[cisco-voip] Home user
Linsemier, Matthew
MLinsemier at apcapital.com
Wed Oct 17 11:19:07 EDT 2007
In our environment we utilize PIX firewalls (still have to upgrade to
ASAs) to handle our firewall needs and then use the 3800 series router
just to terminate the DMVPN home users. They are deployed in parallel
and sit behind a perimeter screening router (another 3800 series
router). We shied away from using the PIX for the simple fact that
while it would preserve QoS markings, we couldn't do any remarking or
shaping in the device. Maybe this has changed in the ASA, but I don't
think you have the control like you do in IOS (such as qos pre-classify,
shaping, policing, etc.). Depending on how many tunnels you plan on
using, you could use a router much smaller than a 3800 series to
terminate the end nodes.
On the home user end we have the Cisco 871/877 routers configured to
support wired and wireless connections using three VLANs. We have a
VLAN configured for corporate connectivity, one VLAN configured as a
voice VLAN, and then a VLAN configured for untrusted traffic. One
Ethernet port on the router provides connectivity to the corporate and
voice VLANs, while the remaining three are configured as untrusted.
Similarly with wireless, we extend PEAP authentication from the
headquarters and authenticate users to the corporate VLAN, and use a
WPA-PSK to secure the untrusted connections. This way the users plug in
their phone, then their laptop/docking station to port 0, and any other
home devices can be connected to ports 1-3 or use the wireless WPA-PSK
network and be logically segregated (using ACLs) from any data on the
corporate network. This way we can also control QoS and mark down all
traffic that enters the router from the untrusted network. So when said
employee's son or daughter starts downing a 2 gig torrent from a home PC,
they don't kill the voice or impact the corporate workflow. Eventually
we will be implementing 802.1x on the corporate port for additional
security, but have had mixed results getting it to work with Windows
XP.
Hope this helps.
Matt
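A constructed IOS fragment, added here as an illustration and not Matt's actual configuration, showing how the three-VLAN split, the ACL segregation and the mark-down of untrusted traffic described above fit together on an 87x (VLAN numbers, subnets, port roles and the tunnel interface are assumptions):

```ios
! Constructed example: assumed VLAN ids, subnets and port roles (not the poster's config)
! VLAN 10 = corporate data, VLAN 20 = voice, VLAN 30 = untrusted home devices
interface FastEthernet0
 description Phone, then docked laptop behind it: data untagged, voice tagged
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
interface FastEthernet1
 description Untrusted home device
 switchport access vlan 30
!
interface FastEthernet2
 switchport access vlan 30
!
interface FastEthernet3
 switchport access vlan 30
!
interface Vlan10
 ip address 10.200.1.1 255.255.255.0
!
interface Vlan20
 ip address 10.200.2.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ! Keep home devices off the corporate and voice address space (assumed 10/8)
 ip access-group UNTRUSTED-IN in
 ! Reset whatever DSCP the home devices set before it competes with voice
 service-policy input MARKDOWN-UNTRUSTED
!
ip access-list extended UNTRUSTED-IN
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
policy-map MARKDOWN-UNTRUSTED
 class class-default
  set ip dscp default
!
interface Tunnel0
 description DMVPN to head-end (assumed)
 ! Classify on the cleartext packet so voice keeps its marking inside the tunnel
 qos pre-classify
```

The ACL blocks the untrusted VLAN from reaching anything reachable over the tunnel while still allowing it out to the Internet; the input policy on Vlan30 ensures only the voice VLAN carries a priority marking toward the head-end.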
From: Jerky [mailto:lists at jerkys.org]
Sent: Tuesday, October 16, 2007 6:32 PM
To: Linsemier, Matthew
Cc: Curt Shaffer; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Home user
This has been kicked around for a while since we moved to CallManager
but not much thought has been given to it. I'm trying to understand how
your hardware is set up. How would it look, similar to one of these?
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
<--Ethernet--> LAN
or
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <--->
ASA or PIX Firewall <--Ethernet--> LAN
Is the 3800 used for all your firewalling needs in lieu of something
like an ASA or PIX? Sonicwalls are currently in place and haven't
worked very well for the remote users they were tested with. The Sonicwalls
we have don't have anything similar to what the 871's seem to have in
regards to VLANs and packet tagging. We would probably kick the
Sonicwalls out if something else would work better.
jeff
On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:
We currently have about 40 production remote home teleworkers that have
been deployed using Cisco 871/877 wireless routers and 7960 phones.
We are using a Cisco 3845 series router at the head-end so that we can
control QoS tagging on the egress / ingress points of both sides of the
VPN tunnel. We are using a phase 2 DMVPN solution dual-homed to two
sites to provide secure redundant connectivity.
It took me a bit to tweak my router configurations (I started on Cisco
831/837 routers) to get the results that we wanted, but all in all our
users are happy. There is the occasional jitter and packet loss (it is
the Internet mind you) but G.729 is working quite well coupled with
business cable and DSL services.
If you have any other questions, feel free to ask.
Matt
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Curt Shaffer
Sent: Monday, October 15, 2007 6:37 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Home user
I was wondering what everyone out there is using for the situation where
you have someone on your CCM or CCME that has 1 phone at a home office.
Something tells me an ASA is overkill and I haven't found solid
information that any of the 87x routers support tagging QoS of packets
going through the VPN tunnel. We would obviously like to have QoS in
place even though it's not respected at their ISP just to make sure the
VPN/Voice packets are leaving their routers first as a best effort to
get some quality.
Thanks
________________________________
CONFIDENTIALITY STATEMENT
This communication and any attachments are CONFIDENTIAL and may be
protected by one or more legal privileges. It is intended solely for the
use of the addressee identified above. If you are not the intended
recipient, any use, disclosure, copying or distribution of this
communication is UNAUTHORIZED. Neither this information block, the typed
name of the sender, nor anything else in this message is intended to
constitute an electronic signature unless a specific statement to the
contrary is included in this message. If you have received this
communication in error, please immediately contact me and delete this
communication from your computer. Thank you.
________________________________
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip