Security Group Access

Dan Schnour
Cat. 3K Product Manager
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
BYOD
IT
REQUIREMENTS
• Non IT Provided Devices
• Guest and Contractors
• Secure Access
COLLABORATION
VIRTUALIZATION
Reduce Travel Costs
Collaboration
Rich Media Services
• Business Productivity
• Ease of Deployment
• Low CAPEX/OPEX
with VDI
Securing Any Access
Managing Complexity And Scale
Delivering High-Quality Experience
$$
Ensuring Business Continuity with Lower TCO
Securing Any
Access
On-Board
• How do I onboard devices and contextually authenticate users?
• How do I segment users, devices and applications?
• How do I protect my network infrastructure?
Segment
Protect
• Automatic discovery and device profiling with Device Sensor
On-Board
• Zero downtime deployment with .1x Monitor Mode
• Simplify user authentication with Flexible Authentication
Segment
• Flexible Role-based segmentation with Security Group Access.
• Simplified Layer 3 Segmentation with Easy Virtual Network.
• Prevent Eavesdropping with link layer encryption with MACsec
Protect
• First Hop IPv4/IPv6 Security for L2 threat defense
• Flexible NetFlow for real-time traffic flow analysis
• Protect CPU with Hardware-based Control Plane Policing.
Cat3k: Now Shipping
Cat4K: Now Shipping
On-Board
Segment
Protect
• Identify endpoints based on protocol information with Device Sensor
• Identify and Authenticate user with 802.1x (Flex auth)
• Classify context of access based on Device Type and User
Device
Aware
2
1
Location
aware
Corp PC
doctor
office
1
Personal laptop
doctor
office
2
Personal laptop
patient
hotspot
Printer
N/A
office
IP Phone
N/A
office
TelePresence
N/A
conf room
1
CDP
LLDP
DHCP
MAC
Identity
aware
1
Cat3k: Now Shipping
Cat4K: Now Shipping
On-Board
Segment
Protect
Identity Differentiators
Monitor Mode
Authentication Features
Unobstructed Access
No Impact on Productivity
Gain Visibility
Cisco Catalyst® Switch
MAC Based Authentication
Flexible Authentication Sequence
Enables single configuration for most use cases
Flexible fallback mechanism and policies
Rich and Robust 802.1X
IP Telephony Support
Support for Virtual Desktop Environments
Single Host Mode
Multi-Host Mode
Authorized Users Tablets
IP Phones
802.1X
Network
Device
Guests
MAB
WebAuth
Multi-Auth Mode
Multi-Domain Authentication
Critical Data/Voice Authentication
Business Continuity in case of failure
Cat3k: Now Shipping
Cat4K: Q3CY13
On-Board
Segment
Protect
• Role-Based Access Control and Segmentation with Security Group Access
Device
Aware
SGACL enforces policy at access, campus edge, or DC
internet
facility
doctor
permit
permit
permit
patient
deny
permit
deny
voice
deny
ACL_v
deny
Location
aware
doctor
office
1
Personal laptop
doctor
office
2
Personal laptop
patient
hotspot
patient
Printer
N/A
office
facility
IP Phone
N/A
office
voice
TelePresence
N/A
conf room
video
CDP
LLDP
DHCP
MAC
SG Tag imposed to incoming traffic
Secure
Group
Corp PC
1
Patient
record
Identity
aware
doctor
doctor
Cisco
Innovation
Security Group Access
X
2
• Simplifies ACL management
1
1
• Uniformly enforces policy
independent of topology
• Fine-grained access control
Managing
Complexity And
Scale
• How do I scale my network to meet device proliferation?
• How do I future proof my network while protecting my investment?
• How do I provide consistent policies across networks and devices?
Scale
Scale
Protect Investment
• 9 Member Stack
• 64Gbps Stacking BW
• Full POE/POE+/UPOE
Stack Capacity as you grow
5-7 years of life cycle
• 7-10 years of life cycle
• Legacy line-card support with new supervisor
• Feature enhancement with new supervisor
• Mix/Match different generation line cards with no impact to system performance
Protect
Investment
Provide
Consistency
Provide Consistency
848 Gbps System Performance
384 Ports of 10/100/1000 & 40G uplinks
384p of PoEP & 192p of UPOE (9KW PS)
384p of Energy Efficient Ethernet
• Unified Management / Single Pane of Glass Management : Prime Infrastructure
• Single Policy Control Dashboard : Identity Services Engine [ISE]
Scale
Protect Investment
Provide Consistency
Backward compatibility for all line cards with new supervisor
Cisco Catalyst 4500 E-Series
14 years
90% Transition to E-Series
Catalyst 4K
EOS
Cisco Catalyst 4500 (non-E)
EOL
Maintain Support
11 years
EOS
Cisco Catalyst 4000
1999
…
2004
EOL
Maintain Support
…
2007
…
2010
…
2015
…
2020
3750-X / 3560-X
9 years
Catalyst 3K
EOS
3750E / 3560E
Maintain Support
EOL
Delivering
High-Quality
Experience
Assess
Assess
Visualize and Control
Monitoring &
Troubleshooting
• How do I know my network is ready for real time applications?
