zack schaefer - cisco© 2011 cisco and/or its affiliates. all rights reserved.© 2010 cisco and/or...

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1

Zack Schaefer Mobility Technical Solutions Architect

September 2012

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Twitter:

• @Cisco_Mobility

Facebook:

• www.facebook.com/CiscoWireless

Web

• cisco.com/go/wireless

TechWiseTV

• techwisetv.com

Mark Your Calendars! Next Webinar:

High Density Wireless for Higher Education: September 27th 8:AM (PDT)


2

1 Mobility Best Practices for BYOD Deployments

Security Solutions for BYOD Deployments


The Evolving Workplace Landscape

Executive

Employee

IT

• Anywhere, anytime,

any device usage

• Work is a function

—Globally

dispersed, mixed

device ownership

• Change in IT control

and management

paradigm

• Enterprise

provided mobile

devices

• Work is a place

you go to—

limited off

campus access

• IT visibility and

control into user

devices and

applications

NEW SCHOOL OLD SCHOOL


Driven by Demand for Mobility

Traditional Modernized Revolutionize

Apps Apps

WinXP WinXP

Virtual Apps

Thick Client HVD HVD

Zero

Client

Thin

Client

HVD

Mobile

Client

Virtual

Apps

Virtual

Apps

Virtual

Apps

Centralized provisioning, management

and security for users and applications

Virtualized Platforms

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 6 Cisco Confidential 6 © 2010 Cisco and/or its affiliates. All rights reserved.

TIME

• 7.7 billion new Wi-Fi enabled devices will enter the market in the next five

years.*

• 1.2 billion Smartphones will enter the market over the next five years,

about 40% of all handset shipments.*

• Smartphone adoption growing 50%+ annually.**

• By 2012, more than 50% of network devices will ship without a wired

port.***

• A 7x increase in capacity with the Introduction of 802.11n

Source: *ABI Research, **IDC, *** Morgan Stanley Market Trends

• Unified Access is a reality – Not wired or wireless anymore

• BYOD (Bring Your Own Device) phenomena is here

• Increase in capacity = increase in applications

• Device (corporate or private) On-boarding is a challenge for companies

• Mobile collaboration applications are here


Mobility Best Practices for BYOD Deployments


Some Questions to Consider

Do I have the WLAN capacity to support increase in mobile devices?

How do I ensure business critical WLAN reliability?

How do I enforce security policies on non compliant devices?

How do I grant different levels of access to protect my network?

How do I ensure data loss prevention on devices where I don’t have visibility?

How should I address the cool kids (tech-savvy) who trade-up to new devices? New Policy?

How do I protect my Intellectual Property/personal information?


1

2

3

4

5

6

Follow these steps:

Start Migration to 802.11n to Enhance Network Performance

Properly Configure for High Density Wireless Deployments

Improve Reliability and Coverage with Cisco ClientLink2.0

Detect and Mitigate RF Interference with Cisco CleanAir

Improve Video Applications with VideoStream

Implement Cisco Radio Resource Management


• 802.11n optimizes high bandwidth data, voice and video applications on Wi-Fi enabled devices

7x higher throughput

More reliable and predictable coverage

• Backwards compatibility with 802.11a/b/g clients

Advantage

Challenge

• Scaling a growing number of tablets and mobile devices accessing bandwidth intensive applications across the WLAN

Primary 802.11n Components

Multiple Input Multiple Output (MIMO)

• Maximal Ratio Combining

• Beam forming

• Spatial multiplexing

40 MHz Channels

• Two adjacent 20 MHz channels are combined to create a single 40 MHz channel

Improved MAC Efficiency

• Packet aggregation

• Block Acknowledgements

Enables Throughput and Coverage Needed to Scale Mobile Devices


• Avoids the crowded 2.4GHz Band

• Allows for wider Channels

Operating in the 5Ghz Band Only

• More potential bandwidth available Wider RF Channels: 80MHz and 160MHz

• Expect 3SS (Spatial Streams) initially with future implementation going to 4SS

Number of Spatial Streams: 1 to 8

• ~30% more efficient Modulation: 256 QAM

• APs can transmit to multiple downstream clients simultaneously

MU-MIMO (Multi-User MIMO) Support

• From a minimum of 290Mbps up to 6.9Gbps theoretical maximum

Data Rates


802.11ac module antennas

fully integrate into the AP for

aesthetics and excellent RF

performance

Leverages same modular

architecture as the Security

Monitor Module

Target FCS

Q1 CY13

Wave 1 (2013) - 290 Mbps - 1.3 Gbps

Wave 2 (2014) - 3.5 Gbps


AP Model

Wi-Fi Standards

Radio Design

Clean Air

Client Link

Band Select

Video Stream

Rogue AP Detection

Adaptive wIPS

OfficeExtend

FlexConnect

Wireless Mesh

Autonomous IOS

Data Rate

3600 Series 2600 Series 600 Series

1.3 Gbps

✔ ✔

✔ ✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

✔

450 Mbps 300 Mbps

802.11a/b/g/n 802.11a/b/g/n 802.11a/b/g/n

4X4:3 3X4:3 2X2:2

Client Link 2.0 Client Link 2.0

Mod. Support (Mon./11ac) ✔


• These RF design best practices help fine tune the network in advance to accommodate high density areas

i. Assess the application’s Bandwidth Requirements Per user

ii. Define the supported wireless protocols—calculate required channels

iii. Optimize the Installation

Advantage

Challenge

• Properly configuring the WLAN to provide reliable network access to Wi-Fi enabled devices users in increasingly concentrated areas

Efficient RF Design Improves Coverage for Mobile Devices in Concentrated Areas

36 48 60 100 132 149

116 64 52 44 104 36


Assess Application Bandwidth

Requirements and Protocols that will be

supported

• Determine the bandwidth required for each user of the target application

Determine the minimum acceptable

throughput applications require—

design for the highest bandwidth

requirement

• Multiply this number by the number of connections/seats that you need to support

• This is the aggregate bandwidth you will require in your space

• Divide the aggregate by the protocol throughput to determine number of channels required in the space

Application Use Case Throughput

(Mbps)

Web – Casual 500 Kbps

Web – Instructional 1 Mbps

Audio – Casual 100 Kbps

Audio – Instructional 1 Mbps

Video – Casual 1 Mbps

Video – Instructional 2-4 Mbps

Printing 1 Mbps

File Sharing – Casual 1 Mbps

File Sharing – Ins. 2-8 Mbps

Device Backups 10-50 Mbps


Protocol Selection—Important? Why?

802.11 b/g/a/n and Duty Cycle

1

250 300 200 100 DSSS 350

Beacon Size (Bytes)

2

5.5

11

896

496

241

169

1969

896

387

241

2096

1096

460

276

2496

1296

532

314

2896

1496

605

351

OFDM

6

12

24

54

153

87

53

35

287

153

87

50

353

187

103

57

420

220

120

64

487

253

137

72

130

300

26

23

32

25

35

27

38

28

42

29

Time µS


Optimize the Installation

• Configure 2.4 GHz for 20MHz and three non-overlapping channels/cells

Provides greater flexibility for access point placement for optimal coverage and capacity

• Disable lower data rates in 2.4GHz

• Encourage clients to use 5-GHz by enabling Cisco BandSelect

BandSelect directs clients to 5 GHz optimizing RF usage

Better usage of the higher capacity 5GHz band

Frees up 2.4 GHz for single band clients

• Consider using DFS Channels— Supported by Apple iPad, Intel 5100/5300/6200/6300 radios, Androids such as Samsung Galaxy DO NOT support DFS channels yet.

5 2.4

802.11n

Dual-Band Client Radio 2.4/5GHz

Discovery Probes

Looking for AP

Discovery

Response


Up to 65% Increase

in Throughput

Up to 27% Improvement

in Channel Capacity

802.11a/g Without ClientLink

and Beam Forming

Existing 802.11n

Solutions Beam Strength

Not Directed to Client

802.11a/g With ClientLink and

Beam Forming

Increases Overall Wireless System Capacity in Mixed Client Environment

38% Less

Battery Drop

Cisco ClientLink Improves Performance

Dis

ab

led

En

ab

led


• CleanAir uses silicon-level intelligence in the

access point to improve Air Quality and mobility

experience of end-users

Detects and classifies interference

Locates problem sources

Automatically avoids interference

Advantage

Challenge

• Identifying and managing sources of RF interference that impact application performance on mobile devices

Improves Connectivity of Mobile Devices by Eliminating Impact of Interference

Maintain Air Quality

GOOD POOR

CH 1 CH 11


• CleanAir Radio ASIC

• Detect Wi-Fi and

non-Wi-Fi interference

sources

• Assess impact

to Wi-Fi performance

• Proactively change

channels when

interference occurs

• Monitor air quality

100

63

97

35

20

Detect | Classify | Locate | Mitigate

90


• Provides HD multicast video by protecting QoS of all streams with Prioritization and RRC

Advantage

Challenge

• Delivering high quality multicast video on mobile devices at scale

Primary 802.11n Components

Efficiently Scales Enterprise-Class Video Collaboration on Mobile Devices

Stream Prioritization Resource Reservation Control

MULTICAST STREAM

AP

UNICAST STREAMS

AP WLC

COMPANY ALL HANDS

TRAINING PROGRAM

LIVE SPORTING EVENT

AP

VIDEO NOT AVAILABLE


Challenge - Simplifying RF Management to improve coverage and network performance

• Dynamic Channel Assignment Changes in “channel / air quality” are monitored, and Access Point channel assignment is changed when deemed appropriate to preserve predictability

• Transmit Power Control Transmit Power is adjusted down or up based on radio to radio pathloss calculation when deemed appropriate to preserve predictability

• Coverage Hole Detection and Mitigation Transmit Power is adjusted up on Access Points when coverage holes are detected and deemed appropriate to preserver predictability


Security Solutions for BYOD Deployments



How do I keep this flood of new devices off my network?


How do I deal with people who trade-up to new devices?

How do I ensure data loss prevention and malware protection?


How does remote access differ from local LAN access?

Do I have the WLAN capacity to support increase in mobile devices?

How do I ensure business critical WLAN reliability?



