RF environment

Discovery Services: I want to discover and inventory any and all devices attached to the network

Deployment Services: I want flexible and easy to use templates and deployment tools

Monitoring Services: I want to monitor the LAN, WLAN, and WAN with a single application

Troubleshooting Services: I want to troubleshoot the LAN, WLAN, and WAN from a single application

Compliance Services: I need to monitor and audit system-wide configurations for compliance purposes

Prime Infrastructure: Simplified Network Management

Page 9

Single Pane of Glass View and Management of WLAN – LAN – WAN

Improved Visibility

BEFORE: Separated management (WLAN | LAN | WAN)

× Siloed: Inefficient operational model

× Repetitive: Manual correlation of data

× Error Prone: Consumes time and resources

AFTER: Comprehensive User and Unified Access Network Visibility and Advanced Troubleshooting (WLAN | LAN | WAN + Identity)

Simple: Improves IT efficiency

Unified: Single view of all user access data

Advanced Troubleshooting: Less time and resources consumed

Provides Unparalleled Visibility

Page 10

Next-Gen Maps

• Reduced Clutter • Faster Loading • Better Navigation • Scalable Vector Graphics • High quality images with zoom in/out

[Map legend: Grey: Disconnected AP; Yellow: AP w/ unresolved non-critical alarms; Red: AP w/ critical alarms; Active rogue APs; 802.11u location specific service; Zoom & Pan controls]

Page 11

Experience

Analysis

Server

Page 13

Chip Level Proactive and Automatic Interference Protection

Improves Performance and Predictability

BEFORE: Wireless Interference Decreases Reliability and Performance

AFTER: CleanAir Mitigates RF Interference, Improving Reliability and Performance

[Chart labels: Wireless Client Performance; Air Quality; Performance]

Page 14

High Resolution Interference Detection, Classification, and Mitigation at Chip Level

Detect | Classify | Locate | Mitigate

• CleanAir radio ASIC

• Detect Wi-Fi and non-Wi-Fi interference sources

• Assess impact to Wi-Fi performance

• Proactively change channels when interference occurs

• Monitor air quality


Page 15

Identify, Analyze, and Optimize Application Traffic

Improved Visibility and Control

BEFORE: Application View and Control Based On L4 Firewall Sessions

First Generation Firewall: Visibility to the port level interaction but not the applications running within the port

FW L4 Session Visibility and Control: HTTP = 75% | SMTP = 15% | FTP = 2% | Telnet = 1% | SNMP = 3%

AFTER: Network Based Application Recognition – NBAR2 Deep Packet Inspection and App ID

View, Control and Troubleshoot – End User Application Experience

[Diagram labels: Traffic; Wireless LAN Controller; NBAR2 LIBRARY, Deep Packet Inspection; Real Time, Interactive, Non-Real Time, Background; POLICY: Packet Mark and Drop]

Provides Unparalleled Visibility and Control

Page 16

Reduces Coverage Holes/Improves Both Upstream and Downstream

Improves Predictability and Performance

[Figure: ClientLink Disabled vs. ClientLink Enabled. Rates shown in each panel: 450 Mbps, 300 Mbps, 150 Mbps, 65 Mbps, 6 Mbps. Labels: Beacon Rate; Connection Rate]

Page 17

802.11ac = game changer

[Figure: 802.11 data rate timeline with years 1999, 2003, 2007, 2013, 2014. 802.11: 2 Mbps. 802.11b: 11 Mbps. 802.11ag: 54 Mbps, 24 Mbps. 802.11n: 600 Mbps, 450 Mbps, 300 Mbps, 65 Mbps. 802.11ac Wave 1 (2013): 6900 Mbps, 1300 Mbps, 870 Mbps, 290 Mbps. 802.11ac Wave 2 (2014): 6900 Mbps, 3500* Mbps, 1730* Mbps, 290 Mbps. Other labels: 1 Spatial Stream, 3 Spatial Streams, 8 Spatial Streams; Gigabit Ethernet Uplink; 2 Gigabit Ethernet Uplinks]

* Assumes 160MHz channel width is available and usable

(blank) | 802.11n | 802.11ac

Band | 2.4GHz & 5.0GHz | 5.0GHz only

PHY Rate | 65 Mbps – 600 Mbps | 290 Mbps – 6.9 Gbps

MAC Throughput | 45 Mbps – 420 Mbps | 194 Mbps – 4.8 Gbps

Spatial Streams | 4 | 8

Modulation | 64 QAM | 256 QAM

Channel Width | 20 or 40 MHz | 20, 40, 80, *80+80, 160 MHz

Key benefits:

• Increased speed

• Improved battery life

Page 18

Wired-Like Video Delivery over Wireless

Improves Predictability and Performance

BEFORE: Manual RF Management

AFTER: Dynamic RF Management

[Figure labels: High School; Superintendent | Classroom | K12 (shown in both panels)]

Page 19

Apple Bonjour and other consumer protocol service gateway.

Bonjour Services Directory: Apple Bonjour discovery, advertisement and policy

Enterprise / Higher Education / K-12

BEFORE: Isolated Apple Bonjour Network

Isolated Services | No Network Policy | L2 Only

[Diagram labels: Routed Network; Apple TV; Apple TV; Printer; WLAN; mDNS & Bonjour Services NOT Routed]

AFTER: Bonjour Discovery, Advertisement & Policy

Service Cache and advertise | VLAN and WLAN Policy Enforcement | Services Across L3 boundary

[Diagram labels: Routed Network; Apple TV; Apple TV; Printer; WLAN; WLAN Controller; mDNS Profiles Policy & Control]

Page 20

Sub Second Recovery / Convergence for Both WLAN and LAN

Improves Predictability

BEFORE: WLAN and LAN Recovery / Convergence Times Significantly Different

× WLAN: 30+ second recovery / convergence

LAN: Sub second recovery / convergence

AFTER: WLAN and LAN Recovery / Convergence Times Are Both Sub Second

WLAN: Sub second recovery / convergence

LAN: Sub second recovery / convergence

AP State Sync | AP Failover | N+1 Redundancy | AP Resiliency

High Availability Provide Mission Critical Support

Page 22

Simplify IT Operations with One Policy – One Management – One Network

• Visualize and control what applications are running on the network

• Make sure that policy follows the user wherever they go on the network

• Easily manage onboarding and access rights for students, faculty, staff and guests

• Enables you to “say yes” to BYOD without increasing your IT staff

• Delivers the most predictable user experience in the industry

Page 23

Thank You