You are on page 1of 69

Remote Access

/
Extended
Workplace VPN
Solution
Cisco on Cisco
Technology Tutorial
Plamen Nedeltchev
Ph.D. Sr. Member of Technical Staff, Cisco IT
Bob Scarbrough
IT Program Manager, Cisco IT, (Host)

Presentation_ID

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

1

RAEX Agenda
ACCESS MARKET CHALLENGES AND DEMANDS.
RAEX PROGRAM AND ITS COMPONENTS.
TOTAL COST OF OWNERSHIP (TCO)
NG ECT NETWORK AS A PLATFORM:
End to end VPN model and TCO
End to End Security
End to End Connectivity
End to End Provisioning with Cisco Security Manager (CSM)
End to End Deployment with Cisco Security Manager (CSM)
End to End Management with Cisco Security Manager (CSM)

SERVICE ORIENTED ARCHITECTURE OVER VPN.
QOS, IP SLA and Lessons learned
Presentation_ID

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

2

Enterprise Class Teleworker (ECT)
VPN Technologies of Cisco.

Residential
BRODBAND
penetration

IP Phone

Cisco 8XX
Router

Data

VPN Head-end
Router

Corporate
Network

Broadband Internet

Wi-Fi

Encrypted VPN Tunnel

Voice
Video

Enterprise Class
Services – encrypted
data, IPT, video,
WIFI
Presentation_ID

© 2006 Cisco Systems, Inc. All rights reserved.

Full office replica
Near office or
equal office user
experience..
Cisco Confidential

ZTD, Automated
Management,
manageable TCO.

3

The lead times for permanent circuits for sales offices in the emerging markets continue to be between 3 months and 9 months.5 Mbps for DSL to 6 Mbps for Cable. The pricing in some cases is a showstopper. Presentation_ID © 2006 Cisco Systems. Cisco Confidential 4 . All rights reserved.The Telecommunication industry transition and the broadband explosion. ƒ The residential broadband offerings are ranging from typical 1. Some providers offer FTTH to the home and it is expected most of the ISP providers to reach 15-25 Mbps in the next 2 years on the access layers of their networks. ƒ Industry’s transitioning from permanent circuits to broadband connections is finally gaining speed. Inc.

) ƒ Telecommuting lifestyle is expected to continue to grow to up to 50 million people by Y2008. All rights reserved. Internet over broadband continue to be a hostile environment as 70% of attacks are coming across Internet. Cisco Confidential 5 .Organization for Economic Co-operation and Development.org/sti/ict/broadband © 2006 Cisco Systems. (Contd. Inc.oecd. in Y2006. ƒ Based on statistics provided by the OECD. It is about adding another dimension of freedom for the employees to better balance their personal live and business. the number of broadband subscribers globally has increased 26% from 157 million in December 2005 to 197 million in December 2006. www. published this year. Telecommuting as a trend is not only about productivity and business resiliency.The Telecommunication industry transition and the broadband explosion. ƒ Presentation_ID SOURCE .

ƒ Teleworker QoS ("Enabling "Guaranteed Internet"). By partnering with ISP. It addresses the needs of full time telecommutes. Commercial networking ƒ Next Generation ECT. NG ECT will create a demand for differentiated services and it will allow the ISPs to offer them for their customers on the Access Layer of their network. Inc. ƒ Business resiliency management. part time telecommuters and day extenders. Presentation_ID © 2006 Cisco Systems.The RAEX model is applicable for Telecommuter’s office. NG ECT is positioned as one of the major Cisco technologies for crisis management and business continuity management. Branch. SMB. ƒ Site to site VPN over broadband provides the framework for the next generation Site to site VPN.provides the platform for Enterprise class services for home users and home offices. The point to point connections are not longer the only option Branch to Branch connectivity. Cisco Confidential 6 . All rights reserved.

All rights reserved. Inc.0 PKI Servers PKI Registrar Presentation_ID © 2006 Cisco Systems. two data and one mgmt ISP Internet ƒ Traffic is routed over data tunnels in failover model Secondary Data Tunnel Mgmt Tunnel Mgmt GW Primary Data Tunnel Data Data GW1GW #1 CSM 3.NG ECT Solution Cisco IOS-Based Site-to-Site VPN ƒ Enterprise.1 IE2100/CE 2. Data GW#2 ƒ Management subnet is separate from data subnet and can be geographically isolated Cisco Cisco Confidential 7 . SMB or ISP models Home Network ƒ Spoke router in home network has two or three VPN tunnels.

0. All rights reserved.25.0/24 Memory Flash Default: 24 MB Max: 52 MB DRAM Default: 128 MB Max: 256 MB 4-Port 10/100 Managed Switch Presentation_ID © 2006 Cisco Systems.224. Removable Antennae WAN Port: 871 = 100 MB Ethernet 876 = ADSL over ISDN 877 = ADSL 878 = G.Cisco 870 Series Integrated Services Router Dual.16/28 Security Cable Lock Console Port/Virtual AUX Port Non-trusted Pool 10. Inc.SHDSL (4-wire) ISDN S/T Port (876 and 878 Only) Trusted Pool 10.2. Cisco Confidential WAN Port: Reset 8 .

