Free mobility is a solution that allows a user to obtain the same network access policy regardless of the user's location and IP address changes.
On an enterprise network, different network access policies can be deployed for users on access devices to meet different network access requirements. On traditional campus networks, users' network access rights are controlled using NAC together with VLAN and ACL technologies. Requirements of these technologies are as follows:
Mobile office requires that these limitations be removed so that employees can access the network from any location, any VLAN, or any IP network segment while their network access rights remain controlled. Free mobility is introduced for this purpose. By using a controller and agile switches, network access rights can automatically migrate when user locations change, improving the mobile office experience.
The free mobility solution solves problems faced by traditional campus networks from the following perspectives:
Decoupling of service policies and IP addresses
Using a controller, the administrator can divide users and resources on the entire network into different security groups based on different dimensions. In addition, agile devices in the free mobility solution use an innovative software and hardware design. An agile device can match the source and destination IP addresses of packets with source and destination security groups, and then find the matching inter-group policy based on the source and destination groups.
Through the innovative design, all the user- and IP address-based service policies used on traditional networks can be migrated to security group-based policies. When predefining service policies, the administrator does not need to consider users' actual IP addresses, decoupling service policies from IP addresses.
Centralized management of user information
A controller centrally manages authentication and online information about users and obtains mappings between network-wide users and IP addresses. Non-authentication devices on the network can actively obtain information about source and destination security groups from the Agile Controller based on the source and destination IP addresses of packets.
Centralized management of policies
A controller is not only the authentication center on campus networks, but also the management center of service policies. The administrator can use the controller to centrally manage service policies on network-wide policy enforcement devices. After being configured once, these service policies are automatically delivered to policy enforcement devices on the entire network. These policies include rights policies (for example, group A is forbidden to access group B) and experience guarantee policies (for example, traffic forwarding bandwidth and priority of group A are controlled).
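The lookup described under "Decoupling of service policies and IP addresses" and "Centralized management of user information", modelled in Python as an added example; it is not the vendor's code or the product's implementation. The user names, group names, addresses and the default-deny action are constructed assumptions.

```python
import ipaddress

# Constructed sample data: users, group names, addresses and the default
# action are assumptions for illustration, not values from the page.
USER_GROUP = {"alice": "RnD", "bob": "Sales"}   # assigned at authentication
RESOURCE_GROUP = {ipaddress.ip_network("10.10.0.0/24"): "CodeServers",
                  ipaddress.ip_network("10.20.0.0/24"): "CRM"}
# Inter-group policy: (source group, destination group) -> action
POLICY = {("RnD", "CodeServers"): "permit",
          ("Sales", "CRM"): "permit",
          ("Sales", "CodeServers"): "deny"}
DEFAULT_ACTION = "deny"   # assumption: unmatched group pairs are dropped


class Controller:
    """Keeps the network-wide mapping of online user IPs to security groups."""
    def __init__(self):
        self.online = {}   # ip_address -> (user, group)

    def login(self, user, ip):
        # A user has one live binding: remove the old address before adding the new.
        self.online = {a: v for a, v in self.online.items() if v[0] != user}
        self.online[ipaddress.ip_address(ip)] = (user, USER_GROUP[user])

    def group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.online:                       # authenticated user
            return self.online[addr][1]
        for net, group in RESOURCE_GROUP.items():     # static resource range
            if addr in net:
                return group
        return "Unknown"


def enforce(controller, src_ip, dst_ip):
    """Per-packet decision on an enforcement device: IPs -> groups -> policy."""
    pair = (controller.group_of(src_ip), controller.group_of(dst_ip))
    return POLICY.get(pair, DEFAULT_ACTION)


def demo():
    c = Controller()
    c.login("alice", "192.168.1.20")                  # wired office port
    before = enforce(c, "192.168.1.20", "10.10.0.5")
    c.login("alice", "172.16.8.77")                   # roams to another subnet
    after = enforce(c, "172.16.8.77", "10.10.0.5")
    stale = enforce(c, "192.168.1.20", "10.10.0.5")   # old address is unbound
    c.login("bob", "192.168.1.20")                    # address reused by Sales
    reused = enforce(c, "192.168.1.20", "10.10.0.5")
    return before, after, stale, reused
```

The policy table never mentions an IP address, so the user's rights follow the group across subnets, while the old address loses them as soon as its binding is removed and does not pass them on to the next user who receives it.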