
Remote Access / Extended Workplace VPN Solution
Cisco on Cisco Technology Tutorial
Plamen Nedeltchev, Ph.D., Sr. Member of Technical Staff, Cisco IT
Bob Scarbrough, IT Program Manager, Cisco IT (Host)

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

RAEX Agenda
• Access market challenges and demands
• RAEX program and its components
• Total cost of ownership (TCO)
• NG ECT network as a platform:
  - End to end VPN model and TCO
  - End to end security
  - End to end connectivity
  - End to end provisioning with Cisco Security Manager (CSM)
  - End to end deployment with Cisco Security Manager (CSM)
  - End to end management with Cisco Security Manager (CSM)
• Service oriented architecture over VPN
• QoS, IP SLA and lessons learned

Enterprise Class Teleworker (ECT): VPN Technologies of Cisco
[Diagram: home network (IP Phone, Cisco 8XX router, data, Wi-Fi, voice, video) connected over residential broadband Internet through an encrypted VPN tunnel to the VPN head-end router and the corporate network; residential broadband penetration is the enabler]
• Enterprise class services – encrypted data, IPT, video, Wi-Fi
• Full office replica – near office or equal office user experience
• ZTD, automated management, manageable TCO

The Telecommunication Industry Transition and the Broadband Explosion
• The industry's transition from permanent circuits to broadband connections is finally gaining speed.
• The lead times for permanent circuits for sales offices in the emerging markets continue to be between 3 and 9 months. The pricing in some cases is a showstopper.
• The residential broadband offerings range from a typical 1.5 Mbps for DSL to 6 Mbps for cable. Some providers offer FTTH to the home, and most ISPs are expected to reach 15-25 Mbps on the access layers of their networks in the next 2 years.

The Telecommunication Industry Transition and the Broadband Explosion (Contd.)
• Based on statistics provided by the OECD (Organization for Economic Co-operation and Development), published this year, the number of broadband subscribers globally increased 26% in Y2006, from 157 million in December 2005 to 197 million in December 2006.
• The telecommuting lifestyle is expected to continue to grow, to up to 50 million people by Y2008. Telecommuting as a trend is not only about productivity and business resiliency; it is about adding another dimension of freedom for the employees to better balance their personal life and business.
• Internet over broadband continues to be a hostile environment, as 70% of attacks are coming across the Internet.
SOURCE: www.oecd.org/sti/ict/broadband

The RAEX Model Is Applicable for the Telecommuter's Office, SMB, Branch and Commercial Networking
• Next Generation ECT provides the platform for Enterprise class services for home users and home offices. It addresses the needs of full time telecommuters, part time telecommuters and day extenders.
• Site to site VPN over broadband provides the framework for the next generation site to site VPN. Point to point connections are no longer the only option for branch to branch connectivity.
• Business resiliency management: NG ECT is positioned as one of the major Cisco technologies for crisis management and business continuity management.
• Teleworker QoS ("Enabling Guaranteed Internet"): by partnering with ISPs, NG ECT will create a demand for differentiated services and it will allow the ISPs to offer them to their customers on the access layer of their network.

NG ECT Solution: Cisco IOS-Based Site-to-Site VPN
• Enterprise, SMB or ISP models
• The spoke router in the home network has two or three VPN tunnels: two data and one mgmt
• Traffic is routed over the data tunnels in a failover model
• The management subnet is separate from the data subnet and can be geographically isolated
[Diagram: Home Network – ISP Internet – Mgmt Tunnel to the Mgmt GW, Primary Data Tunnel to Data GW #1, Secondary Data Tunnel to Data GW #2; the management side hosts CSM 3.1, IE2100/CE 2.0, PKI Servers and the PKI Registrar]

Cisco 870 Series Integrated Services Router
• WAN port: 871 = 100 MB Ethernet; 876 = ADSL over ISDN; 877 = ADSL; 878 = G.SHDSL (4-wire)
• ISDN S/T port (876 and 878 only)
• Dual, removable antennae
• 4-port 10/100 managed switch
• Console port/virtual AUX port, reset, security cable lock
• Memory: Flash default 24 MB, max 52 MB; DRAM default 128 MB, max 256 MB
• Trusted pool 10.25.0.16/28; non-trusted pool 10.224.0/24

NG ECT Is the RAEX Enabler
Cisco IT deployment: 11 pairs of data hubs, 5 management hubs. Expected number of users – 30,000+.
[Map: hub locations Amsterdam, Tel Aviv, San Jose, Boxborough, RTP, Tokyo, Richardson, Bangalore, Hong Kong, Singapore, Sydney; legend: Management and Data Hub, Data Hub]

Site-to-Site VPN over Broadband
A fully integrated, flexible and secure Cisco Enterprise Branch Architecture extends headquarters applications in real time to remote sites. It allows the secure ECT architecture to integrate security with Unified Communications and Mobility solutions under centralized management.
• It reduces provisioning lead times.
• It allows a jump start of the branch offices and faster penetration into emerging markets.
• It allows significant WAN cost and OPEX reduction.
• It reduces the dependency on the ISP.
[Diagram: Corp Office with corporate resources located in HQ, reached from the branch over the WAN T1 or over the Internet via an ADSL access router and the branch LAN]

Enabling "Guaranteed Internet": The Service Is as Good as Its Weakest Link
[Diagram (from TECRST-106, © 2005 Cisco Systems, Inc.): QoS reference points along the path Access – Network Edge – Core – Border: CPE/branch router, DSLAM, BRAS, PE-Agg, U-PE/N-PE over L2VPN (ATM/FR/Metro) or broadband DSL, L3VPN PE, P, PE-ASBR, CsC-CE/CsC-PE towards another SP, with managed and unmanaged CE variants]
For this traffic, the QoS marking will be honored and/or the traffic will be contention free.

Communications Requirements for Business Resiliency Management
Communications services – solution suite – enabling technologies:
• Full Office Replication (UC and collaboration tools for key executives, decision makers and business critical resources) – Cisco ECT – VPN, VoIP, Conferencing
• Voice & Data Connectivity – Cisco Anywhere Office
• Data Connectivity – Cisco Anywhere Office – Best effort services

VPN Solutions Have Evolved from Business Convenience to Business Critical
• The first generation Enterprise Class Teleworker Solution built the remote network architecture and became a platform for the next generations. It provides not only VPN access over the public networks for the remote users, but adds Enterprise class quality for data, voice, wireless and video. Besides, NG ECT offers an IP SLA to Cisco users and metrics to assess the quality of the provided services. ECT has proven to be a big cost saver for Cisco IT and Cisco customers.
• The Next Generation ECT (part of RAEX) is making Service Oriented Architecture the next step up: from technology to service, from remote access solution to remote UC, Unified Communications and Collaboration, enabling mobility and presence, building the service oriented network, deploying next generation services and Cisco gear, building new business models.
• The future of RAEX will be about equal user experience. From an industry perspective, for Enterprise environments, ECT-like managed security solutions are preferred over non-managed solutions due to their specifics and advantages.
[Diagram: progression along the axes Network as a platform, User Experience, Business Models]

ECT Reduces TCO
Total Cost of Ownership (TCO) is the sum of acquisition costs plus all the operational and support costs over the lifetime of an asset, generally 3–5 years. ROI improves as TCO decreases.
[Chart: cost split over the lifetime of the asset – acquisition costs 20%, operational costs 35%, management costs 45%; return on investment (ROI) plotted over years 1 to 5]
Maintain a low TCO by using:
• Lower costs of provisioning
• Low cost of deployment: IT 12-14% savings for ZTD for CPE
• Lower costs of management
• Utilizing reusable components
• Automation of routine operations

NG ECT Solution: End to End VPN Model and TCO

NG ECT and End-to-End VPN Model and TCO (E2EVPN)
End-to-end security
• Device and user authentication and anti-theft protection: Secure RSA Lock Key, Secure ARP-proxy, Auth-Proxy, AAA, IEEE 802.1X-AAA
• IOS-based PKI: Certificate Server (CA&RA, Sub-CS modes), PKI-AAA integration, auto-enrolment, multiple trust points
• Underlying security features: IPSec (3DES or AES), stateful firewall, NBAR and IDS, NAT, QoS
End-to-end connectivity (DMVPN)
• Failover/load-balancing/SLB, dynamic routing, full-mesh and partial-mesh topologies
• Hub-to-spoke and spoke-to-spoke tunnels, permanent and on-demand tunnels
• mGRE, NHRP, IPSec, transport and tunnel modes, multiple DMVPN clouds per head-end router
• Resiliency and full support of IP applications: data, VoIP, multicast, Wi-Fi, video, QoS
End-to-end deployment
• Cisco CNS 2100 Series Intelligence Engine: CNS Configuration Engine, CNS Notification Engine, CNS Image management engine
• Automated Zero Touch Deployment (ZTD): bootstrap configuration and PKI certificates (SDP), off-line (CSM CA Proxy), in-house (RA engineer)
• Automated user service application and entitlement; automated configuration/preconfiguration and audit; automated image management, re-deployment and audit
• Interactive/automated decision making and service termination; automated event log management
End-to-end management
• Ongoing management with Cisco Security Manager (CSM) and the Cisco IE2100 based CNS Notification Engine
• Automated control, monitoring and security management of DMVPN/IPSec
• EMAN framework integration; automated policy deployment

End-to-End IOS Layered Security (Feature – Benefit)
• RSA Key Loss Due to Password Recovery – Guards against unauthorized configuration changes
• Secure RSA Private Key – Prevents VPN connection after theft
• Secure ARP – Anti-spoofing of IP addresses assigned to devices
• Authentication-Proxy – User-level authentication (layer 3)
• 802.1x – User-level authentication (layer 2)
• Cisco IOS PKI Support and PKI-AAA Integration – Secure, scalable solution enables quick addition and deletion of spoke routers utilizing existing AAA servers
• Cisco IOS Stateful Firewall (CBAC) – Maintains state info per application; will provide deep packet inspection and off-board URL filtering
• Cisco IOS IPS – Multiple signatures; will combine with CBAC to perform deep packet inspection with a single lookup
• Network Based Application Recognition (NBAR) – Addresses IP QoS classification requirements by classifying application-level protocols so that QoS policies can be applied

RSA Key Loss Due to Password Recovery
• If someone attempts password recovery on the router, the RSA private key is permanently deleted.
• If the user tries to change the hostname of the router, the RSA private key will become unusable.
The router cannot establish a VPN session using the installed certificates after password recovery.

Secure ARP
• When the spoke router assigns an IP address via DHCP, the entry is secured in the ARP table.
• An intruder cannot just clear the ARP cache and use the IP address to gain access to the Cisco network.
Secure ARP is an effective anti-spoofing mechanism. However, the best approach for all services would be to require device certificates.

Authentication Proxy
• Authentication proxy enables user authentication at layer 3 of the network stack. The user must authenticate in order to gain intranet access from laptops, workstations and PCs; upon successful authentication, an access list is downloaded to the router from the AAA RADIUS servers to enforce corporate access policies.
• Authentication proxy can be implemented as a mechanism to prevent non-authorized users from accessing the corporate network.
• User access to different areas of an intranet can be controlled via the group info on the RADIUS server, or can be combined with NAC or user identity management systems.

IEEE Port Authentication – 802.1x
• IEEE 802.1x provides layer 2 port authentication of devices
• 2 VLANs on the spoke router: Trusted (corporate routable) VLAN and Non-trusted (home) VLAN. Devices that pass 802.1x authentication are assigned to the trusted VLAN.
• 802.1x simplifies router configuration vs. authentication proxy

Cisco IOS Certificate Server and PKI-AAA Integration
• The Cisco IOS PKI solution provides the necessary encryption, confidentiality and non-repudiation feature set and addresses the man-in-the-middle (MIM) attack.
• IOS-CS supports CA, RA and sub-CS server modes, full backup, restore and auto-enroll.
• It supports exportable and non-exportable keys.
• IOS-CS permits storage of certificates on external databases or on local flash.
• Cisco IOS PKI-AAA integration eliminates the need to manage CRLs, which significantly simplifies the management of the existing ECT environment.

Cisco IOS Firewall Features
• Cisco IOS provides a stateful firewall and CBAC (Context-Based Access Control).
• The firewall ACL blocks any non-authorized inbound access attempts (from the Internet).
• CBAC temporarily opens the application-associated ports for the return traffic if the connections were initiated from the inside. Upon expiration of the default timeouts, and if there is no more interesting traffic, these ports are closed again.
• Apart from standard TCP and UDP, CBAC also supports protocols like SIP, SCCP, FTP, SMTP and more.

Network Based Application Recognition (NBAR)
• NBAR is an intelligent classification engine that recognizes applications, including Web-based and client/server applications which dynamically assign TCP or UDP port numbers, allowing the network to apply appropriate QoS controls.
• In NG ECT, NBAR is used to match and remark the time sensitive traffic (IPT, video, IPC) at the ingress interface and to queue and prioritize the traffic based on this marking. In this way NG ECT changes the status of this traffic from non-trusted to trusted and allows the time sensitive applications to be routed in the corporate network in a cohesive way with other time sensitive traffic.
• Improves VPN performance by identifying mission-critical traffic before it is encrypted.
• Mission critical applications can be guaranteed bandwidth.
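Added example (not from the presentation): how the two mechanisms described on this slide and the previous one look together on a spoke router in Cisco IOS syntax: an inbound WAN ACL with CBAC opening return-traffic holes for sessions started from the inside, and NBAR-based remarking of voice, video and signalling at the trusted LAN ingress so the WAN queuing acts on the DSCP before encryption. Interface names follow the 871 (FastEthernet4 WAN, Vlan1 LAN); addresses, rule and class names, DSCP choices and the shaper rate are assumed values.

```ios
! ===== Inbound ACL on the broadband interface: only tunnel traffic is unsolicited-allowed =====
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp            ! IKE from the DMVPN hubs (spoke WAN address is DHCP assigned)
 permit udp any any eq non500-isakmp     ! IKE/ESP through NAT-T (UDP 4500)
 permit esp any any                      ! the IPsec-protected GRE tunnels themselves
 permit udp any eq bootps any eq bootpc  ! keep the ISP DHCP lease renewable
 permit icmp any any echo-reply
 deny   ip any any log                   ! everything else inbound is dropped and logged
!
! ===== CBAC: track sessions leaving via the WAN and open their return ports temporarily =====
ip inspect name ECT-FW tcp timeout 3600  ! generic TCP state; idle entries are removed after the timeout
ip inspect name ECT-FW udp timeout 30    ! UDP "sessions" expire 30 s after the last packet
ip inspect name ECT-FW ftp               ! application inspection learns the negotiated data-channel port
ip inspect name ECT-FW smtp
ip inspect name ECT-FW sip               ! IPT signalling named on the slide
ip inspect name ECT-FW skinny            ! SCCP
!
interface FastEthernet4
 description ISP broadband (WAN)
 ip address dhcp
 ip access-group OUTSIDE-IN in
 ip inspect ECT-FW out                   ! inspect outbound sessions; return traffic is matched to state, not to the ACL
!
! ===== NBAR classification and remarking at the trusted LAN ingress (before encryption) =====
class-map match-any ECT-VOICE
 match protocol rtp audio                ! NBAR recognises RTP even though the ports are negotiated dynamically
class-map match-any ECT-SIGNALLING
 match protocol skinny
 match protocol sip
class-map match-any ECT-VIDEO
 match protocol rtp video
!
policy-map ECT-MARK-IN
 class ECT-VOICE
  set dscp ef
 class ECT-SIGNALLING
  set dscp cs3
 class ECT-VIDEO
  set dscp af41
 class class-default
  set dscp default                       ! host-set markings from the home LAN are not trusted
!
interface Vlan1
 description trusted (corporate) VLAN
 ip address 10.25.0.17 255.255.255.240   ! assumed address inside the trusted /28
 service-policy input ECT-MARK-IN
!
! ===== WAN queuing keyed on the remarked DSCP =====
! GRE/IPsec tunnel protection copies the inner DSCP to the outer header, so the encrypted
! packets can still be classified by DSCP here; qos pre-classify is only needed for other fields.
class-map match-any ECT-PRIORITY
 match dscp ef
class-map match-any ECT-CRITICAL
 match dscp cs3 af41
!
policy-map ECT-WAN-OUT
 class ECT-PRIORITY
  priority percent 30                    ! strict-priority queue for voice, policed to 30% of the shaped rate
 class ECT-CRITICAL
  bandwidth percent 25                   ! guaranteed share for signalling and video
 class class-default
  fair-queue
!
policy-map ECT-WAN-SHAPE
 class class-default
  shape average 768000                   ! assumed ISP upload rate, so the queue builds here, not in the modem
  service-policy ECT-WAN-OUT
!
interface FastEthernet4
 service-policy output ECT-WAN-SHAPE
```

Useful checks are show ip inspect sessions for the dynamically opened return entries and show policy-map interface FastEthernet4 to confirm that the remarked classes are the ones being queued.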

NG ECT Solution: End-to-End Connectivity

End-to-End Connectivity (Feature – Benefit)
• DMVPN Fundamentals – Dynamic Multipoint VPN based upon IPSec, NHRP and Multipoint GRE
• Routing with DMVPN – Routing protocols in the DMVPN cloud provide responsive failover
• DMVPN Key Differentiators – Simplifies configurations, separates management and data traffic paths and builds on-demand full or partially meshed networks
• Server Load Balancing (SLB) Overall Design – The next generation DMVPN networks
• DMVPN and SLB Design – Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two separate designs
• SLB DMVPN – Key Advantages – SLB is much easier to configure and support, provides a higher tunnel creation rate, scales higher and gives better redundancy

DMVPN Fundamentals
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS-based solution which integrates the Cisco VPN solutions with the Cisco dynamic protocols framework.
• Failover/load-balancing/SLB
• Dynamic routing
• Full-mesh and partial-mesh topologies
• Hub-to-spoke and spoke-to-spoke tunnels
• Permanent and on-demand tunnels
• DMVPN is built on:
  - IPSec (RFC 2401)
  - Next Hop Resolution Protocol (NHRP): the hub maintains a NHRP database of all the spokes' routable (public interface) addresses; each spoke registers its routable address with the NHRP server (hub) after successful negotiation of the IPSec tunnel; spokes query the NHRP database for the routable addresses of destination spokes to build direct tunnels
  - Multipoint GRE tunnel interface: allows a GRE interface to support multiple IPSec tunnels and simplifies the size and complexity of the configuration

Standard DMVPN Design
[Diagram: corporate network behind the corporate firewalls, DMVPN hubs, spokes]

DMVPN: Key Differentiators
• DMVPN uses crypto profiles and tunnel protection; this frees the physical interface from a crypto map
• Management is performed over a separate VPN tunnel, independent of the primary DMVPN data tunnels
• DMVPN allows for dynamic registration of spokes: one tunnel interface on the hub side supports a single DMVPN cloud, eliminates static point-to-point configurations and reduces the complexity of the hub configuration
• DMVPN provides dynamic full and partial mesh capability, which provides improved support for applications such as voice and video
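Added example (not from the presentation), serving the DMVPN Fundamentals and Key Differentiators slides above: a minimal DMVPN hub and spoke in Cisco IOS syntax showing the pieces those slides name: the mGRE tunnel interface, NHRP registration of the spoke's routable address with the hub, IPsec tunnel protection in place of a crypto map on the physical interface, and a routing protocol over the cloud. Public addresses (192.0.2.0/24), tunnel addresses, key names, interface names and the EIGRP AS are constructed values; the PKI trustpoint that backs rsa-sig authentication is assumed to exist.

```ios
! ===== DMVPN hub (NHRP server) =====
! Assumed: hub public address 192.0.2.1 on GigabitEthernet0/0, tunnel address 10.0.0.1
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig           ! device certificates from the IOS certificate server (trustpoint not shown)
 group 2
!
crypto ipsec transform-set ECT-TS esp-aes esp-sha-hmac
 mode transport                   ! transport mode: the GRE header already carries the tunnel addressing
!
crypto ipsec profile ECT-DMVPN
 set transform-set ECT-TS
!
interface Tunnel0
 description NG ECT data cloud
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ECTKEY
 ip nhrp map multicast dynamic    ! replicate routing-protocol multicast to every spoke that has registered
 ip nhrp network-id 100
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100    ! let spokes learn each other's subnets through the hub
 no ip next-hop-self eigrp 100    ! keep the originating spoke as next hop so spoke-to-spoke tunnels form
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint       ! one mGRE interface serves the whole cloud: no per-spoke configuration
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN   ! IPsec bound to the tunnel; no crypto map on Gi0/0
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.100.0.0 0.0.255.255   ! corporate subnets advertised to the spokes (assumed)
!
! ===== Spoke (e.g. a Cisco 871 in the home) =====
! Assumed: WAN address DHCP-assigned by the ISP on FastEthernet4, tunnel address 10.0.0.11.
! The same isakmp policy, transform-set and ipsec profile as on the hub are configured here.
interface Tunnel0
 description NG ECT data cloud
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication ECTKEY
 ip nhrp map 10.0.0.1 192.0.2.1  ! the only static mapping a spoke needs: the hub
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1            ! register this spoke's routable address with the NHRP server (hub)
 tunnel source FastEthernet4
 tunnel mode gre multipoint      ! multipoint so a direct spoke-to-spoke tunnel can be built on demand
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.25.0.16 0.0.0.15     ! the trusted /28 behind this spoke (assumed, matching the pool on slide 8)
```

On the hub, show ip nhrp lists the registered spokes with their routable addresses, and show dmvpn shows the hub-to-spoke tunnels plus any spoke-to-spoke tunnels resolved on demand.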

Server Load Balancing (SLB) Overall Design
[Diagram: corporate network – aggregation router – hubs (a cluster of DMVPN hubs that aggregates the user tunnels) – server load balancer (balances the connections and owns the virtual IP address) – GRE/IPsec tunnels carrying IGP + NHRP – spokes]

DMVPN and SLB Design
• The Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two different ways:
• Design one – DMVPN high concentration hub: typically a Cisco 7600 Series router or Cat65K acts as the primary tunnel termination hub and performs the encryption and decryption functions. A farm of 7200 Series routers is associated with the IPSec termination device and handles all tasks related to Next-Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (mGRE).
• Design two – DMVPN IOS SLB hub: the front device, typically a Cisco 7200 or Cisco 7600 Series router, performs the role of load balancer. A farm of 7200 Series routers is associated with the load balancer and handles all the tasks related to NHRP, mGRE and IPSec encryption/decryption.
• Both design solutions have their advantages and disadvantages; based on the existing documentation and lessons learned, the SLB design provides the following advanced enhancements for DMVPN:

SLB DMVPN – Key Advantages
• SLB is much easier to configure and support, since the configuration of the peer tunnel IP is always the same no matter how large the deployment is. The peer IPSec IP (the termination device's tunnel IP) acts like a cluster IP and does not change due to design or scalability considerations.
• SLB scales higher, since the EIGRP-based scalability restrictions are mitigated and the number of tunnels is virtually limitless.
• SLB provides a higher tunnel creation rate, recovers faster when a cluster node becomes unavailable and provides spoke-to-spoke functionality as standard DMVPN does.

SLB DMVPN – Key Advantages (Contd.)
• SLB provides better redundancy. The standard DMVPN design provides redundancy in pairs: the dual tunnel, single layout design (from the CPE) actually terminates the CPE on two separate SDGs, which are not geographically co-located. In that case the number of primary hubs is equal to the number of backup hubs, and the total number is 2N. Everything else being equal, if we assume the same number of CPEs per hub (pair of hubs), the number of hubs in the SLB design should be N+2 (assuming a dual SLB head-end design).
• The SLB design can provide a fully redundant solution, maintaining active-active status of the crypto tunnel connections, where in the dual SLB design the CPE can connect to a pair of farm hubs located in another part of the same campus. In other words, in its extreme the solution can allow a CPE to fail over to another hub, or the SLB pair to fail over to another pair of hubs located in another geographical location.

NG ECT Solution and Low TCO – End-to-End Provisioning with Cisco Security Manager

Cisco Security Manager
• CSM manages devices: PIX Firewall, ASA, FWSM and Cisco IOS routers
• CSM manages firewalls: Firewall Services manages the firewall-related policies in Security Manager that apply to the adaptive security appliance (ASA), PIX Firewall (PIX), Firewall Services Module (FWSM) installed in a Catalyst 6500/7600 device, and security routers running Cisco IOS (IOS)
• CSM manages policies, activities and objects
• It manages Site to Site VPNs, Remote Access VPNs, SSL VPNs and Easy VPNs
• It manages transport mechanisms such as SSL, HTTPS, HTTP, Telnet, TMS and Cisco Networking Services (CNS) working with CE 2.0

Cisco Security Manager (Contd.)
• It manages Intrusion Prevention System (IPS)
• Supports an open XML/SOAP interface and NB APIs enabling integration with the existing enterprise management framework
• Supports fully managed service functionality to notify the administrators of non-CSM initiated configuration changes
• CSM manages provisioning, manages deployment and manages FlexConfigs

Configuring CSM – The Sample Device and the Security Policies
• Create a sample device.

Configuring CSM – The Sample Device and the Security Policies
• Create a sample device.
• Configure the FW policies: Access Rules, AAA Access Rules, Inspection Rules, Access Control, AuthProxy, Inspection
• Site to Site VPN – large scale DMVPN, SLB config
• Quality of Service
• Configure NAT – flex config based
Notes: start with a single device; assign policies; define the policies as shared or local.

Configuring CSM – The Sample Device and the Flex Configs
• Create a sample device.
• Attach 871 prepend config(s), based on expected granularity
• Attach BASIC append config(s)
• Attach WIFI append config(s)
• Attach IPT append config(s)
• Attach VIDEO append config(s)
• Attach 871 append config(s)
Notes: start with a single device; attach prepend and append flex configs, based on expected granularity.

Cisco Security Manager 3.1 SLB Hub Configuration
• Configure a hub device
• Configure the SLB device and interfaces
• Create the Hub and Spoke VPN
• Edit Hub and Spoke
• Select devices for SLB

User Request for NG ECT Service

Eleven Steps to Provision and Deploy a Remote Router
• User submits the NG ECT request (changing/saving/etc) – REQUESTED STATE
• Mgr approval triggers the processes – APPROVED STATE
• EMAN creates the ACS account on the ACS server as part of the PKI&AAA config
• EMAN Address Management: the AM agent assigns a /28 to every user
• EMAN Host Management: a host record is created in EMAN for monitoring/tracking

Eleven Steps to Provision and Deploy a Remote Router (Cont…)
• EMAN Template Management – the device is associated with the predefined set of templates
• EMAN Address Management: the AM agent assigns a /32 ip address for the tunnel interface
• TFTP IP address supplied by EMAN out of TNM
• CS-M cloning (6 sub-steps within the CS-M)
• CNS configuration staged
• SDM/SDP process – configuration downloaded to the CPE router & the state changes to OPERATIONAL

Cisco IT Implementation – CSM Integration Using APIs

Cisco Security Manager 3.1: 6 Easy CPE Provisioning Steps
• Clone a device from SAMPLESJC-871-ONE
• Set device properties – transport protocol
• Set device properties – interface roles
• Set device properties – set Networks/Hosts
• Set device properties – set Text Objects
• Edit QoS policy
• Submit and deploy

NG ECT Solution and Low TCO – End-to-End Deployment with Cisco Security Manager

Conventional Deployment of Spoke Routers
• In-house: router configured by IT
• Outsource to ISP: router configured at a staging facility
• Outsource to 3rd party: router configured at a staging facility or on-site
All three methods add excessive cost to the deployment process!

NG ECT Offers Four Deployment Options
• Zero Touch Deployment: the user is responsible for configuring the router for Internet access and running SDP (Secure Device Provisioning); policy configurations are pushed over the CNS transport mechanism
• On-line (Cert-Proxy): allows an engineer to configure the router remotely
• E-Token based Secure Device Provisioning: allows an engineer to configure the router remotely
• Off-line: special cases/configurations and pilot environments
• Regardless of the deployment option, the spoke router provisioning process is automated to minimize TCO

ECT CPE ZTD Deployment
• Spoke router performs SDP and obtains keys and certificates
• Spoke router establishes the mgmt tunnel, "calls home" and sends a CNS "connect" event to the CE Engine
• Management GW authenticates the spoke router using PKI-AAA integration
• CE pushes & audits policy over the management tunnel
• Spoke router establishes the VPN tunnel w/Data GW1 and gains access to corporate resources
• VPN tunnel established w/Data GW2 and stays active for failover
Phases: access to corporate resources; VoIP: phase 2; WLAN: phase 3
[Diagram: spoke across the Internet with Management Tunnel to the Management GW and Primary/Secondary Data Tunnels to Data GW1/Data GW2 in the internal network, where CS-M and CE 2.0 reside]

ECT Architecture Today – Auth Proxy
• Today the ECT solution uses 'Auth Proxy' to authorize PCs to corporate resources
• Auth Proxy uses a userid and Active Directory (AD) password through a browser
• Once the user has successfully authenticated, corporate resources (email, IM, etc) can be accessed
• If the authorization is not successful, the PC can still access the internet
[Diagram: same tunnel layout as the previous slide, with Auth Proxy on the spoke and the home PCs labelled "Spouse and Kids?"]

ROI, TCO and ZTD Cumulative Cost Savings

The User's Experience
I wanted to let you know my first hand experience with my new ECT router and getting it set up. My last ECT router was shipped to me with a very large book on how to configure it. I dreaded the process. The new router sat in a box next to my desk for about 4 days because I was planning to dedicate a full weekend to the process of hooking it up and getting it configured. Well, much to my surprise, the router was set up to be configured and connecting to the site for configuration was easy. The instructions on the Web and the printed material were easy for a nontechnical person to understand. I hooked everything up (including my home equipment) and had the new router configured in 15 minutes! Let me repeat that, 15 minutes. Voila! 15 minutes later I am back in business. It even amazes me that I was able to do it without hassle. Now back to work!!!!! But from home!!!!!
Sincerely yours, Pat Moore, Mgr. Workplace Resources

NG ECT Solution and Low TCO – End-to-End Management with Cisco Security Manager

TCO and Lower Costs of Management; TCO and Utilizing Reusable Components
• Integration of CSM and CNS-CE into EMAN
• Monitoring – EMAN based
• Analyzing / grouping – static and dynamic groups
• Automated decision making
• Automated deployment options, EMAN/CSM/CE based:
  - Regular deployments – once per 24 hours; example – overnight password management
  - Scheduled deployments
  - Event-triggered deployments
  - Rapid deployments – push/pull policies and ACLs
• IOS management is based on EMAN/CNS-CE functionality

TCO and Automation of Routine Operations – Major Automation Wins
• Migration from one device/platform to another
• Service MOVE from one location to another
• Connection type change
• Upload speed change – UP or DOWN

ISC to CS-M Migration: Platform A to Platform B Migration

ZTD IPT Deployment (HOME)

ZTD of IPT for Remote Access
• User applies for the IPT service as part of their ECT service and upon approval orders their IP Phone or installs IP Communicator (IPC); an additional instance of a phone is configured for the employee's Dialed Number (DN) on the Cisco Call Manager (CM).
• IPT device is shipped from factory.
• ECT router is successfully configured and has established data tunnels; user connects the IPT device to the ECT router.
• When the IPT connects to the fully functional ECT router, the universal loader will be loaded to the IPT and the IPT will boot and obtain an IP.

ZTD of IPT for Remote Access (Contd.)
• The CCM will register the MAC address of the IPT and it will assign a random DN to the phone, which will appear on the IPT's screen.
• The user will use a URL application to connect to a server. The user will be authenticated and prompted for user credentials.
• Upon successful authentication the user will enter the random DN shown on the screen of the IPT.
• The backend script will replace the random DN with the DN previously assigned to the user. The IPT will obtain the associated profile from the TFTP server and it will connect and register with the CCM.

Service Oriented Architecture over VPN. QOS, IP SLA and Lessons Learned

QOS and Minimum SLA Requirements
• Applications with similar QoS requirements are grouped into a service (traffic) class (e.g. Voice, Interactive Video as real-time).
• Service Classes will have separate loss, latency, jitter requirements:
  – Time Sensitive class – Voice, Interactive Video
  – Business critical class – Oracle, SAP, WebEx, MeetingPlace
  – Best effort – Internet access, file transfer
  – Scavenger class – TLM and Streaming video
• Every map class later is associated with a separate policy.

[Table: SLA attributes (Loss, Delay, Jitter, Availability, Contracted BW (cBW)) per service class (Real Time, Business, BE), contracted PoP-to-PoP and End-to-End; the original marks the applicable cells with checkmarks.]

IP SLA Metrics

Minimum SLA Attributes Related to QoS:
• Latency (Delay)
• Packet Loss
• Delay Variation (Jitter)
• Contracted Bandwidth
• Throughput

Other SLA Attributes Related to QoS:
• Availability
• Mean Time to Repair (MTTR)
• Mean Time Between Failure (MTBF)
• Per-Flow Packet Sequence Preservation
• Admission Control Criteria
• Contention Ratio
• ISP supported QoS at the edge
• SLA measurement/reporting tools – measurement points, methodology, report contents, reporting methodology (web, e-mail), reporting interval, failure criteria and penalty clauses.

IP SLA Requirements for IPT@Home and Interactive Video@Home
• Loss should be no more than one percent.
• One-way latency should be no more than 150 ms.
• Jitter should be no more than 30 ms.
• Voice (bearer) traffic should be classified as EF, or with TOS=5.
• Call signaling traffic should be marked as AF31/CS3.
• Interactive video traffic should be classified as AF41 or marked with TOS=4/TOS=2.
• The minimum priority bandwidth guarantee (LLQ) or CBWFQ is the size of the video conferencing session plus 20 percent. (For example, a single 384 kbps video conferencing session requires 460 kbps of guaranteed priority bandwidth.)
• The codec type should not be a factor when configuring IPT for Home. The reason is that jitter and out-of-order packets cause more audio signal damage with G.729 than with G.711.

Other QoS and IP SLA Requirements
• Streaming video (whether unicast or multicast) should be marked to CS3. Loss should be no more than 2 percent. Latency should be no more than 4–5 seconds (depending on the video application's buffering capabilities). There are no significant jitter requirements.
• Locally-Defined Mission-Critical class. Transactional and interactive applications with a high business priority:
  – Transactional/Interactive – Client-server applications, messaging applications. The Transactional/Interactive class is a combination of two similar types of applications: transactional client-server applications and interactive-messaging applications.
  – Bulk/Non-Interactive – Large file-transfers, video content distribution, database syncs and replication, network backups, e-mail, and NFS. Bulk applications can dynamically take advantage of unused bandwidth and thus speed up their operations during non-peak periods.
• Best-Effort – It is recommended that at least 25 percent of a WAN link's bandwidth be reserved for the default Best Effort class.
• Scavenger class – "less-than Best-Effort" services to certain applications.
• Routing and Network Management class. It is an optional class of service and includes a minimal bandwidth queue for routing and other network control applications, such as SNMP, Syslog, NTP, EIGRP, and ISAKMP.
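The three slides above name the service classes, their DSCP markings, the 460 kbps LLQ figure for a 384 kbps video session and the 25 percent floor for Best Effort, but show no router configuration. The MQC policy below is an added example written for this tutorial, not configuration taken from Cisco IT's deployment. It assumes a constructed 2 Mbps upstream (the shaper rate), the interface name FastEthernet4, and DSCP values for the classes the slides do not mark (CS6/CS2 for routing and network management, AF21 for transactional, AF11 for bulk, CS1 for scavenger, following the usual Cisco QoS baseline). Call signaling matches AF31 only, because CS3 is used here for streaming video as the slide specifies; the queue sizes are illustrative and stay within the 75 percent of the link that IOS reserves by default.

```cisco
! Added example: uplink queuing for an ECT router, built from the service
! classes on the slides. Markings are assumed to be applied by the endpoints
! or by a trusted ingress policy; these class-maps only match them.
class-map match-any VOICE
 match ip dscp ef
class-map match-any INTERACTIVE-VIDEO
 match ip dscp af41
class-map match-any CALL-SIGNALING
 match ip dscp af31
class-map match-any STREAMING-VIDEO
 match ip dscp cs3
class-map match-any TRANSACTIONAL
 match ip dscp af21
class-map match-any BULK
 match ip dscp af11
class-map match-any ROUTING-AND-MGMT
 match ip dscp cs6 cs2
class-map match-any SCAVENGER
 match ip dscp cs1
!
policy-map ECT-UPLINK-QUEUING
 ! Voice bearer: strict-priority queue (LLQ), sized for the expected calls
 class VOICE
  priority 128
 ! One 384 kbps video session plus 20 percent headroom = 460 kbps
 class INTERACTIVE-VIDEO
  priority 460
 class CALL-SIGNALING
  bandwidth 32
 ! Streaming video tolerates seconds of latency, so a guaranteed queue, not LLQ
 class STREAMING-VIDEO
  bandwidth 96
 class TRANSACTIONAL
  bandwidth 128
 ! Bulk gets a small guarantee and borrows unused bandwidth off-peak
 class BULK
  bandwidth 64
 ! Minimal queue for SNMP, Syslog, NTP, EIGRP, ISAKMP
 class ROUTING-AND-MGMT
  bandwidth 16
 ! Less-than-best-effort: starved first under congestion
 class SCAVENGER
  bandwidth 8
 ! Default class keeps at least 25 percent of the 2 Mbps link
 class class-default
  bandwidth 512
!
! Broadband uplinks are Ethernet-attached, so shape to the contracted upstream
! rate and hang the queuing policy under the shaper.
policy-map ECT-UPLINK-SHAPER
 class class-default
  shape average 2000000
  service-policy ECT-UPLINK-QUEUING
!
interface FastEthernet4
 description Uplink to broadband modem (constructed example)
 service-policy output ECT-UPLINK-SHAPER
```

The shaper matters on a home router: without it the Ethernet interface never sees congestion, the queues never engage, and the priority guarantee for voice and video is only nominal. The `priority` values are also the policer limits for those classes, so size them to the number of concurrent sessions rather than leaving headroom there.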

IP SLA Probe Types

[Figure: IP SLA probe types grouped as QoS Aware (Voice, Video, VPN), Network Response, Data Transfer, Web Traffic, Network and Application Services, Server Traffic, Layer 2 Services and Applications (Beta). Probe names shown: Path Jitter, Jitter, VPN QoS, VPN Aware, UDP Echo, Echo, Path Echo, TCP Connect, FTP, HTTP, DNS, DHCP, Radius, POP, LDAP, DLSw, Frame Relay, ATM, Netmeeting, Real Player, eMail, Notes, SAP, News, Custom TCL.]

IP SLA Statistics – Example

rcdn-user-871#show ip sla status
Round Trip Time (RTT) for Index 10
  Latest RTT: 13 milliseconds
Latest operation start time: 19:27:34.837 PDT Sun Oct 7 2007
Latest operation return code: OK
RTT Values:
  Number Of RTT: 1000    RTT Min/Avg/Max: 10/13/26 milliseconds
Latency one-way time:
  Number of Latency one-way Samples: 1000
  Source to Destination Latency one way Min/Avg/Max: 1/2/14 milliseconds
  Destination to Source Latency one way Min/Avg/Max: 9/11/17 milliseconds
Jitter:
  Number of Jitter Samples: 999
  Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds
  Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds
Packet Loss Values:
  Loss Source to Destination: 0    Loss Destination to Source: 0
  Out Of Sequence: 0    Tail Drop: 0    Packet Late Arrival: 0
Voice Score Values:
  Calculated Planning Impairment Factor (ICPIF): 1
  Mean Opinion Score (MOS): 4.34
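The IPT@Home slide gives the thresholds (loss no more than 1 percent, one-way latency no more than 150 ms, jitter no more than 30 ms) and the slide above shows the raw report a jitter probe produces; the presentation does not show how the two are joined. The script below is an added example, not code from Cisco IT, that parses a report in that format and returns the list of SLA violations. The sample text is a constructed copy of the report above; the field labels are the ones that report prints, and counting a late-arriving packet as lost (a jitter buffer discards it anyway) is this example's own choice.

```python
"""Check a Cisco IOS IP SLA jitter-probe report against the IPT@Home SLA.

Added example. The sample below is a constructed copy of the report shown on
the slide; the thresholds are the ones the requirements slide states.
"""
import re

# Constructed sample: the same figures as the slide, laid out as IOS prints them.
SAMPLE_OUTPUT = """\
Round Trip Time (RTT) for Index 10
        Latest RTT: 13 milliseconds
Latest operation start time: 19:27:34.837 PDT Sun Oct 7 2007
Latest operation return code: OK
RTT Values:
        Number Of RTT: 1000             RTT Min/Avg/Max: 10/13/26 milliseconds
Latency one-way time:
        Number of Latency one-way Samples: 1000
        Source to Destination Latency one way Min/Avg/Max: 1/2/14 milliseconds
        Destination to Source Latency one way Min/Avg/Max: 9/11/17 milliseconds
Jitter:
        Number of Jitter Samples: 999
        Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds
        Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds
Packet Loss Values:
        Loss Source to Destination: 0           Loss Destination to Source: 0
        Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
Voice Score Values:
        Calculated Planning Impairment Factor (ICPIF): 1
        Mean Opinion Score (MOS): 4.34
"""

# IPT@Home / Interactive Video@Home requirements from the slides.
THRESHOLDS = {"loss_pct": 1.0, "one_way_ms": 150, "jitter_ms": 30}


def _count(label, text):
    """Return the integer printed after 'label:' (e.g. 'Tail Drop: 0')."""
    m = re.search(re.escape(label) + r":\s*(\d+)", text)
    if m is None:
        raise ValueError(f"field not found: {label}")
    return int(m.group(1))


def _min_avg_max(label, text):
    """Return (min, avg, max) from a 'label Min/Avg/Max: a/b/c' line."""
    m = re.search(re.escape(label) + r"\s+Min/Avg/Max:\s*(\d+)/(\d+)/(\d+)", text)
    if m is None:
        raise ValueError(f"field not found: {label}")
    return tuple(int(v) for v in m.groups())


def parse_sla_stats(text):
    """Pull the fields the SLA check needs out of the raw CLI text."""
    code = re.search(r"Latest operation return code:\s*(\S+)", text)
    mos = re.search(r"Mean Opinion Score \(MOS\):\s*([\d.]+)", text)
    return {
        "return_code": code.group(1) if code else "UNKNOWN",
        "num_rtt": _count("Number Of RTT", text),
        "rtt": _min_avg_max("RTT", text),
        "latency_sd": _min_avg_max("Source to Destination Latency one way", text),
        "latency_ds": _min_avg_max("Destination to Source Latency one way", text),
        "jitter_sd": _min_avg_max("Source to Destination Jitter", text),
        "jitter_ds": _min_avg_max("Destination to Source Jitter", text),
        "loss_sd": _count("Loss Source to Destination", text),
        "loss_ds": _count("Loss Destination to Source", text),
        "late": _count("Packet Late Arrival", text),
        "out_of_seq": _count("Out Of Sequence", text),
        "mos": float(mos.group(1)) if mos else None,
    }


def evaluate(stats, thresholds=THRESHOLDS):
    """Return the list of SLA violations; an empty list means the sample passes."""
    violations = []
    if stats["return_code"] != "OK":
        violations.append(f"probe return code {stats['return_code']}")
    # A packet that arrives too late for the jitter buffer is as good as lost.
    lost = stats["loss_sd"] + stats["loss_ds"] + stats["late"]
    loss_pct = 100.0 * lost / stats["num_rtt"] if stats["num_rtt"] else 100.0
    if loss_pct > thresholds["loss_pct"]:
        violations.append(f"loss {loss_pct:.2f}% > {thresholds['loss_pct']}%")
    # Judge each direction by its worst (max) sample, not the average.
    for name, key, limit in (("S->D latency", "latency_sd", "one_way_ms"),
                             ("D->S latency", "latency_ds", "one_way_ms"),
                             ("S->D jitter", "jitter_sd", "jitter_ms"),
                             ("D->S jitter", "jitter_ds", "jitter_ms")):
        worst = stats[key][2]
        if worst > thresholds[limit]:
            violations.append(f"{name} max {worst} ms > {thresholds[limit]} ms")
    return violations


def check_sla(text, thresholds=THRESHOLDS):
    """Parse raw 'show ip sla' text and return its violations."""
    return evaluate(parse_sla_stats(text), thresholds)


if __name__ == "__main__":
    problems = check_sla(SAMPLE_OUTPUT)
    print("SLA met" if not problems else "SLA violated: " + "; ".join(problems))
```

Running it against the slide's report yields no violations (0 percent loss, worst one-way latency 17 ms, worst jitter 13 ms, MOS 4.34). The check uses the maximum sample in each direction because a single 1000-packet window with a good average can still hide bursts that a G.729 call will hear.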

Lessons Learned
• Select hub locations to optimize latency and keep it under a certain threshold.
• Start with a limited pilot, grow to 100. Become familiar with the technology. Understand information requirements and system flow and scale. Allow the support engineers to participate in the pilot phase.
• Plan a phased approach for new services.
• Develop proactive monitoring and support. SLAs and IP SLAs for the services are a must.
• Automate all the routine operations.
• Use CSM – CE to deploy and manage the environment. For large scale deployments use NB APIs to integrate these management platforms into the existing management environment.
Deploying the technology to multiple segments of the network allows IT organizations to maintain low TCO.

More Networked Home/Access Resources

Case Studies: http://www.cisco.com/web/about/ciscoitatwork/case_studies.html

Call to get Product, Solution and Financing Information: 1-800-745-8308 ext 4699

Other Resources:
• DMVPN Extends Business Ready Teleworker. http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q204/dmvpn.html
• Nedeltchev P. "Troubleshooting Remote Access Networks", Cisco Press, ISBN: 1587050765.