000 +. Cisco IT Deployment . Amsterdam Tel Aviv San Jose Boxborough RTP Tokyo Richardson Bangalore Hong Kong Singapore Sydney Management and Data Hub Presentation_ID © 2006 Cisco Systems. Inc. All rights reserved. Expected number of users – 30. .5 Management Hubs. Cisco Confidential Data Hub 9 .NG ECT is the RAEX enabler.11 pairs of Data Hubs.

Cisco Confidential 10 . ƒ It allows jump start of the branch offices and faster penetration into emerging markets. Flexible and Secure Cisco Enterprise Branch Architecture extends Headquarter Applications in real-time to remote sites. Internet LAN ƒ It allows significant WAN cost and OPEX reduction. ƒ Reduces the dependency on ISP. Inc.Site-to-Site VPN over Broadband A Fully Integrated. Presentation_ID © 2006 Cisco Systems. All rights reserved. Corp Office Corporate Resources Located in HQ It allows the secure ECT architecture to integrate the security with Unified Communications and Mobility solutions under the centralized management : WAN T1 ADSL Access Router ƒ It reduces provisioning lead times.

All rights reserved. All rights reserved. the QoS marking will be honored and/or the traffic will be contention free N-PE Broadband DSL (L3VPN PE) of Another SP CsC-CE To CsC-CE CPE DSLAM PE-Agg P From/to Unmanaged CE Branch Router = or QoS Reference Points of Another SP CsC-PE BRAS TECRST-106 11101_05_2005_c1 © 2005 Cisco Systems. Inc. Presentation_ID © 2006 Cisco Systems. Cisco Confidential 11 11 . Inc.Enabling "Guaranteed Internet": The service is as good as its weakest link Access Network Edge Core Border Another SP From/to Unmanaged To PE-ASBR CE Managed CE From/to Unmanaged of Another SP L3VPN (L3VPN-PE) P PE-ASBR CE Managed CE U-PE PE-Agg L2VPN ATM/FR/Metro P N-PE To CsC-PE For this traffic.

decision makers and business critical resources. Conferencing Cisco Anywhere Office Data Connectivity Cisco Anywhere Office Voice & Data Connectivity Best effort services Cisco ECT Presentation_ID © 2006 Cisco Systems. All rights reserved.Communications Requirements for Business Resiliency Management Communications Services Solution Suite Enabling Technologies VPN. Inc. Cisco Confidential 12 . Full Office Replication UC and collaboration tools for key executives. VoIP.

VPN solutions have evolved from business convenience to business critical. NG ECT offers an IP SLA to Cisco users and metrics to assess the quality of the provided services. from remote access solution to remote UC. ƒ The first generation Enterprise Class Teleworker Solution Network as a platform Presentation_ID © 2006 2007 Cisco Systems. ƒ The future of RAEX will be about equal user User Experience Business Models experience. It provides not only VPN access over the public networks for the remote users. Besides. building the service oriented network. for the Enterprise Environments. ECT – like managed security solutions are the preferred ones vs. enabling mobility and presence. but adds Enterprise class quality for data. non managed solutions due to their specifics and advantages. Cisco Confidential build the remote network architecture and became a platform for the next generations. voice. ECT has proven to be a big cost saver for Cisco IT and Cisco customers. ƒ The Next generation ECT (part of RAEX) is making Service Oriented Architecture the next step up. deploying next generation services and Cisco gear. building new business models. Unified communications and Collaboration. From industry prospective. All rights reserved. 13 . from technology to service. Inc. wireless and video.

ƒ Low cost of deployment.ECT Reduces TCO Total Cost of Ownership (TCO) Is the Sum of Acquisition Costs. as TCO Decreases. Cisco Confidential 45% Management Costs 14 . ROI Improves Total Cost Of Ownership (TCO) Return on investment (ROI) Years 1 2 3 4 5 35% 20% Operational Acquisition Costs Costs Life Time of the Asset Maintain a Low TCO by Using ƒ Lower costs of provisioning. All rights reserved. Plus All the Operational and Support Costs Over the Lifetime of an Asset—generally 3–5 Years. Inc. ƒ Lower costs of management ƒ Utilizing reusable components ƒ Automation of routine operations Presentation_ID © 2006 Cisco Systems. IT 12-14 % savings for ZTD for CPE.

Cisco All rights reserved. All rights reserved. Inc. © 2006 Cisco Systems. Inc.NG ECT Solution: End to End VPN Model and TCO Presentation_ID Presentation_ID © 2003 Systems. Cisco Confidential 15 15 .

