Secure Wireless: Advanced, Secure, Certified, Proven
Kurt Sauter – Product Specialist - Mobility
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Introduction
• Gigabit Wi-Fi
• New Products
• Management
• CSfC
• Q&A
Digital Transformation: Accelerate Business Processes, Introduce New Innovative Offerings
• UPS Tracking: Data Driven Business Intelligence
• Mobile Point of Sale: Payments on Phone or Tablet
• Starbucks Apps: Customer Loyalty and Transactions
• Philips Connected Lighting: Custom Settings, Building Intelligence
• Nike Digital Sport: Digital Performance Coaching
Digitization Impacts All Sectors
Healthcare, Government, Manufacturing, Education, Financial
Evolution of the Open Office: Open Workspace
• High Performance Wi-Fi While Leveraging Location-based Solutions Like CMX
• Reliably Connect Employees and Devices for Business Critical Applications such as Wi-Fi Calling and Video Services
• Dynamically adapting the network to provide optimal user experience
Internet of Things
Figure labels: Motion and Ambient Light sensors; Troffer; DownLight; Wall Control; Switch back / front
Improved Parking Experience
• Monitor and Manage Parking Spaces
• Guidance to the Available Parking Space
Figure labels: No Parking Zone; Parking Sensor
DoD Wireless Applications
Increased Adoption and Uses, Increasing Efficiencies
• Mobile Devices
• Security and Compliance
• Classrooms, Training, Briefing Centers
• DISA STIGs require WIDS to monitor the air, wired or wireless network (DoD Instruction 8420.01)
DoD Wireless Applications
Increased Adoption and Uses: New Applications, Increased Efficiencies
Areas: Logistics / Retail; Outdoor; Command Centers
• Barcode Scanners, RFID Tags
• CoC Tents, Reduce Cabling
• Field Data, Range Monitoring
DoD Wireless Applications
Increased Adoption and Uses: New Applications, Increased Efficiencies
Areas: Wireless Asset Tracking; Surveillance; Flight Line
• Perimeter Security
• High Value Asset Tracking
• Theft Prevention
• Maintenance Instructions
DoD Wireless Applications
Increased Adoption and Uses: New Applications, Increased Efficiencies
Areas: Barracks / MWR; Pier Side; Medical / Field Hospitals
• Ship to shore
• Maintenance work
• Surveillance
DoD Wireless Applications
Increased Adoption and Uses: New Applications, Increased Efficiencies
Areas: Guest User Access; Wireless/Wired Voice; Wireless SIPRNet
• CSfC
• Sponsor Guest Users
• Isolate guest traffic
DoD Wireless Applications
Outdoor Wireless
• Tactical, Logistics
• Outdoor
• Rapid Deployment
• 1572 Mesh Access Points
Expanding mobile use cases
• BYOD
• Company Purchased
• Basic Communications
• Transforming Work
• Mobile Transactions
iOS dramatically better on Cisco networks
Enterprise voice integration with iPhone
• Seamless collaboration for mobile workers
• iPhone integrated with enterprise voice
Diagram labels: PBX; Telco switch; LAN; Corporate WAN; VoIP; Internet; Cisco Collaboration Cloud
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco and Apple Together for a Better End-User Experience
• Improve device efficiency through joint tested standards-based functionality
• Analyze and prioritize Apple-based applications
• Minimize impact of Apple upgrades by accessing local instances on Cisco® ASRs
• Display content from Apple devices wirelessly
Wireless Architecture Overview
Basic Wireless Deployment
Wireless Controller
Wireless Access Points
Intranet
Advanced Wireless Deployment
Diagram labels: Wireless Controller; Wireless Access Points; Intranet; Location data
• Mobility Services Engine (MSE)
  1. MSE detects Rogue APs and Threats
  2. Provides Location Tracking of devices
• Identity Services Engine (ISE): Authentication and Policy
• Prime: Wired and Wireless Management
Wireless Architecture
Access Points
• 3702 + Modules, 2702, 1702
• 1552, 1572 Outdoor
Controllers
• 5508, 2504, 7500, 8500 HA modes
• 3650, 3850, 4500, UA Switches Wireless Controller
Management
• Prime
• MSE
• ISE
Can run as VM or Appliance
• Mobility Services Engine (MSE): WIDS, CMX, Location Tracking
• Identity Services Engine (ISE): One Policy, Authentication, Guest
• Prime: One Management, Wired and Wireless
Why Cisco Wi-Fi?
Secure: Certified Military-Grade Security
• Approved for Classified. DoD Accredited
• Wired and Wireless IDS that work together
• End-to-End TrustSec Security
Widest Portfolio of Products: Saves Money
• Large portfolio of indoor and outdoor APs
• Most controller options including Cloud-based
• Right-size for specific uses or environments
One Management, One Policy: End-to-End Control, Wired + Wireless
• Advanced Client, App and Network Control
• One User Policy for the entire network
• Advanced BYOD + Guest User Access
Application Enablement: Advanced Analytics
• Engage users using the wireless network
• Drive mobile apps for guests and customers
• Location Tracking Analytics and APIs
Architecture: One Network, Wired and Wireless
• Controller functionality in Cisco Switches
• Deployment: Local, Flex, Cloud, Mesh
• Mission Critical Redundancy, High Availability
Best Wireless Performance: Fastest Wireless, The Most RF Control
• Designed and Built By Cisco
• Advanced RF Innovation
• Works best in the most difficult environments
Importance of 802.11ac Wave 2
Addressing Growth: 802.11ac Wave 2
Highest Wi-Fi Performance Ever
Better End Device Efficiency
For Highly Demanding Environments
Higher Data Rate Than Previous Standard
Allows For More Wireless Data With Wider Channels
Simultaneously Deliver Data to Multiple Devices
Conserve End-Device Battery
Wi-Fi Connectivity Speed Timeline: Gigabit Wi-Fi As Primary Access
[Figure: connect rates (Mbps) by spatial streams (SS) for 802.11, 802.11b, 802.11a/g, 802.11n, 802.11ac Wave 1 and 802.11ac Wave 2, plotted by year from 1997 to 2016, with minimum, typical and product-max values and uplink annotations (Gigabit Ethernet Uplink, 2 Gigabit Ethernet Uplinks, Multi-Gigabit Uplinks, Dual 5GHz)]
• 3SS: Desktops / Laptops
• 2SS: Laptops / Tablets
• 1SS: Tablets / Smartphones
* Assuming 80 MHz channel is available and suitable
** Assuming 160 MHz channel is available and suitable
Better Traffic Handling: 802.11ac Wave 2 with 160 MHz - Wider Channels
• Wider Channels Allow More Traffic to Pass
• Multi-User MIMO Uses the Channel to Max Capacity
Figure labels: 20–40 MHz; 80-160 MHz
Simultaneous Data Delivery to Many Devices: Multi-User, Multi-In, Multi-Out
Devices Get On and Off the Network Quicker, Allowing More Devices to Be Served
Figure labels: Multi-User MIMO (MU-MIMO); Single-User MIMO (SU-MIMO)
Cisco’s Wave 2 Offerings
Meraki MR42: 802.11ac Wave 2
• 802.11ac Wave 2: 3x3 antenna with 3 spatial streams, support for MU-MIMO
• Dedicated third radio: Air Marshal, Auto RF, CMX
• Fourth Bluetooth LE radio: enabling Beacon engagement & BLE scanning
• PoE+ 802.3at power for full operation
• Sleek industrial design of MR32/34
Shipping 9 Feb
$1,099 list
Cisco Aironet Portfolio: Positioned to Capture the 802.11ac Wave 2 Transition
Enterprise Class, Mission Critical, Best in Class
1830 (I)
• 802.11ac Wave 2: Most Cost-effective, 870 Mbps
• 3x3:2SS 80 MHz
• Spectrum Analysis*
• Tx Beam Forming
• 1 GE Port
• USB 2.0
• Centralized, FlexConnect and Mobility Express
1850 (I,E)
• 802.11ac Wave 2: Cost-effective, 1.7 Gbps
• 4x4:3SS 80 MHz
• Spectrum Analysis*
• Tx Beam Forming
• 2 GE Ports
• USB 2.0
• Centralized, FlexConnect and Mobility Express
2800 (I,E)
• 802.11ac Wave 2: High-Performance 5 Gbps
• 2.4, 5 GHz or Dual 5 GHz
• 4x4:3SS 160 MHz
• MU-MIMO
• 2 GE Ports
• USB 2.0
• Enhanced Location* (External Antenna)
• CleanAir 160 MHz
• ClientLink 4.0
• Smart Antenna Connector
• Centralized, FlexConnect and Mobility Express*
3800 (I,E,P)
• 802.11ac Wave 2: High-Performance 5 Gbps
• 2.4, 5 GHz or Dual 5 GHz
• 4x4:3SS 160 MHz
• MU-MIMO
• 2 GE or 1 GE + 1 mGig (5G)
• USB 2.0
• Enhanced Location* (External Antenna)
• CleanAir 160 MHz
• ClientLink 4.0
• Smart Antenna Connector
• StadiumVision
• Modularity
• Centralized, FlexConnect and Mobility Express*
*Post-FCS
May May
Next-Generation Wave 2 802.11ac Access Points: Cisco Aironet® 3800 Series
• Industry leading 4x4 MIMO: 3 spatial streams (SS) Wave 2 802.11ac access points
• Dual radio, 802.11ac Wave 2, 160 MHz
• Combined Data Rate of 5.2 Gbps
• 2 x 5 GHz: 4x4: 3SS supporting
  o SU-MIMO / MU-MIMO
• Flexible Radio Assignment: 2.4GHz, Dual-5GHz, Wireless Security Monitoring, Wireless Service Assurance*, or Enhanced Location*
• Gigabit Ethernet and multi-Gigabit Ethernet (1G, 2.5G, 5G)
• HDX Technology
• Enhanced Location using External Antennas*
• USB 2.0
• Internal and external antenna models
• Smart Antenna Connector - 2nd Antenna Connector
• Modularity: Side Mount Modular
Multi-Gigabit Wi-Fi has fully arrived.
* Post-FCS
May
Flexible Radio Assignment
• Default operating mode
  o Serve Clients on both 2.4GHz and 5GHz
• Dual 5GHz Support, both radios serving clients on 5GHz
  o Maximum over the air data rate up to 5.2Gbps
• Wireless Security Monitoring
  o Scan both 2.4GHz and 5GHz for security threats
  o Serve Client of 5GHz
• Wireless Service Assurance*
  o Proactively monitors the network performance
  o Serve Client of 5GHz
• Enhanced Location*
  o Improves the client location accuracy
  o Serve Client of 5GHz
* Denotes feature availability post-FCS
Figure labels: 5GHz Serving; 2.4GHz Serving; Wireless Security Monitor; Wireless Service Assurance*; Enhanced Location*
Self Optimizing Network: Flexible Radio Assignment
[Figure, three build frames: access point radios labelled 2.4GHz Serving, 5GHz Serving and 2.4-5GHz Monitoring, with CleanAir]
Dual 5GHz – Improves Client Performance and Capacity
• Improves the Effective Spectrum Usage of the Cell
• Micro-Radio
• 802.11ac Clients near the AP
• High Performance Wi-Fi Clients at 802.11ac data rates
• Excellent speed and performance
• Macro-Radio
• All legacy Clients join macro-cell
• Future of wireless
Users have a better overall experience on a Dual 5GHz Access Point
Figure labels: Micro; Macro
Smart Antenna Connector
Figure labels: Primary Antenna Connectors – Dipole and Cabled Antennas; Smart Antenna Connector – 2800 / 3800; Second Cabled or Location Antenna*
• Cisco pioneered intelligent antenna connection
• Sleek design
• Allows a second cabled antenna to be connected to the Access Point
• Dual 5 GHz
• Band specific antennas
• Location antennas*
• Antenna versatility for challenging coverage deployments - High Density locations, auditorium classrooms, stadiums, arenas, convention centers, …
*Post-FCS
Dual 5GHz – 2x the Coverage Area and Capacity
• Provide 2x the coverage area from a single Access Point
• Improve the total Network Performance
• Utilizes Smart Antenna Connector
• Mix and match all Cisco Supported Antennas
Meet Any Wi-Fi Use Case: Expandability and Investment Protection
Diagram labels: PRIMARY ANTENNAS; SMART ANTENNA PORT; MODULE PORT; Self-Discover / Self-Configure
Options shown:
• Custom Application Using Linux
• Adv. Security and Spectrum Analysis
• Bluetooth Beacon
• Location Antennas
• Directional Antennas
• Stadium Panel Antenna
• Other
Potential Future Expandability
• Future Wi-Fi Standard
• Video Surveillance
• Custom Application Using Linux
• Bluetooth Beaconing
• 3G and LTE Small Cell Offload
• Other
Greater Scalability: Turbo Performance
5.9x faster than nearest competitor
[Figure: TCP Downlink Throughput, 5GHz Multi-Client, 802.11ac Clients. X axis: Number of Clients. Y axis: Rate Cisco Outperforms Its Nearest Competitor]
Optimize the Wi-Fi Environment: CleanAir for 160 MHz
Quickly Identify and Mitigate Wi-Fi Impacting Interference
[Figure: access points on Channel 48]
Maximize Channels When Radar Is Present: Flexible Dynamic Frequency Selection
[Figure: 5 GHz channels 36 to 64 (5170 MHz to 5330 MHz) and 100 to 140 (5490 MHz to 5710 MHz) shown at 20 MHz, 40 MHz, 80 MHz and 160 MHz channel widths, with a channel marked "Channel Used by Air Traffic Radar"; compares Dynamic Frequency Selection with Flexible Dynamic Frequency Selection. Caption: See it on 160 MHz Band]
Offload Wireless Traffic Faster: Multigigabit Technology
• Delivers up to 5X Speeds in Enterprise Without Replacing Cabling Infrastructure
• Supports PoE Up to 60W
• Available on 3800
Figure labels: Cisco Multigigabit; Standard Cat 5e/Cat6 Cables; 1 Gigabit Port; 2.5-5 Gigabit Port
Catalyst 3850 ─ Multigigabit Versions
48 Port Version
• Downlinks: 36 x 1G Line Rate 10/100/1000BASE-T, 12 x GE/mGig/10GT Line Rate; PoE/PoE+/UPoE, EEE, MACSec
• Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW)
24 Port Version
• Downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACSec
• Uplinks: 4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G SFP+ (NEW)
All 3850 Versions Can Stack with Each Other
Catalyst 3850 mGig
New Member to the Stacking Family
• C3850 24 port mGig Switch: 24p mGig/10GT PoE+/UPOE. Line rate at 72 byte packet sizes
• C3850 48 port mGig Switch: 12p mGig/10GT PoE+, 36p 1GE UPOE. Line rate
• Investment Protection – mGig speeds with Cat 5e, 10G with Cat 6a
Port legend: DATA; PoE+; UPOE; Fiber; MGIG
The New Compact Multigigabit Switch
6 x 1G/PoE+, 2 x Multigigabit PoE+, 2 x 10G SFP+
Multiple Use Cases
1. multi-gigabit for 11ac AP Deployments
2. multi-gigabit as Uplinks Connected to Access Switches (Cat 3K/4K)
3. Instant Access (IA) Client providing multi-gigabit connectivity
4. multi-gigabit as 10G Links for Horizontal Stacking
Zero Impact Application Visibility and Control
• Maintain performance with zero-impact AVC
• Gain visibility into the network
• Monitor critical applications
• Control application performance
Improve Connectivity to All Devices: Cisco ClientLink 4.0
Improves device performance
Compared on the slide:
• 802.11ac Wave 2 Access Point: TX beamforming
• 802.11ac Wave 2 Access Point: Cisco ClientLink
Client lists shown on the slide:
• 802.11a, 802.11g, 802.11n, 802.11ac Wave 1, 802.11ac Wave 2
• 802.11ac Wave 2
The World’s Most Versatile Access Points: All The Benefits of 802.11ac Wave 2
NEW: Cisco Aironet 2800; NEW: Cisco Aironet 3800
Highest Wi-Fi Performance Ever, Better End Device Efficiency
• Higher Data Rate
• Wider Channels
• Simultaneous Data Delivery
• Better Battery Life
Plus Cisco Innovations for High Density Environments
Self-Optimizing Network, Optimized Mobile User Experience
• New Flexible Radio Assignment
• Improved Modularity
• Improved CleanAir
• Improved ClientLink
• New Multi-Gigabit Uplinks
• New Zero Impact AVC
• Turbo Performance
• Optimized Roaming
• Improved Enhanced Location*
• Flexible Dynamic Frequency Selection
• New Smart Antenna Connector
*Future
Cisco Aironet Outdoor Access Points: Industry’s Best 802.11n & 802.11ac Series
Base: 1530
• Low Profile, Low Price
• Europe: Low Profile
• Emerging SP: Low Price
• Enterprise: Low profile & Price
• 11n, 2G: 3x3:3; 5G: 2x3:2
• Int/External Antennas
High-Functionality: 1550
• Multiple models & features
• Enterprise, MSO
• DOCSIS3.0 8x4
• 11n, 2x3:2
• Int/External Antennas
Best in Class: 1570
• High-end Enterprise, MSO
• 11ac, 4x4:3
• NG-Cable: 24x8
• Int/External Antennas
• Modular: Future Proof
NEW
Aironet 1532
802.11abgn modes
Supports up to 200 clients
1532I internal antenna
1532E External antenna
PoE+ or DC power
-30 to 65 °C temperature range
Aironet 1552
802.11abgn modes
Supports up to 400 clients
1552I/E Internal/External Antenna
1552C/CU Cable Modem
1552H Hazardous / 1552S Sensor
-40 to 55 °C temperature range
Cisco Outdoor Access Point Leadership
New
New Paintable Cover
IW3702-4E Closeup
• N-type antenna ports for 4x4 MIMO with three spatial streams and support for up to 13 dBi gain antennas
• 10/100/1000Base-T, PoE and PoE+ in (M12)
• 10/100/1000Base-T, PoE out (M12)
• 10 to 60 VDC in (M12)
• Management console port (RJ-45 serial)
• Integrated wall/panel mount
• Diecast aluminum chassis with integrated heatsink
The Industry's Most Versatile Controller Portfolio
Segments: Small Campus / Branch (Controller on Premise); Branch (Controller in DC); Large Campus and Service Provider
Controllers shown: 2500, Virtual WLC, Flex 7500, 8540, 5760, WISM2, Catalyst 3850, Mobility Express, Catalyst 3650, Catalyst 4500-E SUP, 5520, 5508, 8510
Capacity figures in the order listed on the slide:
• 300 to 1000 APs, 15,000 clients, 20 Gbps
• 25 to 1000 APs, 12,000 clients, 60 Gbps
• 100 to 6000 APs, 64,000 clients, 40 Gbps
• 5 to 75 APs, 1000 clients, 1 Gbps
• 5 to 3k APs, 20k clients, 500 Mbps
• 1-100 APs per stack (directly connected APs), 2K clients per stack, 40 Gbps per switch
• Up to 25 APs, 750 clients
• 300 to 6000 APs, 64,000 clients, 1 Gbps
• 1-50 APs per switch/stack (directly connected APs), 1000 clients per stack, 40 Gbps per switch
• 1-100 APs per SUP (indirectly connected APs), 2K clients per stack, 40 Gbps per switch
• 5520: 10-1500 APs, 20,000 clients, 20 Gbps
• 5508: 12 to 500 APs, 7000 clients, 8 Gbps
• 8510: 100 to 6000 APs, 64,000 clients, 10 Gbps
WLC 5520 and WLC 8540 Controllers
Previous 12 Months
Highest Scalability
8540 WLAN Controller
• Access Points: 6,000
• Clients: 64,000
• Deployment Modes: Centralized, FlexConnect and Mesh
• Form Factor: 2 RU
• IO Interface: Four port 1G or 10G with LAG
• Power Options: AC or DC
• Redundancy: Dual Power supply and HDD w/RAID
5520 WLAN Controller
• Access Points: 1,500
• Clients: 20,000
• Deployment Modes: Centralized, FlexConnect and Mesh
• Form Factor: 1 RU
• IO Interface: Dual 1G or 10G ports with LAG
• Power Supply: AC w/Optional Redundant Power Supply
Management Innovations
Mobility Express: Investment Protection
Same Access Point hardware regardless of where the WLAN Controller function is located – Access Point, Appliance, Switch, Router, Virtual Machine, etc.
Diagram labels: Management Point; Wireless Controller
• Hardware Protection
• Flexible Migration
• Feature Protection
Simple By Design: Deploy in Minutes
WLAN Express Setup Wizard
• Simplified User Interface
• Over-The-Air no cable needed
• Basic Employee and a Guest WLAN
• Improved Guest captive-portal
Cisco’s Best Practices ON by default
• Internet only Guest Access Controls
• Application Visibility
• Clean Air and intrusion detection
• Band Select
• Radio Resource Management
• Client Profiling
• Bonjour Service Directory
• Best practice default settings
Built-in Analytics Dashboard
Prime 3.0 Modern User Interface
No Flash !!
Tablet-friendly
Metrics widgets
Same menu structure as 2.2
Correlated charts
Dashboard export
Dashboard tagging for favorites
Why Cisco for Digital Campus Analytics
• CMX = Location Analytics
  o Users & Devices
  o Location (Dwell Time)
  o Activity Patterns (Crossovers)
• Prime = Network Analytics
  o Device utilization
  o Interface utilization
  o Application utilization
Cisco ONE: Portable, Perpetual & Inclusive license
WLAN Management and Analytics: Full Visibility & Control
Cisco Prime Infrastructure
• Prime Assurance – NetFlow
• Advanced Client Troubleshooting
• Quality of Infrastructure Reports
• Quality of Experience Reports
CMX
• Highly Accurate Location Services
• Wi-Fi and Bluetooth location tracking
• Connected Mobile Experience
• Presence Analytics
• Location Analytics
• CMX Connect - Onboarding
ISE
• AAA Radius and database Integration
• 802.1x & CoA
• Enhanced Guest Management Portal
• TrustSec Policy Control
Simplified License with Greater Value
Any Controller, Any AP
Security
Enterprise WLAN Built on a Foundation of Security
• Certified: WPA2 Enterprise (128-bit AES crypto) - Today; Elevating to 802.11ac Wave 2 (256-bit AES crypto) – Tomorrow
• Integrated WIDS: Modular AP with security module – integrated monitor mode AP
• Location based Access: ISE Integration with MSE – Enforce access based on location
• Integrated Spectrum Analysis Capabilities: Detailed visibility into the Wi-Fi Spectrum with the ability to detect, classify, identify and locate interferers
Wireless Security - a network solution: Architecting “Network as a Sensor” and “Network as an Enforcer”
Diagram labels: Network Sensors; Network Enforcers; Policy & Context Sharing; Network Sensor (Lancope); NGFW; NGIPS; Campus/DC Switches/WLC; Cisco Routers / Branch; 3rd Vendor Devices; ISE; Threat; API; API (pxGrid); TrustSec Security Group Tag; Cisco Collective Security Intelligence; Confidential Data
Cisco Wireless Government Certifications
What’s Certified:
• All Cisco 11ac and 11n Access Points
• All appliance and integrated controllers
• MSE 8.0 and PI 2.2
• APL Listing for WLAS, WAB, WIDS
What’s unique to Cisco:
• Cisco ONLY Wireless vendor with DCE and Common Criteria Certification
• Predictable wireless certification – MD SW release gets certified
• Common release both Enterprise and Government customers – Feature consistency and deployment flexibility
Certification matrix: columns 7.0, 8.0, IOS 3.6; rows FIPS, CC, UCAPL, CSfC, USGv6
Comprehensive end-end solution certified!
Granular Location Tracking - Cisco Hyperlocation
Granular indoor location accuracy to contextually connect users
Before: Location approximated based on RSSI - ±5 to 10 meter accuracy
After: Determine direction (AoA) to client in addition to distance => ±1 meter accuracy
Labels in the order shown on the slide:
• Engage & Improve Guest Experience
• Room Level Accuracy
• Range Inferred - Prone to errors
• Only RSSI calculation
• Blue dot spotlight projected at the user’s feet
• High Accuracy
• Multi technology AoA, RSSI, BLE
• Improved Calculation
Security: Location Based Access
Diagram labels: Identity Services Engine (ISE); Wireless Controller; Access Points; Mobility Services Engine; Clients; Location Tracking; User Authentication
Location-Based Network Access: How Does It Work?
1. Client attempts to connect and authenticate with ISE
2. ISE queries the MSE for location of client
3. If client is in a No-Connect Zone access is denied
4. If client moves into a No-Connect Zone, MSE notifies ISE and forces re-authentication
Diagram labels: ISE; Wireless Controller; Access Points; Clients; Location data; Zone-change event; Authenticate User
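The four steps above as a small runnable model, added here as an illustration and not taken from the deck or from any Cisco product. The class names, zone names, MAC addresses and credentials are hypothetical, and denying access when the client's location is unknown is an assumption of this sketch that the slide does not state.

```python
"""Toy model of the four-step location-based access flow (added example)."""
import hmac
from dataclasses import dataclass, field

NO_CONNECT_ZONES = {"lobby", "parking-lot"}          # constructed zone names


@dataclass
class LocationService:
    """Plays the MSE role: tracks client zones and publishes zone changes."""
    zones: dict = field(default_factory=dict)        # client MAC -> zone
    subscribers: list = field(default_factory=list)  # zone-change callbacks

    def locate(self, mac):
        return self.zones.get(mac)                   # None: location unknown

    def move(self, mac, zone):
        old = self.zones.get(mac)
        self.zones[mac] = zone
        if old != zone:                              # emit a zone-change event
            for notify in self.subscribers:
                notify(mac, old, zone)


@dataclass
class PolicyServer:
    """Plays the ISE role: authenticates, then applies the location policy."""
    location: LocationService
    credentials: dict                                # user -> secret (constructed)
    sessions: dict = field(default_factory=dict)     # client MAC -> user
    audit: list = field(default_factory=list)        # (mac, user, action, reason)

    def __post_init__(self):
        self.location.subscribers.append(self.on_zone_change)

    def authenticate(self, mac, user, secret):
        # Step 1: the client authenticates.
        expected = self.credentials.get(user, "")
        if not expected or not hmac.compare_digest(expected, secret):
            return self._record(mac, user, "deny", "bad credentials")
        # Step 2: query the location service for the client's zone.
        zone = self.location.locate(mac)
        if zone is None:                             # assumption: fail closed
            return self._record(mac, user, "deny", "location unknown")
        # Step 3: deny access inside a No-Connect Zone.
        if zone in NO_CONNECT_ZONES:
            return self._record(mac, user, "deny", f"no-connect zone: {zone}")
        self.sessions[mac] = user
        return self._record(mac, user, "permit", f"zone: {zone}")

    def on_zone_change(self, mac, old, new):
        # Step 4: moving into a No-Connect Zone ends the session, so the
        # client has to re-authenticate and is then refused by step 3.
        if new in NO_CONNECT_ZONES and mac in self.sessions:
            user = self.sessions.pop(mac)
            self._record(mac, user, "force-reauth", f"{old} -> {new}")

    def _record(self, mac, user, action, reason):
        self.audit.append((mac, user, action, reason))
        return action == "permit"


def run_demo():
    """Walk one constructed client through the flow; return results and audit."""
    mac, other = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    loc = LocationService(zones={mac: "office"})
    ise = PolicyServer(loc, credentials={"alice": "constructed-secret"})
    results = [ise.authenticate(mac, "alice", "constructed-secret")]
    loc.move(mac, "lab")                             # allowed zone: session kept
    results.append(mac in ise.sessions)
    loc.move(mac, "lobby")                           # No-Connect Zone: revoked
    results.append(mac in ise.sessions)
    results.append(ise.authenticate(mac, "alice", "constructed-secret"))
    results.append(ise.authenticate(other, "alice", "constructed-secret"))
    return results, ise.audit


if __name__ == "__main__":
    outcome, trail = run_demo()
    print(outcome)
    for entry in trail:
        print(entry)
```

The audit trail is the part worth keeping in a real deployment: every permit, deny and forced re-authentication carries the zone that drove the decision.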
CSfC: Commercial Solutions for Classified
Using Suite-B Primitives to elevate Network Security
Next Generation Encryption Protocol Suite (Suite B)
Security Briefings & Training
• Key Establishment: ECDH-P256/384
• Digital Signatures: ECDSA-P256/384
• Hashing: SHA-256/384
• Authenticated Encryption: AES-128/256-GCM
• Authentication: HMAC-SHA-256/384
• Entropy: SP800-90
NSA Developing Policy
CSfC (Commercial Solutions for Classified) Packages at NSA
• Site to Site VPN Policy
• Campus WLAN Policy
  o Developed to address tactical WLAN deployments
  o Meant for small deployments, less than 50 clients
• Enterprise Mobility Policy (forthcoming)
  o Applicable to 3G/4G, WLAN and Wired Network
2 Layers of Suite B security
CSfC “Layered” Architectures for Classified
Architectural, defense in depth (e.g. “layers”), approach to security
– SECRET requires 2 layers of ‘countable’ Crypto mLoS 128
– TS requires 2 layers of ‘countable’ Crypto mLoS 192
– Example: 1+1 = 2 ‘countable’ layers sufficient for protecting SECRET information
– Suite B VPN / 1 Countable Layer
– Suite B Application Layer Security / 1 Countable Layer
The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers.
An Update to the Manufacturer Diversity Requirement
Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/ )
An Update to the Manufacturer Diversity Requirement
• CSfC layered solutions with a single vendor are now permitted under certain conditions
• The manufacturer must document the similarities and differences between the two products, including: cryptographic HW components, SW code base (i.e. operating system), software cryptographic libraries, and development teams.
• NSA will review the information of solutions and determine if they meet the requirements for independent layers
• Cisco’s variation of OSs across certain platforms is targeting this “single-vendor” solution that is compliant with the CSfC guidelines
“The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers.” Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/ )
Cisco Achieves Single Vendor Multi-Platform for CSfC VPN Capability Package
Allows Cisco ASA to be used as an Inner or Outer VPN Gateway when paired with an approved IOS/IOS-XE VPN router
Cisco Wireless CSfC scenario 1a – VPN CP
Black Network between client and Outer VPN, Gray network between VPN head ends
• IPSec with AES-256-GCM from EUD to Outer VPN head end
• IPSec with AES-256-GCM from EUD to Inner VPN head end
• WPAv2-Enterprise from the EUD to WLAS to comply with DoD Instruction 8420.01, but doesn’t impact CSfC two layer requirements.
Encryption layers shown: WPA2 AES-128-CCMP; IPSec AES-256-GCM; IPSec AES-256-GCM
Diagram labels: Unclass WPA2, Suite B VPN, Suite B VPN; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B VPN #2
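The two-countable-layer rule and the Suite B table from the earlier slides, applied to designs shaped like scenario 1a, as an added example that is not Cisco or NSA material. Two things are assumptions: the mapping of primitives to the 128 and 192 levels follows the published Suite B pairing, which the slides do not spell out, and the key-establishment, signature and hash choices in the sample designs are constructed, since the slide names only the ciphers.

```python
"""Count 'countable' Suite B layers in a layered design (added example)."""

# Level each Suite B primitive supports. Assumption: the published Suite B
# pairing (P-256 / SHA-256 / AES-128 at 128; P-384 / SHA-384 / AES-256 at 192).
LEVEL = {
    "ECDH-P256": 128, "ECDH-P384": 192,
    "ECDSA-P256": 128, "ECDSA-P384": 192,
    "SHA-256": 128, "SHA-384": 192,
    "HMAC-SHA-256": 128, "HMAC-SHA-384": 192,
    "AES-128-GCM": 128, "AES-256-GCM": 192,
}

# From the slide: SECRET needs 2 countable layers at mLoS 128, TS at mLoS 192.
REQUIRED = {"SECRET": 128, "TS": 192}
LAYERS_NEEDED = 2


def layer_level(primitives):
    """A layer is only as strong as its weakest primitive.

    Returns 0 when any primitive is outside the Suite B table, which makes
    the layer non-countable at every classification level.
    """
    levels = [LEVEL.get(p.upper()) for p in primitives]
    if not levels or None in levels:
        return 0
    return min(levels)


def evaluate(design, classification):
    """Return (meets_requirement, names_of_countable_layers)."""
    need = REQUIRED[classification]
    countable = [name for name, prims in design if layer_level(prims) >= need]
    return len(countable) >= LAYERS_NEEDED, countable


# Constructed sample designs. The WPA2 layer uses AES-128-CCMP, which is not
# in the Suite B table; the slide likewise says it does not affect the
# two-layer requirement.
WPA2 = ("WPA2-Enterprise", ["AES-128-CCMP"])
SUITE_192 = ["ECDH-P384", "ECDSA-P384", "SHA-384", "AES-256-GCM"]
MIXED = ["ECDH-P256", "ECDSA-P256", "SHA-256", "AES-256-GCM"]

DESIGN_A = [WPA2, ("outer IPsec VPN", SUITE_192), ("inner IPsec VPN", SUITE_192)]
DESIGN_B = [WPA2, ("outer IPsec VPN", SUITE_192), ("inner IPsec VPN", MIXED)]


def report():
    """Evaluate both sample designs at both classification levels."""
    return {
        (name, level): evaluate(design, level)
        for name, design in (("A", DESIGN_A), ("B", DESIGN_B))
        for level in ("SECRET", "TS")
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Design B shows the case the cipher name alone hides: AES-256-GCM negotiated with P-256 key establishment leaves the inner tunnel at the 128 level, so only one layer counts toward TS.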
Cisco Wireless CSfC scenario 1b – VPN CP
Black Network between client and Outer VPN, Gray network between VPN head ends
• IPSec with AES-256-GCM from EUD to Outer VPN head end
• IPSec with AES-256-GCM from Wireless Router to Inner VPN head end
• WPAv2-Enterprise from the Wireless Router to WLAS to comply with DoD Instruction 8420.01, but doesn’t impact CSfC two layer requirements.
Two layers of Encryption maintained between EUD and Outer VPN
Encryption layers shown: WPA2 AES-128-CCMP; IPSec AES-256-GCM; IPSec AES-256-GCM
Diagram labels: Unclass WPA2, Suite B VPN, Suite B VPN; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B VPN #2
Cisco Wireless CSfC scenario 2 – Mobility CP
Black Network between client and Outer VPN, Applications located in Gray DMZ network
• IPSec with AES-256-GCM from EUD to VPN head end
• TLS Application Encryption with AES-256-GCM from EUD to Application Server
• WPAv2-Enterprise from the EUD to WLAS to comply with DoD Instruction 8420.01, but doesn’t impact CSfC two layer requirements.
Encryption layers shown: WPA2 AES-128-CCMP; IPSec AES-256-GCM; TLS AES-256-GCM
Diagram labels: Unclass WPA2, Suite B VPN, Suite B VPN; Unclass WLAN; Unclass WLAN Controller; Outer Suite B VPN #1; Inner Suite B Application Layer Security - TLS
Cisco Wireless CSfC Scenario 3 – WLAN CP
Black Network from EUD to Wireless Controller, Gray Network between WLC and VPN
• WPAv2 AES-128-CCMP for over the air encryption between EUD and AP
• CAPWAP Data encryption with DTLS AES-256-CBC between AP and WLC
• IPSec with AES-256-GCM to Inner VPN head end
Encryption layers shown: WPA2 AES-128-CCMP; CAPWAP DTLS AES-256-CBC; IPSec AES-256-GCM
Diagram labels: Unclass WPA2, S Suite B VPN; Outer Suite B VPN #1; Unclass WLAN; Unclass WLAN Controller
WLAN or VPN Package?
The First Countable layer of Suite B Security will classify that network Red.
• Therefore if WLAN L2 security is counted, that WLAN can only be used for Red communications
If Enterprise Environment requires Classified & Unclassified communications they must be deployed on 2 separate networks
Vendor diversity requirement eased
Secure View
AFRL and AIS
Approved
Accredited
CSfC Enterprise Architecture
• Build on the foundation of the Enterprise Network
• Add a Security Enclave for access to Classified
Diagram labels: Unclass; PI; ISE; Classified; VDI; Voice Services; ASA; ASR
CSfC Security for the Enterprise
• VPN platform built for Scale – Multi-Gig Throughput
  o ASR 1001-X
  o ASA5585-SSP60
• Enterprise Resiliency
  o Local & Geographical Redundancy
• Network High Availability
• Advanced Security Integration
  o SourceFire
  o TrustSec
  o Netflow
• 3rd Party Integration
  o Lancope
  o Splunk
Diagram labels: ASA; ASR; Classified; WLC - HA
CSfC Enterprise Architecture
• Build on the foundation of the Enterprise Network
• Add a Security Enclave for access to Classified
  o Support for Classified WLAN
  o Support for Classified LAN
  o Support for Classified WAN
• Advanced Location resources can enable location based access
  o System Integration enables dynamic control of WLAN access
Diagram labels: Unclass; PI; ISE; Classified; VDI; Voice Services; 3G/4G; ASA; ASR
Additional Resources
External
• Cisco White Paper: https://supportforums.cisco.com/docs/DOC-40445
• NSA CSfC website: http://www.nsa.gov/ia/programs/CSfC_program/index.shtml
• List of NSA approved vendors (as of Feb 2014): http://www.nsa.gov/ia/_files/factsheets/CSfC_Components_List_FINAL_Public_19Feb2014.pdf
Disclaimer: The NSA does not recommend nor endorse the use of any Company's products over any other products nor does the Agency offer an opinion regarding whether the Company's Product Series should be used to satisfy any specific user requirement.
Cisco WLAN CSfC Product Listing
Q&A Federal Wireless Webinar March 15th
Send email to: [email protected]
Wired and Wireless Better Together: New product architectures allow even more seamless integration
• Cisco Wi-Fi now built into Access Switches
• Cisco Wi-Fi is now as fast as wired Ethernet (802.11ac = 860 Mbps per radio)
• Complete integration with Cisco Prime Network Management wired and wireless
• A single Operating System for both wired and wireless products
• A single policy for end users and Quality of Service
• Easily monitor and troubleshoot wired and wireless end-to-end
• Provide both wireless and wired Guest User Access from same management console
• Only Cisco can provide wireless + wired “MAC SEC” for end-to-end encryption
• Cisco wired and wireless provide seamless support for Cisco Unified Communication