Case Study: MBDA 802.1X Campus

CCS-1001

Sylvie PHALIPPOU, Network Engineer, MBDA / France
sylvie.phalippou@mbda-systems.com

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Housekeeping

We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday

Visit the World of Solutions

Please remember this is a 'non-smoking' venue!

Please switch off your mobile phones

Please make use of the recycling bins provided

Please remember to wear your badge at all times, including the Party

Agenda

MBDA: Company Overview
Network Architecture
802.1X overview
Deploying 802.1X
  Company Goals
  Network and security requirements
  Design constraints
  Implementation schedule
  Deployment workshops
  Features selection
  Implementation
  Tools and procedures
  Benefits / Lessons learned
Current Status and future plan
Conclusion

MBDA: Company Overview

MBDA: History / Shareholders / Products

Created in 2001, MBDA is a leading worldwide missiles and missile systems prime contractor

Extensive, unrivalled product portfolio covering the whole range of requirements

45 products in service / 30 products under development

Extensive experience of international programs, e.g. Storm Shadow/SCALP, Taurus, Aster, Meteor, Milan

Supported by major shareholders: BAE SYSTEMS, EADS, Finmeccanica

MBDA Group Structure

Shareholders (figure): EADS 37.5%, BAE SYSTEMS 37.5%, FINMECCANICA 25%

MBDA, an integrated organisation, owns 100% of:
  MBDA France
  MBDA UK
  MBDA ITALIA
  MBDA DEUTSCHLAND

MBDA – European Centers

10,400 people worldwide, 60% in Technical/Engineering functions (figure: site map)

UK 2,900
  Lostock: Production
  Stevenage: R&D/Integration
  Bristol: Software & Systems
GE 1,100
  Ulm: R&D
  Schrobenhausen: Management/R&D/Production/Integration
  Unterschleißheim: Management/R&D
FR 4,800
  Compiègne: Electronic
  Le Plessis-Robinson: Management/R&D
  Centre Region: R&D/Production/Integration
IT 1,500
  La Spezia: R&D/Integration
  Rome: Management/R&D
  Fusaro: Production/Integration
USA 100

MBDA: Network Architecture

Network Architecture

Campus Corporate & Business Networks:
  Campus: 3-tier architecture (Core, Distribution, Access)
  Cisco switches: Cat3750 / Cat4500 / Cat6500
  3 VRF-Lite instances:
    1 for office and ToIP
    1 for Guest VLAN
    1 for Video Surveillance / Physical Security
  No communication between VRFs
  802.1X deployment on the Office VRF of the corporate networks

WAN: Cisco 7200 router / leased line

MBDAF – LAN Physical View

(figure: actual campus LAN, physical view)

MBDAF – LAN Logical View

(figure: actual campus LAN, logical view, showing the three VRFs: VRF Corporate, VRF Video, VRF Guest)
Scale and Figures

Corporate & Business Networks:
  3000 users in 5 buildings
  Access: 230 Cat3750 in 38 cabinets with IOS 12.2(46)SE
  Distribution: 8 Cat4500 SUP5-10G with IOS 12.2(31)SGA
  Core: 2 Cat6500 SUP720-10G with IOS 12.2(18)SXF6
  Server farms: 3 Cat6500 SUP720-10G with IOS 12.2(18)SXF6
  9000 Ethernet ports
  4000 IP phones
  5000 workstations and PCs
  OSPF as the routing protocol within each VRF
  PVST+ between the access layer and the distribution layer
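Added example, not MBDA's own configuration (the deck shows none): a distribution-layer VRF-Lite configuration in the shape the Network Architecture and Scale and Figures slides describe, with the three isolated VRFs, one SVI per floor VLAN and one OSPF process per VRF. It assumes Catalyst IOS VRF-Lite syntax as on 12.2(31)SG; the VRF names, route distinguishers, VLAN numbers and addresses are placeholders.

```cisco
! Three VRF-Lite instances on a distribution Cat4500 (constructed example:
! names, route distinguishers and addresses are placeholders)
ip vrf CORPORATE
 rd 65000:1
ip vrf GUEST
 rd 65000:2
ip vrf VIDEO
 rd 65000:3
!
! Office data VLAN and ToIP VLAN of one floor, both in the corporate VRF.
! "ip vrf forwarding" clears the interface address, so the address follows it.
interface Vlan210
 description Office-Floor2
 ip vrf forwarding CORPORATE
 ip address 10.2.10.1 255.255.255.0
interface Vlan310
 description ToIP-Floor2
 ip vrf forwarding CORPORATE
 ip address 10.3.10.1 255.255.255.0
!
! The guest VLAN used by the meeting rooms lives in its own VRF. Nothing
! leaks routes between VRFs (no route-target import/export, no "ip route vrf"
! pointing at another table), so a guest host has no path to corporate subnets.
interface Vlan900
 description Guest-Meeting-Rooms
 ip vrf forwarding GUEST
 ip address 10.9.0.1 255.255.255.0
!
! One OSPF process per VRF; "capability vrf-lite" turns off the PE-side
! checks so the process behaves as a plain routing instance of that VRF.
router ospf 1 vrf CORPORATE
 capability vrf-lite
 network 10.2.0.0 0.0.255.255 area 0
 network 10.3.0.0 0.0.255.255 area 0
router ospf 2 vrf GUEST
 capability vrf-lite
 network 10.9.0.0 0.0.255.255 area 0
```

Verify the isolation with `show ip route vrf GUEST`: the corporate prefixes must be absent from that table.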

802.1X overview

Why 802.1X? Because it is better to know who is connected…

Network Access Control Model

(figure: CS-ACS RADIUS server integrated with Microsoft Active Directory)
  Request for Service (Connectivity)
  Backend Authentication Support
  Identity Store Integration

LAN media independence
User authentication
Device authentication

MBDA – France: Deploying 802.1X

Company Goals

Allow cost reduction and workforce collaboration: CY2005
1. Aggregate THREE Paris offices (Velizy La Source, Chatillon, Velizy Villacoublay) in a new & modern campus: Le Plessis Robinson
2. Allow a greater mobility for the project teams
3. Reach security requirements
4. Deploy IP telephony
5. Increase campus availability

Deliver new design for network architecture in Q1 CY2007

Network & Security requirements

(figure: a user asking "Where am I? What is my new address?")

Architecture based on VRF-Lite and VLAN segmentation
  2 Office VLANs per floor for generic users
  2 ToIP VLANs per floor for IP phones
  For one project team => one VLAN in one building

Move from static/manual MAC authorization to DEVICE and/or USER 802.1X authentication

Shared resources using specific VLANs/VRFs: VoIP, network administration, servers, video, etc.

Internet access

LAN Guest access in meeting rooms

Flexible authentication for any device

WiFi as a Rogue AP detector only

802.1X Design Constraints

Identification of TWO machine classes:
  Corporate PC
    90% Windows XP PC – 10% Linux
    All corporate PCs belong to the MBDA Active Directory domain
  Guest PC

Cisco ACS servers as the AAA servers: 2 ACS 4.1 appliances

802.1X authentication for corporate PCs from Active Directory

Map AD PC groups to ACS groups per project – authorization with VLAN assignment per group

Other devices (Guest PC) automatically fall into the Guest VLAN

802.1X implementation schedule

1. 802.1X feature tests: Q4 CY2005 (3 months)
   1. Main focus: PC and machine authentication
   2. Certificate provisioning
   3. Scalability
   4. Management of the backend server
2. Architecture final design: Q1 CY2006 (1 month)
   1. Three-tier architecture + VRF
   2. ACS servers and MS Active Directory
   3. ACLs between VLANs in the main VRF
3. Full architecture test: Q3 CY2006 (3 months)
4. New site deployment: Q1 CY2007 (3 months)

802.1X - Features Selection in 2006

MACHINE Dot1X Authentication – tested and deployed
  Windows XP SP2 with native Microsoft supplicant
  PEAP, then EAP-TLS
  Apply Microsoft registry patches – deployment with GPO
  http://support.microsoft.com/kb/309448/en-us

USER Dot1X Authentication – tested
  GINA modification not possible in MBDA context

MACHINE and USER Dot1X Authentication – tested
  Same VLAN must be assigned for both machine and user at that time

IP Phone: no 802.1X supplicant

MAC Authentication Bypass for non-802.1X corporate devices – tested
  Some issues when the IP phone was removed

802.1X deployment workshops

Define all procedures for new site deployment

Change in the IT provisioning method for projects and guests

Macro used to ease Dot1X configuration on switches:

  dot1x guest-vlan <vlan-id>

MAB:

  interface FastEthernet1/0/47…
   dot1x mac-auth-bypass
  ….
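A complete version of such an access-port macro, added here as an example and not the MBDA macro itself (the slide shows it only in fragments). It also covers the design-constraints slide: the VLAN that ACS returns for the ACS group mapped from the machine's AD group overrides the macro's access VLAN, and a device with no supplicant ends up in the guest VLAN. It assumes Cat3750 IOS 12.2(46)SE syntax; the ACS addresses, shared secret, port numbers and VLAN numbers are placeholders.

```cisco
! Global AAA: 802.1X is authenticated and authorized by the two ACS RADIUS
! appliances. "aaa authorization network" is what lets the switch apply the
! VLAN ACS returns (Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
! Tunnel-Private-Group-ID=<vlan>) for the ACS group mapped from the AD PC group.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
! Placeholder ACS addresses and shared secret (the deck does not list them)
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key ACS_SHARED_SECRET
radius-server host 192.0.2.12 auth-port 1812 acct-port 1813 key ACS_SHARED_SECRET
!
! Port macro; $data_vlan is used only when RADIUS returns no VLAN.
! The guest VLAN is entered after (max-reauth-req + 1) x tx-period = 30 s of
! silence, i.e. for a host with no supplicant. A domain PC whose EAP-TLS
! authentication is rejected does NOT land there: the port stays unauthorized.
macro name DOT1X_USER_PORT
 switchport mode access
 switchport access vlan $data_vlan
 switchport voice vlan $voice_vlan
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x guest-vlan $guest_vlan
 spanning-tree portfast
 spanning-tree bpduguard enable
@
!
! Default single-host mode: the IP phone, which has no supplicant, is
! recognised through CDP and uses the voice VLAN; the PC behind it is the
! 802.1X client on the data VLAN, which is why 0 devices needed MAB.
interface FastEthernet1/0/47
 description Office-Floor2
 macro apply DOT1X_USER_PORT $data_vlan 210 $voice_vlan 310 $guest_vlan 900
!
! Per-port MAB for a corporate device without a supplicant: after the 802.1X
! timeout the switch sends the MAC address as RADIUS username and password,
! and the guest VLAN is used only if that MAB request is rejected as well.
interface FastEthernet1/0/48
 description Printer-Floor2
 macro apply DOT1X_USER_PORT $data_vlan 210 $voice_vlan 310 $guest_vlan 900
 dot1x mac-auth-bypass
```

Check the result per port with `show dot1x interface FastEthernet1/0/47 details`, which reports the authorization state and whether the guest VLAN or a RADIUS-assigned VLAN is in effect.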

802.1X implementation

802.1X facts and figures:
  4000 devices with 802.1X supplicant (Windows XP SP2)
  0 devices with MAB
  96% dedicated PCs, 4% shared PCs for internet access
  7500 Ethernet ports with 802.1X activated
  2 ACS 4.1 appliances for RADIUS
  20 AD/RADIUS groups
  650 VLANs
  100 meeting rooms with « wired only » Guest VLAN

802.1X Tools and procedures

LAN administration based on CW2000 LMS: User Tracking to locate a specific MAC address

ACL and security based on Solsoft NetPartitioner (Exaprotect): ACL management between VLANs

MS tools for all AD aspects

Benefits and lessons learned

Successful installation end of March 2007
All employees moved on time – early April 2007

Wired user mobility improvement: transparent for IT
  Before 802.1X: 20 moves a day as a maximum; LAN access in meeting rooms required manual changes

Guest network available (LAN in meeting rooms)

First two months with few problems … so far solved:

• PEAP password expiration => EAP-TLS (PEAP authenticates with the account password, so an expired password broke authentication; EAP-TLS relies on machine certificates instead)

• MAC Authentication Bypass: not mature enough in 2007 => manual port management

• Timeout of supplicant => IOS upgrade

Current Status and Future Plan

Working state:
  User mobility is effective, no complaints from users
  IT saves configuration time
  Per-project organization is implemented
  802.1X deployment in other sites

Next step:
  802.1X for phones (VoIP is already deployed)
  802.1X for printers
  802.1X in other countries: TBD

MBDA requests to Cisco:
  Hierarchical VLAN allocation: an Admin PC should join the Admin VLAN if the Admin VLAN is available; otherwise, the Admin PC should join the User VLAN
  802.1X QoS inheritance
  Reduce the impact of 802.1X debugging on the Cat3750

802.1X: It works!

Recommended Reading

(figure: book covers) Source: Cisco Press

Meet The Expert

To make the most of your time at Cisco Networkers 2009, schedule a Face-to-Face Meeting with a top Cisco Expert.

Designed to provide a "big picture" perspective as well as "in-depth" technology discussions, these face-to-face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas.

Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions
