Remote Access

Workplace VPN
Cisco on Cisco
Technology Tutorial
Plamen Nedeltchev
Ph.D. Sr. Member of Technical Staff, Cisco IT
Bob Scarbrough
IT Program Manager, Cisco IT, (Host)


© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential


RAEX Agenda
End to end VPN model and TCO
End to End Security
End to End Connectivity
End to End Provisioning with Cisco Security Manager (CSM)
End to End Deployment with Cisco Security Manager (CSM)
End to End Management with Cisco Security Manager (CSM)

QOS, IP SLA and Lessons learned



Enterprise Class Teleworker (ECT)
VPN Technologies of Cisco.

Diagram: an IP Phone and a Cisco 8XX router in the home connect over Broadband Internet through an Encrypted VPN Tunnel to the VPN Head-end.

• Enterprise Class Services – encrypted data, IPT, video
• Full office replica: near office or equal office user
• ZTD, Automated, manageable TCO.

The Telecommunication industry transition and the broadband explosion.
• The industry's transition from permanent circuits to broadband connections is finally gaining speed.
• The lead times for permanent circuits for sales offices in the emerging markets continue to be between 3 months and 9 months. The pricing in some cases is a showstopper.
• The residential broadband offerings range from a typical 1.5 Mbps for DSL to 6 Mbps for Cable. Some providers offer FTTH to the home, and most of the ISP providers are expected to reach 15-25 Mbps on the access layers of their networks in the next 2 years.

The Telecommunication industry transition and the broadband explosion. (Contd.)
• Based on statistics provided by the OECD, published this year (Y2006), the number of broadband subscribers globally has increased 26%, from 157 million in December 2005 to 197 million in December 2006.
• The telecommuting lifestyle is expected to continue to grow, to up to 50 million people.
• Internet over broadband continues to be a hostile environment, as 70% of attacks come across the Internet.
• Telecommuting as a trend is not only about productivity and business resiliency. It is about adding another dimension of freedom for the employees to better balance their personal life and business.
SOURCE - Organization for Economic Co-operation and Development, www.oecd.org

The RAEX model is applicable for Telecommuter's office, Branch, SMB, Commercial networking
• Next Generation ECT provides the platform for Enterprise class services for home users and home offices. It addresses the needs of full time telecommuters, part time telecommuters and day extenders.
• Site to site VPN over broadband provides the framework for the next generation Site to site VPN. Point to point connections are no longer the only option for Branch to Branch connectivity.
• Business resiliency management. NG ECT is positioned as one of the major Cisco technologies for crisis management and business continuity management.
• Teleworker QoS (Enabling "Guaranteed Internet"). By partnering with ISPs, NG ECT will create a demand for differentiated services and will allow the ISPs to offer them to their customers on the Access Layer of their network.

NG ECT Solution: Cisco IOS-Based Site-to-Site VPN
• Enterprise, SMB or ISP models
• Spoke router in the home network has two or three VPN tunnels: two data and one mgmt
• Traffic is routed over the data tunnels in a failover model
• Management subnet is separate from the data subnet and can be geographically isolated
Diagram: Home Network – ISP / Internet – Primary Data Tunnel to Data GW#1, Secondary Data Tunnel to Data GW#2, Mgmt Tunnel to Mgmt GW; behind the gateways CSM 3.1, IE2100/CE 2.0, PKI Servers and PKI Registrar.

Cisco 870 Series Integrated Services Router
Diagram callouts:
• Dual, Removable Antennae
• WAN Port: 871 = 100 MB Ethernet; 876 = ADSL over ISDN; 877 = ADSL; 878 = G.SHDSL (4-wire)
• ISDN S/T Port (876 and 878 Only)
• 4-Port 10/100 Managed Switch
• Console Port/Virtual AUX Port; Reset; Security Cable Lock
• Memory: Flash Default 24 MB, Max 52 MB; DRAM Default 128 MB, Max 256 MB
• Trusted Pool 10.224.2.16/28; Non-trusted Pool 10.25.0.0/24

Cisco IT Deployment - NG ECT is the RAEX enabler.
• 11 pairs of Data Hubs, 5 Management Hubs. Expected number of users – 30,000+.
Map: Amsterdam, Tel Aviv, San Jose, Boxborough, RTP, Tokyo, Richardson, Bangalore, Hong Kong, Singapore, Sydney (legend: Management and Data Hub; Data Hub).

Site-to-Site VPN over Broadband
A Fully Integrated, Flexible and Secure Cisco Enterprise Branch Architecture extends Headquarter Applications in real-time to remote sites. It allows the secure ECT architecture to integrate the security with Unified Communications and Mobility solutions under the centralized management:
• It reduces provisioning lead times.
• It allows a jump start of the branch offices and faster penetration into emerging markets.
• It allows significant WAN cost and OPEX reduction.
• It reduces the dependency on the ISP.
Diagram: Corp Office (Corporate Resources Located in HQ) – WAN T1 / Internet – ADSL Access Router – LAN.

Enabling "Guaranteed Internet": The service is as good as its weakest link
Diagram (from TECRST-106, 11101_05_2005_c1, © 2005 Cisco Systems, Inc.): QoS reference points along the path Access – Network Edge – Core – Border. Elements: CPE and Branch Router; Managed CE and Unmanaged CE; DSLAM and BRAS (Broadband DSL); U-PE, PE-Agg and N-PE (L2VPN ATM/FR/Metro, L3VPN PE); P; PE-ASBR; CsC-CE and CsC-PE to and from another SP. For this traffic the QoS marking will be honored and/or the traffic will be contention free.

Communications Requirements for Business Resiliency Management
Communications Services | Solution Suite | Enabling Technologies
• Full Office Replication: UC and collaboration tools for key executives, decision makers and business critical resources | Cisco ECT | VPN, VoIP, Conferencing
• Voice & Data Connectivity | Cisco Anywhere Office
• Data Connectivity | Cisco Anywhere Office
• Best effort services

VPN solutions have evolved from business convenience to business critical.
• The first generation Enterprise Class Teleworker Solution for the Enterprise Environments built the remote network architecture and became a platform for the next generations. It provides not only VPN access over the public networks for the remote users, but adds Enterprise class quality for data, voice, wireless and video. ECT has proven to be a big cost saver for Cisco IT and Cisco customers. From the industry perspective, ECT-like managed security solutions are preferred over non-managed solutions due to their specifics and advantages.
• The Next generation ECT (part of RAEX) is making Service Oriented Architecture the next step up: building the service oriented network, enabling mobility and presence, Unified communications and Collaboration. Besides, NG ECT offers an IP SLA to Cisco users and metrics to assess the quality of the provided services.
• The future of RAEX will be about equal user experience, building new business models, deploying next generation services and Cisco gear.
Diagram: User Experience – Business Models – Network as a platform; from remote access solution to remote UC, from technology to service.

ECT Reduces TCO
Total Cost of Ownership (TCO) Is the Sum of Acquisition Costs, Plus All the Operational and Support Costs Over the Lifetime of an Asset (generally 3–5 Years). ROI Improves as TCO Decreases.
Chart: Return on investment (ROI) over Years 1–5 (Life Time of the Asset); cost split Acquisition Costs 20%, Operational Costs 35%, Management Costs 45%.
Maintain a Low TCO by Using:
• Lower costs of provisioning. IT 12-14 % savings for ZTD for CPE.
• Low cost of deployment.
• Lower costs of management
• Utilizing reusable components
• Automation of routine operations

NG ECT Solution: End to End VPN Model and TCO

NG ECT and End-to-End VPN Model and TCO (E2EVPN)
End-to-end security
• Device and User Authentication and anti-theft protection: Secure RSA Lock Key; Secure ARP-proxy; Auth-Proxy; AAA; IEEE 802.1X-AAA
• IOS-Based PKI: Certificate Server (CA&RA, Sub-CS modes); PKI-AAA Integration; Auto-enrolment; Multiple Trust Points
• Underlying security features: IPSec (3DES or AES); Stateful Firewall; NBAR and IDS
End-to-end connectivity
• DMVPN: Failover/Load-balancing/SLB; Dynamic routing; Full-mesh and partial-mesh topologies; Hub-to-spoke and spoke-to-spoke tunnels; Permanent and on-demand tunnels; mGRE, NHRP, IPSec, Transport and Tunnel modes; Multiple DMVPN clouds per head-end router; Resiliency
• Full support of IP applications: Data; VoIP; QoS; Wi-Fi; Video; Multicast; NAT; Firewall
End-to-end deployment
• Cisco CNS 2100 Series Intelligence Engine: CNS Configuration Engine; CNS Notification Engine; CNS Image management engine
• Automated Zero Touch Deployment (ZTD): Bootstrap Configuration and PKI certificates (SDP); Off-line (CSM CA Proxy); In-house (RA engineer); Automated user service application and entitlement; Automated configuration/preconfiguration and audit; Automated image management, re-deployment and audit
End-to-end management
• Ongoing Management: Cisco Security Manager (CSM); Cisco IE2100 based CNS Notification Engine; EMAN Framework Integration
• Automated policy deployment, monitoring and security management; DMVPN/IPSec; Automated control; Interactive/Automated decision making and service termination; Automated event log management

End-to-End IOS Layered Security
Feature | Benefit
• RSA Key Loss Due to Password Recovery | Guards against unauthorized configuration changes
• Secure RSA Private Key | Prevents VPN connection after theft
• Secure ARP | Anti-spoofing of IP addresses assigned to devices
• Authentication-Proxy | User-level authentication (layer 3)
• 802.1x | User-level authentication (layer 2)
• Cisco IOS PKI Support and PKI-AAA Integration | Secure, scalable solution enables quick addition and deletion of spoke routers utilizing existing AAA servers
• Cisco IOS Stateful Firewall (CBAC) | Maintains state info per application; will provide deep packet inspection and off-board URL filtering
• Cisco IOS IPS | Multiple signatures; will combine with CBAC to perform deep packet inspection with a single lookup
• Network Based Application Recognition (NBAR) | Addresses IP QoS classification requirements by classifying application-level protocols so that QoS policies can be applied

RSA Key Loss Due to Password Recovery
• If someone attempts password recovery on the router, the RSA private key is permanently deleted
• If the user tries to change the hostname of the router, the RSA private key will become unusable
The Router Cannot Establish a VPN Session Using the Installed Certificates After Password Recovery

Secure ARP
• When the spoke router assigns an IP address via DHCP, the entry is secured in the ARP table
• An intruder cannot just clear the ARP cache and use the IP address to gain access to the Cisco network
Secure ARP Is an Effective Anti-Spoofing Mechanism. However, the Best Approach for All Services Would Be to Require Device Certificates

Authentication Proxy
• Authentication proxy enables user authentication at layer 3 of the network stack; upon successful authentication, an access list is downloaded to the router from the AAA RADIUS servers to enforce corporate access policies
• Authentication proxy can be implemented as a mechanism to prevent non-authorized users from accessing the corporate network: the user must authenticate in order to gain intranet access from laptops, workstations, and PCs.
• User access to different areas of an intranet can be controlled via the group info on the RADIUS server, or can be combined with NAC or user identity management systems

IEEE port authentication - 802.1x
• IEEE 802.1x provides layer 2 port authentication of devices
• 2 VLANs on the spoke router: Trusted (corporate routable) VLAN and Non-trusted (home) VLAN. Devices that pass 802.1x authentication are assigned to the trusted VLAN
• 802.1x simplifies router configuration vs. authentication proxy
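The three spoke-side controls of the preceding slides (Secure ARP, authentication proxy and 802.1x VLAN assignment) as one added Cisco IOS configuration example; this is not configuration from the deck or from Cisco IT. Interface names, VLAN numbers, address pools, the RADIUS server address and the placeholder key are assumed, and the 802.1x commands follow the IOS 12.4 switchport syntax for the 870's integrated switch.

```ios
! Added example, not from the deck. Spoke-side layered access control on an
! ECT 870-class router; all names, addresses and VLAN numbers are assumed.
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
radius-server host 10.0.0.10 key RADIUS-KEY-PLACEHOLDER
ip http server
ip http authentication aaa
!
! 1) Secure ARP: every DHCP lease installs an authorized ARP entry, so a host
!    that clears its ARP state or spoofs a leased address is not answered.
ip dhcp excluded-address 10.224.2.17
ip dhcp pool TRUSTED
 network 10.224.2.16 255.255.255.240
 default-router 10.224.2.17
 dns-server 10.0.0.53
 update arp
!
! 2) 802.1x at layer 2: authenticated devices land in the trusted VLAN,
!    everything else (the home PCs) in the non-trusted guest VLAN.
dot1x system-auth-control
interface FastEthernet0
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 20
interface FastEthernet1
 switchport access vlan 20
!
! 3) Authentication proxy at layer 3 on the trusted VLAN: the first HTTP
!    request is intercepted, the user authenticates against RADIUS, and the
!    per-user ACL returned by RADIUS is inserted ahead of TRUSTED-IN.
ip auth-proxy name ECT-PROXY http inactivity-time 60
ip access-list extended TRUSTED-IN
 permit udp any any eq bootps
 permit udp any host 10.0.0.53 eq domain
 deny ip any any
!
interface Vlan10
 description Trusted (corporate routable) VLAN
 ip address 10.224.2.17 255.255.255.240
 arp authorized
 ip access-group TRUSTED-IN in
 ip auth-proxy ECT-PROXY
interface Vlan20
 description Non-trusted (home) VLAN - Internet only, never the tunnels
 ip address 10.25.0.1 255.255.255.0
```

The order of the three layers matters: 802.1x decides which VLAN a device lands in, Secure ARP ties the leased address to the device that obtained it, and the auth-proxy ACL on the trusted VLAN stays at `deny ip any any` until RADIUS returns the user's entries, so an unauthenticated host on the trusted VLAN gets DHCP and DNS and nothing else.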

Cisco IOS Certificate Server PKI-AAA Integration
• The Cisco IOS PKI solution provides the necessary encryption, confidentiality and non-repudiation feature set and addresses the man-in-the-middle (MIM) attack.
• IOS-CS supports CA, RA, and subCS server modes.
• It supports exportable and non-exportable keys, full backup, restore, and auto-enroll
• IOS-CS permits storage of certificates on external databases or on local flash
• Cisco IOS PKI-AAA integration eliminates the need to manage CRLs, which significantly simplifies the management of the existing ECT environment.
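An added Cisco IOS example (not from the deck) of the two halves the slide describes: an IOS certificate server on the hub side, and a spoke trustpoint that authorizes peers through AAA rather than a CRL. Hostnames, addresses, key sizes and the RADIUS placeholder key are assumed.

```ios
! Added example, not from the deck. Names, addresses and lifetimes assumed.
!
! --- Hub side: IOS certificate server in CA mode ---
ip http server
crypto pki server ECT-CA
 database level complete
 database url flash:
 issuer-name CN=ECT-CA,O=Example
 lifetime certificate 365
 lifetime ca-certificate 1825
 grant auto
 no shutdown
!
! --- Spoke side: trustpoint with PKI-AAA authorization ---
aaa new-model
aaa authorization network PKI-AAA group radius
radius-server host 10.0.0.10 key RADIUS-KEY-PLACEHOLDER
!
crypto pki trustpoint ECT-CA
 enrollment url http://10.0.0.5:80
 subject-name CN=ect-spoke-0001.example.com
 rsakeypair ECT-KEY 2048
 ! No CRL download: a peer is accepted only if RADIUS has an account for
 ! the CN of its certificate, so revoking a stolen router means deleting
 ! its AAA entry rather than republishing a CRL.
 revocation-check none
 authorization list PKI-AAA
 authorization username subjectname commonname
 ! Re-enrol automatically at 70% of the certificate lifetime
 auto-enroll 70
```

With `authorization username subjectname commonname` the router sends the certificate's CN as the RADIUS username, and the AAA server answers with a `cisco-avpair` of `pki:cert-application=all` for routers that are still entitled; an account that has been removed makes the IKE authentication fail even though the certificate itself is still valid.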

Cisco IOS Firewall Features
• Cisco IOS provides a stateful firewall and CBAC (Context-Based Access Control)
• The firewall ACL will block any non-authorized inbound access attempts (from the Internet)
• CBAC will temporarily open the application-associated ports for the return traffic if the connection was initiated from the inside. Upon expiration of the default timeouts, and if there is no more interesting traffic, these ports will be closed.
• Apart from standard TCP and UDP, CBAC also supports protocols like SIP, SCCP, SMTP, FTP, and more
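An added Cisco IOS example (not from the deck) of the inbound ACL plus CBAC inspection described above, on the spoke's Internet-facing interface. The interface name, the router's public address and the idle timers are assumed.

```ios
! Added example, not from the deck. Interface, addresses and timers assumed.
!
! Inspection rule: sessions initiated from the inside create temporary
! return-path entries; application-aware inspection follows the secondary
! channels of FTP, SIP and SCCP (skinny) instead of opening them statically.
ip inspect name ECT-FW tcp
ip inspect name ECT-FW udp
ip inspect name ECT-FW icmp
ip inspect name ECT-FW ftp
ip inspect name ECT-FW smtp
ip inspect name ECT-FW sip
ip inspect name ECT-FW skinny
! The openings close when these idle timers expire without traffic
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! The static inbound ACL: only the VPN control and data protocols addressed
! to the router itself are permitted; the dynamic CBAC entries are inserted
! ahead of it for the return traffic of inside-initiated sessions.
ip access-list extended OUTSIDE-IN
 remark ISAKMP, NAT-T, ESP and GRE for the DMVPN tunnels
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq non500-isakmp
 permit esp any host 198.51.100.2
 permit gre any host 198.51.100.2
 remark everything else inbound from the Internet is dropped and logged
 deny ip any any log
!
interface FastEthernet4
 description WAN - Broadband Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect ECT-FW out
```

`show ip inspect sessions` lists the sessions currently holding a return-path opening, which is the quickest way to confirm that a port seen open from outside is tied to an inside-initiated connection rather than to a gap in OUTSIDE-IN.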

Network Based Application Recognition (NBAR)
• NBAR is an intelligent classification engine that recognizes applications, including Web-based and client/server applications which dynamically assign TCP or UDP port numbers, allowing the network to apply appropriate QoS controls.
• Mission critical applications can be guaranteed bandwidth.
• Improves VPN performance by identifying mission-critical traffic before it is encrypted.
• In NG ECT, NBAR is used to match and remark the time sensitive traffic (IPT, video, IPC) at the ingress interface and to queue and prioritize the traffic based on this marking. In this way NG ECT changes the status of this traffic from non-trusted to trusted and allows the time sensitive applications to be routed in the corporate network in a cohesive way with other time sensitive traffic.
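An added Cisco IOS example (not from the deck or Cisco IT's configuration) of the ingress classify-and-remark step the slide describes, followed by the egress queuing that acts on the marks. It generalizes to the four service classes of the deck's QoS slide (real-time, business-critical, best effort, scavenger); class names, interfaces, hostnames and bandwidth figures are assumed.

```ios
! Added example, not from the deck. Class names, interfaces and the uplink
! rate are assumed.
!
! --- LAN ingress: classify by recognised protocol, never by the DSCP the
!     home host chose, then overwrite the mark.
class-map match-any NBAR-VOICE
 match protocol rtp audio
class-map match-any NBAR-CALL-SIGNALING
 match protocol skinny
 match protocol sip
class-map match-any NBAR-VIDEO
 match protocol rtp video
class-map match-any NBAR-BUSINESS
 match protocol http host "*.example.com"
 match protocol citrix
class-map match-any NBAR-SCAVENGER
 match protocol bittorrent
!
policy-map ECT-INGRESS-MARK
 class NBAR-VOICE
  set dscp ef
 class NBAR-CALL-SIGNALING
  set dscp cs3
 class NBAR-VIDEO
  set dscp af41
 class NBAR-BUSINESS
  set dscp af21
 class NBAR-SCAVENGER
  set dscp cs1
 class class-default
  set dscp default
!
interface Vlan10
 service-policy input ECT-INGRESS-MARK
!
! --- WAN egress: queue on the DSCP set above. IPsec copies the inner DSCP
!     to the ESP header, so no classification is needed after encryption.
class-map match-any DSCP-REALTIME
 match dscp ef
 match dscp af41
class-map match-any DSCP-SIGNALING
 match dscp cs3
class-map match-any DSCP-BUSINESS
 match dscp af21
class-map match-any DSCP-SCAVENGER
 match dscp cs1
!
policy-map ECT-EGRESS-QUEUE
 class DSCP-REALTIME
  priority percent 33
 class DSCP-SIGNALING
  bandwidth percent 5
 class DSCP-BUSINESS
  bandwidth percent 25
  random-detect dscp-based
 class DSCP-SCAVENGER
  bandwidth percent 1
 class class-default
  fair-queue
!
! Shape to the broadband upload rate so the queues above actually engage
policy-map ECT-WAN-SHAPE
 class class-default
  shape average 768000
  service-policy ECT-EGRESS-QUEUE
!
interface FastEthernet4
 service-policy output ECT-WAN-SHAPE
```

The ingress policy is what turns "non-trusted" into "trusted" in the slide's sense: a host in the home cannot promote its own traffic by pre-marking it EF, because class-default rewrites anything NBAR did not recognise to DSCP 0. `show policy-map interface Vlan10` shows per-class match counters, which is the check that the classifier is actually seeing the phone's RTP.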

NG ECT Solution: End-to-End Connectivity

End-to-End Connectivity
Feature | Benefit
• DMVPN Fundamentals | Dynamic Multipoint VPN based upon IPSec, NHRP, and Multipoint GRE
• Routing with DMVPN | Routing protocols in the DMVPN cloud provide responsive failover
• DMVPN Key Differentiators | Simplifies configurations, separates management and data traffic paths and builds on-demand full or partially meshed networks
• Server Load Balancing (SLB) Overall design | The next generation DMVPN networks
• DMVPN and SLB design | Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two separate designs.
• SLB DMVPN – Key Advantages | SLB is much easier to configure and support, scales higher, provides a higher tunnel creation rate, and better redundancy.

DMVPN Fundamentals
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS-based solution which integrates the Cisco VPN solutions with the Cisco dynamic protocols framework.
• Failover/Load-balancing/SLB
• Dynamic routing
• Full-mesh and partial-mesh topologies
• Hub-to-spoke and spoke-to-spoke tunnels
• Permanent and on-demand tunnels
• DMVPN is built on:
  - Next Hop Resolution Protocol (NHRP): the hub maintains an NHRP database of all the spokes' routable (public interface) addresses. Each spoke registers its routable address with the NHRP server (hub) after successful negotiation of the IPSec tunnel. Spokes query the NHRP database for the routable addresses of destination spokes to build direct tunnels.
  - IPSec (RFC 2401)
  - Multipoint GRE tunnel interface: allows a GRE interface to support multiple IPSec tunnels; simplifies the size and complexity of the configuration

Standard DMVPN Design
Diagram: Corporate network – Corp. FWs – DMVPN hubs – Spokes.

DMVPN: Key Differentiators
• DMVPN uses crypto profiles and tunnel protection; this frees the physical interface from a crypto map
• Management is performed over a separate VPN tunnel independent of the primary DMVPN data tunnels
• DMVPN allows for dynamic registration of spokes: one tunnel interface on the hub side supports a single DMVPN cloud; eliminates static point-to-point configurations; reduces the complexity of the hub configuration
• DMVPN provides dynamic full and partial mesh capability: provides improved support for applications such as voice and video
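An added Cisco IOS example (not from the deck or Cisco IT) that puts the DMVPN Fundamentals and Key Differentiators slides into configuration: an mGRE hub with NHRP, a spoke with a data tunnel and a separate management tunnel as two distinct DMVPN clouds, tunnel protection instead of a crypto map on the WAN interface, and a routing protocol over the clouds. All addresses, interface names, tunnel keys and NHRP strings are assumed; the spoke's secondary data tunnel to GW2 follows the same pattern as Tunnel0 with the other hub's addresses.

```ios
! Added example, not from the deck. Addresses, names and keys assumed.
!
! --- Common crypto on hub and spoke (certificates from the PKI slides) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2
crypto ipsec transform-set ECT-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile ECT-PROF
 set transform-set ECT-TS
!
! --- Hub (Data GW1), public address 198.51.100.10 ---
interface Tunnel0
 description DMVPN data cloud
 ip address 10.100.0.1 255.255.0.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP-KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ! let the hub re-advertise spoke routes with the spoke as next hop,
 ! which is what lets spokes build direct spoke-to-spoke tunnels
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-PROF
!
! --- Spoke: the WAN interface carries no crypto map; each cloud is a
!     tunnel interface with its own key and NHRP network-id ---
interface Tunnel0
 description Primary data tunnel to GW1
 ip address 10.100.1.5 255.255.0.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRP-KEY
 ip nhrp map 10.100.0.1 198.51.100.10
 ip nhrp map multicast 198.51.100.10
 ip nhrp network-id 100
 ip nhrp nhs 10.100.0.1
 ip nhrp holdtime 600
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-PROF shared
!
interface Tunnel2
 description Management tunnel to the Mgmt GW (separate cloud)
 ip address 10.200.1.5 255.255.0.0
 ip nhrp authentication MGMT-KEY
 ip nhrp map 10.200.0.1 203.0.113.10
 ip nhrp map multicast 203.0.113.10
 ip nhrp network-id 200
 ip nhrp nhs 10.200.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile ECT-PROF shared
!
! Routing over both clouds; losing neighbors on Tunnel0 is what triggers
! failover to the secondary data tunnel
router eigrp 100
 network 10.100.0.0 0.0.255.255
 network 10.200.0.0 0.0.255.255
 no auto-summary
```

The `shared` keyword is required when two tunnel interfaces use the same source address and the same IPsec profile; the distinct `tunnel key` values let the hub and spoke tell the clouds apart. On the spoke, `show ip nhrp` after registration should show the hub's mapping as static and, once traffic flows to another spoke, that spoke's public address as a dynamic entry learned from the hub.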

Server Load Balancing (SLB) Overall design
Diagram: Corporate network – Aggregation router (aggregates user tunnels) – Server Load Balancer (SLB balances connections; owns the virtual IP address) – Hubs (cluster of DMVPN hubs) – GRE/IPsec tunnels, IGP + NHRP – Spokes.

DMVPN and SLB design
• Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two different ways:
• Design one – DMVPN High concentration hub: typically a Cisco 7600 Series router or Cat65K acts as the primary tunnel termination hub and performs the encryption and decryption functions. A farm of 7200 Series routers is associated with the IPSec termination device and handles all tasks related to Next-Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (mGRE).
• Design two – DMVPN IOS SLB hub: the front device, typically a Cisco 7200 or Cisco 7600 Series router, performs the role of Load Balancer. A farm of 7200 Series routers is associated with the load balancer and handles all the tasks related to NHRP, mGRE and IPSec encryption/decryption.
• Both design solutions have their advantages and disadvantages, and based on the existing documentation and lessons learned, the SLB design provides the following advanced enhancements for DMVPN:

SLB DMVPN – Key Advantages
• SLB is much easier to configure and support, since the configuration of the peer tunnel IP is always the same no matter how large the deployment is. The peer IPSec IP (the termination device's tunnel IP) acts as a cluster IP and does not change due to design or scalability considerations.
• SLB scales higher, since the EIGRP-based scalability restrictions are mitigated and the number of tunnels is virtually limitless.
• SLB provides a higher tunnel creation rate, recovers faster when a cluster node becomes unavailable and provides spoke to spoke functionality as the standard DMVPN does.

SLB DMVPN – Key Advantages (Contd.)
• SLB provides better redundancy. The standard DMVPN design provides redundancy in pairs – the dual tunnel, single layout design (from CPE) actually terminates the CPE to two separate SDGs, which are not geographically co-located. In that case, the number of the primary hubs is actually equal to the number of the backup hubs and the total number is 2N. Everything equal, in SLB, if we assume the same number of CPEs per Hub (pair of hubs), the number of Hubs in the SLB design should be N+2 (assuming a dual SLB head end design).
• The SLB design can provide a fully redundant solution, where in the dual SLB design the CPE can connect to a pair of farm hubs located in another part of the same campus, maintaining active-active status of the crypto tunnel connections. In other words, in its extreme the solution can allow the CPE to fail over to another hub, or the SLB pair to fail over to another pair of hubs located in another geographical location.
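An added Cisco IOS example (not from the deck or Cisco IT) of the "design two" head end: an IOS SLB front device that owns the virtual IP every spoke peers with, with the ISAKMP, NAT-T and ESP flows of one spoke held on the same farm hub by a shared sticky group, and the farm-hub side that makes the cluster IP its tunnel source. Addresses and names are assumed; the IOS SLB virtual-server keywords used here are the ones the IOS SLB feature documents for IPsec and should be confirmed against the release deployed.

```ios
! Added example, not from the deck. Addresses and names assumed.
!
! --- Front device: IOS SLB in dispatched mode ---
ip slb serverfarm DMVPN-HUBS
 real 10.10.10.1
  inservice
 real 10.10.10.2
  inservice
 real 10.10.10.3
  inservice
!
! One virtual server per IPsec flow type, all on the same cluster IP and
! the same sticky group, so a spoke's IKE, NAT-T and ESP never split
! across two farm hubs.
ip slb vserver DMVPN-IKE
 virtual 198.51.100.10 udp isakmp
 serverfarm DMVPN-HUBS
 sticky 3600 group 10
 inservice
ip slb vserver DMVPN-NATT
 virtual 198.51.100.10 udp 4500
 serverfarm DMVPN-HUBS
 sticky 3600 group 10
 inservice
ip slb vserver DMVPN-ESP
 virtual 198.51.100.10 esp
 serverfarm DMVPN-HUBS
 sticky 3600 group 10
 inservice
!
! --- Each farm hub (7200): identical tunnel configuration ---
! Dispatched mode forwards by MAC, so the real must own the cluster IP
! itself; sourcing the tunnel from it means every spoke sees the same peer
! whichever hub it is placed on, which is the "peer IP never changes"
! property of the slides.
interface Loopback0
 ip address 198.51.100.10 255.255.255.255
interface Tunnel0
 ip address 10.100.0.1 255.255.0.0
 ip nhrp authentication NHRP-KEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-PROF
```

`show ip slb sticky` and `show ip slb conns` show which farm hub each spoke's address is pinned to; a spoke whose ESP appears on a different real than its ISAKMP is the symptom of a missing or mismatched sticky group, and the sticky duration should exceed the IKE SA lifetime so rekeys stay on the same hub.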

NG ECT Solution and Low TCO – End-to-End Provisioning with Cisco Security Manager

Cisco Security Manager
• CSM Manages Devices: PIX Firewall, ASA, FWSM and Cisco IOS routers
• It manages transport mechanisms, such as SSL, HTTPS, HTTP, Telnet, TMS and Cisco Networking Services (CNS) working with CE 2.0.
• CSM Manages Firewalls. Firewall Services manages firewall-related policies in Security Manager that apply to the adaptive security appliance (ASA), PIX Firewall (PIX), Firewall Services Module (FWSM) installed in a Catalyst 6500/7600 device, and security routers running Cisco IOS (IOS).
• It manages Site to Site VPNs, Remote Access VPNs, SSL VPNs and Easy VPNs.
• CSM Manages Policies, activities and objects.

Cisco Security Manager (Contd.)
• It manages Intrusion Prevention System (IPS).
• Supports an open XML/SOAP interface and NB APIs enabling integration with the existing enterprise management framework
• Supports fully managed service functionality to notify the administrators of non-CSM initiated configuration changes
• CSM manages provisioning, manages deployment and manages FlexConfigs.

Configuring CSM - The Sample Device and the Security Policies
• Create a sample device.

Configuring CSM - The sample device and the security policies
• Create a sample device.
• Configure the FW policies: AAA Access Rules; Access Control; Access Rules; AuthProxy; Inspection Rules; Inspection
• Site to Site VPN – Large scale DMVPN; SLB config
• Quality Of Service
• Configure NAT – flex config based
Callouts: Start with single device; Assign policies; Define the policies as shared or local

Configuring CSM - The sample device and the flex configs
• Create a sample device.
• Attach 871 prepend config(s)
• Attach BASIC append config(s)
• Attach WIFI append config(s)
• Attach IPT append config(s)
• Attach VIDEO append config(s)
• Attach 871 append config(s)
Callouts: Start with single device; Attach prepend and append flex configs, based on expected granularity

Cisco Security Manager 3.1 SLB Hub configuration
• Configure a Hub device
• Configure SLB device and interfaces.
• Create Hub and Spoke VPN
• Edit Hub and Spoke.
• Select devices for SLB

User Request for NG ECT Service

Eleven Steps to Provision and Deploy a Remote Router
• User submits the NG ECT request (changing/saving/etc) – REQUESTED STATE
• Mgr approval triggers the processes – APPROVED STATE
• EMAN creates an ACS account on the ACS server as part of the PKI&AAA config.
• EMAN Address Management: AM agent assigns a /28 to every user.
• EMAN Host Management: Host record is created in EMAN for monitoring/tracking

Eleven Steps to Provision and Deploy a Remote Router (Cont…)
• EMAN Address Management: AM agent assigns a /32 ip address for the tunnel interface.
• EMAN Template Management – the device is associated with the predefined set of templates.
• TFTP IP address supplied by EMAN out of TNM.
• CS-M cloning (6 sub-steps within the CS-M)
• CNS configuration staged
• SDM/SDP process - configuration downloaded to the CPE router & the state changes to OPERATIONAL

Cisco IT Implementation – CSM Integration using APIs.

Cisco Security Manager 3.1: 6 Easy CPE Provisioning Steps
• Clone a device from SAMPLESJC-871-ONE
• Set device properties – Transport protocol
• Set device properties – Interface roles
• Set device properties – Set Networks/Hosts
• Set device properties – Set Text Objects
• Edit QoS policy
• Submit and Deploy

NG ECT Solution and Low TCO – End-to-End Deployment with Cisco Security Manager

Conventional Deployment of Spoke Routers
• In-house, router configured by IT
• Outsource to 3rd party, router configured at staging facility
• Outsource to ISP, router configured at staging facility or on-site
All Three Methods Add Excessive Cost to the Deployment Process!

NG ECT Offers Four Deployment Options
• Zero Touch Deployment: the user is responsible for configuring the router for Internet access and running SDP (Secure Device Provisioning); policy configurations are pushed over the CNS transport mechanism
• On-line (Cert-Proxy): allows an engineer to configure the router remotely
• E-Token Based Secure Device Provisioning: allows an engineer to configure the router remotely
• Off-line: special cases/configurations and pilot environments
• Regardless of the deployment option, the spoke router provisioning process is automated to minimize TCO

ECT CPE ZTD Deployment
• Spoke router performs SDP and obtains keys and certificates, "calls home" and sends a CNS "connect" event to the CE Engine.
• Management GW authenticates the spoke router using PKI-AAA integration
• Spoke router establishes the mgmt tunnel.
• CE pushes & audits policy over the management tunnel
• Spoke router establishes a VPN tunnel w/Data GW1 and gains access to corporate resources
• VPN tunnel established w/Data GW2 stays active for failover.
VoIP: Phase 2. WLAN: Phase 3.
Diagram: Internet – Management Tunnel to Management GW, Primary Data Tunnel to Data GW1, Secondary Data Tunnel to Data GW2 – Internal Network with CS-M and CE 2.0; Access to Corporate Resources.

ECT Architecture-Today-Auth Proxy
• Today the ECT solution uses 'Auth Proxy' to authorize PCs to corporate resources
• Auth Proxy uses a userid and Active Directory (AD) password through a browser
• Once the user has successfully authenticated, corporate resources (email, IM, etc) can be accessed
• If the authorization is not successful, the PC can still access the internet
Diagram: the same tunnels and gateways as the ZTD slide, with the Auth Proxy on the spoke ("Spouse and Kids?") in front of Access to Corporate Resources.

ROI, TCO and ZTD Cumulative Cost Savings

The User's Experience
I wanted to let you know my first hand experience with my new ECT router and getting it set up. My last ECT router was shipped to me with a very large book on how to configure it. I dreaded the process. The new router sat in a box next to my desk for about 4 days because I was planning to dedicate a full weekend to the process of hooking it up and getting it configured. Well, much to my surprise, the router was set up to be configured and connecting to the site for configuration was easy. The instructions on the Web and the printed material were easy for a nontechnical person to understand. I hooked everything up (including my home equipment) and had the new router configured in 15 minutes! Let me repeat that. 15 minutes. Voila! 15 minutes later I am back in business. It even amazes me that I was able to do it without hassle. Now back to work!!!!! But from home!!!!!
Sincerely yours,
Pat Moore, Mgr. Workplace Resources

NG ECT Solution and Low TCO – End-to-End Management with Cisco Security Manager

TCO and Lower Costs of Management / TCO and Utilizing Reusable Components
• Integration of CSM and CNS-CE into EMAN
• Monitoring – EMAN based
• Analyzing / Grouping – static and dynamic groups. Example - push/pull policies and ACLs.
• Automated Decision making
• Automated Deployment options: EMAN/CSM/CE based.
  - Regular deployments – once per 24 hours. Example - over night password management.
  - Scheduled deployments
  - Event-triggered deployments
  - Rapid deployments
• IOS management is based on EMAN/CNS-CE functionality

TCO and Automation of routine operations
MAJOR AUTOMATION WINS
• Migration from one device/platform to another.
• Connection Type change
• Upload speed change – UP or DOWN.
• Service MOVE from one location to another.

ISC to CS-M Migration. Platform A to Platform B Migration

ZTD IPT Deployment (HOME)

ZTD of IPT for Remote Access
• User applies for the IPT service as part of their ECT service and upon approval orders their IP Phone or installs IP Communicator (IPC); an additional instance of a phone is configured for the employee's Dialed Number (DN) on the C isco Call Manager (CM)
• IPT device is shipped from the factory.
• ECT router is successfully configured and has established data tunnels; user connects the IPT device to the ECT router
• When the IPT connects to the fully functional ECT router, the universal loader will be loaded to the IPT and the IPT will boot and obtain an IP.


ZTD of IPT for Remote Access (Contd.)

5. The CCM registers the MAC address of the IPT and assigns a random DN to the phone, which appears on the IPT's screen.
6. The user opens the URL application on the phone to connect to a server, is prompted for credentials, and is authenticated.
7. Upon successful authentication the user enters the random DN shown on the IPT's screen.
8. The backend script replaces the random DN with the DN previously assigned to the user. The IPT obtains the associated profile from the TFTP server and connects and registers with the CCM.
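The claim step above (random DN shown on the phone, user authenticates, backend swaps in the user's own DN) modelled end to end, as an added example that is not Cisco IT's backend script. The CallManager stand-in, the user names, passwords and DNs are constructed assumptions; the point it makes explicit is that only a provisional DN still showing on an unclaimed phone may be claimed, so an authenticated user cannot rebind a colleague's phone by typing that colleague's permanent DN.

```python
"""Model of the ZTD phone-claim step: a fresh IP phone registers with a random
(provisional) DN, the user authenticates through the phone's URL application and
types that DN, and the backend swaps it for the user's pre-assigned DN.

Added example, not Cisco IT's script. The CallManager stand-in, the users,
passwords and DNs below are constructed assumptions."""
import hashlib
import hmac
import secrets

# Constructed: DN reserved on the CM when the user's IPT order was approved.
ASSIGNED_DN = {"pmoore": "85551234", "jdoe": "85555678"}

# Constructed credential store for the URL application (salted hashes).
_SALT = b"example-salt"
USER_PW_HASH = {
    "pmoore": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
    "jdoe": hashlib.sha256(_SALT + b"battery staple").hexdigest(),
}


class CallManager:
    """Toy stand-in for the CCM registry: MAC -> DN currently on the phone."""

    def __init__(self):
        self.phones = {}          # mac -> dn shown on that phone
        self.provisional = set()  # random DNs handed out at first boot

    def register_new_phone(self, mac):
        """First boot: the phone is registered under a random, unclaimed DN."""
        while True:
            dn = "9" + "".join(str(secrets.randbelow(10)) for _ in range(7))
            if dn not in self.provisional and dn not in ASSIGNED_DN.values():
                break
        self.phones[mac] = dn
        self.provisional.add(dn)
        return dn

    def profile_for(self, mac):
        """What the TFTP profile for this phone would carry after the claim."""
        return {"mac": mac, "dn": self.phones[mac]}


def authenticate(user, password):
    """Constant-time comparison against the stored hash."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return user in USER_PW_HASH and hmac.compare_digest(digest, USER_PW_HASH[user])


def claim_phone(cm, user, password, typed_dn):
    """Backend script: rebind the phone showing typed_dn to the user's own DN.

    Returns (ok, message). Only a provisional DN still showing on an unclaimed
    phone can be claimed, so typing a colleague's permanent DN rebinds nothing.
    """
    if not authenticate(user, password):
        return False, "authentication failed"
    if user not in ASSIGNED_DN:
        return False, "no IPT service approved for this user"
    if typed_dn not in cm.provisional:
        return False, "DN is not a provisional DN on an unclaimed phone"
    if ASSIGNED_DN[user] in cm.phones.values():
        # A second phone for the same DN is a deliberate re-deployment, not ZTD.
        return False, "assigned DN is already registered on another phone"
    mac = next(m for m, dn in cm.phones.items() if dn == typed_dn)
    cm.phones[mac] = ASSIGNED_DN[user]
    cm.provisional.discard(typed_dn)
    return True, f"{mac} registered as DN {ASSIGNED_DN[user]}"


if __name__ == "__main__":
    cm = CallManager()
    random_dn = cm.register_new_phone("001122334455")  # shown on the phone screen
    print(claim_phone(cm, "pmoore", "correct horse", random_dn))
    print(cm.profile_for("001122334455"))
```

The random DN is deliberately only a lookup key: authorization comes from the user's credentials and from the DN the order process already reserved, never from what the user types.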


Service Oriented Architecture over VPN. QoS, IP SLA and Lessons Learned

QoS and Minimum SLA Requirements
• Applications with similar QoS requirements are grouped into a service (traffic) class (e.g. Voice and Interactive Video as real-time).
• Service classes have separate loss, latency and jitter requirements:
  – Time Sensitive class: Voice, Interactive Video
  – Business critical class: Oracle, SAP, WebEx, MeetingPlace
  – Best effort: Internet access, file transfer
  – Scavenger class: TLM and Streaming video
• Every map class is later associated with a separate policy.

[Table: minimum SLA attributes (Loss, Delay, Jitter, Availability, Contracted BW (cBW)) per class (Real Time, Business, BE), measured PoP-to-PoP and End-to-End; the per-cell checkmarks of the matrix are not recoverable.]

IP SLA Metrics
Minimum SLA attributes related to QoS:
• Latency (Delay)
• Packet Loss
• Delay Variation (Jitter)
• Contracted Bandwidth
• Throughput
Other SLA attributes related to QoS:
• Availability
• Mean Time to Repair (MTTR)
• Mean Time Between Failure (MTBF)
• Per-Flow Packet Sequence Preservation
• Admission Control Criteria
• Contention Ratio
• ISP-supported QoS at the edge
• SLA measurement/reporting tools: measurement points, methodology, reporting methodology (web, e-mail), reporting interval, report contents, failure criteria and penalty clauses

IP SLA Requirements for IPT@Home and Interactive Video@Home
• Loss should be no more than one percent.
• One-way latency should be no more than 150 ms.
• Jitter should be no more than 30 ms.
• Voice (bearer) traffic should be classified as EF, or marked with TOS=5.
• Call signaling traffic should be marked as AF31/CS3.
• The codec type should not be a factor when configuring IPT for Home: jitter and out-of-order packets cause more audio signal damage with G.729 than with G.711.
• Interactive video traffic should be classified as AF41 or marked with TOS=4/TOS=2.
• The minimum priority bandwidth guarantee (LLQ) or CBWFQ is the size of the video conferencing session plus 20 percent. (For example, a single 384 kbps video conferencing session requires 460 kbps of guaranteed priority bandwidth.)

Other QoS and IP SLA Requirements
• Streaming video (whether unicast or multicast) should be marked CS3. Loss should be no more than 2 percent; latency should be no more than 4–5 seconds (depending on the video application's buffering capabilities). There are no significant jitter requirements.
• Locally-Defined Mission-Critical class: transactional and interactive applications with a high business priority.
  – Transactional/Interactive: client-server applications and messaging applications. The Transactional/Interactive class is a combination of two similar types of applications: transactional client-server applications and interactive-messaging applications.
  – Bulk/Non-Interactive: large file transfers, network backups, video content distribution, database syncs and replication, e-mail, and NFS. Bulk applications can dynamically take advantage of unused bandwidth and thus speed up their operations during non-peak periods.
• Best-Effort: it is recommended that at least 25 percent of a WAN link's bandwidth be reserved for the default Best Effort class.
• Routing and Network Management class: an optional class of service that includes a minimal bandwidth queue for routing and other network control applications, such as SNMP, Syslog, NTP, EIGRP, and ISAKMP.
• Scavenger class: "less-than Best-Effort" service for certain applications.

IP SLA Probe Types
(Diagram; probe names grouped by the headings shown on it.)
• QoS-aware Voice/Video/VPN: Jitter, Path Jitter, UDP Echo, Echo, Path Echo
• Network Response / Web Traffic: TCP Connect, HTTP
• Network and Application Services: DNS, DHCP
• Server Traffic: FTP, LDAP, Radius and POP
• Layer 2 Services: Frame Relay, ATM, DLSw
• Applications (Beta): Netmeeting, Real Player, eMail, Notes, SAP, News
• Custom TCL

IP SLA Statistics – Example

  rcdn-user-871#show ip sla status
  Round Trip Time (RTT) for Index 10
    Latest RTT: 13 milliseconds
    Latest operation start time: 19:27:34.837 PDT Sun Oct 7 2007
    Latest operation return code: OK
  RTT Values:
    Number Of RTT: 1000
    RTT Min/Avg/Max: 10/13/26 milliseconds
  Latency one-way time:
    Number of Latency one-way Samples: 1000
    Source to Destination Latency one way Min/Avg/Max: 1/2/14 milliseconds
    Destination to Source Latency one way Min/Avg/Max: 9/11/17 milliseconds
  Jitter:
    Number of Jitter Samples: 999
    Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds
    Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds
  Packet Loss Values:
    Loss Source to Destination: 0
    Loss Destination to Source: 0
    Out Of Sequence: 0   Tail Drop: 0   Packet Late Arrival: 0
  Voice Score Values:
    Calculated Planning Impairment Factor (ICPIF): 1
    Mean Opinion Score (MOS): 4.34

Note: the one-way latency figures are only meaningful when the source router and the IP SLA responder have synchronized clocks (NTP); a sanity check is that the two one-way averages add up to roughly the RTT average (2 + 11 ≈ 13 ms here).
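The SLA figures above are only useful if something compares them with the IPT@Home / Video@Home targets from the requirements slide (loss ≤ 1%, one-way latency ≤ 150 ms, jitter ≤ 30 ms). The following is an added example, not from the slides or from Cisco IT: it parses output in the format of the show command above, scores it against those thresholds, and also carries the two small calculations from the requirements slide (LLQ guarantee = session + 20%, and the IP precedence / "TOS=" value implied by a DSCP name). The embedded output is constructed to match the slide's example.

```python
"""Check IP SLA UDP-jitter results against the IPT@Home / Video@Home targets.

Added example; not from the slides or Cisco IT. SAMPLE is constructed to match
the format of the 871's show output; thresholds are from the requirements slide."""
import re

MAX_LOSS_PCT = 1.0      # loss no more than one percent
MAX_ONE_WAY_MS = 150    # one-way latency no more than 150 ms
MAX_JITTER_MS = 30      # jitter no more than 30 ms

SAMPLE = """\
Round Trip Time (RTT) for Index 10
Latest RTT: 13 milliseconds
Latest operation return code: OK
RTT Values:
  Number Of RTT: 1000
  RTT Min/Avg/Max: 10/13/26 milliseconds
Latency one-way time:
  Number of Latency one-way Samples: 1000
  Source to Destination Latency one way Min/Avg/Max: 1/2/14 milliseconds
  Destination to Source Latency one way Min/Avg/Max: 9/11/17 milliseconds
Jitter Time:
  Number of Jitter Samples: 999
  Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds
  Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds
Packet Loss Values:
  Loss Source to Destination: 0    Loss Destination to Source: 0
  Out Of Sequence: 0    Tail Drop: 0    Packet Late Arrival: 0
Voice Score Values:
  Calculated Planning Impairment Factor (ICPIF): 1
  Mean Opinion Score (MOS): 4.34
"""

_MAM = r"Min/Avg/Max:\s*(\d+)/(\d+)/(\d+)"


def _triple(text, label):
    """(min, avg, max) from the first line that carries `label ... Min/Avg/Max:`."""
    m = re.search(re.escape(label) + r".*?" + _MAM, text)
    if not m:
        raise ValueError(f"missing field: {label}")
    return tuple(int(x) for x in m.groups())


def _int_field(text, label):
    m = re.search(re.escape(label) + r":\s*(\d+)", text)
    if not m:
        raise ValueError(f"missing field: {label}")
    return int(m.group(1))


def parse_sla(text):
    """Pull the numbers an SLA check needs out of the show output."""
    return {
        "samples": _int_field(text, "Number Of RTT"),
        "rtt": _triple(text, "RTT"),
        "sd_latency": _triple(text, "Source to Destination Latency"),
        "ds_latency": _triple(text, "Destination to Source Latency"),
        "sd_jitter": _triple(text, "Source to Destination Jitter"),
        "ds_jitter": _triple(text, "Destination to Source Jitter"),
        "sd_loss": _int_field(text, "Loss Source to Destination"),
        "ds_loss": _int_field(text, "Loss Destination to Source"),
        "mos": float(re.search(r"\(MOS\):\s*([\d.]+)", text).group(1)),
    }


def evaluate(stats):
    """Return (passes, findings); the worse direction and the max value are used."""
    findings = []
    n = stats["samples"]
    loss_pct = 100.0 * max(stats["sd_loss"], stats["ds_loss"]) / n if n else 100.0
    if loss_pct > MAX_LOSS_PCT:
        findings.append(f"loss {loss_pct:.2f}% > {MAX_LOSS_PCT}%")
    one_way_max = max(stats["sd_latency"][2], stats["ds_latency"][2])
    if one_way_max > MAX_ONE_WAY_MS:
        findings.append(f"one-way latency max {one_way_max} ms > {MAX_ONE_WAY_MS} ms")
    jitter_max = max(stats["sd_jitter"][2], stats["ds_jitter"][2])
    if jitter_max > MAX_JITTER_MS:
        findings.append(f"jitter max {jitter_max} ms > {MAX_JITTER_MS} ms")
    # One-way values need synchronized clocks: the two averages should sum to ~RTT.
    if abs(stats["sd_latency"][1] + stats["ds_latency"][1] - stats["rtt"][1]) > 5:
        findings.append("one-way latencies do not add up to RTT: check NTP on both ends")
    return not findings, findings


def priority_bandwidth_kbps(session_kbps):
    """LLQ/CBWFQ guarantee per the slide: session rate plus 20 percent (floored)."""
    return session_kbps * 12 // 10


DSCP = {"EF": 46, "CS3": 24, "AF31": 26, "AF41": 34}


def ip_precedence(dscp_name):
    """Top three DSCP bits: the 'TOS=' value on the slide (EF -> 5, AF41 -> 4)."""
    return DSCP[dscp_name] >> 3


if __name__ == "__main__":
    stats = parse_sla(SAMPLE)
    print(stats)
    print(evaluate(stats))
    print(priority_bandwidth_kbps(384), "kbps for a 384 kbps session")
```

Evaluating against the worst direction and the maximum sample, rather than the average, is deliberate: a voice call notices the worst packets, and a probe that passes only on average hides exactly the bursts the jitter budget exists for.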

Lessons Learned
• Select hub locations to optimize latency and keep it under a certain threshold.
• Start with a limited pilot, then grow to 100. Become familiar with the technology. Understand information requirements, system flow and scale. Allow the support engineers to participate in the pilot phase.
• Plan a phased approach for new services. Deploying the technology to multiple segments of the network allows IT organizations to maintain low TCO.
• Automate all the routine operations.
• Develop proactive monitoring and support. SLAs and IP SLAs for the services are a must.
• Use CSM-CE to deploy and manage the environment. For large-scale deployments use northbound (NB) APIs to integrate these management platforms into the existing management environment.

Networked Home/Access Resources
• Plamen Nedeltchev, "Troubleshooting Remote Access Networks", Cisco Press, ISBN 1587050765.
• Case Studies: http://www.cisco.com/web/about/ciscoitatwork/case_studies.html
• Call to get Product, Solution and Financing Information: 1-800-745-8308 ext 4699
• Other Resources: DMVPN Extends Business Ready Teleworker, http://www.

All rights reserved. Inc.Presentation_ID © 2006 Cisco Systems. Cisco Confidential 69 .