Cisco Prime Infra, ISE and CMX

PI 3.0, ISE 2.0, CMX 10.2

Jaroslav Čížek, Systems Engineer, Cisco

November 2015

Agenda

• Cisco Prime Infrastructure 3.0 & APIC-EM
• Securing the WLAN infrastructure - Cisco ISE 2.0
• Advanced WLAN features - Cisco CMX 10.2

Cisco Prime Infrastructure 3.0 & APIC-EM

Cisco Prime Infrastructure: Realizing the Vision of One Management

Campus, Branch to DC; Day 0 to Day N; Application Centric

• One Network: converged wireless & wired management with integrated best practices
• One Management: automated deployment & simplified Day 2 operations
• One Assurance: from users to applications and everything in-between

*requires Pro OVA or Gen2 hardware appliance

Enterprise Management 3.0: End-to-End Lifecycle Management

Lifecycle

• Centralized lifecycle management - discovery, inventory, configuration, SWIM, and proactive/reactive monitoring
• Advanced troubleshooting of wired and wireless infrastructure issues
• Rapid device support through Device Packs for new Cisco® devices, routers, switches, controllers, access points, Nexus® technology, and more
• Customizable configuration templates based on Cisco validated designs and guided workflows, including IWAN support
• Cisco Unified Access™ management and client tracking
• Seamless integration with Cisco Identity Services Engine (ISE) for simplified troubleshooting
• Seamless integration with Cisco Mobility Services Engine (MSE) for location-based services, rogue detection, etc.
• Compliance Baseline* – audit device configurations

Enterprise Management 3.0: Application Experience and End User Experience

Assurance

• End-to-end visibility for service-aware networking by applications, services, and end users
• Out-of-the-box support for Cisco® advanced technologies, including AVC 2.0, NetFlow, Flexible NetFlow, NBAR2, Performance Agent, Medianet, and more
• Service health dashboard allows a quick health check on your business-critical applications
• Simplified troubleshooting of applications and client access issues
• Multi-NAM management: traffic analysis, application response time metrics, packet capture and decode
• QoS configuration / monitoring applied to interfaces and class-based traffic patterns

Datacenter UCS Server and VM Management

Datacenter Management

• Extends One Management – visibility of infrastructure and assurance from branches all the way through campus and data center
• Cisco UCS B and C series – discovery and inventory of compute infrastructure, mapped back to the network elements of the data center
• Fault and root cause analysis – identify and isolate the source of the problem; pinpoint the issue to the right network or compute elements; understand the impact of network problems on the compute infrastructure; remediate the issue at its source
• Availability and performance – monitor the availability status of the UCS physical servers; provides visibility into UCS port health status and performance
• Server 360 Degree view – concise and easy-to-consume server details accessible from anywhere in the product; allows for quick troubleshooting

Operations Center: Centralized Visualization of Multiple PI Instances

Distributed

• Supports up to 10 Prime Infrastructure instances
• Addresses geographic distribution, scalability, resiliency and visibility
• Single pane of glass monitoring with click-through management

Centralized

• Central view of assets, alarms and clients
• Single sign-on
• Dashlets aggregated from PI instances
• Central Virtual Domain Management – can add/delete domains from OpCenter

Scalable

• Consolidated view of network health
• Consolidated view of health of each PI instance
• Reports scheduling from one interface

Prime Infrastructure 3.0 – What's new

• Intuitive, mobile-friendly user interface
• Application Performance Overview
• Enterprise Voice with MS Lync integration
• Day 2 – Compliance Validation
• Day 0/1 – New Platforms Managed
• Client Troubleshooting Simplified

Modern User Interface

• Tablet friendly
• Metrics widgets
• Same menu structure as 2.2
• Correlated charts
• Dashboard export
• Dashboard tagging for favorites

IWAN Monitoring with Prime Infrastructure 3.0

• Application visibility with service health dashboard
• QoS monitoring and management
• PfR monitoring
• DMVPN monitoring
• Device and interface health statistics
• WAAS application monitoring with NAM integration

Cisco Enterprise Management: Consolidation of Licensing / Features

Enterprise Management 3.x

• Cisco Prime Infrastructure 3.0 (Lifecycle, Assurance) – network management
• APIC-EM Controller (Foundation Apps, Solution Apps) – SDN management for the enterprise; application centric, policy based management

Cisco APIC-EM: An Application Platform for Enterprise WAN and Access Networks

• Virtual (ISO VM) or appliance-based
• Provides user policy abstraction and automation
• Simplification of complex network configuration with Cisco® application best practices
• Existing and new installations (Catalyst®, ISR, ASR, WLC)

Ready-to-deploy applications (October 2015): IWAN (with a license), Plug-n-Play (free), Path Trace (free)

Benefits: brownfield support, ready-to-use applications, open northbound API

APIC-EM Delivers IT Flexibility: Enabling Automation Through Innovative Management Principles

Open: static → programmable; expert CLI → policy + GUI; greenfield → brownfield + greenfield

Simple: manual → automated; box-centric → network-wide; provisioning in months → hours

Applications (security, orchestration, automation, collaboration, virtualization) use network-wide abstractions to simplify the network

Southbound abstraction layer with REST API towards Catalyst®, Cisco Nexus®, ASR, ISR, wireless, ASA and other devices

The SDN ideal: the controller as the application platform

APIC-EM - Platform Architecture

• APIC-EM Applications: Network PnP, Network Inventory, Path Trace, IWAN, Advanced Topology Visualizer
• Northbound REST APIs
• APIC-EM Controller
• APIC-EM Services: Grapevine, Inventory Manager, RBAC, Policy Analysis, Policy Programmer, Network PnP, Data Access Service, Topology Services, IWAN Services
• Elastic Service Infrastructure – addresses scale-out and HA requirements

APIC-EM Path Trace Application: Accelerate Trouble-Ticket Processing

Flow: user trouble ticket → IT → Path Trace → network

• Open architecture
• Network and applications monitoring
• Simple workflow

Benefits (SDN)

• Easy visual discovery of trouble spots in the communication path based on 5-tuple info
• OpEx for ticket processing decreased by 98%, from 1.6 hours to 1 minute

Path Trace App: Enhanced Application Flow Visibility

• CAPWAP tunnel visualization
• Accuracy note (as a percentage)
• Link source information
• Ingress/egress interface

PI integration with APIC-EM PnP and PKI

• PI 3.0 uses the PnP and PKI service from the APIC-EM via REST API calls
• With this integration, all the actions are driven from PI – no need to log on to the APIC-EM GUI for PnP or PKI
• Add APIC-EM as a server within PI (Administration > APIC-EM Controller)
• Enter the APIC-EM admin credentials used for the REST API calls
• Enable the APIC-EM global setting for PnP and PKI

Securing the WLAN infrastructure - Cisco ISE 2.0

Quick Reminder – What is ISE? A centralized security solution that automates context-aware access to network resources and shares contextual data

• Network resources: role-based policy access, traditional or TrustSec
• Secure Access: BYOD access, guest access, role-based access
• Identity profiling and posture: who, what, when, where, how, compliant
• ISE acts as the context controller at the network door and shares context over pxGrid

The Different Ways Customers Use ISE

Guest Access Management Easily provide guests limited-time, limited-resource Internet access

BYOD and Enterprise Mobility Seamlessly & securely onboard devices with the right levels of access

Secure Access across the Entire Network Simplify & unify enterprise network access policy across wired, wireless, & VPN

With Cisco TrustSec® Identity-aware Network Segmentation and Access Policy Enforcement

ISE 2.0 is Here!

Simplified Solution Deployment

• Support for non-Cisco Switches & Wireless Phase 1

• New TrustSec Workcenter, Matrix & Dashboard

• Out-of-Box Default Policies

Simplified Operations

• TACACS+ => Device Admin Work Center, ACS Migration Phase 1 (License Based: $4.5K)

• MDM Enhancements (multiple MDM, tighter Meraki integration)

• Posture Enhancements (e.g., disk encryption check)

• BYOD & Certificate Enhancements

• Endpoint Identity - Visibility

Integrated Threat Defense

• Fire & ISE; Adaptive Network Control

• Location integration via Mobility Services Engine

• Extending PxGrid integration with other partners

Enhance control with location-based authorization – What's new for ISE 2.0?

With the integration of Cisco Mobility Services Engine (MSE), administrators can leverage ISE to authorize network access based on user location. The admin defines a location hierarchy and grants users specific access rights based on their location.

Benefits

• Enhanced policy enforcement with automated location check and reauthorization
• Simplified management by configuring authorization with ISE management tools
• Granular control of network access with location-based authorization for individual users

Capabilities

• Enables configuration of a location hierarchy across all location entities
• Applies MSE location attributes in authorization policy
• Checks MSE periodically for location changes
• Reauthorizes access based on the new location

Example (healthcare): the patient data access locations are the patient room, ER, lab and lobby. A doctor in the patient room or the ER gets access to patient data; the same doctor in the lobby or the lab gets no access to patient data.
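The location hierarchy, inherited access rights and periodic MSE re-check described above, modelled as an added example (not ISE's own policy engine or API); the hospital hierarchy, role names and authorization profile names are constructed for illustration.

```python
"""Location-aware authorization with periodic re-check (added example, not Cisco code)."""
from dataclasses import dataclass, field

# Constructed location hierarchy: child -> parent, root has parent None.
LOCATION_PARENT = {
    "Hospital": None,
    "Floor1": "Hospital", "Lobby": "Floor1", "Lab": "Floor1",
    "Floor2": "Hospital", "PatientRoom": "Floor2", "ER": "Floor2",
}

# Constructed rules (role, location, profile). A rule granted at a node applies
# to every location beneath it; the most specific location wins; default deny.
RULES = [
    ("Doctor", "PatientRoom", "PatientData"),
    ("Doctor", "ER", "PatientData"),
    ("Doctor", "Hospital", "Internet"),   # anywhere else in the building
    ("Guest", "Lobby", "Internet"),
]

def ancestors(location):
    """Yield the location itself, then each parent up to the root."""
    while location is not None:
        yield location
        location = LOCATION_PARENT[location]

def authorize(role, location):
    """Return the authorization profile for role at location, or 'Deny'."""
    for loc in ancestors(location):            # most specific first
        for rule_role, rule_loc, profile in RULES:
            if rule_role == role and rule_loc == loc:
                return profile
    return "Deny"

@dataclass
class Session:
    endpoint: str          # e.g. client MAC address
    role: str
    location: str
    profile: str = field(init=False)
    def __post_init__(self):
        self.profile = authorize(self.role, self.location)

def recheck(session, mse_location):
    """Periodic MSE check. Updates the session and returns True when the
    location change yields a different profile, i.e. reauthorization is needed."""
    if mse_location == session.location:
        return False
    session.location = mse_location
    new_profile = authorize(session.role, mse_location)
    changed = new_profile != session.profile
    session.profile = new_profile
    return changed
```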

Enable Rapid Threat Containment With Cisco Firepower Management Center (FMC) and Identity Services Engine (ISE) – What's new for ISE 2.0?

Cisco Firepower Management Center integration with ISE identifies and addresses suspicious activity, based on pre-defined security policies.

Benefits

• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSight and ISE integration
• Admit or deny access to the contractor portal

Capabilities

• Detect threats early: FireSight scans activity and publishes events to pxGrid
• Automate alerts: leveraging ISE ANC to alert the network of suspicious activity according to policy
• New ISE and pxGrid ecosystem partners: leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE

Containment flow

1. A corporate user downloads a file.
2. FMC scans the user activity and the file.
3. FMC detects a suspicious file and alerts ISE over pxGrid by changing the Security Group Tag (SGT) to "suspicious".
4. Based on the new tag, ISE enforces policy on the network; access is denied per security policy.

Cisco ISE Express Licensing Bundle: Enterprise Guest for Less with No ATP Requirement (NEW)

Easy, Affordable Guest Services – Now Available: Entry-Level Bundle for the Market-Leading Cisco ISE

• The Offer: one ISE VM with ISE Base Licenses for 150 endpoints for single-site deployment (non-distributed, no HA)
• The Features: Guest, RADIUS/AAA, unlimited custom portals with ISE Portal Builder
• The Price: $2,500 US list price*

*Current as of date of recording, May 8, 2015

Advanced WLAN features - Cisco CMX 10.2

Gain Insights & Innovate with Cisco CMX

• Detect: presence and location detection; visibility (Wi-Fi, BLE)
• Connect: easy Wi-Fi login, custom or social; zone-based, custom splash pages
• Engage: app-based mobile engagement; context-aware in-venue experiences

Analytics (presence, location, social): Understand How People Interact in the Location

• Number of people by venue and zones
• Peak time in venue
• New compared to repeat visitors
• Common traffic patterns
• Where people spend time

CMX 10.2 - Analytics

• Presence – maps & PI not required, easy set up, ideal for smaller deployments; lends itself nicely to ME customers
• Social Analytics
• Verticalization & Zone Tagging
• Auto Report Generation
• New Analytics Widgets

CMX 10.2 Presence Analytics

CMX 10.2 - New Analytics Widgets

• CMX version 10.2 adds three new widgets that can be added to a custom Analytics report:
  - Path
  - Associated Status
  - Dwell Time Breakdown

CMX 10.2 - Location Analytics

CMX 10.2 - Social Analytics

Enable Location-Specific Guest Access (Connect)

• Simplify access with user opt-in: offer clear terms and conditions
• Multiple access methods: custom or social media
• Customized access and promotion: proximity-based landing pages and video
• Understand who is in your location: enhanced analytics

Engage Consumers Using Location Services (Engage)

• Work with Cisco and ecosystem partners to align to business needs
• Fully customizable applications with zone-based captive portals and enhanced advertising
• Location-aware app for a personalized experience
• Integrate with business systems

Introducing the Cisco Hyperlocation Module (requires MSE 10.x and WLC 8.1)

• Improved security coverage: integrated wireless security module
• Centralized management: BLE and Wi-Fi visibility
• Angle of Arrival (AoA) triangulation: 1-3 m accuracy, <1 m with beacons
• Integrated BLE beacon: reduces BLE deployment size
• Enhanced FastLocate: faster refresh rates

Innovation: Angle of Arrival (AoA) = ~meter accuracy

• Different antenna elements hear the signal a little earlier/later than others, which is measured by the phase of the signal
• Favors line-of-sight, with stellar accuracy in the 90 degree cone under the AP

Diagram: AP antenna array, 90 degree cone, client, wavefront (rays with a common distance). Each antenna element is a fraction of a wavelength closer to or farther from the client than its neighbor, and the exact value depends on the client location (if directly underneath => 0, if side on => the element spacing).
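The geometry in the bullets above, worked through as an added example (not Cisco's implementation): a uniform linear array at 2.4 GHz with half-wavelength element spacing is assumed, and the block also shows why wider spacing makes the wrapped phase ambiguous.

```python
"""Angle of Arrival from inter-element phase (added example, not Cisco code)."""
import math

C = 299_792_458.0        # speed of light, m/s
FREQ_HZ = 2.4e9          # assumed 2.4 GHz channel

def wavelength(freq_hz):
    """Free-space wavelength in metres."""
    return C / freq_hz

LAMBDA = wavelength(FREQ_HZ)
SPACING = LAMBDA / 2     # assumed element spacing; lambda/2 keeps the phase unambiguous

def path_difference(theta_deg, spacing_m):
    """Extra distance the wavefront travels to one element versus its neighbour.
    theta is measured from straight down (AP boresight): 0 = client underneath
    (difference 0), 90 = side on (difference equals the element spacing)."""
    return spacing_m * math.sin(math.radians(theta_deg))

def phase_difference(theta_deg, spacing_m, freq_hz):
    """Phase lag between adjacent elements, wrapped to (-pi, pi] as a receiver measures it."""
    phi = 2 * math.pi * path_difference(theta_deg, spacing_m) / wavelength(freq_hz)
    return math.atan2(math.sin(phi), math.cos(phi))

def angle_of_arrival(phase_rad, spacing_m, freq_hz):
    """Invert a measured phase lag to an angle from boresight, in degrees.
    Only unambiguous when spacing <= lambda/2; wider spacing aliases angles."""
    ratio = phase_rad * wavelength(freq_hz) / (2 * math.pi * spacing_m)
    if abs(ratio) > 1:
        raise ValueError("phase lag is inconsistent with this element spacing")
    return math.degrees(math.asin(ratio))

def horizontal_offset(theta_deg, ap_height_m):
    """Horizontal distance of the client from the AP for a ceiling-mounted array."""
    return ap_height_m * math.tan(math.radians(theta_deg))

if __name__ == "__main__":
    for theta in (0, 30, 45, 80):
        phase = phase_difference(theta, SPACING, FREQ_HZ)
        est = angle_of_arrival(phase, SPACING, FREQ_HZ)
        print(f"true {theta:>3} deg  phase {phase:+.3f} rad  estimate {est:6.2f} deg  "
              f"offset at 3 m height {horizontal_offset(est, 3.0):.2f} m")
```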

Cisco CMX Location Methods

• Data RSSI + Angle of Arrival: ~1-3 m accuracy, <5 seconds timeliness
• Data RSSI Location (Monitor Module, NEW): ~5-10 m accuracy, ~5 second timeliness
• Probe RSSI Location: ~5-10 m accuracy, ~40 sec timeliness

CMX BLE Offering

Tiers: BLE Aware (CMX 10.1 and above), BLE Capable (CMX 10.2 and above), BLE Gateway (future)

• Combined Wi-Fi + BLE location and analytics
• Integrated BLE radio with Hyperlocation module
• Reduce number of beacons
• Transmit multiple UUIDs
• Use CleanAir to detect BLE
• Check beacon health
• Track assets with BLE
• Alert on rogue beacons

Enhance Mobile Experiences with BLE

• Consolidated Wi-Fi & BLE management: configuration & provisioning*
• Enriched visitor analytics: supplement location analytics*
• BLE beacon monitoring: beacon health, rogue detection & alerts
• Inventory management: track assets with BLE
• Proximity messaging: BLE SDK* enabled application experiences

Use Case: Location Engagement with Beacons

1. AP deployed in a contextual area, configured as a specific beacon.
2. User with a context-aware mobile app walks by the beacon location.
3. App hears the beacon and alerts on the lock screen.
4. User launches the app for location-related engagement.
5. (Optional) App communicates with backend systems for dynamic content or analytics.

Technical Capabilities of Cisco's Enterprise CMX: Optimized for Flexibility and Control

• Real-time analytics with 2–4 second initial display and refresh
• Real-time and historical analytics with archiving up to 10 years
• Deep API capabilities, including predesigned industry-specific applications
• Multiple data source integration – Wi-Fi, iBeacon, video, enterprise systems, etc.
• Up to 1 square meter accuracy with FastLocate and Hyperlocation solution

Analytics – FastLocate: critical to actionable data (T=00s vs. T=30s refresh)

Technical Capabilities of Cisco's Cloud-Managed CMX: Optimized for Ease of Management

• Statistics on capture rate, engagement and appeal via intuitive, customizable graphs
• Built-in, centralized management with multi-site comparisons, from a single dashboard
• Out-of-the-box client proximity and presence information with full network visibility
• Cloud CMX Location API can provide client X,Y coordinates for user-created apps
• Unique integrated iBeacon capabilities provide proximity information