End-to-end deployment ƒInteractive/ Automated decision making and service termination ƒ Automated event log management 16 . Inc. ƒ Hub-to-spoke and spoke-tospoke tunnels. DMVPN/ IPSec ƒ Automated control.1X-AAA. NHRP. Resiliency ƒ Full support of IP applications ƒ Data ƒ VoIP Cisco CNS 2100 Series Intelligence Engine: ƒ CNS Configuration Engine ƒ CNS Configuration Engine ƒ CNS Notification Engine ƒ CNS Notification Engine ƒ CNS Image engine ƒ CNS Image management engine Automated Zero Touch Deployment (ZTD) ƒ Bootstrap Configuration and PKI certificates (SDP) ƒ Off-line (CSM CA Proxy) ƒ In-house (RA engineer) ƒ Automated user service application and entitlement ƒ Automated configuration/preconfiguration and audit ƒ Automated image Management.NG ECT and End-to-End VPN Model and TCO E2EVPN End-to-end security Device and User Authentication and anti-theft protection ƒ Secure RSA Lock Key ƒ Secure ARP-proxy ƒ Auth-Proxyƒ AAA IEEE 802. Sub-CS modes) ƒ PKI-AAA Integration ƒ Auto-enrolment ƒ Multiple Trust Points ƒ Underlying security features ƒ IPSec (3DES or AES) ƒ Stateful Firewall ƒ NBAR and IDS Presentation_ID End-to-end connectivity DMVPN ƒ Failover/Load-balancing/SLB ƒ Dynamic routing ƒ Full – mesh and partial . Transport and Tunnel modes ƒ Multiple DMVPN clouds per head-end router.mesh topologies. All rights reserved. re-deployment and audit NAT ƒ Multicast (CS- End-to-end management Ongoing Management Cisco Security Manager (CSM) Cisco IE2100 based CNS Notification Engine QoS ƒ Wi-Fi ƒ Video Cisco Security Manager M) Firewall ƒ QoS © 2006 Cisco Systems. IPSec. monitoring and security management NBAR Cisco Confidential EMAN Framework Integration Automated policy deployment. ƒ IOS-Based PKI ƒ Certificate Server (CA&RA. Permanent and on-demand tunnels ƒ mGRE.

scalable solution enables quick addition and deletion of AAA Integration spoke routers utilizing existing AAA servers Cisco IOS® Stateful Firewall (CBAC) Maintains state info per application.Secure.1x User-level authentication (layer 2) Cisco IOS® PKI Support and PKI.End-to-End IOS Layered Security Feature Benefit RSA Key Loss Due to Password Recovery Guards against unauthorized configuration changes Secure RSA Private Key Prevents VPN connection after theft Secure ARP Anti-spoofing of IP addresses assigned to devices Authentication-Proxy User-level authentication (layer 3) 802. All rights reserved. will combine with CBAC to perform deep packet inspection with single lookup Network Based Application Recognition (NBAR) Addresses IP QoS classification requirements by classifying application-level protocols so that QoS policies can be applied. Cisco Confidential 17 . Inc. will provide deep packet inspection and off-board URL filtering Cisco IOS® IPS Multiple signatures. Presentation_ID © 2006 Cisco Systems.

the RSA private key will become unusable ƒ If the user tries to change the hostname of the router. the RSA private key is permanently deleted The Router Cannot Establish a VPN Session Using the Installed Certificates After Password Recovery Presentation_ID © 2006 Cisco Systems.RSA Key Loss Due to Password Recovery ƒ If someone attempts password recovery on the router. Inc. All rights reserved. Cisco Confidential 18 .

Secure ARP ƒ When the spoke router assigns an IP address via DHCP. Cisco Confidential 19 . All rights reserved. the entry is secured in the ARP table ƒ Intruder cannot just clear the ARP cache and use the IP address to gain access to the Cisco network Secure ARP Is an Effective Anti-Spoofing Mechanism. Inc. However the Best Approach for All Services Would Be to Require Device Certificates Presentation_ID © 2006 Cisco Systems.

upon successful authentication. workstations.Authentication Proxy ƒ Authentication proxy enables user authentication at layer 3 of the network stack. Cisco Confidential 20 . the user must authenticate in order to gain intranet access from laptops. an access list will be then downloaded to the router from the AAA RADIUS servers to enforce corporate access policies ƒ Authentication proxy can be implemented as a mechanism to prevent non-authorized users from accessing corporate network. ƒ User access to different areas of an intranet can be controlled via the group info on the RADIUS server or can be combined with NAC or user identity management systems Presentation_ID © 2006 Cisco Systems. and PCs. All rights reserved. Inc.

1x simplifies router configuration vs.IEEE port authentication . Inc.1x ƒ IEEE 802.1x authentication assigned to trusted VLAN ƒ 802.1x provides layer 2 port authentication of devices ƒ 2 VLANs on the spoke router Trusted (corporate routable) VLAN Non-trusted (home) VLAN Devices that pass 802. authentication proxy Presentation_ID © 2006 Cisco Systems. Cisco Confidential 21 . All rights reserved.802.

Cisco IOS Certificate Server PKI-AAA Integration ƒ Cisco IOS PKI solution provides the necessary encryption. which significantly simplifies the management of the existing ECT environment. Inc. ƒ IOS-CS supports CA. full backup. restore. confidentiality and non – repudiation feature set and addresses the MIM attack. RA. Presentation_ID © 2006 Cisco Systems. All rights reserved. ƒ It supports exportable and non-exportable keys. and auto-enroll ƒ IOS-CS permits storage of certificates on external databases or on local flash ƒ Cisco IOS PKI-AAA integration eliminates the need to manage CRLs. and subCS server modes. Cisco Confidential 22 .