• What real time applications and devices are running on my network?
• How do I monitor and troubleshoot Application level traffic ?
Visualize and Control
Monitor/Troubleshoot
• Assess network readiness for real time media applications with IP SLA
• Differentiate video applications and optimize QoE with Media Services Proxy (MSP)/Metadata
• Improved Application visibility with Flexible NetFlow
• Automate monitoring and troubleshooting with Mediatrace
• Application level hop by hop statistics with Performance Monitor
Assess
Visualize and Control
Monitor/Troubleshoot
Which end point has poor video quality and how do I know what to troubleshoot?
• MediaTrace locates application performance problems
• Performance Monitor provides application level data using Flexible NetFlow
• Cisco Prime provides management
End points are capable of High Definition however they only work in Standard Definition. Why?
• Wireshark can capture raw, real-time packets directly on the switch
How do I provide Quality of Experience for all video applications?
• Using MSI / MSP & Metadata the switch can now identify devices and applications for differential treatment
Is my network ready for 100 HD Desktop Cameras, 30 IPVSC and a new Telepresence room?
• IP-SLA VO injects synthetic media traffic to assess network readiness
Assess
Visualize and Control
Monitor/Troubleshoot
Differential Traffic Treatment through Visibility
Quality of Experience
Device Type
Axis Camera
CTS3000
Jabber
Laptop
PC
Application Type
Surveillance
TelePresence
Soft client
HTTP/
You Tube
WebEx
NO
NO
NO
Yes
NO
• Media Services Interface & MSP
• Flow Metadata
Priority
• AVC on Wireless Controller
Rate Limiting
• Application based QoS
• Device/App based FnF*
Device/Application ID exported
to FnF
Endpoints embedded
with the Media
Services Interface
Campus
Cisco Prime Infrastructure
Catalyst
3K-X/4500E
Device and Application Identification using
MSI / MSP
Uniform QoS policies across network
Workflows to deploy and
provide location awareness
$$
Business Continuity
with Lower TCO
• How can I make my network resilient to handle business SLAs ?
• How can I easily onboard my network infrastructure ?
• How can I reduce IT energy expenses and align with corporate ‘Green’ goals?
Resiliency
Resiliency
Plug and Play
Energy Management
Plug n Play
Energy Efficiency
• Power & data resiliency with StackPower and Stackwise+ (3K-X)
• No impact to voice/video for planned and unplanned downtime with ISSU, NSF/SSO and VSS*
• Zero Touch deployment - Smart Install, Auto QoS, Auto Smart Ports
• Programmability with EEM, XML, SDN*
• Built in sniffer capabilities with Wireshark
• Efficient Planning & troubleshooting with IPSLA, FnF
• Visibility, Control and Reporting of enterprise wide energy usage
• Save up to $65 per Switch Port**
• $0 SKU for Energy Visibility & Basic Control on 3K/4K
Best in class Fixed resiliency !
Resiliency
Simplify and Scale with
StackWise+
Plug n Play
Fan Redundancy
Energy Efficiency
Maximize Power Redundancy with
StackPower
In-Chassis FRU
Redundant PSU
Innovative Inter-Chassis Power Interconnect
Common power pool for distributed power redundancy
Highly Resilient
Zero-Footprint of RPS. PS Backup within Stack
Flexible
Non-Stop communication. Variant in sizes (AC/DC)
Intelligent Load Shedding
Preserve critical network during power failure
Best in class modular resiliency !
Seamless
Resiliency
Plug n Play
Energy Efficiency
ISSU License No Longer Required
NSF available in IP Base Now!
