Extended
Workplace VPN
Solution
Cisco on Cisco
Technology Tutorial
Plamen Nedeltchev
Ph.D. Sr. Member of Technical Staff, Cisco IT
Bob Scarbrough
IT Program Manager, Cisco IT, (Host)
Presentation_ID
Cisco Confidential
RAEX Agenda
ACCESS MARKET CHALLENGES AND DEMANDS.
RAEX PROGRAM AND ITS COMPONENTS.
TOTAL COST OF OWNERSHIP (TCO)
NG ECT NETWORK AS A PLATFORM:
End to end VPN model and TCO
End to End Security
End to End Connectivity
End to End Provisioning with Cisco Security Manager (CSM)
End to End Deployment with Cisco Security Manager (CSM)
End to End Management with Cisco Security Manager (CSM)
Cisco Confidential
Residential
BRODBAND
penetration
IP Phone
Cisco 8XX
Router
Data
VPN Head-end
Router
Corporate
Network
Broadband Internet
Wi-Fi
Voice
Video
Enterprise Class
Services encrypted
data, IPT, video,
WIFI
Presentation_ID
ZTD, Automated
Management,
manageable TCO.
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Cisco Confidential
NG ECT Solution
Cisco IOS-Based Site-to-Site VPN
Enterprise, SMB or
ISP models
Home
Network
ISP
Internet
Secondary
Data Tunnel
Mgmt
Tunnel
Mgmt
GW
Primary
Data Tunnel
Data
Data GW1GW #1
CSM 3.1
IE2100/CE 2.0
PKI Servers
PKI Registrar
Presentation_ID
Data
GW#2
Management subnet is
separate from data
subnet and can be
geographically
isolated
Cisco
Cisco Confidential
WAN Port:
871 = 100 MB Ethernet
876 = ADSL over ISDN
877 = ADSL
878 = G.SHDSL (4-wire)
Trusted Pool
10.25.224.16/28
Security
Cable Lock
Console
Port/Virtual
AUX Port
Non-trusted Pool
10.0.2.0/24
Memory
Flash
Default: 24 MB
Max: 52 MB
DRAM
Default: 128 MB
Max: 256 MB
4-Port 10/100
Managed Switch
Presentation_ID
Cisco Confidential
WAN Port:
Reset
Amsterdam
Tel Aviv
San Jose
Boxborough
RTP
Tokyo
Richardson
Bangalore
Hong
Kong
Singapore
Sydney
Cisco Confidential
Data Hub
9
Corp Office
Corporate
Resources
Located in HQ
WAN
T1
ADSL
Access Router
Internet
LAN
Presentation_ID
Cisco Confidential
10
Edge
From/to Unmanaged
To PE-ASBR
CE
Managed CE
From/to Unmanaged
of Another SP
L3VPN
(L3VPN-PE)
PE-ASBR
CE
Managed CE
U-PE
PE-Agg
L2VPN ATM/FR/Metro
N-PE
To CsC-PE
of Another SP
CsC-CE
To CsC-CE
CPE
DSLAM
PE-Agg
From/to Unmanaged
CE
Branch
Router
= or
QoS
Reference
Points
of Another SP
CsC-PE
BRAS
TECRST-106
11101_05_2005_c1
2005
Cisco
Systems,
Inc. All rights
reserved.
Presentation_ID
2006 Cisco Systems,
Inc.
All rights
reserved.
Cisco
Confidential
11
11
Solution Suite
Enabling Technologies
VPN, VoIP, Conferencing
Cisco Anywhere Office
Data Connectivity
Presentation_ID
12
User Experience
Business Models
Service Oriented
Architecture
Network as a
platform
Presentation_ID
2006
2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Return on
investment
(ROI)
Years
35%
20%
Operational Acquisition
Costs
Costs
Cisco Confidential
45%
Management
Costs
14
NG ECT Solution:
End to End VPN
Model and TCO
Presentation_ID
Presentation_ID
2003
Systems,
Inc. All rights
reserved.
2006 Cisco Systems,
Inc.Cisco
All rights
reserved.
Cisco
Confidential
15
15
End-to-end connectivity
DMVPN
Failover/Load-balancing/SLB
Dynamic routing
Full mesh and partial - mesh
topologies.