All rights reserved. and more Presentation_ID © 2006 Cisco Systems.Cisco IOS Firewall Features ƒ Cisco IOS provides a stateful firewall and CBAC (Context-Based Access Control) ƒ The firewall ACL will block any nonauthorized access inbound attempts (from Internet) ƒ CBAC will open temporarily some application associated ports for the return traffic if the connections initiated from the inside. FTP. these ports will be closed. Upon expiration of the default timeouts and if there is no more interesting traffic. Inc. also supports protocols like SIP. SCCP. CBAC. SMTP. ƒ Apart from standard TCP and UDP. Cisco Confidential 23 .

ƒ Mission critical application can be guaranteed bandwidth. Inc. allowing the network to apply appropriate QoS controls. video. ƒ In NG ECT.Network Based Application Recognition (NBAR) ƒ NBAR is an intelligent classification engine that recognizes applications including Web-based and client/server applications which dynamically assign TCP or UDP port numbers. NBAR is used to match and remark the time sensitive traffic (IPT.trusted to trusted and allows the time sensitive applications to be routed in the corporate network in a cohesive way with other time sensitive traffic. Cisco Confidential 24 . IPC) at the ingress interface and queue and prioritize the traffic based on the this marking. In such way the NG ECT changes the status of this traffic from non . ƒ Improves VPN performance by ensuring identifying mission-critical traffic before it is encrypted. All rights reserved. Presentation_ID © 2006 Cisco Systems.

Inc. Inc. © 2006 Cisco Systems.NG ECT Solution: End-to-End Connectivity Presentation_ID Presentation_ID © 2003 Systems.Cisco All rights reserved. All rights reserved. Cisco Confidential 25 25 .

provides higher tunnel creation rate.End-to-End Connectivity Feature Benefit DMVPN Fundamentals Dynamic Multipoint VPN based upon IPSec. and Multipoint GRE Routing with DMVPN Routing protocols in DMVPN cloud provide responsive failover DMVPN Key Differentiators Simplifies configurations. and better redundancy. All rights reserved. Presentation_ID © 2006 Cisco Systems. NHRP. separates management and data traffic paths and builds on-demand full or partially meshed networks Server Load Balancing (SLB) Overall design The next generation DMVPN networks DMVPN and SLB design Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two separate designs. SLB DMVPN – Key Advantages SLB is much easier to configure and support. Inc. scales higher. Cisco Confidential 26 .

All rights reserved. ƒ Permanent and on-demand tunnels ƒ DMVPN is build on .IPSec (RFC 2401) . Cisco Confidential 27 .Multipoint GRE tunnel interface Presentation_ID Allows GRE interface to support multiple IPSec tunnels Simplifies size and complexity of configuration © 2006 Cisco Systems. ƒ Hub-to-spoke and spoke-to-spoke tunnels.Next Hop Resolution Protocol (NHRP) Hub maintains a (NHRP) database of all the spoke’s routable (public interface) addresses Each spoke registers its routable address with the NHRP server (hub) after successful negotiation of the IPSec tunnel Spokes query NHRP database for routable addresses of destination spokes to build direct tunnels . ƒ Failover/Load-balancing/SLB ƒ Dynamic routing ƒ Full – mesh and partial . Inc.mesh topologies.DMVPN Fundamentals Dynamic Multipoint VPN (DMVPN) is a Cisco IOS-based solution which integrates the Cisco VPN solutions with Cisco dynamic protocols framework.

All rights reserved.Standard DMVPN Design Corporate network DMVPN hubs Corp. Cisco Confidential 28 . FWs Spokes Presentation_ID © 2006 Cisco Systems. Inc.

Cisco Confidential 29 . All rights reserved. this frees the physical interface from a crypto map ƒ Management is performed over a separate VPN tunnel independent of the primary DMVPN data tunnels ƒ DMVPN allows for dynamic registration of spokes One tunnel interface on the hub side supports a single DMVPN cloud Eliminates static point-to-point configurations Reduces the complexity of the hub configuration ƒ DMVPN provides dynamic full and partial mesh capability Provides improved support for applications such as voice and video Presentation_ID © 2006 Cisco Systems. Inc.DMVPN: Key Differentiators ƒ DMVPN uses crypto profiles and tunnel protection.

Inc.Server Load Balancing (SLB) Overall design Corporate network Aggregation router Hubs Cluster of DMVPN hubs Aggregates user tunnels Server Load Balancer SLB balances connections Owns virtual IP address GRE/IPsec tunnels IGP + NHRP Spokes Presentation_ID © 2006 Cisco Systems. All rights reserved. Cisco Confidential 30 .

ƒ Both design solutions have their advantages and disadvantages and based on the existing documentation and lessons learned. A farm of 7200 Series routers are associated with the IPSec termination device and handles all tasks related to Next-Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (MGRE). SLB design provides the following advanced enhancements for DMVPN: Presentation_ID © 2006 Cisco Systems. All rights reserved. Cisco Confidential 31 . ƒ Design two – DMVPN IOS SLB hub The front device – typically Cisco 7200 or Cisco 7600 Series router performs the role of Load Balancer. A farm of 7200 Series routers are associated with the load balancer and handles all the tasks related to Next-Hop Resolution Protocol (NHRP) and multipoint generic routing encapsulation (mGRE) and IPSec encryption/decryption. Inc.DMVPN and SLB design ƒ Server Load Balancing (SLB) design of DMVPN is an enhancement of DMVPN and can be delivered in two different ways: ƒ Design one – DMVPN High concentration hub Typically Cisco 7600 Series router or Cat65K acts like primary tunnel termination Hub and perform encryption and decryption functions.