Si
Ent Svc
Redundant Redundant PS
Sup
Campus
Si
NSF
System
LAN
IP Base
ISSU Lic
2+2 uplinks
Redundant Fans
Network
HSRP/VRRP/GLBP
VSS (Jan 2013)
Distribution Layer
ISSU
SSO
CoPP
ISSU
NSF/SSO
Smart Call Home
Link
Fast Detect:
TDR, DOM UDLD
CoPP,
Basic HA
Access Layer
Fast Converge: Flexlink+,
RPVST
Resiliency
Plug n Play
Energy Efficiency
3K, 4K, 6k * (“Director”)
Access
Switches
Smart Install
Zero Touch Deployments
and Maintenance
New Switch Connected
Software image downloaded;
Configuration automatically
applied
Auto Smart Ports
Plug and Play for End Devices
Smart Call Home
IPSLA, WireShark
Programmability
Control Your Network
Monitor & Troubleshoot
New Device Attached
Port Configuration: Applied
QoS Policy:
Enforced
Security Policy:
Enforced
Anomaly Detected
Proactive diagnostics
Real time Alerts
Web-based reports
Routed to TAC team
Cost Savings: $15,000 (or 230 Hours) per 100 Switches*
EEM
XML
Software Defined Network
(OnePK)*
Special $0 EW Fast-Start SKU’s for Cisco Customers with 4K/3K
Resiliency
Plug n Play
Energy Efficiency
• Cisco EnergyWise is an IOS-based intelligent energy management protocol
What’s New with Fast-Start $0 SKU’s?
• Enhance customer ROI with a $0 SKU
• Available only with 4K, 3K PoE/PoE+/UPOE
Product ID
EW-JX-50SW
Activation Key of JouleX Energy Manager for
Cisco EnergyWise
EW-VER-50SW
Verdiem Surveyor Accelerator Key for Cisco
EnergyWise
EW-CA-50SW
Key for Nimsoft (CA-Technology) Management
SW for Cisco EnergyWise
• Features vary by partner, but
- Visibility, Monitoring of energy for free (up to 5 years)
- Limited control of devices
How to Order?
• 3 SKUs available in Cisco GPL and ordering tool
• Each SKU license for up to 50 users
• For more information on Cisco EnergyWise contact ask-
[email protected]
Product Description
Visibility (Monitoring)
Basic Control
Cisco Switches and Routers
√
√
Wireless access points
VoIP phones
√
√
√
√
EnergyWise-enabled devices
√
√
Windows PCs/Laptops
√
√
Upgrade
Upgrade
Upgrade
PoE
Unlimited devices forever
Unlimited devices 1 Yr
Cisco Switches
Unlimited devices forever
Unlimited devices 1 Yr
Monitors, Printers
All other campus/data center
devices
PC/Laptops
Unlimited devices 1 Yr
Upgrade
1000 devices 1 Yr
© 2010 Cisco and/or its affiliates. All rights reserved.
4510R+E
4507R+E
4506-E
4503-E
848Gbps Switching Capacity
4 x SFP+/SFP uplinks
384 10/100/1000 Ports
520Gbps Switching Capacity
2 x 10G SFP+/SFP uplink
240 10/100/1000 Ports
WS-X4748-UPOE+E
WS-X4648-RJ45-E
• UPOE 60W, IEEE
• 30W/port on all 48 ports
WS-X4648-RJ45V+E
24G
48G
WS-X4748-RJ45-E
• 30W/port on 24 ports
Data
2 LineCards
5 LineCards
Single Supervisor
5 LineCards
8 LineCards
Dual Supervisor
<200ms ISSU
POE, POE+ and Cisco UPOE
Dual Core CPU for 3rd Party Apps (Wireshark)
1+1 Power Redundancy
N+1 Fan Redundancy
Scales up to 384p POE/PoEP & 192p of UPOE
PoE
UNDISPUTED MARKET LEADERSHIP
3rd party validation
110M+ Ports, 800K+ Systems
70% PoE/PoEP Port share
80% Adoption by Cisco Top Customers
“Powerful stuff: New Cisco switch
delivers 60 watts to the desktop”
Stand-Alone Switch Portfolio
Stackable Switch Portfolio
Catalyst 3750 v2
Catalyst 3750-X
Catalyst 3560 v2
Catalyst 3560-X
Data or PoE
StackWise
Fixed 1G Uplinks
Single PS
LLW
Data / PoE(+)
StackWise Plus
Modular 1G/10G Uplinks
Dual FRU PS and Fans
E-LLW
Data or PoE
Fixed 1G Uplinks
Single PS
LLW
Data / PoE(+)
Modular 1G/10G Uplinks
Dual PS
E-LLW
Fast Ethernet
Gigabit Ethernet
Fast Ethernet
Gigabit Ethernet
Network And Service Modules
NEW
UPOE coming
soon!!