Hub-to-spoke and spoke-tospoke tunnels. Permanent and
on-demand tunnels
mGRE, IPSec, NHRP.
Transport and Tunnel modes
Multiple DMVPN clouds per
head-end router. Resiliency
Full support of IP
applications
Data
VoIP
DMVPN/ IPSec
NBAR
Cisco Confidential
NAT
Multicast
(CS-
End-to-end management
Ongoing Management Cisco
Security Manager (CSM) Cisco
IE2100 based
CNS Notification Engine
QoS
Wi-Fi
Video
Firewall
QoS
End-to-end deployment
16
Benefit
Secure ARP
Authentication-Proxy
802.1x
Cisco IOS PKI Support and PKI- Secure, scalable solution enables quick addition and deletion of
AAA Integration
spoke routers utilizing existing AAA servers
Cisco IOS Stateful Firewall
(CBAC)
Presentation_ID
Cisco Confidential
17
Cisco Confidential
18
Secure ARP
When the spoke router assigns an IP address via
DHCP, the entry is secured in the ARP table
Intruder cannot just clear the ARP cache and use the IP
address to gain access to the Cisco network
Cisco Confidential
19
Authentication Proxy
Authentication proxy enables user authentication
at layer 3 of the network stack; the user must
authenticate in order to gain intranet access from
laptops, workstations, and PCs; upon successful
authentication, an access list will be then downloaded
to the router from the AAA RADIUS servers to enforce
corporate access policies
Authentication proxy can be implemented as
a mechanism to prevent non-authorized users
from accessing corporate network.
User access to different areas of an intranet can be
controlled via the group info on the RADIUS server or
can be combined with NAC or user identity
management systems
Presentation_ID
Cisco Confidential
20
Presentation_ID
Cisco Confidential
21
Cisco Confidential
22
Cisco Confidential
23
Presentation_ID
Cisco Confidential
24
NG ECT Solution:
End-to-End Connectivity
Presentation_ID
Presentation_ID
2003
Systems,
Inc. All rights
reserved.
2006 Cisco Systems,
Inc.Cisco
All rights
reserved.
Cisco
Confidential
25
25
End-to-End Connectivity
Feature
Benefit
DMVPN Fundamentals
Presentation_ID
Cisco Confidential
26
DMVPN Fundamentals
Dynamic Multipoint VPN (DMVPN) is a Cisco IOS-based solution
which integrates the Cisco VPN solutions with Cisco dynamic
protocols framework.
Failover/Load-balancing/SLB
Dynamic routing
Full mesh and partial - mesh topologies.
Hub-to-spoke and spoke-to-spoke tunnels.
Permanent and on-demand tunnels
DMVPN is build on
- IPSec (RFC 2401)
Cisco Confidential
27
Corp. FWs
Spokes
Presentation_ID
Cisco Confidential
28
Presentation_ID
Cisco Confidential
29
Hubs
GRE/IPsec tunnels
IGP + NHRP
Spokes
Presentation_ID
Cisco Confidential
30
Cisco Confidential
31
Presentation_ID
Cisco Confidential
32
Presentation_ID
SLB design can provide fully redundant solution, where in dual SLB
design the CPE can connect to a pair of farm hubs, which are not
geographically co located. In other words in its extreme the
solution can allow CPE to fail over to another hub, located in
another part of the same campus, or the SLB pair to fail over to
another pair of hubs, located in another geographical location.
Cisco Confidential
33
Presentation_ID
Cisco Confidential
34
Cisco Confidential
35
Presentation_ID
Cisco Confidential
36
Presentation_ID
Cisco Confidential
37
Presentation_ID
Start
Startwith
withsingle
singledevice
device
Assign
Assignpolicies
policies
Define
Definethe
thepolicies
policiesas
as
shared
or
local
shared or local
Cisco Confidential
38
Start
Startwith
withsingle
singledevice
device
Attach
prepend
and
Attach prepend andappend
appendflex
flex
configs,
based
on
expected
granularity
configs, based on expected granularity
Attach BASIC
append
config(s)
Attach WIFI
append
config(s)
Attach IPT
append
config(s)
Attach VIDEO
append
config(s)
Attach 871
append
config(s)
Presentation_ID
Cisco Confidential
39
Presentation_ID
Cisco Confidential
40
Presentation_ID
Cisco Confidential
41
Presentation_ID
Cisco Confidential
42
Presentation_ID
Cisco Confidential
43
Cisco IT Implementation
CSM Integration using APIs.