Presentation_ID © 2006 Cisco Systems. ƒ SLB provides higher tunnel creation rate.SLB DMVPN – Key Advantages ƒ SLB is much easier to configure and support. Inc. since the configuration of the peer tunnel IP is always the same no matter how large is the deployment. ƒ SLB scales higher. since the EIGRP – based scalability restrictions are mitigated and the number of tunnels is virtually limitless. All rights reserved. The peer IPSec IP (the termination device’s tunnel IP) acts like a cluster IP and does not change due to design or scalability considerations. Cisco Confidential 32 . recovers faster when cluster node becomes unavailable and provides spoke to spoke functionality as the standard DMVPN does.

or the SLB pair to fail over to another pair of hubs. the number of the primary hubs is actually equal to the number of the backup hubs and the total number is 2N. Cisco Confidential 33 . where in dual SLB design the CPE can connect to a pair of farm hubs.) ƒ SLB provides better redundancy. single layout design (from CPE) actually terminates the CPE to two separate SDGs. located in another part of the same campus. Inc. in SLB if we assume the same number of CPEs per Hub (pair of hubs) the number of Hubs in SLB design should be N+2 (assuming dual SLB head end design). In that case. maintaining active-active status of the crypto tunnel connections. located in another geographical location. which are not geographically co – located. © 2006 Cisco Systems. ƒ Presentation_ID SLB design can provide fully redundant solution. Everything equal. The standard DMPVN design provides redundancy in pairs – the dual tunnel. All rights reserved.SLB DMVPN – Key Advantages (Contd. In other words in its extreme the solution can allow CPE to fail over to another hub.

All rights reserved. Inc. Cisco Confidential 34 .NG ECT Solution and Low TCO – End-to-End Provisioning with Cisco Security Manager Presentation_ID © 2006 Cisco Systems.

ƒ It manages Site to Site VPNs. and security routers running Cisco IOS (IOS). Presentation_ID © 2006 Cisco Systems. Firewall Services Module (FWSM) installed in a Catalyst 6500/7600 device. HTTPS. such as SSL. TMS and Cisco Networking Services (CNS) working with CE 2. Telnet. ASA. ƒ CSM Manages Firewalls.PIX Firewall.Cisco Security Manager ƒ CSM Manages Devices . Remote Access VPNs. ƒ CSM Manages Policies. FWSM and Cisco IOS routers ƒ It manages transport mechanisms. SSL VPNs and Easy VPNs. PIX Firewall (PIX).0. All rights reserved. Inc. HTTP. activities and objects. Cisco Confidential 35 . Firewall Services manages firewall-related policies in Security Manager that apply to the adaptive security appliance (ASA).

) ƒ It manages Intrusion Prevention System (IPS). Presentation_ID © 2006 Cisco Systems. All rights reserved. ƒ Supports open XML/SOAP interface and NB APIs enabling integration with existing enterprise management framework ƒ Supports fully managed service functionality to notify the administrators for non-CSM initiated configuration changes ƒ CSM manages provisioning.Cisco Security Manager (Contd. Cisco Confidential 36 . Inc. manages deployment and manages FlexConfigs.

Configuring CSM .The Sample Device and the Security Policies ƒ Create a sample device. Inc. Cisco Confidential 37 . All rights reserved. Presentation_ID © 2006 Cisco Systems.

Access Control .The sample device and the security policies ƒ Create a sample device.AAA Access Rules .Access Rules .AuthProxy . Inc. All rights reserved.Inspection ƒ Site to Site VPN – Large scale DMVPN . ƒ Configure the FW policies: .SLB config ƒ Quality Of Service ƒ Configure NAT – flex config based Presentation_ID •• Start Startwith withsingle singledevice device •• Assign Assignpolicies policies •• Define Definethe thepolicies policiesas as shared or local shared or local © 2006 Cisco Systems.Configuring CSM . Cisco Confidential 38 .Inspection Rules .

ƒ Attach 871 prepend config(s) •Start •Startwith withsingle singledevice device •Attach prepend and •Attach prepend andappend appendflex flex configs. Inc. All rights reserved.Configuring CSM . Cisco Confidential 39 . based on expected granularity ƒ Attach BASIC append config(s) ƒ Attach WIFI append config(s) ƒ Attach IPT append config(s) ƒ Attach VIDEO append config(s) ƒ Attach 871 append config(s) Presentation_ID © 2006 Cisco Systems. based on expected granularity configs.The sample device and the flex configs ƒ Create a sample device.

Cisco Confidential 40 .1 SLB Hub configuration ƒ Configure a Hub device ƒ Configure SLB device and interfaces. ƒ Select devices for SLB Presentation_ID © 2006 Cisco Systems. ƒ Create Hub and Spoke VPN ƒ Edit Hub and Spoke.Cisco Security Manager 3. Inc. All rights reserved.

