15. UC becomes a network app…
…And in doing so exposes its soft underbelly
Old Approach:
• Offered physical security – the only commonality is at the physical level
New Approach:
• UC apps exposed to TCP/IP security risks on data networks
• DoS, Eavesdropping (VOMIT), Spoofing, VoIP …
16. Voice and Video Collaboration
Requires more intelligence in wiring closets (RADIUS, VLAN, QoS ?)
Multi-service applications create new challenges:
1. How to securely authenticate multiple devices on a port?
2. How to easily deploy device configuration?
3. How to proactively monitor and deliver a reliable network?
4. How to demonstrate regulatory compliance?
Convergence requires more intelligence and control at the edge where users and devices connect
17. What organizations need today
1. Leverage capabilities in the network
• More security with less complexity
2. Enable network access control
• Mitigate fraud & DoS attacks by allowing only trusted clients onto the network
3. Protect the entire wired & wireless network, not just a few strategic points
• Unified secure wired & wireless management
4. Provide automated network response to security attacks
• Assure uninterrupted real-time services
18. Multimedia Security Requirements
Layer 2 Hardening
• Secure management access (SSHv2, SSL, SNMPv3, TACACS+, etc)
• Prevent man-in-the-middle attacks (ARP inspection, IP lockdown, DHCP snooping)
Network Access Control (NAC / NAP)
• Multi-User, Multi-Role Access Control (802.1X, Web-auth, MAC-auth)
• Port-based policy based on centrally deployed NAC / RADIUS
QoS & Bandwidth Limits
• Flexible QoS policy engine, with ability to remark 802.1p/DSCP for trust
• Guaranteed minimums, maximum bandwidth to limit problem clients
Layer 3
• Granular, flexible Access Control List (ACL) policy engine at full wire speed
• Best-in-breed threat management solutions distributed within the network
Network Resiliency
• Leverage built-in DoS prevention features to limit effect of attacks
• Monitoring technologies, such as sFlow, for broad security visibility
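The requirements above are a checklist rather than a configuration. The Catalyst IOS fragment below is an added example (not from the deck, whose wording on these slides is vendor-neutral) showing one way to implement the Layer 2 hardening, NAC and management-access items on a single access port carrying an IP phone and a PC. Interface numbers, VLAN IDs, server addresses (192.0.2.0/24 documentation range) and the `<...>` secrets are assumptions; what the slide calls IP lockdown is implemented with IP Source Guard (`ip verify source`), and web-auth fallback is omitted.

```cisco
! Added example: Catalyst IOS access-edge hardening (assumed interfaces, VLANs, hosts).
!
! --- Management plane: SSHv2 only, HTTPS only, SNMPv3 auth+priv, TACACS+ AAA ---
hostname EDGE-SW1
! a domain name is required before the SSH host key can be generated
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
aaa new-model
tacacs server TACACS1
 address ipv4 192.0.2.20
 key <tacacs-secret>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <auth-pass> priv aes 128 <priv-pass>
!
! --- NAC: 802.1X with MAB fallback; VLAN / dACL for the session is pushed by RADIUS ---
radius server NAC1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <radius-secret>
aaa authentication dot1x default group radius
aaa authorization network default group radius
! accounting gives the who / which phone / when records slide 19 asks for
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! --- Layer 2 anti-MITM: DHCP snooping, Dynamic ARP Inspection, IP Source Guard ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/48
 description uplink to distribution: the only port trusted for DHCP and ARP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description user port: IP phone in voice VLAN, PC behind it in data VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-domain: exactly one authenticated data device and one voice device
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 mab
 ! untrusted port: DHCP server replies are dropped, DHCP and ARP are rate-limited
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: traffic only from the IP/MAC learned via DHCP snooping
 ip verify source
 storm-control broadcast level 1.00
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two checks worth running after applying this: `show ip dhcp snooping binding` must list the phone and PC before `ip verify source` lets their traffic through (a statically addressed device with no binding is silently dropped), and `show authentication sessions interface Gi1/0/1` should show both a DATA and a VOICE domain, since a port that only ever authenticates the phone leaves the PC with no access at all.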
19. VoIP Security Summary
Business Need / Security Solution
• Maximize availability: use a multi-layer security approach to protect the entire network
• Regulatory compliance: log and report network access (users, phones, dates/times, usage)
• Investment protection: use best-in-breed solutions based on open industry standards
• Affordability: leverage security within network devices to minimize costs
28. Enterprise Video Network Trends
Video has doubled from 2 years ago and is expected to double again a year from now
Companies are likely to say they will spend more on video conferencing, Telepresence, and digital security cameras
[Chart: Median percent of total network traffic that is video, for two years ago, last year, current, expected in one year and expected in two years]
[Chart: Expected spending on video applications in the next year (will spend more / about the same / less / will not spend / don't know), by application, including telepresence, video conferencing, desktop video, digital signage, streaming video and digital security cameras]
Source: Cisco Business video study — December, 2009
29. Business Video
Increasing demands on the network
[Four charts, each scoring 0 to 50 on Bandwidth, Concurrent Sessions, Latency/Loss/Jitter, Dynamic Sessions and Multicast: Streaming Digital Media (Digital Signage, Video on Demand, IP Video Surveillance); Telepresence (TelePresence, Conferencing, Desktop Collaboration); Collaboration (WebCam); IP Video Surveillance (CCTV)]
30. Enterprise Video Services
Medianet Architecture
[Diagram: Cisco Video & Voice Applications (e.g. WebEx) sit on Medianet Service Interface APIs; network services shown are Multicast, NetFlow, Media Monitoring, Media Aware Routing, RSVP, SAF, IPSLA, PfR, QoS, Media Optimization, Content virtualization and Seamless Security, grouped under "Enable Rich Media Solutions" and "Optimize User Experience"]
• End-to-End Architecture
• Intelligent endpoints/apps integrated with the intelligent network
• Any device, anywhere
• Optimized experience
31. Cisco Catalyst QoS Model
QoS is overlooked/challenged with Gig/10G Networks
[Diagram: ingress Classify, Policer, Marker, Ingress Queues/Schedule (SRR), Stack Ring, Egress Queues/Schedule (SRR), egress]
Classification
• Inspect incoming packets based on ACLs or on a policy
Policing
• Ensure conformance to a specified rate on an aggregate or individual flow basis
Marking
• Act on policer decision
• Reclass or drop out-of-policy packets
Ingress Congestion Control
• Two queues/port
• One queue is configurable for strict priority
• WTD for congestion control (three thresholds per queue)
• SRR to service queues
Egress Congestion Control
• SRR (vs WRR) or shaped servicing
• Egress queue shaping
• Egress port rate limiting
SRR Benefits: balanced traffic flow to prevent high priority queues impacting low priority queues
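The model above is a pipeline; the following Catalyst 3750-class configuration is an added example (not from the deck) that walks one access port through it: classification by ACL, policing with mark-down, DSCP-to-queue mapping with WTD thresholds, and SRR with a strict-priority egress queue. Port, VLANs, UDP/TCP port ranges, rates and queue weights are assumptions. The security point it makes is that enabling `mls qos` puts every port in the untrusted state, so endpoint markings are rewritten to 0 unless the switch classifies or trusts them: a PC cannot mark its own traffic EF and jump into the voice queue.

```cisco
! Added example: Catalyst 3750-class QoS for one access port (assumed port, VLANs, rates).
! "mls qos" alone sets every port untrusted: ingress DSCP/CoS is rewritten to 0.
mls qos
! mark-down map used by the policers: out-of-profile default/AF41/EF -> CS1 (scavenger)
mls qos map policed-dscp 0 34 46 to 8
!
! --- Classification by ACL, not by trusting what the endpoint wrote in the header ---
ip access-list extended RTP-BEARER
 permit udp any any range 16384 32767
ip access-list extended CALL-SIGNALING
 permit tcp any any range 2000 2002
 permit tcp any any eq 5060
 permit udp any any eq 5060
class-map match-all VOICE-BEARER
 match access-group name RTP-BEARER
class-map match-all VOICE-SIGNALING
 match access-group name CALL-SIGNALING
!
! --- Ingress policy: mark, then police. Excess is marked down to CS1 rather than
!     dropped, so a chatty or hostile client loses priority but not all service ---
policy-map ACCESS-EDGE-IN
 class VOICE-BEARER
  set dscp ef
  police 128000 8000 exceed-action policed-dscp-transmit
 class VOICE-SIGNALING
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
  police 10000000 8000 exceed-action policed-dscp-transmit
!
! --- Egress: four queues per port. queue 1 = EF, queue 2 = signaling (CS3/AF31),
!     queue 3 = best effort, queue 4 = scavenger ---
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 3 24 26
mls qos srr-queue output dscp-map queue 3 threshold 3 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
! WTD on queue 4 of queue-set 1: drop thresholds at 40% and 60% of the queue,
! reserved buffer 100%, maximum 100% (threshold 3 is always the full queue)
mls qos queue-set output 1 threshold 4 40 60 100 100
!
interface GigabitEthernet1/0/1
 service-policy input ACCESS-EDGE-IN
 queue-set 1
 ! SRR shares for queues 2..4 (queue 1 weight is ignored once it is strict priority)
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 ! egress port rate limiting: cap this port at 80% of line rate
 srr-queue bandwidth limit 80
```

Verify with `show mls qos interface Gi1/0/1 statistics`, which counts packets per DSCP on ingress and egress: if a test host sends traffic pre-marked EF on a port outside the RTP range, it should be counted as DSCP 0 on egress, and a flood inside the RTP range above 128 kbps should show up as DSCP 8. Policing on `class-default` is what gives the "maximum bandwidth to limit problem clients" item on slide 18; the guaranteed minimums come from the SRR shares.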
32. Network Traffic vs. Network Capacity
[Diagram: network traffic plotted against network capacity over time]
• Overprovisioning: adjust network capacity to accommodate peak traffic
• Congestion Control: adapt elastic traffic flows to their share of network capacity
• Admission Control: reject traffic flows that exceed network capacity or violate policy
33. Cisco’s CAC Solution
Policy and Differentiation by Media Type, by Call Type + User Type, and by Direction
[Diagram: media types Voice and Video; call/user types Internal Voice, Call Center Voice, Trader Voice, Desktop Video, Room System Video, Telepresence Video]
34. Service Advertisement Framework (SAF)
Simplifying Service Routing with “Call Control Discovery”
[Diagram: Today, many call agents and gatekeepers (GK) are statically configured against each other across the IP network: configuration complexity, slow speed of deployment, high operational costs and TCO. With SAF, call agents advertise and consume call control services through a SAF-enabled network: availability, business continuity]
Call agents discover each other through the SAF network by:
• Advertising their call control service
• Requesting call control services
Call agents dynamically route calls to remote destinations based on received advertisements
35. Packet Loss & Video Impairment Test
50/500 ms network outage causes 500/1000 ms impairment
Video streams impacted 2-10X longer than network outages
36. HA Design Considerations
L2/L3 rapid convergence, RSTP and nonstop forwarding, for network disruptions
Resilience via cross-stack EtherChannel to mitigate switch failover
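As an added example (not from the deck) of the two HA items above, the fragment below configures a two-member Catalyst stack dual-homed to distribution with a cross-stack LACP EtherChannel, RSTP, and OSPF NSF. Stack member and interface numbers, VLANs and the OSPF process ID are assumptions, and NSF support depends on the platform.

```cisco
! Added example: stack members 1 and 2, one uplink each, bundled into one EtherChannel
! (assumed interfaces, VLANs and OSPF process).
spanning-tree mode rapid-pvst
! any access port that receives a BPDU is err-disabled, so a rogue switch cannot
! trigger a topology change on the converged edge
spanning-tree portfast bpduguard default
!
! Cross-stack EtherChannel: losing one stack member or one link keeps the bundle up.
! LACP (mode active) rather than "on", so a mis-cabled or one-way link is removed
! from the bundle instead of blackholing a share of the traffic.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface range GigabitEthernet1/0/49, GigabitEthernet2/0/49
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
! Nonstop forwarding: keep the forwarding plane up through a stack master switchover
! while OSPF re-establishes adjacencies
router ospf 1
 nsf
```

`show etherchannel summary` should list Po1 as (SU) with both member ports flagged (P); a member shown as (I) or (s) is carrying traffic outside the bundle or suspended, which is the condition the LACP choice above is meant to expose rather than hide.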
37. Medianet: Making the Video Experience
Resource Reservation and Prioritization, QoS, Context-Aware
[Diagram: without medianet, a CEO meeting, an M&A negotiation and a sports event stream compete for the same links across WW offices (poor collaboration experience, high business travel cost); with medianet, the CEO meeting and M&A negotiation get high quality real-time video collaboration and the sports event is blocked]
Global Business, WW Offices
Introducing: Medianet on Catalyst switching and ISR portfolio