<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Manoj,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Do you currently have private lines or
some other circuits interconnecting your offices or are you planning to use VPN
exclusively for voice and data? My major concern when using a Cisco PIX for
voice would be Quality of Service. While the PIX can preserve DSCP values as
they are passed across the tunnels, unless anything has changed in 7.x, it doesn't
have the ability to perform marking, LLQ prioritization, and traffic shaping.
This means that before any traffic is passed to the PIX, the device behind it
(a switch or router) will have to perform some of these functions (say marking
or traffic shaping). In regards to LLQ you are out of luck. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>For our Teleworker VPN network we utilize
a 2851 at the head-end and failover site and 871/877 routers at our remotes.
This gives us the capability to mark, LLQ, and shape traffic at the edge,
before it is passed on to the ISP. Additionally we utilize DMVPN and GRE to
maintain routing information (EIGRP) and to dynamically handle routing changes
when we lose a VPN link (say to our head-end). I think you can do some least
cost routing type things on the PIX to achieve the same effect, but it's
much easier in IOS.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Your ideas are sound in my opinion. I'm
sure that there are some people that are handling voice fine using Cisco PIX's
however we had mixed results when we were using them. Once we moved to the IOS
VPN several of our QoS issues were resolved. Regardless, you always have to
remember that it still is the Internet and not a private network connection, so
you get what you get.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hope this helps,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>-Matt<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Manoj Kalpage<br>
<b><span style='font-weight:bold'>Sent:</span></b> Wednesday, September 13,
2006 5:20 AM<br>
<b><span style='font-weight:bold'>To:</span></b> cisco-voip@puck.nether.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> [cisco-voip] ISP and VPN
Failover for Call Manager based VOIPnetwork</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Dear All,<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I am looking for ISP failover for a VoIP network. We
have a small enterprise VoIP network. To explain our
network a bit: basically we have Call Manager and Unity server in the main
office with a PIX515. All the branch offices have a PIX 501. With the attached
failover solution I am going to create two tunnels from each branch office and
have them connected to each firewall in the main office. I think this way, if one
PIX515 fails at the main office, the branch office can still be connected through
the second PIX515. Below is the router configuration for routing between the two
PIX 515s. This configuration itself doesn't mean anything without looking at a
diagram. I need to test this, but I don't have enough gear with me right now and
I also don't have 100% confidence in this. So, I would like to share it with you
folks. Any comments and ideas would be greatly appreciated.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Please find the diagram at the link below (sorry, it's a handwritten one)<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><a
href="http://proxy.f2.ymdb.yahoofs.jp/bc/857e55a/bc/bd7f/failover.jpg?bcQM9BFBNirrJIWq">http://proxy.f2.ymdb.yahoofs.jp/bc/857e55a/bc/bd7f/failover.jpg?bcQM9BFBNirrJIWq</a><o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>best regards,<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Manoj<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
ip cef<o:p></o:p></span></font></p>
</div>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!####Establish
sla monitors for use in tracking objects####!<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>ip sla
monitor 1<br>
type echo protocol ipIcmpEcho 174.16.0.1<br>
threshold 3<br>
frequency 5<br>
ip sla monitor schedule 1 life forever start-time now <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>ip sla
monitor 2<br>
type echo protocol ipIcmpEcho 173.16.0.1<br>
threshold 3<br>
frequency 5<br>
ip sla monitor schedule 2 life forever start-time now <br>
!<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!####Configure
Tracking objects (referencing IP SLA monitors above)####!<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>track 101
rtr 1 reachability<br>
!<br>
track 102 rtr 2 reachability<br>
!<br>
!<br>
!<br>
!<br>
!####Configure Interfaces with NAT####!<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>interface
FastEthernet 0/1<br>
ip address 172.16.0.1 255.255.0.0<br>
ip nat inside<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!<br>
interface Fastethernet 0/0<br>
ip address 173.16.0.2 255.255.255.0<br>
ip nat outside<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!<br>
interface Fastethernet 0/2<br>
ip address 174.16.0.2 255.255.255.0<br>
ip nat outside<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!<br>
ip classless<br>
!####Configure gateway of last resort with tracking objects####!<br>
! each route follows the track object whose probe targets its own next hop<br>
! (track 102 = monitor 2 = 173.16.0.1, track 101 = monitor 1 = 174.16.0.1)<br>
ip route 0.0.0.0 0.0.0.0 173.16.0.1 track 102 <br>
ip route 0.0.0.0 0.0.0.0 174.16.0.1 track 101<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!####Configure
NAT statements for most outbound traffic####!<br>
ip nat inside source route-map ISP1 interface FastEthernet 0/0 overload<br>
ip nat inside source route-map ISP2 interface FastEthernet 0/2 overload<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!<br>
access-list 10 permit 172.16.0.0 0.0.0.255<br>
access-list 101 permit icmp any host 173.16.0.1 echo<br>
access-list 102 permit icmp any host 174.16.0.1 echo<o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>!<br>
!####Configure route maps for reference in NAT statements####!<br>
! each route map matches the outside interface its NAT statement translates to<br>
route-map ISP2 permit 10<br>
match ip address 10<br>
match interface Fastethernet 0/2<br>
!<br>
route-map ISP1 permit 10<br>
match ip address 10<br>
match interface Fastethernet 0/0 <br>
! <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'> <o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br clear=all>
<o:p></o:p></span></font></p>
</div>
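<p>Added example, not part of the original thread or either poster's configuration: a Python check that every tracked static route follows a track object whose IP SLA probe targets that route's own next hop. The sample configuration is constructed, and treating a probe target that differs from the next hop as a finding is an assumption that fits designs like this one, where each probe pings the ISP gateway.</p>
<pre>
```python
# Constructed sample in the style of the posted configuration, with the
# track objects deliberately cross-wired (not copied from the original post).
SAMPLE = """\
ip sla monitor 1
 type echo protocol ipIcmpEcho 174.16.0.1
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 173.16.0.1
ip sla monitor schedule 2 life forever start-time now
track 101 rtr 1 reachability
track 102 rtr 2 reachability
ip route 0.0.0.0 0.0.0.0 173.16.0.1 track 101
ip route 0.0.0.0 0.0.0.0 174.16.0.1 track 102
"""

def check_tracked_routes(config):
    """Return (next_hop, track_id, probed_target) for every tracked static
    route whose track object does not probe the route's own next hop.
    Assumption: each probe is meant to ping the next hop it guards."""
    probe_target = {}   # SLA monitor id -- ICMP echo target
    track_probe = {}    # track object id -- SLA monitor id
    routes = []         # (next hop, track object id)
    current = None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "sla", "monitor"] and len(words) == 4:
            current = words[3]          # "schedule" lines have more words
        elif words[:4] == ["type", "echo", "protocol", "ipIcmpEcho"] \
                and current and words[4:]:
            probe_target[current] = words[4]
        elif words[:1] == ["track"] and words[2:3] == ["rtr"] and words[3:]:
            track_probe[words[1]] = words[3]
        elif words[:2] == ["ip", "route"] and "track" in words[:-1]:
            routes.append((words[4], words[words.index("track") + 1]))
    findings = []
    for next_hop, track_id in routes:
        target = probe_target.get(track_probe.get(track_id))
        if target != next_hop:
            findings.append((next_hop, track_id, target))
    return findings

if __name__ == "__main__":
    for next_hop, track_id, target in check_tracked_routes(SAMPLE):
        print("route via %s follows track %s, which probes %s"
              % (next_hop, track_id, target))
```
</pre>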
</body>
</html>