Inc. Cisco Confidential 41 .User Request for NG ECT Service Presentation_ID © 2006 Cisco Systems. All rights reserved.

ƒ EMAN Address Management: AM agent assigns /28 to every user. Cisco Confidential 42 .Eleven Steps to Provision and Deploy a Remote Router ƒ User submits the NG ECT request (changing/saving/etc) REQUESTED STATE ƒ Mgr approval triggers the processes APPROVED STATE ƒ EMAN Create ACS account on the ACS server as part of PKI&AAA config. Inc. All rights reserved. ƒ EMAN Host Management: Host record is created in EMAN for monitoring/tracking Presentation_ID © 2006 Cisco Systems.

ƒ TFTP IP address supplied by EMAN out of TNM. Cisco Confidential 43 . Inc.Eleven Steps to Provision and Deploy a Remote Router (Cont…) ƒ EMAN Template Management – the device is associated with the predefined set of templates. ƒ EMAN Address Management: AM agent assigns /32 ip address for the tunnel interface.configuration downloaded to the CPE router & the state changes to OPERATIONAL Presentation_ID © 2006 Cisco Systems. All rights reserved. ƒ CS-M cloning (6 sub-steps within the CS-M): ƒ CNS configuration staged ƒ SDM/SDP process .

Cisco IT Implementation – CSM Integration using APIs. Inc. Cisco Confidential 44 . Presentation_ID © 2006 Cisco Systems. All rights reserved.

Cisco Security Manager 3. Cisco Confidential 45 . All rights reserved.1 6 Easy CPE Provisioning Steps ƒ Clone a device from SAMPLESJC-871-ONE ƒ Set device properties – Transport protocol ƒ Set device properties – Interface roles ƒ Set device properties – Set Networks/Hosts ƒ Set device properties – Set Text Objects ƒ Edit QoS policy ƒ Submit and Deploy Presentation_ID © 2006 Cisco Systems. Inc.

Cisco Confidential 46 . Inc.NG ECT Solution and Low TCO – End-to-End Deployment with Cisco Security Manager Presentation_ID © 2006 Cisco Systems. All rights reserved.

router configured at staging facility ƒ Outsource to 3rd party. router configured at staging facility or on-site All Three Methods Add Excessive Cost to the Deployment Process! Presentation_ID © 2006 Cisco Systems. Inc. All rights reserved. Cisco Confidential 47 .Conventional Deployment of Spoke Routers ƒ In-house. router configured by IT ƒ Outsource to ISP.

NG ECT Offers Four Deployment Options ƒ Zero Touch Deployment. Cisco Confidential 48 . All rights reserved. spoke router provisioning process is automated to minimize TCO Presentation_ID © 2006 Cisco Systems. Inc.Special cases/configurations and pilot environments ƒ Regardless of the deployment option. User responsible for configuring router for Internet access and running SDP (Secure Device Provisioning) Policy configurations are pushed over the CNS transport mechanism ƒ On-line (Cert-Proxy) Allows engineer to configure router remotely ƒ E-Token Based Secure Device Provisioning Allows engineer to configure router remotely ƒ Off-line .

CE 2. 49 . gains access to corporate resources ƒ VPN tunnel established w/Data GW2 and stays active for failover.ECT CPE ZTD Deployment ƒ Spoke router performs SDP and obtains keys and certificates.0 Presentation_ID © 2006 Cisco Systems. Cisco Confidential ƒ Spoke router establishes mgmt tunnel. “calls home” and sends CNS “connect” event to CE Engine. Inc. VoIP: Phase 2 WLAN: Phase 3 ƒ Management GW authenticates spoke router using PKI-AAA integration Internet Management Tunnel Secondary Data Tunnel Management GW Primary Data Tunnel ƒ CE pushes & audits policy over management tunnel Data GW2 Data GW1 Internal Network CS-M. All rights reserved. Access to Corporate Resources ƒ Spoke router establishes VPN tunnel w/Data GW1.

0 Presentation_ID © 2006 Cisco Systems.ECT Architecture-Today-Auth Proxy Spouse and Kids? Auth Proxy Internet Management Tunnel Secondary Data Tunnel Management GW Primary Data Tunnel Data GW2 Data GW1 Internal Network CS-M. corporate resources (email. Cisco Confidential Access to Corporate Resources ƒ Today the ECT solution uses ‘Auth Proxy’ to authorize PC’s to corporate resources ƒ Auth Proxy uses a userid and Active Directory (AD) password through a browser ƒ Once the user has successfully authenticated. Inc. CE 2. All rights reserved. the PC can still access the internet 50 . etc) can be accessed) ƒ If the authorization is not successful. IM.

Inc. Cisco Confidential 51 .ROI. All rights reserved. TCO and ZTD Cumulative Cost Savings Presentation_ID © 2006 Cisco Systems.

