Is Your Enterprise Network Ready for P5G? (Cisco Live 2023 session deck, 60-slide PDF)
Cisco Live 2023, session BRKSEC-2950 (also listed as BRKENS-2950)
Is your enterprise ready for Private 5G?
Speakers: Errol Roberts, Distinguished Sales Architect; Gino Corleto, Industry Solutions Architect
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public.

Questions after the session can be posted in the session's Cisco Webex space (moderated by the speakers until June 9, 2023), reachable via "Join the Discussion" for this session in the Cisco Live Mobile App or directly in the Webex App.
Agenda
- Introduction
- Enterprise Architecture Considerations
- Security Considerations
- Enterprise Integration
- Summary

Introduction

Digital trends shaping the future of business
- Hybrid work: work from home, work from anywhere, work from office
- Industry 4.0: automation, Internet of Things, AI/ML
- Hybrid cloud: private cloud, hybrid cloud, public cloud

What is 5G?
Cellular radio technology by generation: 1G analog voice; 2G digital voice; 3G voice and data; 4G broadband data and video; 5G massive-scale IoT, indoor coverage, AR/VR.
5G characteristics:
- New radio, called 5G NR (New Radio)
- Ultra-reliable low-latency connectivity
- New spectrum, integrating unlicensed bands
- New core networks with network slicing
- Defined by 3GPP (3rd Generation Partnership Project)
- Operated in regulated spectrum
- Uses SIM-based authentication
- Sophisticated features (e.g. macro-mobility, carrier roaming)
Evolution: from voice to data to business-focused capabilities; from SP-only spectrum to options for private/shared spectrum; from the domain of service providers to a viable option for private networks.
What is Private 5G?
A private cellular network built using 3GPP 5G technology, dedicated to carrying traffic from a specific entity (e.g. an enterprise) in licensed radio spectrum. Building blocks: devices, mobile packet core, radio, spectrum, access network.

Enterprise 5G: 3 classes of service
Low-latency services will drive maximum 5G demand in the near future ("We get there when we get there!"). 5G services are optimized for capacity, reliability or massive connectivity; URLLC and eMBB are the most relevant in the campus.

Class | eMBB (Mobile Broadband) | mMTC (Massive IoT) | URLLC (Low Latency)
Description | High data rates, high traffic volumes | Massive number of small, low-energy devices | Ultra-high reliability and very low latency
Use cases | Video surveillance; carpeted enterprise | Energy meters; smart city, sensors | Process automation; manufacturing, industrial, warehouses
Optimized for | Capacity (10-20 Gbps peak data rate) | Density of devices (1 million/km2) | Latency (1 ms) and reliability (99.9999%)
Network needs | Bandwidth, UPF flexibility | Timing, bandwidth | Timing, QoS, UPF flexibility
Private 5G: why now?
Enabling customers' digitization journey. Use cases: precision robotic control, high-speed software downloads, AGVs and driverless vehicles, distribution line automation, video surveillance, unmanned autonomous vehicles, efficient and reliable backhaul for Wi-Fi-connected endpoints, clean spectrum for venue operators. Target sectors: industrial/manufacturing, distribution/warehouse, ports/hubs/energy, venues.
Regulatory changes open cellular spectrum for private use. Unique 5G capabilities complement Wi-Fi (ultra-low latency, high reliability, broad reach).
Complementary technologies: Wi-Fi and Private 5G
- Private 5G strengths: low-latency applications; broad geographic coverage
- Wi-Fi 6 strengths: high client and endpoint density; guest access, BYOD; localized mobility
- Additional considerations MSPs can address: managing a developing IoT device ecosystem; spectrum management complexity; new technology with higher operational complexity. Business value accelerated, complexity minimized.
Private 5G use cases:
- Wide-area coverage: large coverage
- Process automation: end-to-end latency of 10 ms
- Automated guided vehicles: minimize roaming delays
- Enhanced mobile broadband: immersive experiences
- Digital health: telemedicine and mobile health
- Digital campus: AR/VR, e-learning
Simplifying Private 5G
Private 5G simplified: 5G cloud core, spectrum planning, SIM provisioning, installation/integration, operations, edge and cloud apps, security, automated upgrades and updates, UX/API with common visibility and control, 24/7 support.
From this (the functions an enterprise would otherwise have to build and operate itself): devices, applications, radios; 4G/5G DU and CU, radio management; 4G/5G session management, UPF, 4G/5G mobility management, UDM+HSS, UDR, AUSF, policy and service configuration, subscriber provisioning, usage reporting; automation tools, software lifecycle management, SLA management, SIM provisioning, RBAC, provisioning, logging, metrics/events.
To this: on the enterprise premises, enterprise IT and OT with 4G/5G radios provided by a partner; a converged 5G/4G core with network and device management in a public/private cloud, hosted and managed by Cisco and delivered as a service.
Cisco's Private 5G architecture
A dedicated mobile network connecting people, machines and applications, with automatic upgrades and enhancements, intuitively simple operations and management, and integration with enterprise systems for common visibility and control.
- Dedicated radio: clean spectrum, private or shared
- 4G/5G converged core: private cloud, installed and integrated on-premises so the enterprise can enforce its own policies and SLAs
- Network and device management: public/private cloud, hosted and managed by Cisco
- Cloud apps and edge apps
Cisco P5G integrated enterprise architecture vision
End-to-end automation and policy, comprehensive telemetry and assurance, and consistent security and segmentation across 5G access, Wi-Fi access, wired access, campus, WAN, data center and cloud. Building blocks: Cisco endpoint/IoT gateway integration, a unified identity framework, common enterprise policy, unified enterprise network operations, consolidated insights and analytics, joint transport, enterprise security integration, private and public mobility.

Enterprise Architecture Considerations
Unified intent-based infrastructure for enterprise Wi-Fi 6 + 5G: connect, secure, automate
- Connected devices
- Cisco Meraki / DNA Center: automation and analytics
- Cisco ISE: identity and policy
- Cisco DNA Spaces: digitization
- Catalyst 9800 Series wireless controllers (the industry's only modular WLC)
- Catalyst 9500/9600 Series aggregation/core switches, campus-optimized 25G/40G/100G
- Catalyst 9200/9300/9400 Series access switches: the most comprehensive mGig portfolio, 802.3bt ready, 48-port 5G+ with 25G/40G uplinks
- Catalyst 9100 Series Wi-Fi 6 access points
- 5G radio units (RUs) through RAN partnerships
- Cisco SD-WAN
- Enterprise stack: 5G/4G converged core, Cisco Control Center, 5G identity and policy, 5G O-RAN functions (DU/CU)

Private 5G deployment models
- Full private deployment: local or SP spectrum; gNodeB on the enterprise LAN; all 5G CNFs (AMF, SMF, UPF, PCF, UDM and the remaining NFs) on-premises behind an edge router and firewall; management and orchestration in a public, private or SP cloud.
- Hybrid-cloud private deployment: local or SP spectrum; gNodeB on the enterprise LAN; an edge PoD on-premises with the AMF, SMF, UPF, PCF and UDM behind an edge router and firewall; the remaining NFs plus management and orchestration in a public, private or SP cloud.
- Macro slice deployment: SP spectrum; gNodeB and shared NSSF, UDM and AMF in the SP network; enterprise traffic carried in a dedicated "Enterprise" slice with its own SMF, UPF and PCF, separate from the public "Consumer" slice's SMF, UPF and PCF.
Enterprise P5G vRAN architecture: deployment flexibility, easier scaling and lower cost
Chain: RU --eCPRI--> DU --GTP-U--> CU --GTP-U--> UPF (local packet core) or remote packet core.
- Radio Unit (RU): provides the L1 radio (RF) interface to the user equipment; converts radio signals into L2 eCPRI frames and sends them to the DU for processing.
- Distributed/Centralized Unit (DU/CU): the DU serves the L1/L2 RLC and MAC layers and parts of the PHY layer and sends user-plane traffic in GTP-U tunnels (F1-U) to the CU; the CU hosts RRC and L3 PDCP and sends GTP-U (N3) to the UPF and signaling to the 5G core. (The deck says "GTPv2"; user-plane tunnels between DU, CU and UPF are GTPv1-U, GTPv2 is the control-plane protocol of the EPC.) Placement impact: the DU affects latency, scale and bandwidth; the CU affects mobility and slicing.
- User Plane Function (UPF): supports user-plane operation, including packet routing and forwarding, data buffering, connection to the data network and policy enforcement. Placement impact: RAN scale and bandwidth; a local UPF for high bandwidth and low latency, a remote UPF for low bandwidth and capacity.

Enterprise 5G flexible vRAN deployment: considerations for latency, scale or mobility
- Latency: distributed (split) CU/DU; move the DU closer to the RUs: access layer for lowest latency, distribution for medium, core for high. Local UPF for lowest latency, remote for medium-high.
- Scale: distributed (split) CU/DU; centralize compute nodes: distribution for medium scale, core for highest. Local UPF for highest scale, remote for small-medium.
- Mobility/cost: centralized (combined) CU+DU to cover multiple groups of RUs: distribution for medium mobility, core for highest. Local UPF for highest mobility, remote for small-medium.

PTP/TSN for 5G
RU frequency synchronization requires time from the DU/CU. Without PTP, each DU/CU needs its own grandmaster (GM). With PTP, one GM feeds the DU/CU and the boundary clocks (BC) in the PTP domain, holding the RUs within +/-100 ns; the slave clock at the DU sees the same +/-100 ns budget. Fronthaul segments: NGFI-1 (CU to DU) and NGFI-2 (DU to RU). G.8275.1 and G.8275.2 PTP profile support is a must-have for a successful 5G deployment.
The Cisco P5G architecture in detail (diagram)
- Sites: indoor and outdoor gNBs (RU with GPS GM, DU/CU, RAN EMS) on the fronthaul/access switch (FH) and top-of-rack/aggregation core switch (ToR), behind a RAN firewall; campus distribution with a DC/campus firewall; (SD-)WAN with WAN firewalls; cloud.
- On-premises UCS 220 packet core: AMF, SMF, UPF, MME, CEE, security proxy, ISE proxy, 5G proxy, 4G proxy; TLS, RBAC, portals, policies, UE lifecycle management and compute status.
- Cisco cloud (CNDP cloud on AWS): Control Center and RAN UI; AUSF, UDM+HSS, UDR, CHF; 5GC NF lifecycle management, CI/CD, RBAC, compute management, deploy, automate, monitor; ops gateway and API gateway over TLS.
Enterprise P5G xHaul
Traditional layout: RUs on PoE access ports (1G/5G/10G multigigabit copper or FTTx), CU/DU in distribution or core (25G/100G), UPF and 5G core at 100G, with APIs exposed at every layer.
Security and onboarding
- Secure the transport point-to-point with MACsec for compliance and privacy
- Authenticate and onboard 5G RUs with access-control capabilities (ACLs, 802.1X)
- Ready for UE authentication integration with ISE and the switching layer
Transport and slicing
- Wide range of slicing options (SD-Access, EVPN-VXLAN, MPLS, SR)
- Flexible connectivity options with fiber and copper from 1G to 100G, with mGig and PoE
- Meet time/clock requirements with Precision Time Protocol (PTP) profiles; G.8275.1 PTP profile for 5G
Control and visibility
- Identify and control 5G traffic
- Prioritize 5G control traffic with LLQ and 2-level strict-priority queuing
- Prioritize 5G user traffic at RAN granularity
- Meet service level agreements with SLA probes and sensors
Management and services
- Centralized management with Cisco DNA Center and ISE
- Application-hosting-ready infrastructure for MEC or lean CU/DU hosting close to the RU
Diagram: RU --eCPRI (fronthaul)--> DU --(midhaul)--> CU --SCTP/GTP (backhaul)--> 5G core (AMF, SMF, PCF, UDM, UPF, PTP), Internet and DC apps; managed by vManage, DNAC, ISE and ACI.
High availability
- Sub-second convergence for CU/DU and RU uplinks
- L2 and L3 high availability for the 5G control and data planes
- Highly available hardware and software: uninterrupted service for data as well as links, PoE, etc.
Enterprise campus and public venues
High bandwidth and QoS are most relevant for enterprise venues and branches. Layout: RUs per floor and building on Catalyst 9300 access switches, DU/CU on Catalyst 9500 distribution, Catalyst 9600 core, Catalyst 8000 enterprise WAN; UPF on campus for latency-sensitive apps, or remote (cloud/DC) for branches.

Network need | Deployment | Catalyst 9000 value
2 Gbps bandwidth per radio unit | CU/DU in distribution | High-bandwidth downlink and uplink; high-density multigigabit 1-10GBASE-T RJ45 copper ports
Low-latency queuing, hop by hop | | 2 strict-priority queues with 6 normal queues and 4 thresholds
Audio/video services, PTP across campus | | PTPv2 with AVB/TSN (Time Sensitive Networking) to support QoS stream reservation
Security and segmentation to isolate tenants | Standard L2/L3, or MPLS, EVPN or SDA for VRF and SGT | Macro and/or micro-segmentation with SGT and/or VNID; VLAN or VRF segments at CU/DU or UPF level
High-BW venue to DC/cloud for apps/services | CU/DU in distribution, UPF local (campus) | High-density multi-rate 40-100G QSFP fiber ports
Low-BW branch to DC/cloud for apps/services | CU/DU in core, UPF remote (DC/cloud) | High-density multi-rate 1-25G SFP fiber ports
Secure transport | Hop by hop or over the top | Line-rate MACsec (or WAN-MACsec) with AES-GCM 128/256-bit encryption
99.9999% availability | Fixed with stacking or SVL; modular with 2 supervisors or SVL | Multiple levels of resiliency: SSO/NSF, ISSU/xFSU, SVL, ECMP, MLAG, Perpetual PoE and hot patching

Manufacturing and industrial deployment
Low-latency services are most relevant for process and workflow automation. Layout: lines, machines and equipment in zone levels 0-2 on IE switches and Catalyst 9300 with RUs; DU/CU on Catalyst 9400 distribution and the UPF in the industrial zone (levels 0-3, plant-wide network); firewalls forming the industrial DMZ; Catalyst 9600 core and Catalyst 8000 in the enterprise zone (levels 4-5).

Network need | Deployment | Catalyst 9000 value
8 ms end-to-end latency | Combined CU/DU in distribution | Flexible deployment options with a RAN module on Catalyst 9000 (e.g. a module on C9400 or C9600)
Easy mobility: same-floor and cross-floor roaming managed by the CU | CU in distribution or CU in core | Classify/mark eCPRI and GTP-U frames for 5G prioritization; priority queuing for critical services (e.g. control traffic)
Precise timing: 1 µs between DU and RU | DU in distribution | PTPv2 with AVB/TSN to support nanosecond time and phase synchronization
Slicing: mix of low-latency and high-throughput applications | VLAN or VRF segments | Deep header parsing (256 bytes) and the flexible UADP ASIC pipeline can parse GTP for UE and tunnel ID; 8Q4T with Dynamic Threshold Scheduler (DTS)
99.9999% availability | Fixed with stacking or SVL; modular with 2 supervisors or SVL | Multiple levels of resiliency: SSO/NSF, SVL, ECMP, MLAG and Perpetual PoE
Cisco Enterprise is ready for P5G: high bandwidth, low latency with quality of service, segmentation and high availability
Management and orchestration
- Centralized management with Cisco DNA Center, Cisco ISE, RAN and UE manager
- Application hosting infrastructure closer to the RU
Security and onboarding
- Secure the transport with point-to-point MACsec for privacy and compliance
- Authenticate and onboard RUs with access control; ready for AUSF and AAA integration with Cisco ISE and SGT-based policies
- Protect the RAN with VLAN/VNI segments
Transport and slicing
- Wide range of slicing options with SDA, EVPN, MPLS or SR
- Flexible connectivity options with fiber and copper from 10G to 100G with mGig and UPoE
- Meet timing requirements with Precision Time Protocol (PTP) 1588 profiles
Control and visibility
- Identify and control 5G traffic
- Ensure low-latency QoS with LLQ and 2-level strict-priority queuing
- Prioritize 5G data traffic at RAN/slice granularity
- Meet service level agreements with SLA probes and sensors
High availability
- Sub-second convergence for 5G user data traffic
- L2 and L3 high availability for 5G protocol traffic
- Fault-tolerant paths with ECMP and MLAG
- Always-on platforms: uninterrupted service and PoE

Security Considerations

Private 5G security: 3GPP and enterprise
3GPP defines 5G security and RAN security (SIM-based primary authentication, air-interface and transport protection). The enterprise adds its own requirements on top: zero trust, enterprise security policy, enterprise data protection, identity management and access control.

Cisco ISE
Cisco Identity Services Engine (ISE) is an industry-leading network access control and policy enforcement platform. It builds access policy for endpoints and for the network from who, what, how, when, where, health, threats and CVSS, and delivers role-based access control, guest access, BYOD and secure access over wired, wireless and VPN. Through pxGrid and APIs it integrates with a partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.).
- See: users, endpoints and applications
- Secure: by controlling network access and segmentation
- Share: context with partners for enhanced operations

P5G access policies with Cisco ISE
Step 1, mandatory: the converged core (mobility management, session management, UPF, subscriber management) performs the primary 3GPP authentication of the 4G/5G subscriber. Step 2, optional: a secondary authorization through ISE AAA applies the enterprise policy, so that ISE is the single point for identity-based enterprise policies across Private 5G, Wi-Fi and wired networks.

Enterprise Integration

Converged security architecture framework
ISE and pxGrid sit between the P5G core, the wireless solutions (Wi-Fi controller) and the enterprise security stack: firewall, intrusion prevention, flow analytics, anti-malware and network resources (switches and routers), with SGTs carried inline or via SXP. Integration into enterprise security has already been covered for Wi-Fi and wired; the themes are visibility, access and control, and context reuse.

P5G traffic flow: what's the problem?
An AGV forklift attaches to the Private 5G solution (P5G edge and core) and its traffic enters the enterprise switch and the enterprise network. The question is how visibility, access and control, and context reuse apply to an endpoint that arrived through the 5G core rather than a wired or Wi-Fi port: "And now what?"

TrustSec policy and enforcement
Cisco DNA Center automates TrustSec for the campus through the Cisco ISE API.

TrustSec control points: when to use what
Method | Purpose | What it does | Attribute propagation
SGT inline tagging | Network segmentation with CTS-capable network devices | Group information propagates SGTs across network devices | IP/SGT
SGT via SXP control protocol | Network segmentation for non-CTS-capable devices, which need to support SXP | Security Group Tag eXchange Protocol (SXP) propagates the IP-to-SGT mapping database across network devices | IP/SGT
pxGrid | Network segmentation; active peer-to-peer exchange and updates on clients | Over Cisco pxGrid (Platform Exchange Grid), multiple security products exchange knowledge about a device. This open, scalable and IETF-standards-driven platform helps automate security to get answers and contain threats faster. pxGrid exposes all attributes of an endpoint: IP, SGT, device type, posture status, etc. | IP/SGT/device type/posture status
See the Cisco Group Based Policy Platform and Capability Matrix.

Classification, SGT lookup and enforcement
Example endpoints: AGV Forklift, SGT 34, MAC 00:50:56:A0:56:22, IP 10.6.5.111; Robot, SGT 36, MAC 00:50:56:A0:FD:F2, IP 10.6.5.110.
Egress policy (source -> destination): AGV Forklift -> Forklift App: Permit All; AGV Forklift -> Robot: Deny All.
Classification is dynamic, via ISE authentication/authorization; the policy is authored in Cisco DNA Center and downloaded from ISE to the enforcement point. Enforcement happens at egress: the device looks up the source SGT and the destination SGT and applies the matching cell of the matrix.

TrustSec SGT propagation inline
The SGT is carried inline in the data traffic over CTS-capable network devices (the SDA network). The P5G edge/core shares its IP-SGT binding (or a VLAN-SGT mapping, e.g. VLAN 5 for the AGV forklift) with the enterprise switch via SXP; the switch adds the SGT tag on the egress port, and the SDA network and the ASA firewall in front of the data center enforce the egress policy: AGV Forklift -> Forklift Application: Permit All; AGV Forklift -> Payroll Server: Deny All.

TrustSec SGT propagation via SXP
IP-to-SGT data is shared over a control-plane protocol instead of the data plane. The P5G edge/core forwards the AGV forklift's traffic untagged (IP and data on a VLAN); the binding (IP -> SGT 5) is exchanged with ISE and the enterprise switch over SXP, so the ASA firewall and the SDA network can enforce the policy toward the forklift application and the payroll server in the data center without an SGT in the packets.
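The three slides above (classification and egress enforcement, inline propagation, propagation via SXP) as a worked model. This is an added example, not code from the deck or from Cisco: the dictionaries stand in for the binding table and the SGACL matrix a switch would hold in hardware, and the function names are hypothetical. SGT values, IPs and MACs for the forklift and robot are the ones on the slides; the addresses and SGTs for the Forklift Application and Payroll Server are constructed. The model goes slightly beyond the slides in two places a practitioner cares about: unknown source or destination groups fall to the default action (deny) rather than being permitted untagged, and the SXP aggregation step reports an IP that two speakers map to different SGTs instead of silently overwriting it.

```python
"""Added example (not Cisco code): TrustSec-style classification, SGT
propagation and egress enforcement modelled in plain Python.
Assumptions: data structures and function names are hypothetical; the
Forklift Application / Payroll Server addresses and SGTs are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Classification: IP-to-SGT bindings. On the slides these come from ISE after
# authentication and reach non-inline-capable devices over SXP.
SXP_BINDINGS = {
    "10.6.5.111": 34,   # AGV Forklift (slide: SGT 34)
    "10.6.5.110": 36,   # Robot        (slide: SGT 36)
    "10.6.9.10": 40,    # Forklift Application (constructed)
    "10.6.9.20": 41,    # Payroll Server       (constructed)
}
VLAN_SGT = {5: 34}      # slide: VLAN 5 -> AGV Forklift (VLAN-to-SGT mapping)

# Egress policy matrix: (src SGT, dst SGT) -> "permit" | "deny".
# Cells not listed fall back to DEFAULT_ACTION.
SGACL = {
    (34, 40): "permit",   # AGV Forklift -> Forklift Application: Permit All
    (34, 41): "deny",     # AGV Forklift -> Payroll Server: Deny All
    (34, 36): "deny",     # AGV Forklift -> Robot: Deny All
    (36, 40): "permit",   # Robot -> Forklift Application (constructed)
}
DEFAULT_ACTION = "deny"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    vlan: Optional[int] = None
    inline_sgt: Optional[int] = None   # set when carried in CMD (EtherType 0x8909)


def classify_source(pkt, bindings=SXP_BINDINGS, vlan_map=VLAN_SGT):
    """Source SGT lookup order: inline tag, then IP-SGT binding, then VLAN-SGT."""
    if pkt.inline_sgt is not None:
        return pkt.inline_sgt, "inline"
    if pkt.src_ip in bindings:
        return bindings[pkt.src_ip], "ip-sgt (SXP)"
    if pkt.vlan in vlan_map:
        return vlan_map[pkt.vlan], "vlan-sgt"
    return None, "unknown"


def egress_enforce(pkt, bindings=SXP_BINDINGS, policy=SGACL):
    """Enforcement at egress: find src and dst SGT, apply the matrix cell.
    Returns (action, src_sgt, dst_sgt, how_src_was_classified)."""
    src_sgt, how = classify_source(pkt, bindings)
    dst_sgt = bindings.get(pkt.dst_ip)
    if src_sgt is None or dst_sgt is None:
        # An unclassified endpoint must not slip through as 'permit'.
        return DEFAULT_ACTION, src_sgt, dst_sgt, how
    return policy.get((src_sgt, dst_sgt), DEFAULT_ACTION), src_sgt, dst_sgt, how


def tag_on_egress(pkt, bindings=SXP_BINDINGS):
    """Inline propagation: stamp the SGT into the frame on the egress port so
    the next CTS-capable hop needs no binding table for this source."""
    sgt, _ = classify_source(pkt, bindings)
    return Packet(pkt.src_ip, pkt.dst_ip, pkt.vlan, inline_sgt=sgt)


def sxp_aggregate(*speakers):
    """SXP listener/aggregation: merge binding tables from several speakers.
    Returns (merged, conflicts); a conflict is one IP mapped to two SGTs by
    different speakers, which points at a mis-classification to investigate.
    The first binding seen is kept; nothing is overwritten silently."""
    merged, conflicts = {}, {}
    for table in speakers:
        for ip, sgt in table.items():
            if ip in merged and merged[ip] != sgt:
                conflicts.setdefault(ip, {merged[ip]}).add(sgt)
            merged.setdefault(ip, sgt)
    return merged, conflicts
```

Run it with the slide's endpoints: forklift to Forklift Application is permitted, forklift to Payroll Server or to the Robot is denied, a frame from a switch that only knows VLAN 5 is still classified as the forklift group, and an address nobody has bound to a group hits the default deny.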
Propagation examples
SGT Exchange Protocol (SXP): IP-to-SGT binding exchange over TCP port 64999 between an SXP speaker and an SXP listener; Cisco ISE can be an SXP speaker or listener. A switch that is not inline-capable sends its bindings (e.g. 10.4.9.5 -> SGT 6, 10.0.1.2 -> SGT 5) to a router that aggregates SXP bindings.
Inline methods:
- Ethernet inline tagging (EtherType 0x8909): the 16-bit SGT is encapsulated within the Cisco Meta Data (CMD) payload, e.g. between the SDA edge and the SDA border.
- VXLAN (SD-Access, edge to border): the 16-bit SGT is inserted in the 24-bit nonce field of the encapsulation header.
- IPsec/L3 crypto: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.

From campus to data center
The TrustSec policy domain (switches, routers, firewall, user SGT over Ethernet, IPsec/DMVPN/GETVPN or SXP, governed by Cisco ISE) and the ACI policy domain (Nexus 9000 spine/leaf, servers, governed by Cisco APIC) are integrated on two planes:
- Policy plane: ISE creates matching SGTs for EPGs; ISE and APIC-DC exchange IP-SGT and EPG name bindings (security groups <-> endpoint groups).
- Data plane: IP-ClassId and VNI bindings, and IP-to-security-group bindings exchanged with the network across the WAN (GETVPN, DMVPN, IPsec on ASR 1000).

TrustSec propagation via pxGrid
IP-to-SGT data is shared over a control protocol with no SGT in the data plane. ISE publishes over pxGrid the binding (IP -> SGT 5) together with device type and posture status; FMC subscribes, and the FTD firewall in front of the data center enforces policy for the AGV forklift's traffic toward the forklift application and the payroll server, while the P5G edge/core and the enterprise switch forward plain IP traffic on a VLAN.

Threat containment with pxGrid
Cisco Secure Network Analytics (flow analytics), Cisco Firepower Threat Defense (intrusion prevention, anti-malware, Application Visibility and Control), Cisco Umbrella (DNS security) and Cisco ISE (identity, posture assessment, access control using TrustSec) exchange context over pxGrid, secured by TLS. When a cyber-security breach on the AGV forklift behind P5G access is detected by the analytics or firewall layer, ISE quarantines the endpoint. The slide's legend rates each control for the P5G access segment as addressed, partially addressed or not addressed.
P5G security architecture design considerations
- Route your traffic through your security instances
- Make your network ready for new traffic: P5G may generate a high amount of data throughput due to machine vision, camera applications and AR/VR
- Consider how security will impact P5G URLLC communication (every inline inspection point adds latency to a 1 ms budget)
- Automate segmentation and context

Context: build, summarize, exchange
Visibility and access control: ISE builds context (who, what, when, where, how, posture, threat, vulnerability, scalable group) from endpoints, the Mobility Services Engine, vulnerability scanners, threat intelligence, mobile device managers, directory services and system managers, and applies access control restrictions to users and devices. Context reuse: ecosystem partners (Secure Network Analytics, Secure Firewall, DNA Center and third-party partners) consume that context for analysis and control over pxGrid, REST API and syslog.

Cisco pxGrid 2.0
Property | pxGrid 1.0 | pxGrid 2.0
Protocol | XMPP | WebSockets and REST
Ports | Two (TCP 5222 and 7400) | One (TCP 8910)
Service redundancy | No (no HA) | Yes
Scale and performance | Low: limited integrations (5,000 KB/s for 4 subscribers) | High: scalable integrations (100,000 KB/s aggregate for 150 subscribers)
Client-side development | Java or C | Any language
Support | From ISE 1.3; not supported in ISE 3.1 | From ISE 2.4
More at http://bit.ly/pxgrid2-0. ISE 3.1 deprecates pxGrid 1.0. All Cisco products now support pxGrid 2.0:
Product | Minimum version
Cisco Firepower | 6.0
Cisco Secure Network Analytics | 7.3.2
Cisco Cyber Vision | 3.1.0
Cisco Web Security Appliance | 11.7
Cisco Industrial Network Director | 1.3
Cisco DNA Center | 2.1.0

Where to position firewalls

Protecting the enterprise with Cisco firewalls
- RAN firewall: between the radio access network (indoor and outdoor radios on the fronthaul switch, FH) and the P5G packet core on the distribution switch. The GTP tunnels from the RAN terminate at the packet core; policy should allow only N1/N2/N3 traffic and management. In practice that is N2 (NGAP over SCTP, which also carries the N1 NAS signaling between UE and AMF) and N3 (GTP-U to the UPF), plus the management flows to the RAN elements; everything else from the RAN segment is dropped.
- WAN firewalls: at the (SD-)WAN edge toward the cloud, with VPNs.
- Enterprise/campus/DC firewall: between the campus/DC and the rest of the enterprise.
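What "allow only N1/N2/N3 and management" looks like as a concrete RAN-firewall rule set, as an added example that is not from the deck or from any Cisco product. The port numbers are the 3GPP/IANA assignments (NGAP over SCTP port 38412 for N2, GTP-U over UDP port 2152 for N3; N1 rides inside N2, so it needs no rule of its own); the prefixes, addresses and flow records are constructed, and the function names are hypothetical. The second half adds the check a port filter alone does not give you: a minimal GTPv1-U header parse of the N3 packets that rejects non-G-PDU messages, bad version/PT bits and length mismatches, and returns the TEID that the deck's UADP "parse GTP for UE and tunnel ID" feature exposes. A real RAN firewall should go one step further and validate TEIDs against sessions the SMF has actually set up; that is outside this snippet.

```python
"""Added example (not Cisco code): a 5-tuple policy for the RAN firewall and a
GTPv1-U header sanity check for the N3 flows it permits.
Assumptions: prefixes, addresses, flow records and function names are
constructed for the example; ports are the 3GPP/IANA values.
"""
import ipaddress
import struct
from dataclasses import dataclass

GNB_NET = ipaddress.ip_network("10.50.0.0/24")    # constructed: RU/DU/CU side
AMF_IP = ipaddress.ip_address("10.60.0.10")       # constructed
UPF_IP = ipaddress.ip_address("10.60.0.20")       # constructed
MGMT_NET = ipaddress.ip_network("10.70.0.0/24")   # constructed: NOC jump hosts

NGAP_SCTP_PORT = 38412   # N2; N1 (NAS) is carried inside NGAP
GTPU_UDP_PORT = 2152     # N3 user plane


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "sctp", "udp", "tcp"
    dport: int


def ran_firewall_decision(f):
    """('permit' | 'deny', reason) for a flow crossing the RAN firewall
    between the gNB segment and the packet core. Default is deny."""
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if src in GNB_NET and dst == AMF_IP and f.proto == "sctp" and f.dport == NGAP_SCTP_PORT:
        return "permit", "N2 NGAP gNB->AMF"
    if f.proto == "udp" and f.dport == GTPU_UDP_PORT and (
        (src in GNB_NET and dst == UPF_IP) or (src == UPF_IP and dst in GNB_NET)
    ):
        return "permit", "N3 GTP-U gNB<->UPF"
    if src in MGMT_NET and dst in GNB_NET and f.proto == "tcp" and f.dport in (22, 443):
        return "permit", "management from NOC"
    return "deny", "not N2/N3/management"


def parse_gtpu(datagram):
    """Minimal GTPv1-U header check for an N3 packet. Returns
    (teid, inner_ip_version) or raises ValueError.
    Flags byte: version (top 3 bits) must be 1, PT bit (0x10) must be 1;
    message type 0xFF is a G-PDU; the length field counts every byte after
    the 8-byte mandatory header."""
    if len(datagram) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if not flags & 0x10:
        raise ValueError("PT bit 0: GTP' (charging), not GTP-U")
    if msg_type != 0xFF:
        raise ValueError("non-G-PDU message type 0x%02x" % msg_type)
    if length != len(datagram) - 8:
        raise ValueError("length field does not match payload")
    if flags & 0x07:
        # E/S/PN bits set: optional 4-byte field and extension headers follow;
        # a real parser must walk them, this example stops here.
        raise ValueError("optional header fields present; not handled here")
    payload = datagram[8:]
    if not payload:
        raise ValueError("empty G-PDU")
    return teid, payload[0] >> 4


def build_gpdu(teid, inner):
    """Construct a G-PDU (flags 0x30 = version 1, PT=1, no optional fields)."""
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner
```

The deny branch is where the value is: GTP-C on UDP 2123 from the gNB, HTTPS from the gNB to the AMF, or SSH from the gNB back into the management network all fall through to the default deny, which is the "only N2/N3 and management" policy stated on the slide.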
Extend security operations to OT with P5G (see BRKIOT-2010)
Purdue model as deployed: Process (levels 0-2: sensors, PLC/RTU/IED, HMI and SIS in Zone-1 and Zone-2 on Cisco IE switches with Cyber Vision sensors); Operations and Control (level 3: SCADA/HMI, MES, industrial core with a Cyber Vision Center, a Cyber Vision hardware sensor on SPAN and a Cisco Secure Industrial Firewall); Industrial DMZ (I-DMZ: Cisco Secure Firewall with FMC); Enterprise (ISE, Cyber Vision Global Center, SIEM, SecureX, Secure Analytics).
With P5G, additional cells (Zone-3 and Zone-4 with HMI, SIS and PLC/RTU/IED) connect through Cisco IR routers carrying Cyber Vision sensors and 5G PIM modules, over the Private 5G RAN to the edge node. The RAN and edge node sit behind the I-DMZ Cisco Secure Firewall and a Cisco Secure Industrial Firewall, so the same visibility and security operations extend to the 5G-connected zones.

Cyber Vision facilitates OT segmentation
Cyber Vision Center feeds application flows (NetFlow) and endpoint groupings to DNA Center and ISE over pxGrid for group-based access control.
1. Visibility to inform segmentation: group endpoints (PLC/RTU/IED, HMI, sensors on an IE switch with a Cyber Vision sensor) into zones to visualize aggregated flows as conduits that inform the segmentation policy.
2. Define policy and observe behavior: Cyber Vision grouping results in dynamic group-based (SGT) policy assignment to endpoints through ISE; visualize group-based network behavior in DNA Center.
3. Enforce segmentation when ready: enable enforcement only when confident after monitoring.

Security Management
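The three-step workflow above, modelled on constructed NetFlow-style records: an added example, not Cyber Vision or DNA Center code. The zone names, addresses, flows and function names are all constructed for the example. It shows what the slides leave implicit: the conduit table is what you read before writing any policy, the proposed policy is only as good as the observation window (a conduit seen in three packets is noise, not a dependency), and monitor mode reports what enforcement would have dropped without dropping it. It also encodes one rule the page's Purdue diagram implies, that hosts in the enterprise zone never get a direct conduit into a cell; they must go through the I-DMZ.

```python
"""Added example (not Cisco Cyber Vision code): zones, conduits and
monitor-before-enforce on constructed flow records.
Assumptions: zone names, IPs, flows, thresholds and function names are
constructed for the example.
"""
from collections import defaultdict

# Step 1 input: endpoint -> zone grouping (what Cyber Vision grouping produces).
ZONES = {
    "10.10.1.11": "Line1-PLC", "10.10.1.12": "Line1-PLC",
    "10.10.1.50": "Line1-HMI",
    "10.10.3.20": "SCADA",          # level 3
    "10.10.3.30": "Historian",      # level 3
    "172.16.9.5": "Enterprise-IT",  # level 4-5
}

# Constructed flow records: (src_ip, dst_ip, proto, dport, packets)
FLOWS = [
    ("10.10.1.50", "10.10.1.11", "tcp", 502, 1200),   # HMI -> PLC, Modbus/TCP
    ("10.10.1.50", "10.10.1.12", "tcp", 502, 900),
    ("10.10.3.20", "10.10.1.11", "tcp", 502, 300),    # SCADA -> PLC
    ("10.10.1.11", "10.10.3.30", "tcp", 4840, 50),    # PLC -> Historian, OPC UA
    ("172.16.9.5", "10.10.1.11", "tcp", 502, 3),      # IT host probing a PLC
]


def conduits(flows, zones):
    """Step 1: aggregate endpoint flows into zone-to-zone conduits.
    Returns {(src_zone, dst_zone): {"packets": n, "services": {(proto, port)}}}."""
    out = defaultdict(lambda: {"packets": 0, "services": set()})
    for src, dst, proto, dport, pkts in flows:
        key = (zones.get(src, "unknown"), zones.get(dst, "unknown"))
        out[key]["packets"] += pkts
        out[key]["services"].add((proto, dport))
    return dict(out)


def propose_policy(cond, min_packets=10, blocked_zones=("Enterprise-IT",)):
    """Step 2: derive a group-based policy from the observed conduits.
    Conduits under min_packets are treated as noise and left denied;
    conduits sourced in enterprise zones are never permitted straight into
    a cell (they belong behind the I-DMZ). Everything unobserved stays at
    the default deny applied in evaluate()."""
    policy = {}
    for (s, d), info in cond.items():
        if s in blocked_zones or info["packets"] < min_packets:
            policy[(s, d)] = "deny"
        else:
            policy[(s, d)] = "permit"
    return policy


def evaluate(flows, zones, policy, enforce=False):
    """Steps 2 and 3: run traffic through the policy.
    Monitor mode (enforce=False) passes everything and reports would-be denies;
    enforce mode drops them. Returns (passed_flows, reported_denies)."""
    passed, reported = [], []
    for f in flows:
        key = (zones.get(f[0], "unknown"), zones.get(f[1], "unknown"))
        if policy.get(key, "deny") == "deny":
            reported.append((key, f))
            if enforce:
                continue
        passed.append(f)
    return passed, reported
```

On the sample records the conduit table shows HMI to PLC (2100 packets, Modbus/TCP), SCADA to PLC, PLC to Historian (OPC UA) and a 3-packet Enterprise-IT to PLC conduit; the proposed policy permits the first three and denies the last; monitor mode passes all five flows and reports one, enforce mode passes four.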
Extended Detection and Response (XDR)
Built on the Cisco security platform, open and extensible: your infrastructure (SIEM/SOAR, other third-party tools, intelligence) and Cisco applications across cloud, network, endpoint, e-mail and identity feed your SOC (CISO, SecOps analyst, incident responder) with clear prioritization, streamlined investigations, and automation and response guidance.

Summary
Cisco Private 5G: an enterprise-ready private 5G network and RAN architecture for various IT/OT environments; simple automation and visibility for transport and security; trusted by enterprises with unified identity and policy via ISE; macro and micro segmentation; a secure Private 5G infrastructure delivering mission-critical use cases.

Link collection
- Zero Trust: Network and Cloud Security Design Guide
- Cisco Platform Exchange Grid
- Cisco Group Based Policy Platform and Capability Matrix
- Cisco Secure Technical Alliance Partners
- ISE Security Ecosystem Integration Guides
Cisco Private 5G learning map (related Cisco Live 2023 sessions)
- June 4, 2:00 pm, TECSPG-2432: New Adventures in Wireless: The Journey of WiFi6 and Private 5G Networks for the Enterprise
- June 5, 8:00 am, BRKSEC-2085: Architecting Enterprise Security in a Wi-Fi plus Private 5G World
- June 5, 8:30 am, BRKSPG-2042: Architecting Private 5G for resiliency, security, and enterprise network convergence
- June 5, 10:30 am, BRKSPM-1006: The 5G System as a Spectrum Management Solution
- June 5, 11:00 am, BRKENS-2950: Is your Enterprise Network Ready for P5G (this session)
- June 5, 11:30 am, PSOSPG-1002: Leading Your Digital Transformation with Cisco Private 5G Network Offer
- June 7, 2:30 pm, PSOGEN-1033: Unlock business outcomes from connectivity with a Private 5G solution
- June 7, 4:00 pm, BRKSPG-3004: Monolithic or Polylithic packet cores? The case for specialized use-case-based mobile packet cores
- June 8, 9:30 am, BRKSPG-2044: 5G Use Cases: Flight Line of the Future and Smart Warehouse
- June 8, 1:00 pm, BRKGEN-2001: Cisco P5G: A Robust and Secure Architecture
- June 8, 1:00 pm, IBOSPG-2007: Getting Started with Private 5G
- June 8, 3:00 pm, BRKEWN-2030: WiFi6 and Private 5G for the Enterprise: a Better Together Journey