© 2019 Cisco and/or its affiliates. All rights reserved. Page 4 of 43
● Increased bandwidth needs—Bandwidth needs are doubling, potentially multiple times, over the lifetime of a network, resulting in the need for new networks to aggregate using 10 Gbps Ethernet and to move to 40 Gbps and 100 Gbps capacities over time.
● Increased capacity of wireless access points—The bandwidth demands on wireless access points (APs) with the latest 802.11ac Wave 2 technology now exceed 1 Gbps, and the IEEE has now ratified the 802.3bz standard that defines 2.5 Gbps and 5 Gbps Ethernet. Cisco Catalyst® Multigigabit technology supports that bandwidth demand without requiring an upgrade of the existing copper Ethernet wiring plant.
● Additional power requirements from Ethernet devices—New devices, such as lighting, surveillance cameras, virtual desktop terminals, remote access switches, and APs, may require higher power to operate. Your access layer design should have the ability to support Power over Ethernet (PoE) at 60W per port, offered with Cisco Universal Power Over Ethernet, and the access layer should also provide perpetual PoE power during switch upgrade and reboot events. The Cisco Catalyst 9000 family of access layer switches is perpetual PoE-capable and hardware-ready for 100W per port, as that technology becomes available.
Integrated services and security
● Consistent wired and wireless security capabilities—The security capabilities described below should be consistent whether a user is connecting to a wired Ethernet port or connecting over the wireless LAN.
● Network assurance and analytics—Proactively predict network-related and security-related risks by using telemetry to improve the performance of the network, devices, and applications, even with encrypted traffic.
● Identity services—Identifying users and devices connecting to the network provides the contextual information required to implement security policies for access control, network segmentation by using scalable group tags (SGTs) for group membership, and mapping of devices into virtual networks (VNs).
● Group-based policies—Creating access and application policies based on user group information provides a much easier and more scalable way to deploy and manage security policies. Traditional access control lists (ACLs) can be difficult to implement, manage, and scale because they rely on network constructs such as IP addresses and subnets.
● Software-defined segmentation—Scalable group tags assigned from group-based policies can be used to segment a network to achieve data plane isolation within physical and virtual networks.
● Network virtualization—The capability to share a common infrastructure while supporting multiple VNs with isolated data and control planes enables different sets of users and applications to be isolated securely.
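The three segmentation bullets above (group-based policies, software-defined segmentation, network virtualization) can be illustrated with a small policy model. The following Python is an added example, not Cisco code or the configuration syntax of any Cisco product: it assigns each profiled endpoint a virtual network and a scalable group tag, enforces macro-segmentation (different VNs never talk) before a default-deny group-to-group matrix (micro-segmentation), and contrasts that with a subnet-bound ACL that silently stops matching when the same device shows up on a different subnet. All profile names, VN names, SGT names and addresses are constructed for the example.

```python
"""Toy model of SD-Access style segmentation: macro (virtual networks) plus
micro (scalable group tags with a group-to-group policy matrix).
Added illustration, not Cisco code; all names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    profile: str  # outcome of profiling, e.g. "patient-byod" or "emr-server"


# Profiling result -> (virtual network, scalable group tag). Constructed values.
CLASSIFICATION: Dict[str, Tuple[str, str]] = {
    "patient-byod":   ("GUEST_VN",    "PATIENT"),
    "clinician-byod": ("CLINICAL_VN", "CLINICIAN"),
    "emr-server":     ("CLINICAL_VN", "EMR"),
    "vitals-monitor": ("CLINICAL_VN", "MED_DEVICE"),
    "nurse-station":  ("CLINICAL_VN", "NURSE_WS"),
}

# Group-based policy matrix: (source SGT, destination SGT) pairs that are
# permitted. Anything not listed is denied (default deny). Constructed values.
PERMIT: FrozenSet[Tuple[str, str]] = frozenset({
    ("CLINICIAN", "EMR"),
    ("NURSE_WS", "EMR"),
    ("NURSE_WS", "MED_DEVICE"),
    ("MED_DEVICE", "EMR"),
})


def classify(ep: Endpoint) -> Tuple[str, str]:
    """Profile-driven assignment; unknown profiles land in a quarantine VN
    with an SGT that has no permit entries, so they can reach nothing."""
    return CLASSIFICATION.get(ep.profile, ("QUARANTINE_VN", "UNKNOWN"))


def group_policy_allows(src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Macro-segmentation check first, then the SGT matrix. Returns
    (decision, reason) so the reason can be logged for detection purposes."""
    src_vn, src_sgt = classify(src)
    dst_vn, dst_sgt = classify(dst)
    if src_vn != dst_vn:
        return False, f"macro-segmentation: {src_vn} and {dst_vn} are isolated"
    if (src_sgt, dst_sgt) in PERMIT:
        return True, f"micro-segmentation: {src_sgt}->{dst_sgt} permitted"
    return False, f"micro-segmentation: {src_sgt}->{dst_sgt} denied by default"


# Traditional ACL for contrast: the rule is bound to subnets, not identity.
IP_ACL = [
    # clinician subnet -> EMR subnet (constructed addressing)
    ("permit", ip_network("10.20.0.0/24"), ip_network("10.30.0.0/24")),
]


def ip_acl_allows(src: Endpoint, dst: Endpoint) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    s, d = ip_address(src.ip), ip_address(dst.ip)
    for action, src_net, dst_net in IP_ACL:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def demo() -> Dict[str, bool]:
    """Decisions for a handful of constructed flows in a hospital network."""
    emr = Endpoint("10.30.0.10", "emr-server")
    monitor = Endpoint("10.40.0.5", "vitals-monitor")
    patient = Endpoint("10.10.0.77", "patient-byod")
    clinician = Endpoint("10.20.0.15", "clinician-byod")
    # The same clinician device after roaming to another floor's subnet.
    clinician_roamed = Endpoint("10.21.0.15", "clinician-byod")
    return {
        "patient->monitor": group_policy_allows(patient, monitor)[0],    # False
        "clinician->emr": group_policy_allows(clinician, emr)[0],        # True
        "clinician->monitor": group_policy_allows(clinician, monitor)[0],  # False
        "roamed clinician->emr (group policy)": group_policy_allows(clinician_roamed, emr)[0],  # True
        "roamed clinician->emr (ip acl)": ip_acl_allows(clinician_roamed, emr),                 # False
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow}: {'permit' if allowed else 'deny'}")
```

The point the bullets make shows up in the last two results: the group policy still permits the roamed clinician because the decision is keyed on profile-derived group membership, while the subnet-bound ACL stops matching as soon as the address changes, which is exactly the kind of drift that makes IP-based rules hard to manage at scale. In a real deployment the same (decision, reason) pairs would be the telemetry a defender watches for unexpected cross-group denies, such as a patient device attempting to reach a medical device.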
SD-Access Use Case for Healthcare Networks: Secure Segmentation and Profiling
Our healthcare records are just as valuable to attackers as our credit card numbers and online passwords. In the wake of recent cyber-attacks, hospitals are required to have HIPAA-compliant wired and wireless networks that can provide complete and constant visibility into their network traffic to protect sensitive medical devices (such as servers for electronic medical records, vital signs monitors, or nurse workstations) so that a malicious device cannot compromise the networks.

A patient's mobile device, when compromised by malware, can change network communication behavior to propagate and infect other endpoints. It is considered abnormal behavior when a patient's mobile device communicates with any medical device. SD-Access can address the need for complete isolation between patient devices and medical facility devices by using macro-segmentation and putting devices into different overlay networks, enabling the isolation.

How is a similar scenario addressed for the case of a compromised medical professional's mobile device requiring connectivity to information systems for some tasks, but not requiring connectivity to other medical devices? SD-Access can take this need for segmentation beyond simple network separation by profiling devices and users as they come onto the network and applying micro-segmentation within an overlay network. Flexible policy creation provides the ability to have groups of device