[cisco-voip] Home user

Curt Shaffer cshaffer at gmail.com
Sat Oct 20 07:40:15 EDT 2007


I tried searching on this on cisco.com. Do you have a part number or a more
direct name that may help? Is this something that is production ready or is
it still beta quality?

 

Thanks

 

Curt

 

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, October 17, 2007 2:05 PM
To: Jerky
Cc: Linsemier, Matthew; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Home user

 

no Cisco CPE required.

 

ip phone
  |
internet connection
  |
  ------------------------- phone proxy
  |                              |
  |                              |
FW / router                      |
  |                              |
internal network ---------- voice network

 

basically you save the money of a Cisco CPE by getting the phone proxy.  let
the end users VPN in with the client for data purposes or use Citrix to get
around VPN altogether.

 

the phone proxy has a north / South interface so the only thing going
through it is the authenticated voice traffic.

 

hope that's understandable.

 

scott

 



 

On 10/17/07, Jerky <lists at jerkys.org> wrote: 

so it would be more like this: 


 

Cisco 871
     |
DSL CABLE
     |
Internet
     |
T1 Connection (Serial0/0/0)
          |
   _____ 3800 _____
  |                |
ethernet 0/0   ethernet 0/1
  |                |
PIX/ASA        3800 (Cisco 871 VPN's terminate here)
  |                |
LAN(computers) LAN (Voice)


 


 

Hopefully my crude diagram makes sense. Do your home users have access to
any data on the computer network side? Or are the 87x VPNs solely for getting
to the voice network? If users access things on the "computer" side, would you
have a separate tunnel set up just for that?


 

Thanks so much for helping enlighten me. It's been very helpful.


 

jeff


 


 


 

On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:





In our environment we utilize PIX firewalls (still have to upgrade to ASA's)
to handle our firewall needs and then use the 3800 series router just to
terminate the DMVPN home users.  They are deployed in parallel and sit
behind a perimeter screening router (another 3800 series router).  We shied
away from using the PIX for the simple fact that while it would preserve QoS
markings, we couldn't do any remarking or shaping in the device.  Maybe this
has changed in the ASA, but I don't think you have the control like you do
in IOS (such as qos pre-classify, shaping, policing,  etc.).  Depending on
how many tunnels you plan on using, you could use a router much smaller than
a 3800 series to terminate the end nodes. 

 

On the home user end we have the Cisco 871/877 routers configured to support
wired and wireless connections using three VLANS.  We have a VLAN configured
for corporate connectivity, one VLAN configured as a voice VLAN, and then a
VLAN configured for untrusted traffic.  One Ethernet port on the router
provides connectivity to the corporate and voice VLANS, while the remaining
three are configured as untrusted.  Similarly with Wireless, we extend PEAP
authentication from the headquarters and authenticate users to the corporate
VLAN, and use a WPA-PSK to secure the untrusted connections.  This way the
users plug in their phone, then their laptop/docking station to port 0, and
any other home devices can be connected to port 1-3 or use the wireless
WPA-PSK network and be logically segregated (using ACL's) from any data on
the corporate network.  This way we can also control QoS and mark down all
traffic that enters the router from the untrusted network.  So when said
employee's son or daughter starts downing a 2 gig torrent from a home PC,
they don't kill the voice or impact the corporate workflow.  Eventually we
will be implementing 802.1x on the corporate port for additional security,
but have had mixed results of getting it to work with Windows XP.


Hope this helps. 

 

Matt

 

 

From: Jerky [mailto:lists at jerkys.org] 
Sent: Tuesday, October 16, 2007 6:32 PM 
To: Linsemier, Matthew
Cc: Curt Shaffer; cisco-voip at puck.nether.net 
Subject: Re: [cisco-voip] Home user

 

This has been kicked around for a while since we moved to CallManager but
not much thought has been given to it. I'm trying to understand how your
hardware is set up. How would it look, similar to one of these? 

 

87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
<--Ethernet--> LAN

 

or

 

87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <---> ASA
or PIX Firewall <--Ethernet--> LAN

 

Is the 3800 used for all your firewalling needs in lieu of something like an
ASA or PIX? Sonicwall's are currently in place and haven't worked very well
for the remote users it was tested with. The Sonicwalls we have don't have
anything similar to what the 871's seem to have in regards to vlans and
packet tagging. We would probably kick the Sonicwalls out if something else
would work better. 

 

jeff

 

On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:

 

We currently have about 40 production remote home teleworkers that have been
deployed using Cisco 871/877 wireless routers and 7960 phones.  We are
using a Cisco 3845 series router at the head-end so that we can control QoS
tagging on the egress / ingress points of both sides of the VPN tunnel.  We
are using a phase 2 DMVPN solution dual-homed to two sites to provide secure
redundant connectivity. 

  

It took me a bit to tweak my router configurations (I started on Cisco
831/837 routers) to get the results that we wanted, but all in all our
users are happy.  There is the occasional jitter and packet loss (it is the
Internet mind you) but g.729 is working quite well coupled with business
cable and DSL services.

  

If you have any other questions, feel free to ask. 

  

Matt 

  

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net ] On Behalf Of Curt Shaffer
Sent: Monday, October 15, 2007 6:37 PM
To: cisco-voip at puck.nether.net 
Subject: [cisco-voip] Home user

 

I was wondering what everyone out there is using for the situation where you
have someone on your CCM or CCME that has 1 phone at a home office.
Something tells me an ASA is overkill and I haven't found solid information
that any of the 87x routers support tagging QoS of packets going through the
VPN tunnel. We would obviously like to have QoS in place even though it's
not respected at their ISP just to make sure the VPN/Voice packets are
leaving their routers first as a best effort to get some quality. 

 

Thanks

 

 

  _____  

CONFIDENTIALITY STATEMENT
This communication and any attachments are CONFIDENTIAL and may be protected
by one or more legal privileges. It is intended solely for the use of the
addressee identified above. If you are not the intended recipient, any use,
disclosure, copying or distribution of this communication is UNAUTHORIZED.
Neither this information block, the typed name of the sender, nor anything
else in this message is intended to constitute an electronic signature
unless a specific statement to the contrary is included in this message. If
you have received this communication in error, please immediately contact me
and delete this communication from your computer. Thank you. 

  _____  

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

 


 