How do I ensure data loss prevention on devices where I don’t have visibility?

How should I address the cool kids (tech-savvy) who trade-up to new devices? New Policy?

How do I protect my Intellectual Property/personal information?













• Security?

• Which are corporate devices?

• What corporate data is on these devices?

• Are there any legal concerns?

• Friend or Foe?

• Managed vs. UnManaged


Supply Partner

Unmanaged desktop; complex support issues

Requires limited access to corporate resources

Contractor, Temp

Access requirements vary greatly. Unmanaged or managed devices; access needs to be limited

Employee

Managed desktop; potentially unmanaged

personal devices

Full access for managed devices

Teleworker

Managed desktop; unmanaged

personal devices

Requires consistent LAN-like performance


Employee

Partial

Corporate

LAN Access

Full

Corporate

LAN Access

Guestnet /

Deny

Managed /

UnManaged

Asset

Role

Contractor

Vendor /

Guest

Managed

UnManaged

Managed

UnManaged

UnManaged


IDENTITY PROFILING

VLAN 10

VLAN 20

Wireless LAN Controller

DHCP

RADIUS

SNMP

NETFLOW

HTTP

DNS

ISE

Unified Access Management

Single SSID

802.1x EAP User Authentication

1

HQ

2:38pm

Profiling to identify device

2

6

Full or partial access granted

Personal asset

Company asset

3

Posture of the device

Policy Decision

4

5

Enforce policy in the network

Corporate

Resources

Internet Only


Reduced Burden on IT Staff

Device On-boarding, Self Registration, Supplicant Provisioning *

Self Service Model

My Device Registration Portal*, Guest Sponsorship Portal

On-Boarding Differentiators Supplicant provisioning on all major platforms

In-band and out-of-band asset registration portal

Self-service, user based registration portal

Flexible dot1x profiles—Common profile for all platforms or platform specific

Provisioning of certs with additional attributes like UDID, MAC add etc

Certificate based differentiation of service and anti-cert copying

Black-listing and re-instating of devices

Reduced Burden on Help Desk Staff

Seamless, Intuitive End user experience

New Features for zero touch on-boarding


Internet

IronPort Web Security Appliance

Adaptive Security Appliance

AnyConnect


Existing Architecture

Leverage Current Investments

Leverage On-Premise Security

Centralized Policy Enforcement

Malware Threat Protection

AnyConnect Always-On VPN

Remote User

Main Office

Data Center

Branch Office

CENTRALIZED SECURITY

Traffic Backhauled

IronPort Web Security

Appliance

Acceptable Use Policy


Main Office

Data Center

Internet Café

Internet Café

Mobile User

Mobile User

Cloud Security

Malware Threat Protection

Acceptable Use Policies

Security and VPN Clients

Distributed Policy Enforcement

VPN Data Center Access

Minimum Backhaul

DE-CENTRALIZED SECURITY


Only Cisco can tie all the pieces together!

NCS Prime

ISE

Cisco WLAN

Controller

AC NAM (Win Only)

Wired Network Devices

Cisco Catalyst

Switches

AC NAM (Win Only)

3rd Party

MDM Appliance

CSM / ASDM

MDM Manager

AC VPN (All Mobile)

AC Cloud Web Security (All PC’s)

IronPort WSA


Why Cisco?


802.11ad (60GHz)

WiGig

802.11af (TVWS)

802.11ac (>1Gb/s)

Wi-Fi VHT5G

802.11y (3.6GHz)

802.11ae (QoS

for management)

Key

802.11 amendment

Wi-Fi certification

Blue = complete

Red = in development

Cisco Active

Cisco Driven

CCX Driven

802.11n (>100Mb/s)

Wi-Fi 11n

802.11w (MFP)

MFP

802.11u

Hotspot 2.0

802.11aa (Video)

802.11v (Manage)

WNM

802.11j (Japan)

802.11a/g (54Mb/s)

Wi-Fi 11a/g

802.11i (Security)

WPA2

802.11r (Roaming)

Voice-Enterprise

802.11h (DFS)

Standard Wi-Fi

802.11e (QoS)

WMM, WMM-AC

802.11k (Measure)

Voice-Enterprise

CONNECTIVITY

SECURITY

SEAMLESS

SPECTRUM

APPLICATIONS

MANAGEMENT


WLAN LAN

VPN

Web Security BYOD / NAC

Unified

Communications


• Prepare your wireless network for the heavy demands that BYOD will put on them

• Start with 802.11n and plan for 802.11ac

• Start developing BYOD policies now

• Tools such as ISE can help you embrace BYOD as well as enforce your policies

• Ensure that you have an architecture in place that is nimble enough to protect your mobile endpoints


Twitter:

• @Cisco_Mobility

Facebook:

• www.facebook.com/CiscoWireless

Web

• cisco.com/go/wireless

TechWiseTV

• techwisetv.com

Mark Your Calendars! Next Webinar:

High Density Wireless for Higher Education: September 27th 8:AM (PDT)


Thank you. Thank you.

zack schaefer - cisco© 2011 cisco and/or its affiliates. all rights reserved.© 2010 cisco and/or...

Documents