Cloud Services, SaaS Pose WAN Bandwidth Challenges

Cisco exec Pat Calhoun discusses the challenges of ensuring enough bandwidth over wired and wireless networks to handle the needs of a modern enterprise.

Lorna Garey

May 17, 2011


As Interop 2011 in Las Vegas, a UBM TechWeb event, was winding down, I got a chance to speak with Pat Calhoun, vice president and general manager of the security systems unit at Cisco, about the company's efforts to help enterprises secure branch office communications while conserving WAN bandwidth, even as they use more SaaS and cloud-based services. He also discussed ways IT managers will be able to impose policy on the multiple devices connecting to enterprise networks and unify management of wired and wireless traffic.

InformationWeek: What are the significant Borderless Networks announcements coming out of the show for Cisco?

Pat Calhoun: We announced the integration of ScanSafe [Cloud Web Security] in the ISR [Integrated Service Router]. So really it addresses a trend that we're seeing in the industry among enterprises that have a lot of branch remote offices. Currently what they do is send all the traffic through the WAN interface back into corporate, the main campus. The trend that we're seeing is that people really want to be splitting off traffic that's destined to the Internet--the Salesforce.com or other SaaS and cloud-based applications--and go directly to the Internet as opposed to leverage the WAN bandwidth to go back to the campus. But they want to make sure that they're doing the proper level of policy enforcement and security monitoring of all the traffic.

So with the integration of ScanSafe in the ISR, all traffic now gets sent to one of the ScanSafe towers. Through the ScanSafe tower we can do content inspection and a variety of different security capabilities that we can actually provide on the traffic itself. So it now gives you peace of mind where you can actually define a single policy on how you want to monitor and enforce your traffic, and it gets enforced for the traffic that goes into the campus and the traffic that goes directly to the Internet from the branch office. From an optimization standpoint of the traffic, it's much better. You don't have to send everything back [to the main data center].

InformationWeek: Because that gets expensive.

Calhoun: Exactly. The second announcement that we did is our new policy management platform called Identity Services Engine. So what we've seen in the industry is there's been a huge push toward securing users, understanding who the users are that are connecting to the network, a desire to have more visibility into what type of devices are connecting into the network. This has been spurred by the introduction of iPads and all the different tablets, [and the fact that] a lot of enterprise customers actually don't have a view into what's connected to the network. Are they enterprise devices, are they consumer devices?

What Identity Services Engine allows you to do is to get that level of visibility and enforcement. So an enterprise can now define a policy that says, "Only corporate assets are allowed on the network. Employee devices are not allowed on the network." Or you can have a policy that says, "If it's a consumer device you're allowed on the network, but there's only certain things that you can do." Perhaps you can't download corporate IP, and maybe you can get your email. We're seeing a variety of different types of policies that are being enforced with these types of capabilities.

The Identity Services Engine is integrating five policy servers that Cisco had: guest server; profiling; posture, which is the ability to set a policy on the health of the device, is it running the right firewall, does it have the right Windows patches, and so on; as well as the actual authentication of the user.

It's really a first in the industry in terms of integration of all those types of capabilities into a single console, a single view.

InformationWeek: Why are customers coming to Cisco for these products?

Calhoun: One driver is compliance. What I'm finding out as I talk to our customers is that most customers have a policy around who is allowed on the network, but very few even have a way to determine who is on their network. There's just thousands and thousands of devices. In fact, one customer that we worked with thought that they had about 75,000 devices. Turns out they had 125,000 devices.

People just want to know: What's on my network, how do I control it, and do I have the tools that I need to be able to report back to my auditors that I'm actually enforcing the policy that I've created?

InformationWeek: How many of the functions that would normally require a specialized mobile device management tool can you take care of here?

Calhoun: Identity Services Engine is more on infrastructure management side, less on the endpoint management side. We do have AnyConnect that's part of our offering. It's basically our endpoint that runs on traditional laptops as well as smartphones. I have it on my iPhone. It's available on Apple [App] Store. But basically what it does is it's a connectivity tool, and it ensures that I'm always securely connected to my enterprise. So it's a VPN client [and] part of our overall solution that hooks back into how Identity Services Engine authenticates the endpoint. But ISE itself is not a device management platform. It's more of a policy management platform.

InformationWeek: You have a wireless background, obviously, from Airespace. What are Cisco's plans around controllers, on how [802.11n] can be a helper technology to 3G/4G and how people are going to make the best use of all that in the enterprise?

