Unified Access – One Policy – One Management – One Network
Unified Policy – Unified Management – Unified Network
董玉玲, Borderless Networks Consulting Engineer
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
User Profiles
Basic Mobility – guests / partners
• Wireless
• Internet access only
• Rate and time limited
• Acceptable use agreement
Basic BYOD – non-permanent staff
• Wired and wireless
• Account sponsorship
Advanced BYOD – employee BYOD
• Wired / wireless / VPN
• Account sponsorship
• User directory, VPN
• VDI / VXI access
• Data Loss Prevention…
• Voice, video, data…
Open questions for these profiles: broad device support? remote access? management and policy for VPN / wireless / wired access; wired security? secure data protection? wireless attacks?
Unified Access architecture (Cisco WebEx®, Cisco Jabber™, Cisco ISE, Cisco Prime™ NCS, Cisco ASA, Cisco CSM and ASDM)
• Cisco ISE: context-aware dynamic policy
• Cisco Prime NCS: unified visibility and management
• Cisco ASA with CSM and ASDM: firewall
Trusted users / devices / links; trusted network; Unified Access: one integrated network
Wired network (office wired, wired network devices), wireless network (office wireless) and remote access network (HQ, remote access)
Industry use cases:
• Finance / FSI: mobile banking and insurance, VIP services
• Education / Edu.: mobile classroom / courseware / schoolbag
• Healthcare: mobile medical staff, centralized electronic medical records
• Enterprise / MNC: remote access / executive remote access
• Retail: online sales / inventory allocation / VIP services
• Manufacturing / Manu.: production line management, supply chain resources
Virtualized VDI applications, BYOA
Unified Workspace: better customer experience, higher productivity, lower IT management cost
Cisco's Unified Access network overview
One Policy – One Management – One Network
Cisco ISE – providing consistent control
BEFORE: separate policy and guest management
AFTER: unified, context-based policy management = Improved Control
Who? What? When? Where? How?
Let only permitted devices through.
AAA + Profiling, Provisioning, and Posturing = secure BYOD
Wired | Wireless | VPN
Simple | Unified | Automated
5 Dimensions of Policy
Identity (Who) | Device (What) | Access method (Which) | Location (Where) | Time (When) | Policy
Guest | Personal device | Wireless | Meeting room | M–S, 8 am–6 pm | Captive Portal, DMZ guest tunnel, guest VLAN
Contractor | Contract device | Wired | Contractor seat | Any time | Contractor VLAN
Contractor | Personal device | Wireless | Not HR or Finance spaces | M–S, 8 am–6 pm | Contractor ACL
Employee | Corporate device | Wired | Anywhere | Anywhere | Employee VLAN
Employee | Personal device | Wireless | Anywhere | Anywhere | Employee ACL
| | VPN | Anywhere | |
IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy
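The rule IF $Identity AND $Device AND $Access AND $Location AND $Time THEN $Policy, as an added Python example that is not part of the deck: it transcribes the five-dimension table into a first-match, default-deny evaluator, so a session that matches no row (for instance the VPN row, whose policy the slide leaves blank) gets no access. The rule names, the "business" window (assumed Monday to Saturday, 08:00 to 18:00) and the location labels are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

ANY = "*"               # wildcard: the "any location" / "any time" cells
BUSINESS = "business"   # the "M–S 8 am–6 pm" cells (assumed Mon–Sat, 08:00–18:00)


@dataclass(frozen=True)
class Rule:
    identity: str
    device: str
    access: str
    location: str       # "!a,b" means any location except a or b
    time: str
    policy: str


# Constructed rule set transcribing the slide's table (labels are assumptions).
RULES = [
    Rule("guest", "personal", "wireless", "meeting-room", BUSINESS,
         "captive-portal, dmz-guest-tunnel, guest-vlan"),
    Rule("contractor", "contract", "wired", "contractor-seat", ANY, "contractor-vlan"),
    Rule("contractor", "personal", "wireless", "!hr,finance", BUSINESS, "contractor-acl"),
    Rule("employee", "corporate", "wired", ANY, ANY, "employee-vlan"),
    Rule("employee", "personal", "wireless", ANY, ANY, "employee-acl"),
]


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() <= 5 and 8 <= ts.hour < 18   # Mon=0 .. Sat=5


def location_ok(spec: str, location: str) -> bool:
    if spec == ANY:
        return True
    if spec.startswith("!"):                          # exclusion list ("not HR or Finance")
        return location not in spec[1:].split(",")
    return spec == location


def authorize(identity: str, device: str, access: str, location: str, ts) -> str:
    """Evaluate all five dimensions against RULES; first matching row wins.
    ts is a datetime or an ISO-8601 string. Returns the policy to apply,
    or 'deny' when no row matches (default deny)."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    for r in RULES:
        if (r.identity, r.device, r.access) != (identity, device, access):
            continue
        if not location_ok(r.location, location):
            continue
        if r.time == BUSINESS and not in_business_hours(ts):
            continue
        return r.policy
    return "deny"
```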
Identity Services Engine
• "I only allow the right people and devices onto my network" – Authentication Services
• "I want users and devices to receive the appropriate network services" – Authorization Services
• "I allow guests onto the network, but I need to control their behavior" – Guest Lifecycle Management
• "I want to allow/deny iPads on my network (BYOD)" – Simplified Policy Management, Profiling Services
• "I want to make sure the devices accessing my network are 'clean'" – Posture Services
• "I need a scalable way to enforce access policy across the whole network" – Secure Group Access
Cisco Prime Infrastructure – providing consistent visibility
Single Pane of Glass View and Management of WLAN – LAN
BEFORE: separate management of WLAN, LAN and WAN
• Siloed – inefficient operational model
• Repetitive – manual correlation of data
• Error prone – consumes time and resources
AFTER: WLAN + LAN + Identity; comprehensive visibility of users and access devices with advanced troubleshooting = Improved Visibility
• Simple – improves IT efficiency
• Unified – single view of all user access data
• Advanced troubleshooting – less time and resources consumed
• Visibility of BYOD users and applications
• Visibility of endpoints and applications
• Full visibility of network devices
• Full visibility of network device interfaces
Control and Visibility for IT – Predictability for Users
• Mobility Services Engine: 3310 and 3355 (physical or virtual)
• Identity and Policy: ISE (physical or virtual)
• Data integration: Prime
• Wireless LAN Controllers: campus controllers 5500 Series and WiSM2; branch controllers 2500 Series and WLC on SRE; cloud controller Flex 7500
• Access Points: indoor 1040 Series, 1140 Series, 1260 Series, 3500i Series, 35/3600e Series; high density 3500p Series; outdoor 1550 Series; teleworker 600 Series
• Distribution switches: 6500 Series
• Access switches: 4500E, 3750-X / 3560-X, 2960-S, Compact
Unified Access – Wireless
New products and new features to safeguard BYOD
Wireless controller portfolio (positioned by features / performance against scale, in number of clients and APs)
• WiSM2
• 8500 (SP Wi-Fi) – NEW, multi-architecture capable
• 5500
• 2500
• SRE – WLCM2
• Virtual Controller – NEW
• Flex 7500 (lean branch, FlexConnect)
Cisco CUWN in a BOX – Virtual CUWN
Release 7.3 features:
• vWLC
• vNCS
• vMSE
• Supports FlexConnect local switching and central switching
• Up to 200 APs per virtual machine
• Runs on the ESX / ESXi hypervisor on UCS / x86 servers
• Suited to cost-sensitive scenarios such as K-12 schools and retail stores
SP large-scale deployment features
Access Points: 300–6,000
Clients: 64,000
Branches / locations: 6,000 (2,000 groups)
Access Points per FlexConnect group: 100
Deployment model: Local, FlexConnect and mesh
Form factor: 1 RU
I/O interfaces and redundancy: two redundant 10 Gigabit ports
Power options: AC and DC
Power redundancy: dual redundant power supplies
• Outdoor APs supported
• Other key features: 4K VLANs; up to 6,000 APs and 64,000 wireless clients
• Features supported in the 7.3 release: stateful controller hot standby for APs; FlexConnect, Local and Mesh modes; traffic rate limiting; the VideoStream feature
Roadmap is highly confidential and reflects current plan. Subject to change without notice
Wireless controller HA notes
• The standby controller can be scaled to the maximum number of APs for that model.
• Release 7.3 supports only 1+1 hot standby, with the two controllers Layer 2 adjacent and physically connected by Ethernet cable.
• The controller is put into standby mode from the command line.
• The license of the standby controller cannot be exported.
• Supported in 7.3: APs switch quickly from the active to the standby controller; the SSID stays up and the CAPWAP tunnel does not need to be re-established, but at this stage clients still need to re-authenticate.
Controllers that support AP SSO:
Model | SSO details
5508, Flex 7500 and 8500 | 1:1 hot standby
WiSM2 | within a chassis and across chassis with VSS
Not supported in 7.3:
• Controllers without a physical and Layer 2 connection
• 2500, SRE/WLCM2, virtual controller
Redundancy Port connectivity (WLC 5500 and Flex 7500)
• The 5500/7500/8500 WLCs use a dedicated RP (redundancy port) to synchronize configuration between the active and the hot standby controller.
• A keepalive is sent over the RP every 100 milliseconds to check whether the active controller is alive.
• An ICMP packet is sent every second to check that the interface gateway is reachable.
(Figure: active controller RP 1 connected to hot standby controller RP 2, shown for the WLC 5500 and the Flex 7500)
• A WiSM-2 controller needs a dedicated Redundancy VLAN, which is used to synchronize configuration from the active to the standby controller.
• A keepalive is sent over the RP VLAN every 100 milliseconds to check whether the active controller is alive.
• For WiSM2 HA, the two WiSM2 modules must be in the same chassis, or in two 6500 chassis running VSS; the trunk between the two 6500s must allow the RP VLAN.
(Figure: Slot 8: Active WiSM-2; Slot 9: Hot Stand-By WiSM-2)
• Before release 7.2, rate limiting could not be applied to a single WLAN, and per-user limits were downstream only.
• Release 7.3 can rate limit upstream and downstream traffic separately, both per user and per SSID.
• The original four QoS profiles (Platinum, Gold, Silver, Bronze) remain valid.
Access point portfolio: 802.11n + 802.11ac Wi-Fi with CleanAir technology
Tiers: Teleworker, Business-Ready, Mission Critical, Best in Class / Mission Critical
APs: OfficeExtend AP 600, AP 1040, AP 1140, AP 1260, AP 2600, AP 3500, and the new AP 3600 with 802.11ac module
Security monitor module – target FCS Q4 CY2012
• No separately installed monitor-mode AP is needed for full-band spectrum analysis; no extra AP or cabling to install, which lowers cost; the module draws power from the AP3600.
• Installed as a module: a single module covers 2.4 GHz and 5 GHz; no configuration is needed, the module automatically scans all 2.4 GHz and 5 GHz channels; independent built-in MIMO antennas, 0x4 (0 Tx antennas x 4 Rx antennas).
• With the security monitor module, the AP3600 can at the same time: serve wireless clients on 2.4 and 5 GHz; run wIDS/wIPS security scanning on all 2.4 GHz and 5 GHz channels; run spectrum analysis on all 2.4 GHz and 5 GHz channels.
(Figure: Wi-Fi bandwidth and clients over time, early 2000 to 2016 – 802.11b 11 Mbps, 802.11a, 802.11g 54 Mbps, 802.11n 450 Mbps, 802.11ac-1 1 Gbps, 802.11ac-2 3.5 Gbps, 802.11ss 10 Gbps)
• Same 10 to 30 metre coverage range as 802.11n
• 3x the wireless throughput
• Starts at 1 Gbps throughput – Wave 1; can carry multiple HD video streams
• 802.11ac clients will appear from the end of 2012, initially 1x1 and 2x2 11ac wireless adapters
Number of SS | 802.11ac, 80 MHz with 64 QAM | 802.11n, 20 MHz with 64 QAM
1 | 290 Mbps | 65 Mbps
2 | 650 Mbps | 144 Mbps
• Tablets and smart devices keep growing
• Faster connection = less airtime = more battery life
802.11ac module – target FCS Q1 CY13
The 802.11ac module is integrated into the AP with built-in antennas and uses the same architecture as the security monitor module.
• 802.11ac Wave 1 – 5 GHz AP3600 module: 5 GHz radio module; backward compatible with 802.11a and 802.11n wireless clients; 1.3 Gbps rate / ~1 Gbps MAC (throughput); 3 spatial streams, 80 MHz, 256 QAM; explicit beamforming per the 802.11ac standard.
• The AP3600 serves 2.4 and 5 GHz at the same time: 802.11 b/g/n on 2.4 GHz and a/ac/n on 5 GHz.
• Power requirements of the 802.11ac module: more than 15.4 Watts (802.3af) is needed, so one of the following is required: Enhanced PoE, 802.3at PoE+, local supply or Power Injector 4.
• The mounting bracket must be the Universal Mounting Bracket (Bracket-2) or the Ceiling Mounting Bracket (Bracket-3).
Cisco switches | 802.3af PoE | 802.3af Enhanced PoE | 802.3at PoE+ | UPoE
802.11ac ready | No | Yes | Yes | Yes
4500 E Series 47xx line card | √ | No | √ | √
4500 E Series all other copper line cards | √ | No | √ | No
4500 non E Series | √ | No | No | No
3750-X | √ | No | √ | No
3750-E | √ | √ | No | No
3750-G | √ | No | No | No
3560-X | √ | No | √ | No
3560-E | √ | √ | No | No
3560-C | √ | No | √ | No
2960-S | √ | No | √ | No
2960-C | √ | No | No | No
2960 | √ | No | No | No
Power injectors: AIR-PWR-INJ4
Aironet 2600 Series – General Availability: Sept 2012
• Aironet 2600i Access Point: for indoor office environments; CleanAir technology; ClientLink 2.0; built-in dual-band antennas
• Aironet 2600e Access Point: for factories, warehouses and other industrial environments; CleanAir technology; ClientLink 2.0; built for harsh environments; 4 external dual-band antennas
Ordering:
AIR-CAP2602I-x-K9 – Dual-band 802.11 a/g/n controller-based access point
AIR-CAP2602E-x-K9 – Dual-band 802.11 a/g/n external antenna controller-based access point
AIR-CAP2602I-xK910 – 10 Pack 802.11 a/g/n controller-based access point
AIR-CAP2602E-xK910 – 10 Pack 802.11 a/g/n external antenna controller-based access point
AIR-SAP2602I-x-K9 – Dual-band 802.11 a/g/n standalone access point
AIR-SAP2602E-x-K9 – Dual-band 802.11 a/g/n external antenna standalone access point
AIR-SAP2602I-xK9-5 – 5 Pack 802.11 a/g/n standalone access point
AIR-SAP2602E-xK9-5 – 5 Pack 802.11 a/g/n external antenna standalone access point
• The AP3600 delivers the best wireless performance
• The AP3600 suits high-density, high-capacity environments
• The AP3600's modular design protects the enterprise investment: security monitor module; 11ac module; other future modules
• The AP3600 is 4x4:3 spatial streams; the extra transmit chain improves downlink performance for wireless clients on all bands
• The AP3600 is more rugged!
The AP-2600 is similar to the AP-3600, but the AP2600 is not 4x4:3 and has no module support. Both the AP-2600 and the AP-3600 support ClientLink 2.0.
The 2600 and 3600 look essentially the same, except for a ring around the logo.
Orange stripe indicates a 2.4 & 5 GHz dual-band antenna. Do not use a single-band antenna unless you intend to use the AP as a single-band device.
Note: The PID in RED got changed – fixing this now in documentation
Feature | 3600 Series | 2600 Series | 3500 Series | 1260 Series | 1140 Series | 1040 Series | 600 Series
Max data rate | 1.3 Gbps | 450 Mbps | 300 Mbps | 300 Mbps | 300 Mbps | 300 Mbps | 300 Mbps
Radio design (MIMO:spatial streams) | 11n: 4x4:3, 11ac: 3x3:3 | 3x4:3 | 2x3:2 | 2x3:2 | 2x3:2 | 2x2:2 | 2x2:2
Module option | 802.11ac or Security Monitor (FCS Q1CY13) | – | – | – | – | – | –
CleanAir | ✔ | ✔ | ✔ | – | – | – | –
ClientLink | ClientLink 2.0, EBF for 802.11ac | ClientLink 2.0 | ✔ | ✔ | ✔ | – | –
BandSelect | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | –
VideoStream | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | –
Rogue AP detection | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | –
Adaptive wIPS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
OfficeExtend | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
FlexConnect | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | –
Data uplink (Mbps) | 10/100/1000 | 10/100/1000 | 10/100/1000 | 10/100/1000 | 10/100/1000 | 10/100/1000 | 10/100
Power | 11n: 802.3af; 11ac: Enhanced PoE, 802.3at or UPoE | 802.3af | 802.3af | 802.3af | 802.3af | 802.3af | 100 to 240 VAC, 50-60 Hz
Temperature range | (i) 0 to 40°C, (e) 0 to 55°C | (i) 0 to 40°C, (e) -20 to 55°C | (i) 0 to 40°C, (e) -20 to 55°C | -20 to 55°C | 0 to 40°C | 0 to 40°C | 0 to 40°C
Wi-Fi standards | 802.11 a/ac/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n | 802.11 a/b/g/n
*List price for integrated antenna version only, where applicable **Target price
Innovation advantages
Best in Class and Best of Breed – Unified Access innovation (predictability)
• Unified policy & management: Who? What? When? Where? How? – ISE (control), Prime (visibility)
• CleanAir: chip-level proactive protection
• ClientLink: chip-based proactive behaviour, automatic beamforming
• Radio Resource Management: automatic RF management
• VideoStream: efficiently extends wired multicast to the wireless network
• TrustSec – Secure Group Access: policy-based tagging, fast network forwarding, higher forwarding efficiency
• Application Control & Visibility: identify, analyze and optimize application traffic
• Stateful Switchover: fast WLAN & LAN switchover
• AnyConnect: always-on VPN connection
Unified Access / user and market recognition
• 20+ years of market leadership
• 10+ times a leader in the Gartner Magic Quadrant
• 350,000+ wireless customers
• Leader in the new Unified Access Magic Quadrant
• 1,000,000+ switching customers
• Most patents in the industry
• Broadest mobility product line
• Largest development team in the industry
• Broadest switching product line
• Most IEEE participants in the industry
• 95% of the Fortune 1000 choose Cisco
• FIPS, Common Criteria, PCI certified
Thank You