Presentation_ID
Cisco Confidential
44
Presentation_ID
Cisco Confidential
45
Presentation_ID
Cisco Confidential
46
Conventional Deployment
of Spoke Routers
In-house; router configured by IT
Outsource to ISP; router configured at staging facility
Outsource to 3rd party; router configured at
staging facility or on-site
Cisco Confidential
47
On-line (Cert-Proxy)
Allows engineer to configure router remotely
Presentation_ID
Cisco Confidential
48
VoIP: Phase 2
WLAN: Phase 3
Management GW
authenticates spoke router
using PKI-AAA integration
Internet
Management
Tunnel
Secondary Data
Tunnel
Management GW
Primary Data
Tunnel
Data GW2
Data GW1
Internal
Network
CS-M, CE 2.0
Presentation_ID
Cisco Confidential
Access to
Corporate
Resources
Internet
Management
Tunnel
Secondary Data
Tunnel
Management GW
Primary Data
Tunnel
Data GW2
Data GW1
Internal
Network
CS-M,
CE 2.0
Presentation_ID
Cisco Confidential
Access to
Corporate
Resources
50
Presentation_ID
Cisco Confidential
51
Presentation_ID
Cisco Confidential
52
Presentation_ID
Cisco Confidential
53
Presentation_ID
Cisco Confidential
54
Presentation_ID
Cisco Confidential
55
Presentation_ID
Cisco Confidential
56
Presentation_ID
Cisco Confidential
57
Presentation_ID
Cisco Confidential
58
Presentation_ID
Cisco Confidential
59
Presentation_ID
Presentation_ID
2003
Systems,
Inc. All rights
reserved.
2006 Cisco Systems,
Inc.Cisco
All rights
reserved.
Cisco
Confidential
60
60
Loss
Delay
Jitter
Availability
Contracted BW
(cBW)
Presentation_ID
9
9
9
9
End-to-End
Business
BE
9
9
9
9
Cisco Confidential
Real
Time
9
9
9
9
9
Business
BE
9
9
9
9
9
9
61
IP SLA Metrics
Minimum SLA Attributes
Related to QoS
Latency (Delay)
Availability
Packet Loss
Contracted Bandwidth
Throughput
Contention Ratio
Presentation_ID
Cisco Confidential
62
Cisco Confidential
63
Presentation_ID
Cisco Confidential
64
QoS
Aware
Voice
Video
VPN
QoS
Jitter
VPN
Aware
Data
Transfer
UDP
Echo
Echo
FTP
Network
Response
Web
Traffic
Network
and
Application
Services
DNS
DHCP
Server
Traffic
DLSw
Layer 2
Services
Applications
(Beta)
Netmeeting
Real Player
Path
Echo
Presentation_ID
TCP
Connect
HTTP
Custom
TCL
eMail
Notes
SAP
News
Cisco Confidential
Frame Relay
ATM
LDAP
65
Index 10
RTT Values:
Number Of RTT: 1000
Jitter:
Number of Jitter Samples: 999
Source to Destination Jitter Min/Avg/Max: 1/1/13 milliseconds
Destination to Source Jitter Min/Avg/Max: 1/1/6 milliseconds
Cisco Confidential
66
Lessons Learned
Select hub locations to optimize latency and keep it under
certain threshold.
Start with limited pilot
Become familiar with technology, grow to 100.
Understand information requirements and system flow and scale.
Deploying the technology to multiple segments of the network allows IT
organizations to maintain low TCO.
Plan phased approach for new services. SLAs and IP SLAs for
the services is must.
Use CSM CE to deploy and manage the environment. For
large scale deployments use NB APIs to integrate these
management platforms into the existing management
environment.
Automate all the routine operations.
Develop a proactive monitoring and support. Allow the
support engineers to participate in the pilot phase.
Presentation_ID
Cisco Confidential
67
Other Resources
DMVPN Extends Business Ready Teleworker. http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q204/dmvpn.html
Presentation_ID
Cisco Confidential
68
Presentation_ID
Cisco Confidential
69