[cisco-voip] Home user
Jerky
lists at jerkys.org
Wed Oct 17 13:52:52 EDT 2007
So it would be more like this:

                Cisco 871
                    |
                DSL / Cable
                    |
                 Internet
                    |
       T1 Connection (Serial0/0/0)
                    |
             _____ 3800 _____
            |                |
       ethernet 0/0     ethernet 0/1
            |                |
         PIX/ASA       3800 (Cisco 871 VPNs terminate here)
            |                |
     LAN (computers)     LAN (Voice)
Hopefully my crude diagram makes sense. Do your home users have
access to any data on the computer network side, or are the 87x VPNs
solely for getting to the voice network? If users access things on the
"computer" side, would you have a separate tunnel set up just for that?
Thanks so much for helping enlighten me. It's been very helpful.
jeff
On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:
> In our environment we utilize PIX firewalls (still have to upgrade
> to ASAs) to handle our firewall needs and then use the 3800 series
> router just to terminate the DMVPN home users. They are deployed
> in parallel and sit behind a perimeter screening router (another
> 3800 series router). We shied away from using the PIX for the
> simple fact that while it would preserve QoS markings, we couldn’t
> do any remarking or shaping in the device. Maybe this has changed
> in the ASA, but I don’t think you have the control like you do in
> IOS (such as qos pre-classify, shaping, policing, etc.).
> Depending on how many tunnels you plan on using, you could use a
> router much smaller than a 3800 series to terminate the end nodes.
>
> On the home user end we have the Cisco 871/877 routers configured
> to support wired and wireless connections using three VLANs. We
> have a VLAN configured for corporate connectivity, one VLAN
> configured as a voice VLAN, and then a VLAN configured for
> untrusted traffic. One Ethernet port on the router provides
> connectivity to the corporate and voice VLANs, while the remaining
> three are configured as untrusted. Similarly, with wireless, we
> extend PEAP authentication from the headquarters and authenticate
> users to the corporate VLAN, and use a WPA-PSK to secure the
> untrusted connections. This way the users plug in their phone,
> then their laptop/docking station to port 0, and any other home
> devices can be connected to ports 1-3 or use the wireless WPA-PSK
> network and be logically segregated (using ACLs) from any data on
> the corporate network. This way we can also control QoS and mark
> down all traffic that enters the router from the untrusted
> network. So when said employee's son or daughter starts downloading
> a 2 gig torrent from a home PC, they don't kill the voice or impact
> the corporate workflow. Eventually we will be implementing 802.1x on
> the corporate port for additional security, but have had mixed
> results getting it to work with Windows XP.
>
> Hope this helps.
>
> Matt
>
> From: Jerky [mailto:lists at jerkys.org]
> Sent: Tuesday, October 16, 2007 6:32 PM
> To: Linsemier, Matthew
> Cc: Curt Shaffer; cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] Home user
>
> This has been kicked around for a while since we moved to
> CallManager but not much thought has been given to it. I'm trying
> to understand how your hardware is setup. How would it look,
> similar to one of these?
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <--Ethernet--> LAN
>
> or
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <---> ASA or PIX Firewall <--Ethernet--> LAN
>
> Is the 3800 used for all your firewalling needs in lieu of
> something like an ASA or PIX? Sonicwalls are currently in place
> and haven't worked very well for the remote users it was tested
> with. The Sonicwalls we have don't have anything similar to what
> the 871's seem to have in regards to vlans and packet tagging. We
> would probably kick the Sonicwalls out if something else would work
> better.
>
> jeff
>
> On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:
>
> We currently have about 40 production remote home teleworkers that
> have been deployed using Cisco 871/877 wireless routers and 7960
> phones. We are using a Cisco 3845 series router at the head-end so
> that we can control QoS tagging on the egress / ingress points of
> both sides of the VPN tunnel. We are using a phase 2 DMVPN
> solution dual-homed to two sites to provide secure redundant
> connectivity.
>
> It took me a bit to tweak my router configurations (I started on
> Cisco 831/837 routers) to get the results that we wanted, but all
> in all our users are happy. There is the occasional jitter and
> packet loss (it is the Internet, mind you) but G.729 is working
> quite well coupled with business cable and DSL services.
>
> If you have any other questions, feel free to ask.
>
> Matt
>
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-
> bounces at puck.nether.net] On Behalf Of Curt Shaffer
> Sent: Monday, October 15, 2007 6:37 PM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] Home user
>
> I was wondering what everyone out there is using for the situation
> where you have someone on your CCM or CCME that has 1 phone at a
> home office. Something tells me an ASA is overkill and I haven’t
> found solid information that any of the 87x routers support tagging
> QoS of packets going through the VPN tunnel. We would obviously
> like to have QoS in place even though it’s not respected at their
> ISP just to make sure the VPN/Voice packets are leaving their
> routers first as a best effort to get some quality.
>
> Thanks
>
> CONFIDENTIALITY STATEMENT
> This communication and any attachments are CONFIDENTIAL and may be
> protected by one or more legal privileges. It is intended solely
> for the use of the addressee identified above. If you are not the
> intended recipient, any use, disclosure, copying or distribution of
> this communication is UNAUTHORIZED. Neither this information block,
> the typed name of the sender, nor anything else in this message is
> intended to constitute an electronic signature unless a specific
> statement to the contrary is included in this message. If you have
> received this communication in error, please immediately contact me
> and delete this communication from your computer. Thank you.
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
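The teleworker spoke design Matt describes in the thread (an 871 with a corporate, a voice and an untrusted VLAN; ACLs keeping the untrusted ports off the corporate network; all untrusted traffic marked down; a DMVPN spoke towards the 3845 with qos pre-classify), written out as an added example configuration. This is not a config from the thread or from any of the posters. VLAN numbers, subnets, DSCP values, bandwidth figures, the hub address 203.0.113.1 and the use of FastEthernet4 as the WAN port are all assumptions; the switch ports are assumed to support a voice VLAN, and the wireless side (PEAP and WPA-PSK SSIDs mapped to VLANs 10 and 30) is left out.

```cisco
! Added example, not from the thread. VLANs 10/20/30 (corporate/voice/
! untrusted) are assumed to exist already; subnets, DSCP choices, rates,
! the hub address and the WAN interface name are assumptions.
!
! --- switch ports: Fa0 = phone + docked laptop, Fa1-3 = untrusted ---
interface FastEthernet0
 description Corporate port: phone tagged into the voice VLAN, laptop behind it
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
interface range FastEthernet1 - 3
 description Home devices (untrusted)
 switchport access vlan 30
 spanning-tree portfast
!
interface Vlan10
 description Corporate (assumed subnet)
 ip address 10.250.10.1 255.255.255.0
!
interface Vlan20
 description Voice (assumed subnet)
 ip address 10.250.20.1 255.255.255.0
!
interface Vlan30
 description Untrusted (assumed subnet): Internet only, NATed out the WAN
 ip address 192.168.30.1 255.255.255.0
 ip access-group UNTRUSTED-IN in
 ip nat inside
 service-policy input MARKDOWN-UNTRUSTED
!
! Untrusted hosts may reach only the Internet: deny the corporate range
! (assumed 10.0.0.0/8, which covers both trusted VLANs) and the DMVPN
! tunnel range (assumed 172.16.0.0/24), then permit everything else.
ip access-list extended UNTRUSTED-IN
 deny   ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.30.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
!
ip access-list standard NAT-UNTRUSTED
 permit 192.168.30.0 0.0.0.255
ip nat inside source list NAT-UNTRUSTED interface FastEthernet4 overload
!
! --- QoS: trust nothing from the untrusted VLAN, prioritise voice on the WAN ---
class-map match-any VOICE-RTP
 match dscp ef
class-map match-any VOICE-SIGNALING
 match dscp cs3
 match dscp af31
!
policy-map MARKDOWN-UNTRUSTED
 class class-default
  set dscp cs1            ! scavenger: a home PC cannot mark its own packets EF
!
policy-map WAN-QUEUE
 class VOICE-RTP
  priority 128            ! roughly 50 kbps per G.729 call inside GRE/IPsec (assumed); room for two
 class VOICE-SIGNALING
  bandwidth 32
 class class-default
  fair-queue              ! CS1 and everything else share what is left
!
policy-map WAN-SHAPE
 class class-default
  shape average 768000    ! just under an assumed 1 Mbps upstream, so queuing happens here, not in the modem
  service-policy WAN-QUEUE
!
! --- DMVPN spoke (hub address and keys are placeholders) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN spoke to the head-end 3845 (hub 203.0.113.1 assumed)
 ip address 172.16.0.11 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
 qos pre-classify        ! classify on the cleartext headers before encryption
!
interface FastEthernet4
 description WAN towards the DSL/cable modem
 ip address dhcp
 ip nat outside
 service-policy output WAN-SHAPE
```

Two things to check on a real deployment: the ACL is applied inbound on Vlan30, so it only governs what the home devices originate, and a misplaced `ip nat inside` on Vlan10 would silently NAT corporate traffic that should ride the tunnel. The single hub-keyed PSK above only covers the spoke-to-hub tunnel; phase 2 DMVPN spoke-to-spoke tunnels need either a wildcard key (weak, since one compromised 871 exposes the key for all of them) or, preferably, certificates.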