Calhoun: CleanAir, which is our offering that now does .11n, has spectrum intelligence, and so on, is radically changing how people are thinking about 802.11 in the enterprise. In part it's because the performance that you get with the platform itself is much greater than what we've seen in the past. But also, it actually provides you with a view into how your spectrum is actually faring. So one of the challenges we've always had as an industry is you have all this RF going on, but you can't really see the RF. And if there's a performance bottleneck, you're not really sure exactly what's causing it. So from a user standpoint, I may be trying to access a video or perhaps even a critical application, and if it's not working very well, the process of trying to troubleshoot is extremely complex. What we've done now is that with CleanAir, by integrating all of these capabilities into the access point, we now have a view into what is radiating RF in the environment. What I'm seeing is people are just feeling a lot more comfortable now with .11n because it has these capabilities and it gives you the tools you need to be able to deploy with peace of mind. So within an enterprise, a huge push toward CleanAir.

InformationWeek: Cisco CIO Rebecca Jacoby talked about how people have seven devices now, but soon they're going to have 11. We see the whole open office movement, that people want to be able to walk around. Do you see us cutting the cord to the desktop?

Calhoun: I think .11n has that performance that you generally need [to do that]. Even if you have 11 devices, chances are you're not using 11 at the same time. But what we've seen in the industry over the past 10 years is that as the capacity demand increases for the network, generally you reduce your cell size. By reducing your cell size, you're reducing the number of users on an access point, and that gives you that performance boost that you need, because you're sharing less spectrum per user. So that definitely is a strategy that the industry has adopted and I think is going to continue to adopt.

When I take a look at the seven or 11 devices--I don't know if I'm ever going to have 11 devices on me, I mean, just plugging two in for battery is a pain--but video is where the challenge comes in. It's video more than anything. Normal applications generate a fair amount of traffic, but not to the point where it can actually congest a network. Video, on the other hand, definitely can present a lot of challenges from a Wi-Fi standpoint. And that's one of the reasons why, with CleanAir, we've optimized our platform for video delivery. Whether it's multicast traffic or unicast traffic, we actually have the means to transmit the traffic in a way that's highly optimized, and we're actually definitely seeing a significant increase in the amount of video going on over wireless.

InformationWeek: How are you optimizing? Can you give us any details?

Calhoun: There's a couple ways, but one of them is, obviously, it's recognizing that you have video to begin with. And that in itself is a difficult technical challenge. But once you've actually gotten through that, we have ways where, if multiple endpoints are actually trying to access the same video contents--let's say this would be a live streaming event, as an example--as opposed to sending multiple instances of the same video to the multiple users on the same access point, we have a way to deliver the traffic through a single stream. That requires us to have a lot of understanding of the type of traffic and the type of video traffic. That type of video content doesn't work for all types of video content. For instance, if you're going to YouTube, it's not all that useful, right? Because even if we're watching the same YouTube video, you're watching it before I am, so we're offset, so I can't really do that. But in a live streaming event, we can absolutely do that.

If I can add one thing, you were asking a second ago about wireless controllers. A wireless controller was announced yesterday as part of the ScanSafe news: Cisco Flex 7500 Cloud Controller.

InformationWeek: Can you tell us something about that?

Calhoun: That would be our next-generation service module for wireless; this is the first next-generation platform that actually fits inside a Catalyst switch.

We actually announced a customer--Bass Pro Shops--that's deploying the 7500 Cloud Controllers. They're able to take the controller out of each one of their retail shops. There are 54 retail shops in the U.S. and Canada that have one 7500 Cloud Controller from that to the corporate headquarters that manages the wireless networks.

InformationWeek: It's a little bit against the trend of where things are going, decentralizing the control.

Calhoun: There's two trends, and we support both: We have platforms that allow a customer that wants to have local controllers in the branch, obviously. We have controllers that fit in the ISR as well as smaller appliances. But then there are some customers that really are looking to centralize everything and try to minimize the number of devices that actually sit in the branch, or a retail store in this particular case. So either one, we actually have the offering for people to do that. In this particular example, very large stores, lots of access points, so the scaling properties required on the controller itself is extremely high. That's one of the reasons why we're seeing a lot of traction, is the fact that it can support so many access points.

InformationWeek: One question we're asking everybody is, leaving aside your products, as you've walked the show floor, what has struck you as the most interesting trend that you're seeing here?

Calhoun: I'm actually going to be walking the show floor this afternoon, so that's a tough question. I've only spent time inside the Cisco booth because I had a lot of meetings yesterday.

But one thing I'll actually mention that I've seen as I was walking around, I've seen a significant number of people get really excited around was Identity Services Engine that we talked about earlier, but also our new NCS Prime, our new network management platform that we just announced. If you have a chance to go down there and take a look, you'll see that Cisco is definitely taking a huge leap forward in terms of providing a network management platform for our customers to be able to get visibility and do troubleshooting of potential issues that may exist on their networks, both wired and wireless. It's an opportunity for them to really treat both wired and wireless as a single network.


About the Author

Lorna Garey

Content Director, InformationWeek Digital Media
