
CiscoLive 2012 – Day 3

Though I was a day late on the last post, hopefully I wasn’t a dollar short in what I was
able to share. I cannot stress enough how valuable CiscoLive is for any Cisco partners or
customers. The contacts you make and the information you can glean are incredible. If you
can’t make it, I would recommend signing up for an account at http://www.ciscolive365.com. It’s
free, and you can download most of the presentations from CiscoLive.

Yesterday, I only sat in on two sessions, “Cisco TrustSec and Security Group Tagging” and
“Understanding and Deploying the CleanAir Technology to Improve Enterprise WLAN Spectrum
Management” (that’s a mouthful.)

Although I haven’t yet deployed Security Group Tags, it’s an interesting idea to me. I
believe it is vital to continue to learn about new technologies and frameworks so that you
can communicate intelligently about them as they become more mainstream. Of course, some
don’t get to that point, but the concepts help us to grow in our overall system thought
process. Again, some of the highlights for me from this session were:

1. Security Group Tags (SGTs) are an enabler for enforcing policies, and specifically
security policies at this point.

2. While VLANs and static or downloadable ACLs are useful, they are not scalable. Changing
subnets, additional VLANs, and changing or new host IP addresses add to the complexity. SGTs
can abstract that complexity.

3. A key principle of SGT based access control is to classify at ingress and filter at
egress. So, a user/device is tagged at ingress, and an SGT ACL is used at the egress
device.

4. Since not all devices support SGT, the SXP protocol is a way of bridging between SGT-capable
and non-SGT-capable devices during a migration. Also, there are ways of mapping VLANs and subnets
to SGTs, to help in the transition.
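To make items 1 through 4 concrete, here is a small Python model I added (it is not code from the session or from Cisco): an ingress classifier that maps a source IP to an SGT from per-host bindings (the kind a switch learns via 802.1X, or receives over SXP from a device that cannot tag inline) and from static subnet-to-SGT maps, and an egress SGACL matrix keyed by (source SGT, destination SGT). The SGT numbers, addresses, and rule set are constructed for illustration; real deployments define their own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed SGT values and names; hypothetical, not from any real deployment.
SGT_UNKNOWN = 0
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_HR_SERVER = 30


class IngressClassifier:
    """Models the 'classify at ingress' step: map a source IP to an SGT.

    Bindings come from two sources, checked in this order:
      1. per-host bindings (what a switch learns from 802.1X, or what a
         non-SGT-capable device hands it over SXP);
      2. static subnet-to-SGT maps, the transition aid mentioned in item 4,
         matched by longest prefix.
    """

    def __init__(self) -> None:
        self.host_bindings: Dict[str, int] = {}
        self.subnet_maps: List[Tuple[ipaddress.IPv4Network, int]] = []

    def add_host_binding(self, ip: str, sgt: int) -> None:
        self.host_bindings[ip] = sgt

    def receive_sxp_bindings(self, bindings: List[Tuple[str, int]]) -> None:
        # SXP carries IP-to-SGT bindings; modelled here as a plain list of pairs.
        for ip, sgt in bindings:
            self.add_host_binding(ip, sgt)

    def add_subnet_map(self, cidr: str, sgt: int) -> None:
        self.subnet_maps.append((ipaddress.ip_network(cidr), sgt))

    def classify(self, ip: str) -> int:
        if ip in self.host_bindings:
            return self.host_bindings[ip]
        addr = ipaddress.ip_address(ip)
        hits = [(net, sgt) for net, sgt in self.subnet_maps if addr in net]
        if not hits:
            return SGT_UNKNOWN
        return max(hits, key=lambda h: h[0].prefixlen)[1]


class SgaclPolicy:
    """Models the 'filter at egress' step: a matrix keyed by (src SGT, dst SGT).

    Each cell holds an ordered list of (action, tcp_port) rules; a port of None
    matches any port. First match wins; a missing or exhausted cell means deny.
    """

    def __init__(self) -> None:
        self.cells: Dict[Tuple[int, int], List[Tuple[str, Optional[int]]]] = {}

    def add_rule(self, src_sgt: int, dst_sgt: int, action: str,
                 port: Optional[int] = None) -> None:
        self.cells.setdefault((src_sgt, dst_sgt), []).append((action, port))

    def decide(self, src_sgt: int, dst_sgt: int, port: int) -> str:
        for action, rule_port in self.cells.get((src_sgt, dst_sgt), []):
            if rule_port is None or rule_port == port:
                return action
        return "deny"


def egress_check(classifier: IngressClassifier, policy: SgaclPolicy,
                 src_ip: str, dst_ip: str, port: int) -> Tuple[int, int, str]:
    """End to end: tag both endpoints, then consult the SGACL matrix."""
    src_sgt = classifier.classify(src_ip)
    dst_sgt = classifier.classify(dst_ip)
    return src_sgt, dst_sgt, policy.decide(src_sgt, dst_sgt, port)


def build_demo() -> Tuple[IngressClassifier, SgaclPolicy]:
    """Constructed sample topology; all addresses are documentation ranges."""
    clf = IngressClassifier()
    clf.add_host_binding("192.0.2.10", SGT_EMPLOYEE)            # 802.1X-authenticated user
    clf.receive_sxp_bindings([("192.0.2.20", SGT_CONTRACTOR)])  # learned from a legacy switch
    clf.add_subnet_map("198.51.100.0/24", SGT_HR_SERVER)        # HR server subnet

    pol = SgaclPolicy()
    pol.add_rule(SGT_EMPLOYEE, SGT_HR_SERVER, "permit", 443)
    pol.add_rule(SGT_EMPLOYEE, SGT_HR_SERVER, "deny")
    # Contractors have no cell toward HR servers, so the default deny applies.
    return clf, pol


if __name__ == "__main__":
    clf, pol = build_demo()
    print(egress_check(clf, pol, "192.0.2.10", "198.51.100.5", 443))  # employee -> HR https
    print(egress_check(clf, pol, "192.0.2.20", "198.51.100.5", 443))  # contractor -> HR https
    # Re-addressing the HR servers only touches the ingress mapping; the SGACL
    # matrix is untouched, which is the scalability point of item 2.
    clf.add_subnet_map("203.0.113.0/24", SGT_HR_SERVER)
    print(egress_check(clf, pol, "192.0.2.10", "203.0.113.7", 443))
```

The last three lines are the point of item 2: moving the HR servers to a new subnet adds one ingress mapping and leaves the policy matrix alone, whereas an IP-based ACL would have to be rewritten on every enforcement point.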

Of course, there was more – download the presentation!

I missed a session because I was enjoying the World of Solutions too much. I was able to
talk with a number of different vendors, some of whom we resell (like Tessco), some whose
tools we use (Ekahau – hopefully!), and others that our customers use (LiveAction).

The afternoon session on CleanAir was presented by the masterful Jim Florwick. He’s another “must go see” presenter. While I’ve seen much of what was presented before, it was still valuable, with some great reminders about RF and 802.11.

1. 802.11 is Listen Before Talk (LBT or CSMA/CA). And, it’s very, very polite in doing that. So much so, that it won’t talk unless the sensed power is below a certain threshold.

2. How does it sense the RF power levels in the air? Clear Channel Assessment (CCA), using Energy Detect (ED) (quick, low power, prone to false positives) and/or Preamble detection (takes time, more power, less prone to false positives). The required power levels for the air space to be seen as “clear” can vary by band, year, client, etc.

3. Of course, non-Wi-Fi devices don’t participate in 802.11 Collision Avoidance (CA). So they will often stomp on 802.11 devices, which will then wait to transmit. So, the more noise, the longer clients have to wait to send due to congestion. Now, there are two responses to congestion: either retransmit a packet, or rate shift if the client retransmits too many times or the SNR is too poor.

4. Since retransmits add to the time that other clients need to wait before sending, busy networks are even less tolerant to interference or noise.

5. Persistent Device Avoidance in 7.2 is a cool feature. It allows CleanAir APs to send information about interfering devices to non-CleanAir APs that are seen as neighbors. Be careful with this, though, as the RSSI or dBm values for neighbors are not adjustable for this feature. And, the bias to not use the channel used by that persistent device is for 7 days, which is also not configurable. Also, PDA does not mean that an AP won’t use the channel. It just adds a factor to not use the channel when that device is there.
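Items 1 through 4 describe one chain of cause and effect, so here is a small slot-by-slot simulation I added to show it in code (it is my own illustration, not anything from the session or from Cisco). A station runs CCA on each slot, deferring on a decodable 802.11 preamble or on raw energy above the ED threshold; when it does transmit, a non-Wi-Fi device that ignores CA can still stomp on the frame mid-slot, which shows up as a poor SNR; the station then retransmits, and steps down the rate after too many retries or a badly missed SNR target. All thresholds, the rate ladder, and the slot samples are constructed for illustration; the post itself notes that real CCA levels vary by band, year, and client.

```python
from dataclasses import dataclass
from typing import List

# Constructed thresholds; real values vary by band, client, and regulatory year.
CCA_ED_THRESHOLD_DBM = -62.0        # energy detect: anything this strong is "busy"
CCA_PREAMBLE_THRESHOLD_DBM = -82.0  # a decodable 802.11 preamble counts as busy even this weak
NOISE_FLOOR_DBM = -95.0
SHIFT_AFTER_RETRIES = 3             # rate shift after this many failures at one rate
SNR_MARGIN_DB = 10.0                # ...or if SNR misses the rate's target by this much

# Constructed rate ladder: (rate in Mbps, minimum SNR in dB needed to decode it).
RATE_LADDER = [(54, 25.0), (36, 20.0), (18, 13.0), (6, 6.0)]


@dataclass
class Slot:
    sensed_dbm: float   # strongest energy seen during CCA at the start of the slot
    is_80211: bool      # True if that energy carries a decodable 802.11 preamble
    midslot_dbm: float  # energy that appears after CCA passed (a non-CA device stomping)


@dataclass
class TxResult:
    delivered: bool
    slots_deferred: int  # slots spent waiting for a clear channel (item 1)
    retries: int         # retransmissions (item 3)
    rate_mbps: int       # rate the frame finally went out at


def channel_clear(slot: Slot) -> bool:
    """CCA (item 2): preamble detection wins at low power, ED catches everything else."""
    if slot.is_80211 and slot.sensed_dbm >= CCA_PREAMBLE_THRESHOLD_DBM:
        return False
    if slot.sensed_dbm >= CCA_ED_THRESHOLD_DBM:
        return False
    return True


def send_frame(slots: List[Slot], signal_dbm: float) -> TxResult:
    """Listen-before-talk, then retransmit / rate shift until delivered or out of slots."""
    rate_idx = 0
    deferred = 0
    retries = 0
    fails_at_rate = 0
    for slot in slots:
        if not channel_clear(slot):
            deferred += 1            # polite: do not talk into a busy channel
            continue
        # Transmit now; a non-CA device arriving mid-slot raises the noise we decode against.
        snr_db = signal_dbm - max(NOISE_FLOOR_DBM, slot.midslot_dbm)
        rate, needed_snr = RATE_LADDER[rate_idx]
        if snr_db >= needed_snr:
            return TxResult(True, deferred, retries, rate)
        retries += 1
        fails_at_rate += 1
        # Item 3's two responses: retransmit, and shift rate if retrying too often or SNR is too poor.
        if fails_at_rate >= SHIFT_AFTER_RETRIES or snr_db < needed_snr - SNR_MARGIN_DB:
            if rate_idx < len(RATE_LADDER) - 1:
                rate_idx += 1
                fails_at_rate = 0
    return TxResult(False, deferred, retries, RATE_LADDER[rate_idx][0])


def quiet_channel(n: int) -> List[Slot]:
    """Constructed: nothing on the air but the noise floor."""
    return [Slot(NOISE_FLOOR_DBM, False, NOISE_FLOOR_DBM) for _ in range(n)]


def stomped_channel(n: int, interferer_dbm: float) -> List[Slot]:
    """Constructed: CCA sees a clear slot, then a non-Wi-Fi device keys up every time."""
    return [Slot(NOISE_FLOOR_DBM, False, interferer_dbm) for _ in range(n)]


MIXED_TRACE = [  # constructed sample: two busy slots, two stomped frames, then a clean one
    Slot(-70.0, True, NOISE_FLOOR_DBM),   # weak but decodable 802.11 preamble: defer
    Slot(-55.0, False, NOISE_FLOOR_DBM),  # loud non-Wi-Fi energy above ED: defer
    Slot(-90.0, False, -60.0),            # clear at CCA, then stomped hard: fail, shift
    Slot(-90.0, False, -65.0),            # clear at CCA, stomped again: fail
    Slot(-90.0, False, NOISE_FLOOR_DBM),  # finally clean: delivered
]

if __name__ == "__main__":
    print(send_frame(quiet_channel(5), -50.0))
    print(send_frame(MIXED_TRACE, -50.0))
    print(send_frame(stomped_channel(10, -60.0), -50.0))
```

The third run is item 4 in miniature: a persistent interferer never trips CCA (it keys up after the check), so every frame is stomped, the station burns seven retries stepping down the ladder, and the frame eventually leaves at 6 Mbps, occupying the air far longer than the 54 Mbps attempt would have. On a busy network every other client waits through all of that airtime.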

The day was capped off with the CCIE Party on the USS Midway aircraft carrier. What an awesome time! Talking with old friends, riding in flight simulators, and decent food made for a terrific night. Much better than last year’s party. Kudos to those who planned it.