[cisco-voip] Home user
Michael Thompson
mthompson729 at gmail.com
Wed Oct 17 20:44:13 EDT 2007
The big reason I'm more of a fan of taking the 871 route is that you have
the flexibility of creating a DMZ (using F0/3 I think) for the other home users
on the network (kids at home playing games, etc.) and it creates a separate
segment for SoHo users.

What's sexy about it is that you can be working from home, on your company
laptop for security reasons of course, on a site-to-site VPN
essentially. You can control what traffic from those VLANs / subnets is
allowed across so that only specific application traffic is allowed (Citrix,
email, IP voice, IPCC CAD, etc.). The best part is that since you assign LLQ
to the tunnel interface, you have the full capabilities of the MQC at your
disposal no matter how QoS nutty you get with your DSCP markings (priority
markings, policing, variable drop precedence, etc.)...it's all there. AND
the capper, and ABSOLUTELY critical when talking about using this from home:
you have absolute control over how the bandwidth to the Internet is used,
i.e. junior downloading music and playing World of Warcraft isn't crippling
your IPCC / voice traffic.

Essentially you create a VPN on the 871 that terminates on the outside
interface of the router. Then you have GRE terminate on a loopback inside
the router. You then apply policing on the GRE tunnel equivalent to the
approximate upstream bandwidth of your broadband. The exceed parameter
calls the MQC / LLQ configuration (it's not invoked unless you start to
approach bandwidth contention). The 871 is a beefy little box. We have
customers running this exact config with up to around 5 PCs in the house
(personal and work). All of the personal computers are on the DMZ and only
the work devices go on the inside interfaces.

All of that being said, you're still at the mercy of the idiot out at the
distribution box pulling your DSL wires because he doesn't get dial tone on
them and he needs copper for the neighbor's new phone...but you can't totally
defend against the morons of the world.
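One way to build what is described above (GRE sourced from a loopback, IPsec on the WAN port, a bandwidth-limited tunnel whose child policy is the LLQ) combined with the untrusted-VLAN segregation and mark-down that Matt describes in the quoted thread below, written as an added configuration sketch for an 871 that is not taken from any poster's router. It uses a hierarchical shaper rather than a policer, because an MQC `police` exceed action cannot hand off to a child policy, whereas `shape average` with a nested `service-policy` only engages the LLQ once the link approaches contention. The addresses, VLAN numbers, the 640 kbit/s upstream rate, the pre-shared key and the head-end address 203.0.113.10 are placeholders, and switch-port VLAN assignment and routing over the tunnel are omitted.

```cisco
class-map match-any VOICE-RTP
 match ip dscp ef
class-map match-any VOICE-SIG
 match ip dscp cs3 af31
policy-map MARKDOWN-HOME
 class class-default
  set ip dscp cs1          ! scavenger: home traffic is dropped first under contention
policy-map LLQ-CHILD
 class VOICE-RTP
  priority 128             ! strict priority: one G.729 call plus headroom
 class VOICE-SIG
  bandwidth 24             ! guaranteed floor for call signalling
policy-map SHAPE-UPSTREAM
 class class-default
  shape average 640000     ! placeholder: approximate DSL upstream rate in bit/s
  service-policy LLQ-CHILD ! child LLQ only engages once the shaper starts queueing
ip access-list extended HOME-UNTRUSTED
 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255   ! no path to work subnets
 permit ip 192.168.1.0 0.0.0.255 any                     ! Internet only
interface Vlan1
 ip address 10.10.10.1 255.255.255.0    ! assumed: corporate laptop and phone on Fa0
interface Vlan30
 ip address 192.168.1.1 255.255.255.0   ! assumed: home devices on Fa1-Fa3 and WPA-PSK SSID
 ip access-group HOME-UNTRUSTED in
 service-policy input MARKDOWN-HOME
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended GRE-TO-HQ
 permit gre host 10.255.0.2 host 10.255.0.1   ! only the loopback-to-loopback GRE is encrypted
crypto map HQ 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address GRE-TO-HQ
 qos pre-classify         ! keep the inner DSCP visible to QoS after encryption
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
interface Tunnel0
 ip address 10.254.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.1
 qos pre-classify
 service-policy output SHAPE-UPSTREAM
interface FastEthernet4
 ip address dhcp          ! WAN side facing the DSL/cable modem
 crypto map HQ
```

Verify the shaper is actually engaging with `show policy-map interface Tunnel0`: the child's VOICE-RTP counters should climb during a call while class-default in the parent shows queued and dropped packets once the home VLAN saturates the upstream.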
On 10/17/07, Jerky <lists at jerkys.org> wrote:
>
> so it would be more like this:
>
>              Cisco 871
>                  |
>              DSL CABLE
>                  |
>               Internet
>                  |
>      T1 Connection (Serial0/0/0)
>                  |
>            _____ 3800 _____
>           |                |
>      ethernet 0/0     ethernet 0/1
>           |                |
>        PIX/ASA          3800 (Cisco 871 VPN's terminate here)
>           |                |
>     LAN(computers)      LAN (Voice)
>
> Hopefully my crude diagram makes sense. Do your home users have access to
> any data on the computer network side? Or are the 87x VPNs solely for getting
> to the voice network? If users access things on the "computer" side, would you
> have a separate tunnel set up just for that?
>
>
> Thanks for so much helping enlighten me. It's been very helpful.
>
>
> jeff
>
> On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:
>
> In our environment we utilize PIX firewalls (still have to upgrade to
> ASAs) to handle our firewall needs and then use the 3800 series router just
> to terminate the DMVPN home users. They are deployed in parallel and sit
> behind a perimeter screening router (another 3800 series router). We shied
> away from using the PIX for the simple fact that while it would preserve QoS
> markings, we couldn't do any remarking or shaping in the device. Maybe this
> has changed in the ASA, but I don't think you have the control like you do
> in IOS (such as qos pre-classify, shaping, policing, etc.). Depending on
> how many tunnels you plan on using, you could use a router much smaller than
> a 3800 series to terminate the end nodes.
>
>
>
> On the home user end we have the Cisco 871/877 routers configured to
> support wired and wireless connections using three VLANs. We have a VLAN
> configured for corporate connectivity, one VLAN configured as a voice VLAN,
> and then a VLAN configured for untrusted traffic. One Ethernet port on the
> router provides connectivity to the corporate and voice VLANs, while the
> remaining three are configured as untrusted. Similarly with wireless, we
> extend PEAP authentication from the headquarters and authenticate users to
> the corporate VLAN, and use a WPA-PSK to secure the untrusted connections.
> This way the users plug in their phone, then their laptop/docking station to
> port 0, and any other home devices can be connected to ports 1-3 or use the
> wireless WPA-PSK network and be logically segregated (using ACLs) from any
> data on the corporate network. This way we can also control QoS and mark
> down all traffic that enters the router from the untrusted network. So when
> said employee's son or daughter starts downloading a 2 gig torrent from a home
> PC, they don't kill the voice or impact the corporate workflow. Eventually
> we will be implementing 802.1x on the corporate port for additional
> security, but have had mixed results getting it to work with Windows XP.
>
>
> Hope this helps.
>
>
>
> Matt
>
> *From:* Jerky [mailto:lists at jerkys.org]
> *Sent:* Tuesday, October 16, 2007 6:32 PM
> *To:* Linsemier, Matthew
> *Cc:* Curt Shaffer; cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] Home user
>
>
>
> This has been kicked around for a while since we moved to CallManager but
> not much thought has been given to it. I'm trying to understand how your
> hardware is set up. How would it look, similar to one of these?
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <--Ethernet--> LAN
>
>
>
> or
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <--->
> ASA or PIX Firewall <--Ethernet--> LAN
>
>
>
> Is the 3800 used for all your firewalling needs in lieu of something like
> an ASA or PIX? SonicWalls are currently in place and haven't worked very
> well for the remote users they were tested with. The SonicWalls we have don't
> have anything similar to what the 871s seem to have in regards to VLANs and
> packet tagging. We would probably kick the SonicWalls out if something else
> would work better.
>
>
>
> jeff
>
>
>
> On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:
>
>
>
> We currently have about 40 production remote home teleworkers that have
> been deployed using Cisco 871/877 wireless routers and 7960 phones. We
> are using a Cisco 3845 series router at the head-end so that we can control
> QoS tagging on the egress / ingress points of both sides of the VPN tunnel.
> We are using a phase 2 DMVPN solution dual-homed to two sites to provide
> secure redundant connectivity.
>
>
>
> It took me a bit to tweak my router configurations (I started on Cisco
> 831/837 routers) to get the results that we wanted, but all in all our
> users are happy. There is the occasional jitter and packet loss (it is the
> Internet mind you) but G.729 is working quite well coupled with business
> cable and DSL services.
>
>
>
> If you have any other questions, feel free to ask.
>
>
>
> Matt
>
>
>
> *From:* cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net]
> *On Behalf Of *Curt Shaffer
> *Sent:* Monday, October 15, 2007 6:37 PM
> *To:* cisco-voip at puck.nether.net
> *Subject:* [cisco-voip] Home user
>
>
>
> I was wondering what everyone out there is using for the situation where
> you have someone on your CCM or CCME that has 1 phone at a home office.
> Something tells me an ASA is overkill and I haven't found solid information
> that any of the 87x routers support tagging QoS of packets going through the
> VPN tunnel. We would obviously like to have QoS in place even though it's
> not respected at their ISP, just to make sure the VPN/voice packets are
> leaving their routers first as a best effort to get some quality.
>
>
>
> Thanks
>
> _______________________________________________
>
> cisco-voip mailing list
>
> cisco-voip at puck.nether.net
>
> https://puck.nether.net/mailman/listinfo/cisco-voip
>