C3KX-NM-1G
C3KX-NM-10G
C3KX-NM-10GT
C3KX-SM-10G
Service Module
• Flexible Netflow
• MACsec
¼ Billion+ Ports and 7 Million+ Units sold worldwide
Data Redundancy using Stackwise+ (64 Gbps)*
9 member switch stack**
Power Redundancy using StackPower*
Enhanced video features, e.g., Mediatrace, built-in traffic generation
Field replaceable Power Supplies and Fans*
Enhanced Security features, e.g., SGT, Device Sensor
**available on 3750, *available on 3K-X
A technology pioneered by Cisco
2000
2003
2007
7W
15W
30W
60W
Inline Power
(PoE)
(PoE+)
UPOE
Industry
Standard:
IEEE 802.3af
(15W PoE)
2009
2011
Industry
Standard:
IEEE 802.3at
(30W PoE+)
Cisco Innovations Drive Industry Standards
CISCO 2960S PORTFOLIO
Layer 2 Only
Catalyst 2960SF
Catalyst 2960S
1G Uplinks
FlexStack
Full PoE,
E-LLW
10G/1G Uplinks
FlexStack
Full PoE, PoE+
E-LLW
Fast Ethernet
EASE-OF-USE
Competitive Features
• Security with 802.1x Monitor Mode
• Lower TCO with Energy Wise, Smart
Operations and Auto QoS
• Static Routing & Priority Queuing
• FlexStack 2 x 10G ports (wire speed)
Differentiators of 4K/3K over 2K
• TrustSec: SGT, MACsec, Device Sensor
• Application Visibility: FnF, Mediatrace, Wireshark
• Resiliency: StackPower, ISSU, UPOE
• Scale: Stack up to 9 on 3750X, 10 Slot Chassis 4500E
Gigabit Ethernet
60M
PORTS
1.3M+
UNITS
ENERGY
EFFICIENCY
LOWER
TCO
Cisco Quality at Competitive Price
Fast Growing Catalyst Platform
• 22% Growth in FY12
Delivering Zero Touch BYOD Deployments
• POE+/UPOE Powered
4500E
3750X
• AC Power Option
• Smart Operations
• Smart Install
• Auto Smart Ports
• PoE
• PoE(+) and non PoE Models
Scalable and Proven
Deployments in Education,
Retail & Healthcare
Traditional Workspace
Data
Next Generation Workspace
BYOD
Voice
IP Base
Collaboration
Virtualization
Catalyst 3K
IP Base
LAN Base
Catalyst 2960
Scale & Performance
• Stacking (up to 192 port)
• POE/POE+
• Base Identity features
Lower TCO
• Lowest Power consumption
• Green / Energywise
• Smart Install Client
Scale & Performance
• 9 Member Stack (2X+ ports)
• 3 X Stacking BW (64 Gbps)
• Full POE/POE+
Resiliency
• StackPower, StackWise+
• FRU Power supplies and Fans
Energy Management & Green
• EnergyWise
• UPOE (60W) **
• EEE **
Scale & Performance
• Wired/wireless convergence*
TrustSec & Segmentation
• Device Sensor, Cisco TrustSec (SGA,
MACSec)
Dynamic routing protocol
• OSPF, EIGRP Stub, RIP
Application Visibility
• Flexible NetFlow & Medianet
• 3rd Party Apps (WireShark) *
Lower TCO
• EEM & IP SLA
* Only on IP Base
• Smart Install Client & Director* Roadmap
Traditional Workspace
Data
Voice
Next Generation Business
BYOD
Collaboration
Virtualization
@96p base config with
Redundancy and UPOE Capability
Catalyst 4500E
Catalyst 2960
Scale & Performance
• Stacking (up to 192 port)
• POE/POE+
TrustSec
• Identity
Lower TCO
• Power consumption
• Green / Energywise
• Smart Install Client
Scale & Performance
• 848 Gbps System Performance
• 240p with 7 slot and 384p with 10 slot Chassis
• In Service Software Upgrade*
• VSS**
• Wired/wireless convergence **
TrustSec & Segmentation
• Device Sensor*
• VRF-Lite, EVN*
• Cisco TrustSec* (SGA**, MACSec)
Application Visibility
• Flexible NetFlow*, Medianet*
• 3rd Party Apps (WireShark*)
Energy Management and Green
• UPOE (60w)
• EnergyWise and EEE
Lower TCO
• AutoSmart Ports
• Longer Life Cycle (7-10 years)
• Smart Install Director**
* With IP Base
** Roadmap
Flexibility of Choice
Breadth of the portfolio
across 2k, 3k and 4500E
Architecture and
Operations Agility
Features for current and Next
Generation Campus
• Trustsec
Investment Protection
Protect your current
investments while getting
ready for future in Access.
• SmartOps
• AVC
