Cisco Secure Mobility- CLLE

Cisco Secure Mobility offers application visibility and control.
Cisco Live SLED East: Cisco Live Local Edition (CLLE)

Presentation Transcript

  • Local Edition
  • Secure Mobility (Local Edition)
    © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • What is Application Visibility & Control? (On Wireless Controllers)
    [Diagram: traffic classes Real Time, Interactive, Non-Real Time, Background]
    • NBAR2 library: deep packet inspection
    • NetFlow (static template): provides flow export
    • Policy: packet mark and drop traffic
    • Cisco Prime 2.0: troubleshooting, capacity planning, compliance
    • Third-party NetFlow collector
  • Application Visibility & Control: offering wired and wireless application insight and control
    • ISR G2 Routers
    • WLAN Controllers (new on WLC)
    • ASR 1000
    • Prime Assurance
    • NAM
  • NBAR supported features
    NBAR as a feature can perform the following tasks on the WLC:
    • Classification: identification of application/protocol; supports stateful L4–L7 classification. The WLC can classify 1039 applications.
    • AVC (Application Visibility Control): provides visibility of classified traffic and also gives an option to control it, using a Drop or Mark (DSCP) action.
      ‒ Action DROP: traffic for that application will be dropped.
      ‒ Action MARK: particular applications can be marked with the different QoS profiles available on the WLC, or the administrator can custom define a DSCP value for that application.
      ‒ AVC marking overrides all other QoS markings.
    • NetFlow: updating NBAR stats to a NetFlow collector like Cisco Prime Assurance Manager (PAM).
    • NBAR is supported on 2500, 5500, 7500, 8500 and WiSM2 controllers on Local and Flex mode APs.
    • The WLC can support 16 AVC profiles.
    • A WLAN can support only 1 AVC profile and each profile can contain 32 rules, thus each WLAN can support 32 application actions of mark or drop.
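The slide above states the AVC rule semantics in prose. The following Python model, which is an added example and not Cisco code or anything from this deck, encodes those stated limits and actions so that they can be exercised: at most 16 profiles per WLC, one profile bound per WLAN, at most 32 rules per profile, a drop rule discarding the flow, and a mark rule replacing whatever DSCP the packet arrived with. The application names, DSCP values and flows are constructed for the demonstration.

```python
"""WLC AVC profile semantics as stated on the slide, modelled in Python.
Added example, not Cisco code: a WLC holds at most 16 AVC profiles, a WLAN
binds one profile, a profile holds at most 32 mark/drop rules, and an AVC mark
replaces whatever DSCP the packet arrived with. Application names, DSCP
values and flows below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_AVC_PROFILES = 16        # slide: WLC can support 16 AVC profiles
MAX_RULES_PER_PROFILE = 32   # slide: each profile can contain 32 rules


@dataclass
class AvcRule:
    application: str             # NBAR2 application name (constructed here)
    action: str                  # "drop" or "mark"
    dscp: Optional[int] = None   # DSCP 0..63, required for "mark"


@dataclass
class AvcProfile:
    name: str
    rules: Dict[str, AvcRule] = field(default_factory=dict)  # one rule per application

    def add_rule(self, rule: AvcRule) -> None:
        if rule.action not in ("mark", "drop"):
            raise ValueError("AVC action must be 'mark' or 'drop'")
        if rule.action == "mark" and (rule.dscp is None or not 0 <= rule.dscp <= 63):
            raise ValueError("mark action needs a DSCP value in 0..63")
        if rule.application not in self.rules and len(self.rules) >= MAX_RULES_PER_PROFILE:
            raise ValueError(f"profile {self.name}: {MAX_RULES_PER_PROFILE}-rule limit reached")
        self.rules[rule.application] = rule


class Wlc:
    def __init__(self) -> None:
        self.profiles: Dict[str, AvcProfile] = {}
        self.wlan_profile: Dict[int, str] = {}   # WLAN id -> bound profile (only one per WLAN)

    def add_profile(self, profile: AvcProfile) -> None:
        if profile.name not in self.profiles and len(self.profiles) >= MAX_AVC_PROFILES:
            raise ValueError(f"WLC {MAX_AVC_PROFILES}-profile limit reached")
        self.profiles[profile.name] = profile

    def bind(self, wlan_id: int, profile_name: str) -> None:
        if profile_name not in self.profiles:
            raise KeyError(profile_name)
        self.wlan_profile[wlan_id] = profile_name   # rebinding replaces the previous profile

    def forward(self, wlan_id: int, application: str, incoming_dscp: int) -> dict:
        """Disposition of one packet of an NBAR2-classified flow on a WLAN."""
        name = self.wlan_profile.get(wlan_id)
        rule = self.profiles[name].rules.get(application) if name else None
        if rule is None:
            # no AVC action for this application: forwarded with its original marking
            return {"forward": True, "dscp": incoming_dscp}
        if rule.action == "drop":
            return {"forward": False, "dscp": None}
        # AVC marking overrides all other QoS markings
        return {"forward": True, "dscp": rule.dscp}


def demo() -> List[dict]:
    """Constructed walk-through: drop one app, re-mark another, leave a third alone."""
    wlc = Wlc()
    profile = AvcProfile("guest-avc")
    profile.add_rule(AvcRule("bittorrent", "drop"))
    profile.add_rule(AvcRule("webex-meeting", "mark", dscp=46))
    wlc.add_profile(profile)
    wlc.bind(1, "guest-avc")
    flows = [("bittorrent", 0), ("webex-meeting", 0), ("http", 24)]
    return [wlc.forward(1, app, dscp) for app, dscp in flows]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the module prints the three dispositions; the third flow keeps its incoming DSCP of 24 because no rule names it, which is the "use the WLAN default when nothing is defined" behaviour that matters when auditing what a profile actually touches.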
  • Enabling AVC
    • AVC is enabled on a per-WLAN basis
    • Global summary of top applications on the Controller Monitor screen
  • AVC Application
    • 1000+ applications can be detected by default
  • AVC Profile
    • Custom AVC profiles are created to do traffic shaping
    • Apply the custom profile per WLAN
  • Client AVC statistics on the WLAN
  • Configuring the NetFlow Exporter on the Controller and applying it to a WLAN
  • AVC Summary
    • Application statistics per WLAN with more detail on up/down streams
  • Cisco Prime - AVC Monitoring
    • AVC monitoring of client and application statistics
    Note: a PAM Assurance license is required on PI 2.0 for NetFlow monitoring; available in bundle sizes of 15, 50, 100, 500, 1,000, and 5,000 NetFlow-enabled interfaces.
  • The Protocol Problem
    • Why do Bonjour services need modifications?
    Bonjour:
    • Apple service discovery protocol
    • mDNS packets advertise and discover services for clients
    • Does not cross subnets or VLANs
    Result: clients can't see services on other subnets
  • Deployment Challenges
    [Diagram: Apple TV on VLAN X advertising to 224.0.0.251; CAPWAP tunnel; VLAN Y. Bonjour is link-local multicast and can't be routed]
    • Bonjour is link-local multicast and thus forwarded on the local L2 domain
    • AirPlay (Apple TV) and AirPrint are supported only on a single VLAN
    • mDNS operates at UDP port 5353 and is sent to the reserved group addresses: IPv4 group address 224.0.0.251, IPv6 group address FF02::FB
  • Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved.
    Agenda:
    • mDNS-AP
    • LSS – Location Specific Services
    • Priority MAC of Bonjour service
    • Origin Based service discovery
  • Deployment Changes with Bonjour Services Phase 2
    [Diagram: with mDNS-AP, Bonjour services (Apple TV and Apple services on VLAN Y, 224.0.0.251) can be seen from any VLAN; the mDNS AP forwards them to the WLC over the CAPWAP tunnel]
    • Bonjour is link-local multicast and thus forwarded on the local L2 domain
    • The mDNS AP snoops Bonjour services behind the router, or on VLANs that are not L2 adjacent, and forwards them to the WLC in the CAPWAP tunnel
  • Bonjour Phase 2 – mDNS AP
    • Given that mDNS Bonjour is an L2 multicast protocol and cannot be routed, it is enterprise unfriendly
    • In rel 7.5 any of the APs associated with the WLC as an "mDNS-AP" forwards the mDNS packets received at the AP from the switch
    • This enhancement allows the controller to have visibility of wired service providers which are on VLANs that are not visible to the controller
    • VLAN visibility at the WLC is achieved by APs forwarding the mDNS advertisements to the controller
    • The mDNS packet between AP and controller will be forwarded in the CAPWAP data tunnel, similar to mDNS packets from wireless clients. Both CAPWAP v4 and v6 tunnels will be supported
    • APs can be either in access mode or trunk mode to learn the mDNS packets from the wired side and forward them to the controller
    • The maximum number of VLANs that an AP can snoop is 10
  • Bonjour Phase 2 – mDNS AP
    • This feature is supported on local and monitor mode APs, and not on FlexConnect mode APs
    • If an mDNS AP resets, or joins the same or another controller, the behaviour is as follows:
      ‒ If global snooping is disabled on the controller, then a payload will be sent to the AP to disable mDNS snooping
      ‒ If global snooping is enabled on the controller, then the configuration of the AP previous to the reset/join procedure will be retained
    NOTE:
    • Disabling global snooping on the WLC will disable mDNS AP snooping as well; the mDNS AP will retain its configuration
    • An mDNS AP will not forward advertisements if it joins another controller with global snooping disabled
    • Configuring the same VLANs on multiple mDNS APs can cause flapping; no two mDNS-APs can duplicate advertisements of the same VLAN
  • Configuring mDNS Snooping
    Enable mDNS snooping globally and add services. A maximum of 6400 services on 5508 or WiSM-2 and 16000 on 7500/8500 can be configured *
  • Configure mDNS profile per WLAN
    • Create a custom profile per WLAN
    • Enable the mDNS snooping profile on the desired VLAN or WLAN
  • Configure mDNS-AP from CLI ONLY
    1. Configure the switch port for the mDNS-AP in trunk mode or access mode
    2. Configure the mDNS-AP in trunk mode or access mode:
       (WLC) >config mdns ap enable/disable <APName/all> vlan <vlan-id>
       (WLC) >show mdns ap summary
       (WLC) >config mdns ap vlan add/delete <vlanid> <AP Name>
       - no VLAN config in access mode
  • Summary of Bonjour enabled devices
    Bonjour enabled devices advertising a service are shown by domain name
  • Deployment Changes with LSS
    [Diagram: with LSS, Bonjour services (Apple services on VLAN Y, learnt via the mDNS AP over the CAPWAP tunnel) can be location specific; localization can be service specific]
    • The WLC responds with the subset of the SP-DB for the service being queried, subject to the client profile
    • Wireless SP-DB entries are filtered based on the AP-NEIGHBOR-LIST if LSS is enabled for the service
  • Bonjour Phase 2 – Location Specific Service
    • Prior to rel 7.5 the WLC responds with the complete SP-DB for the service being queried, subject to the client profile, which could be overwhelming
    • With LSS, all valid wireless-only mDNS service advertisements received at the WLC will be tagged with the MAC address of the AP associated with the service
    • In rel 7.5 wireless entries are filtered in the SP list based on the querying client's location using the RRM database, and the response is sent with a subset of the SP-DB
    • The querying client's AP base radio MAC address is used to query the RRM-DB to get the AP-NEIGHBOR-LIST
    • Wireless SP-DB entries are filtered based on the AP-NEIGHBOR-LIST if LSS is enabled for the service
    • If LSS is disabled for a service, then the wireless SP-DB entries will not be filtered while responding to any query from a wireless client for that service
    • Wired SP-DB entries are never filtered
    • LSS cannot be enabled for services with ORIGIN set to WIRED, and vice versa
  • Configure LSS services from CLI
    1. Once the basic Bonjour gateway setup is configured, LSS can be enabled by accessing the WLC CLI; LSS is disabled by default on the WLC
    2. Configure LSS services from CLI:
       (WLC) >config mdns service lss <enable / disable> <service_name/all>
  • Bonjour Phase 2 – Priority MAC
    • Prior to rel 7.5 we had a limitation of 100 service providers per 64 service types, and this was insufficient for some services
    • In the rel 7.5 implementation this restriction is removed and there is only a global service-provider limit per platform, i.e. 6400 on WLC 2500/5500/WiSM-2 and 16000 on WLC 7500/8500
    • In addition there is provision to configure up to 50 MAC addresses per service; these MAC addresses are the SP MACs that need priority
    • Priority MAC guarantees that any service advertisements originating from these MACs for the configured services will be learnt even if the SP-DB is full
    • Priority MAC is configured with an optional parameter "ap-group", which only applies to wired service providers, to associate a sense of location with the wired SP devices
      ‒ A Priority MAC configured with "ap-group" places that wired SP higher in the order than the other wired devices
      ‒ Wired SPs with an "ap-group" matching the client's "ap-group" are higher up in the order, meaning the client will see nearby wired devices first
      ‒ Please note only the order is changing and not the contents for the wired SP
  • Configure Priority MAC services from CLI
    Once the basic Bonjour gateway setup is configured, Priority MAC can be enabled by accessing the WLC CLI
    1. The command "show mdns service detailed <service_name>" will show the priority MAC addresses configured for the service
    2. Configure Priority MAC from CLI:
       (WLC) >config mdns service priority-mac <add /delete> <mac address> <service_name> [ap-group <group-name>]
  • Bonjour Phase 2 – Origin Based Services
    • Prior to rel 7.5, once a service is configured it is learned from both wired and wireless, and there is no option to restrict the learning to wired only, wireless only or all
    • In rel 7.5 the origin of the Bonjour service can be configured as wired/wireless/all
    • The origin is set to "All" by default for all services
    • All services seen at the controller and not filtered will be added to the Bonjour browser
    Note:
    1. All services learnt from an mDNS AP are treated as wired; similarly, for guest they are also treated as wired
    2. When the learn origin is WIRED then LSS cannot be enabled for the service, since LSS only applies to wireless services
  • Configure Origin Based services from CLI
    1. Once the basic Bonjour gateway setup is configured, Origin Based Services are enabled by default
    2. Configure Origin Based Service from CLI:
       (WLC) >config mdns service origin <wired/wireless/all> <service_name/all>
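The Bonjour Phase 2 slides (mDNS-AP, LSS, Priority MAC and Origin Based services) each describe one filter on the controller's service-provider database. The Python model below is an added example, not Cisco code and not from this deck; it puts those stated rules together so their interaction can be checked: a service learns only from its configured origin (default all), a full SP-DB still admits priority MACs, a wireless SP carries the MAC of the AP it was heard on, a query is answered with wireless SPs filtered by the querying client's AP neighbour list when LSS is on, wired SPs are never filtered, and wired SPs whose ap-group matches the client's are ordered first. The MAC addresses, AP names, service names, the tiny SP limit and the dict standing in for the RRM database are all constructed.

```python
"""Bonjour gateway SP-DB behaviour from the Phase 2 slides, modelled in Python.
Added example, not Cisco code. MACs, AP names, service names and the small
SP limit are constructed; a plain dict stands in for the RRM database."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_PRIORITY_MACS_PER_SERVICE = 50   # slide: up to 50 MAC addresses per service


@dataclass
class ServiceProvider:
    mac: str
    service: str
    origin: str                       # "wired" or "wireless"
    ap_mac: Optional[str] = None      # base radio MAC of the AP a wireless SP was learnt on
    ap_group: Optional[str] = None    # set on wired SPs via "priority-mac ... ap-group"


@dataclass
class ServiceConfig:
    origin: str = "all"               # wired / wireless / all (default all)
    lss: bool = False                 # LSS disabled by default
    priority_macs: Dict[str, Optional[str]] = field(default_factory=dict)  # mac -> ap-group


class BonjourGateway:
    def __init__(self, sp_limit: int, rrm_neighbors: Dict[str, Set[str]]) -> None:
        self.sp_limit = sp_limit                   # global service-provider limit
        self.rrm_neighbors = rrm_neighbors         # stands in for the RRM DB: ap -> neighbours
        self.services: Dict[str, ServiceConfig] = {}
        self.sp_db: List[ServiceProvider] = []

    def configure_service(self, name: str, origin: str = "all", lss: bool = False) -> None:
        if origin not in ("wired", "wireless", "all"):
            raise ValueError("origin must be wired, wireless or all")
        if lss and origin == "wired":
            raise ValueError("LSS only applies to wireless services; origin must not be wired")
        self.services[name] = ServiceConfig(origin=origin, lss=lss)

    def add_priority_mac(self, service: str, mac: str, ap_group: Optional[str] = None) -> None:
        cfg = self.services[service]
        if mac not in cfg.priority_macs and len(cfg.priority_macs) >= MAX_PRIORITY_MACS_PER_SERVICE:
            raise ValueError("priority MAC limit per service reached")
        cfg.priority_macs[mac] = ap_group

    def learn(self, sp: ServiceProvider) -> bool:
        """Admit an advertisement into the SP-DB; False when it is not learnt."""
        cfg = self.services.get(sp.service)
        if cfg is None:
            return False                                  # service not configured
        if cfg.origin != "all" and cfg.origin != sp.origin:
            return False                                  # origin-based filtering
        is_priority = sp.mac in cfg.priority_macs
        if len(self.sp_db) >= self.sp_limit and not is_priority:
            return False                                  # DB full; only priority MACs get in
        if is_priority and sp.origin == "wired":
            sp.ap_group = cfg.priority_macs[sp.mac]       # ap-group applies to wired SPs only
        self.sp_db.append(sp)
        return True

    def answer_query(self, service: str, client_ap_mac: str,
                     client_ap_group: Optional[str] = None) -> Dict[str, List[str]]:
        """Subset of the SP-DB returned to a wireless client asking for `service`."""
        cfg = self.services[service]
        neighbours = set(self.rrm_neighbors.get(client_ap_mac, set())) | {client_ap_mac}
        wired: List[ServiceProvider] = []
        wireless: List[str] = []
        for sp in self.sp_db:
            if sp.service != service:
                continue
            if sp.origin == "wireless":
                if cfg.lss and sp.ap_mac not in neighbours:
                    continue                              # LSS: outside the AP-NEIGHBOR-LIST
                wireless.append(sp.mac)
            else:
                wired.append(sp)                          # wired entries are never filtered
        # only the order of wired SPs changes: entries matching the client's ap-group first
        wired.sort(key=lambda w: 0 if w.ap_group is not None and w.ap_group == client_ap_group else 1)
        return {"wired": [w.mac for w in wired], "wireless": wireless}


AIRPLAY = "_airplay._tcp.local."   # constructed service names
IPP = "_ipp._tcp.local."


def demo():
    """Constructed scenario: three APs, an SP limit of 3, one LSS-enabled service."""
    gw = BonjourGateway(sp_limit=3, rrm_neighbors={"ap1": {"ap2"}, "ap2": {"ap1"}, "ap3": set()})
    gw.configure_service(AIRPLAY, origin="all", lss=True)
    gw.configure_service(IPP, origin="wired")
    gw.add_priority_mac(AIRPLAY, "00:00:5e:00:53:04", ap_group="floor1")
    learned = [gw.learn(sp) for sp in (
        ServiceProvider("00:00:5e:00:53:01", AIRPLAY, "wireless", ap_mac="ap1"),
        ServiceProvider("00:00:5e:00:53:02", AIRPLAY, "wireless", ap_mac="ap3"),
        ServiceProvider("00:00:5e:00:53:03", AIRPLAY, "wired"),
        ServiceProvider("00:00:5e:00:53:04", AIRPLAY, "wired"),      # priority: admitted when full
        ServiceProvider("00:00:5e:00:53:05", IPP, "wired"),          # DB full, not priority
        ServiceProvider("00:00:5e:00:53:06", IPP, "wireless"),       # origin is wired only
    )]
    answer = gw.answer_query(AIRPLAY, client_ap_mac="ap2", client_ap_group="floor1")
    return learned, answer
```

Calling `demo()` returns which of the six advertisements were learnt and the answer a client on ap2 receives: the AirPlay SP heard on ap3 is dropped from the reply by LSS because ap3 is not in ap2's neighbour list, while both wired SPs are returned with the floor1 entry first. The wired/wireless split in the return value is a choice of this model; the slides do not state how the two groups are interleaved in a real response.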
  • Summary
    • NBAR2/AVC – Cisco's Application Visibility and Control
    • PAM services – Cisco Prime Assurance Manager
    • Apple mDNS-AP services explained
    • LSS – Location Specific Services explained
    • Priority MAC of Bonjour service explained
    • Origin Based service discovery explained
  • Client Profiling
    • ISE offers a rich set of BYOD features, e.g. device identification, onboarding, posture and policy
    • Customers who do not deploy ISE but still require some ISE features directly in the WLC get:
      ‒ Native profiling, identifying network end devices based on protocols like HTTP and DHCP
      ‒ Device-based policy enforcement, per user or per device, on the network
      ‒ Statistics based on per-user or per-device endpoints and the policies applicable per device
  • Client Profiling
    • WLC-based local policy consists of 2 separate elements.
      ‒ Profiling can be based on:
        • Role – defining the user type or the user group the user belongs to
        • Device type – e.g. Windows, OS_X, iPad, iPhone, Android, etc.
        • EAP type – check which EAP method the client is connecting with
      ‒ Action is the policy that can be enforced after profiling:
        • VLAN – override the WLAN interface with a VLAN id on the WLC
        • QoS level – override the WLAN QoS
        • ACL – override with a named ACL
        • Session timeout – override the WLAN session timeout value
        • Time of day – policy override based on the time of day, else default to the WLAN
  • Configuring Client Profiles
    • Client profiling uses pre-existing profiles in the controller
      ‒ Custom profiles are not supported in this release
    • Wireless clients are profiled based on the MAC OUI, DHCP and HTTP user agent
      ‒ DHCP is required for DHCP profiling, Webauth for the HTTP user agent
    • The 7.5 release contains 88 pre-existing profiles:
       (Cisco Controller) >show profiling policy summary
       Number of Built-in Classification Profiles: 88
       ID   Name            Parent   Min CM   Valid
       ==== =============== ======== ======== =====
       0    Android         None     30       Yes
       1    Apple-Device    None     10       Yes
       2    Apple-MacBook   1        20       Yes
       3    Apple-iPad      1        20       Yes
       4    Apple-iPhone    1        20       Yes
       …/…
  • Local Client Profiling Configuration
    • At the WLAN level, enable Local Client Profiling (DHCP and HTTP)
      ‒ "DHCP required" is checked automatically when selecting DHCP profiling
       config wlan profiling {local | radius} {dhcp | http | all} <wlan ID>
       (Cisco Controller) >config wlan profiling local all enable 1
  • Client Profiles
    • When profiling is enabled, a client Device Type can be shown on the WLAN.
       (Cisco Controller) >show client summary devicetype
       Number of Clients................................ 3
       MAC Address       AP Name          Status        Device Type
       ----------------- ---------------- ------------- --------------------
       14:10:9f:ea:b8:c2 AP3600MM         Associated    OS_X-Workstation
       c8:d7:19:34:7e:dd AP3600MM         Associated    Windows7-Workstation
       d8:d1:cb:9a:28:f8 AP3600MM         Associated
  • Security Local Policies
    • When profiling is enabled, a client Device Type can be shown on the WLAN
    • Up to 64 policies per WLC
    • Can be applied to a WLAN or an AP Group
    • Multiple matching criteria per policy; any match will trigger the policy
    • A policy action overrides the WLAN setting; the WLAN default is used if an action attribute is not defined
  • Security Local Policies
    Match – how to identify a device:
    • Role
    • EAP Type
    • Device Type
    Action – policy to enforce:
    • VLAN
    • QoS
    • Session Timeout
    • Sleeping Client Timeout
    • Time of Day
  • Configure Policies on WLAN
    WLAN Policy Mapping
    • Up to 16 policies per WLAN
    • Only the first policy rule which matches is applied
    • Profiling and policy actions may happen more than once per client
  • Applying Policies to an AP Group
    • Apply the policies based on user location using AP groups
      ‒ The AP group policy overrides the general WLAN policies
       (Cisco Controller) >config wlan apgroup policy {add | delete} <priority index> <policy name> <apgroup name> <WLAN ID>
  • Verifying Local Profiling and Policy Enforcement
    • Once clients associate, you can verify the policies
    • Policy action will be done after:
      ‒ L2 authentication
      ‒ L3 authentication
      ‒ The device sends HTTP traffic and gets profiled
    [Screenshot: policy VLAN override]
  • Limitations
    • When local profiling is enabled, RADIUS profiling is not allowed
    • If AAA override is enabled, the AAA override attributes will have higher precedence
    • Wired clients behind a WGB won't be profiled and no policy action will be done
    • Only the first policy rule which matches is applied
    • Up to 16 policies per WLAN can be configured and globally 64 policies will be allowed
    • Policy action will be done after any of the following:
      ‒ L2 authentication is complete
      ‒ L3 authentication
      ‒ The device sends HTTP traffic and gets profiled: profiling and policy actions may happen more than once per client
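The local profiling and policy slides above (Security Local Policies, WLAN Policy Mapping, Verifying, Limitations) describe a match-and-override procedure that is easy to misjudge when a client is profiled twice. The Python below is an added example, not Cisco code and not from this deck: device type is derived from MAC OUI, DHCP vendor class or HTTP user agent and gets more specific as more is seen, policies are evaluated in priority order with only the first match applied, a policy matches when any one of its role, device-type or EAP-type criteria matches, an action attribute overrides the WLAN default only when it is defined, and AAA override attributes take precedence. The OUI lookup, user-agent hints, MAC addresses, policy names and WLAN defaults are constructed; the device-type names are the built-in profile names shown earlier on this page.

```python
"""WLC local client profiling and local policy as described on the slides,
modelled in Python. Added example, not Cisco code. The OUI mapping, user-agent
hints, MACs, policy names and WLAN defaults below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_POLICIES_PER_WLAN = 16   # slide: up to 16 policies per WLAN
MAX_POLICIES_PER_WLC = 64    # slide: up to 64 policies per WLC

# Constructed lookup standing in for the controller's built-in OUI table.
OUI_DEVICE = {"00:00:5e": "Apple-Device"}

# Constructed user-agent hints, checked most specific first; the names are
# built-in profile names listed on the page.
UA_DEVICE = [("iPad", "Apple-iPad"), ("iPhone", "Apple-iPhone"),
             ("Mac OS X", "OS_X-Workstation"), ("Windows NT 6.1", "Windows7-Workstation")]


def profile_client(mac: str, dhcp_vendor_class: Optional[str] = None,
                   http_user_agent: Optional[str] = None) -> Optional[str]:
    """Most specific device type supported by the evidence seen so far."""
    device = OUI_DEVICE.get(mac[:8].lower())
    if dhcp_vendor_class and "android" in dhcp_vendor_class.lower():
        device = "Android"
    if http_user_agent:
        for needle, name in UA_DEVICE:
            if needle in http_user_agent:
                device = name
                break
    return device


@dataclass
class Client:
    mac: str
    role: Optional[str] = None
    eap_type: Optional[str] = None
    device_type: Optional[str] = None


@dataclass
class LocalPolicy:
    name: str
    roles: Set[str] = field(default_factory=set)
    device_types: Set[str] = field(default_factory=set)
    eap_types: Set[str] = field(default_factory=set)
    vlan: Optional[int] = None              # action attributes; None keeps the WLAN default
    qos: Optional[str] = None
    session_timeout: Optional[int] = None

    def matches(self, client: Client) -> bool:
        # multiple criteria per policy; any one match triggers it
        return (client.role in self.roles or client.device_type in self.device_types
                or client.eap_type in self.eap_types)


def enforce(wlan_defaults: Dict[str, object], policies: List[LocalPolicy], client: Client,
            aaa_override: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Effective settings for the client after WLAN policy mapping."""
    if len(policies) > MAX_POLICIES_PER_WLAN:
        raise ValueError(f"at most {MAX_POLICIES_PER_WLAN} policies per WLAN")
    effective: Dict[str, object] = dict(wlan_defaults)
    matched = next((p for p in policies if p.matches(client)), None)   # first match only
    if matched is not None:
        for attr in ("vlan", "qos", "session_timeout"):
            value = getattr(matched, attr)
            if value is not None:
                effective[attr] = value     # defined action overrides the WLAN setting
    if aaa_override:
        effective.update(aaa_override)      # AAA override attributes have higher precedence
    effective["policy"] = matched.name if matched else None
    return effective


def demo():
    """Constructed client that is re-profiled, and re-mapped, once it sends HTTP."""
    wlan_defaults = {"vlan": 10, "qos": "silver", "session_timeout": 1800}
    policies = [
        LocalPolicy("tablets", device_types={"Apple-iPad", "Android"}, vlan=20, qos="gold"),
        LocalPolicy("apple-any", device_types={"Apple-Device"}, session_timeout=3600),
        LocalPolicy("contractors", roles={"contractor"}, vlan=30),
    ]
    client = Client(mac="00:00:5e:00:53:10", role="employee", eap_type="PEAP")
    client.device_type = profile_client(client.mac)                # after L2 auth: OUI only
    after_l2 = enforce(wlan_defaults, policies, client)
    client.device_type = profile_client(                             # later: HTTP user agent seen
        client.mac, http_user_agent="Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26")
    after_http = enforce(wlan_defaults, policies, client)
    return after_l2, after_http
```

`demo()` returns the two effective settings. Right after L2 authentication the OUI only yields "Apple-Device", so the second policy matches and only its session timeout overrides the WLAN default; once the HTTP user agent narrows the type to "Apple-iPad" the first policy matches instead and moves the client to VLAN 20 with gold QoS. That mid-session change is what the "more than once per client" limitation refers to, and it is worth accounting for when VLAN placement is used as a security boundary.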
  • Feedback
    • Give us your feedback and you could win fabulous prizes. Winners announced daily.
      ‒ Receive 20 Passport points for each session evaluation you complete
      ‒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
    • Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
  • Register for Cisco Live - Orlando
    Cisco Live - Orlando, June 23 – 27, 2013
    www.ciscolive.com/us