All rights reserved. My last ECT router was shipped to me with a very large book on how to configure it. Inc. Pat Moore. I hooked everything up (including my home equipment) and had the new router configured in 15 minutes! Let me repeat that. The instructions on the Web and the printed material was easy for a nontechnical person to understand. Mgr. Workplace Resources Presentation_ID © 2006 Cisco Systems. It even amazes me that I was able to do it without hassle. The new router sat in a box next to my desk for about 4 days because I was planning to dedicate a full weekend to the process of hooking it up and getting it configured. 15 minutes. I dreaded the process. Cisco Confidential 52 . Wala! 15 minutes later I am back in business. much to my surprise.The Eser’s Experience I wanted to let you know my first hand experience with my new ECT router and getting it set up. the router was set up to be configured and connecting to the site for configuration was easy. Now back to work!!!!! But from home!!!!! Sincerely yours. Well.

Inc.NG ECT Solution and Low TCO – End-toEnd Management with Cisco Security Manager Presentation_ID © 2006 Cisco Systems. All rights reserved. Cisco Confidential 53 .

Automated Decision making Automated Deployment options: EMAN/CSM/CE based.over night password management.IOS management is based on EMAN/CNS-CE functionality Presentation_ID © 2006 Cisco Systems.Event . .push/pull policies and ACLs. Cisco Confidential 54 . Example .triggered deployments . .Rapid deployments . All rights reserved. Inc.TCO and Lower Costs of Management TCO and Utilizing Reusable Components ƒ ƒ ƒ ƒ ƒ Integration of CSM and CNS-CE into EMAN Monitoring – EMAN based Analyzing / Grouping – static and dynamic groups. .Regular deployments – once per 24 hours.Scheduled deployments .

Presentation_ID © 2006 Cisco Systems. Cisco Confidential 55 . Inc. ƒ Service MOVE from one location to another. ƒ Connection Type change ƒ Upload speed change – UP or DOWN. All rights reserved.TCO and Automation of routine operations MAJOR AUTOMATION WINS ƒ Migration from one device/platform to another.

All rights reserved.ISC to CS-M Migration. Cisco Confidential 56 . Inc. Platform A to Platform B Migration Presentation_ID © 2006 Cisco Systems.

All rights reserved. Cisco Confidential 57 . Inc.ZTD IPT Deployment (HOME) Presentation_ID © 2006 Cisco Systems.

ZTD of IPT for Remote Access
ƒ

ƒ
ƒ

ƒ

Presentation_ID

User applies for the IPT service as part of their ECT
service and upon approval orders their IP Phone or
installs IP Communicator (IPC); an additional instance
of a phone is configured for the employees Dialed
Number (DN) on the Cisco Call Manager (CM)
IPT device is shipped from factory.
ECT router is successfully configured and has
established data tunnels; user connects the IPT
device to the ECT router
When the IPT connects to the fully functional ECT
router, the universal loader will be loaded to the IPT
and the IPT will boot and obtain an IP.
© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

58

ZTD of IPT for Remote Access (Contd.)
ƒ

ƒ

ƒ
ƒ

Presentation_ID

The CCM will register the MAC address of the IPT
and it will assign a random DN to the phone, which
will appear of the IPT’ screen.
The user will use URL application to connect to a
server. The user will be authenticated and prompted
for user credentials.
Upon successful authentication the user will enter the
random DN, shown on the screen on the IPT.
The backend script will replace the random DN with
the previously assigned DN to the user. The IPT will
obtain the associated profile from TFTP server and it
will connect and register with the CCM.
© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

59

Service Oriented Architecture
over VPN. QOS, IP SLA and
Lessons Learned

Presentation_ID
Presentation_ID

© 2003
Systems,
Inc. All rights
reserved.
© 2006 Cisco Systems,
Inc.Cisco
All rights
reserved.
Cisco
Confidential

60
60

Voice. latency.Internet access.g. WebEx. Interactive Video as real-time) • Service Classes will have separate loss. All rights reserved. file transfer Scavenger class – TLM and Streaming video • Every map class later is associated with a separate policy. jitter requirements: Time Sensitive class—Voice. PoP-to-PoP Real Time Loss Delay Jitter Availability Contracted BW (cBW) Presentation_ID 9 9 9 9 © 2006 Cisco Systems.QOS and Minimum SLA Requirements • Applications with similar QoS requirements are grouped into a service (traffic) class (e. Interactive Video Business critical class—Oracle. Inc. MeetingPlace Best effort .. SAP. End-to-End Business BE 9 9 9 9 9 9 Cisco Confidential Real Time 9 9 9 9 9 Business BE 9 9 9 9 9 9 61 .

reporting methodology (web. Inc. Presentation_ID © 2006 Cisco Systems. Cisco Confidential 62 .measurement points. e-mail) reporting interval. report contents. methodology. failure criteria and penalty clauses. All rights reserved.IP SLA Metrics Minimum SLA Attributes Related to QoS Other SLA Attributes related to QoS Latency (Delay) Availability Packet Loss Mean Time to Repair (MTTR) Delay Variation (Jitter) Mean Time Between Failure (MTBF) Contracted Bandwidth Per-Flow Packet Sequence Preservation Throughput Admission Control Criteria Contention Ratio ISP supported QoS at the edge SLA measurement/reporting tools .

ƒ Interactive video traffic should be classified as AF41 or marked with TOS=4/TOS=2 ƒ The minimum priority bandwidth guarantee (LLQ) or CBWFQ is the size of the video conferencing session plus 20 percent. Inc. ƒ Voice (bearer) traffic should be classified as EF.711. ƒ One-way latency should be no more than 150 ms.) Presentation_ID © 2006 Cisco Systems. All rights reserved.IP SLA Requirements for IPT@Home and Interactive Video@Home ƒ Loss should be no more than one percent. Cisco Confidential 63 . (For example. a single 384 kbps video conferencing session requires 460 kbps of guaranteed priority bandwidth.729 then G. The reason is that jitter and out-of-order packets cause more audio signal damage with G. ƒ The codec type should not be a factor when configuring IPT for Home. or with TOS=5. ƒ Jitter should be no more than 30 ms. ƒ Call signaling traffic should be marked as AF31/CS3.

video content distribution. “less-than Best-Effort” services to certain applications. latency should be no more than 4–5 seconds (depending on video application’s buffering capabilities). Cisco Confidential 64 .Client-server applications. and NFS. messaging applications.Other QoS and IP SLA Requirements ƒ Streaming video (whether unicast or multicast) should be marked to CS3. ƒ Scavenger class. – Bulk/Non-Interactive . Bulk applications can dynamically take advantage of unused bandwidth and thus speed up their operations during non-peak periods. There are no significant jitter requirements. NTP. ƒ Locally-Defined Mission-Critical class. Inc. All rights reserved. Loss should be no more than 2 percent. Syslog. e-mail. Transactional and interactive applications with a high business priority: – Transactional/Interactive . and ISAKMP. EIGRP. Presentation_ID © 2006 Cisco Systems. ƒ Routing and Network Management class. such as SNMP. ƒ Best-Effort –It is recommended that at least 25 percent of a WAN link’s bandwidth be reserved for the default Best Effort class.Large file-transfers. network backups. The Transactional/Interactive class is a combination of two similar types of applications: transactional client-server applications and interactive-messaging applications. It is an optional class of service and includes minimal bandwidth queue for routing and other network control applications. database syncs and replication.

Radius and POP Path Jitter QoS Aware Voice Video VPN QoS Jitter VPN Aware Data Transfer UDP Echo Echo FTP Network Response © 2006 Cisco Systems.IP SLA Probe Types. All rights reserved. Web Traffic Network and Application Services DNS DHCP Server Traffic DLSw Layer 2 Services Applications (Beta) Netmeeting Real Player Path Echo Presentation_ID TCP Connect HTTP Custom TCL eMail Notes SAP News Cisco Confidential Frame Relay ATM LDAP 65 . Inc.

All rights reserved.Example rcdn-user-871#show ip sla status Round Trip Time (RTT) for Index 10 Latest RTT: 13 milliseconds Latest operation start time: 19:27:34.34 Presentation_ID © 2006 Cisco Systems. Cisco Confidential 66 .837 PDT Sun Oct 7 2007 Latest operation return code: OK RTT Values: Number Of RTT: 1000 RTT Min/Avg/Max: 10/13/26 milliseconds Latency one-way time: Number of Latency one-way Samples: 1000 Source to Destination Latency one way Min/Avg/Max: 1/2/14 milliseconds Destination to Source Latency one way Min/Avg/Max: 9/11/17 milliseconds ƒ Jitter: Number of Jitter Samples: 999 Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds ƒ Packet Loss Values: Loss Source to Destination: 0 Out Of Sequence: 0 Tail Drop: 0 Loss Destination to Source: 0 Packet Late Arrival: 0 ƒ Voice Score Values: Calculated Planning Impairment Factor (ICPIF): 1 Mean Opinion Score (MOS): 4.IP SLA Statistics . Inc.

SLAs and IP SLAs for the services is must. ƒ Start with limited pilot Become familiar with technology. grow to 100.Lessons Learned ƒ Select hub locations to optimize latency and keep it under certain threshold. ƒ Use CSM – CE to deploy and manage the environment. ƒ Plan phased approach for new services. For large scale deployments use NB APIs to integrate these management platforms into the existing management environment. All rights reserved. ƒ Develop a proactive monitoring and support. Understand information requirements and system flow and scale. Cisco Confidential 67 . Deploying the technology to multiple segments of the network allows IT organizations to maintain low TCO. Inc. Presentation_ID © 2006 Cisco Systems. ƒ Automate all the routine operations. Allow the support engineers to participate in the pilot phase.

html Call to get Product. “Troubleshooting Remote Access Networks”.More Networked Home/Access Resources Case Studies http://www.com/web/about/ciscoitatwork/case_studies.cisco. ISBN: 1587050765.cisco. Cisco Press.html Nedeltchev P. http://www. Solution and Financing Information 1-800-745-8308 ext 4699 Other Resources DMVPN Extends Business Ready Teleworker. Presentation_ID © 2006 Cisco Systems.com/en/US/about/ac123/ac114/ac173/Q204/dmvpn. Inc. Cisco Confidential 68 . All rights reserved.

Presentation_ID © 2006 Cisco Systems. All rights reserved. Inc. Cisco Confidential 69 .