<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-khtml-nbsp-mode: space;-khtml-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In our environment we utilize PIX firewalls (still have to
upgrade to ASAs) to handle our firewall needs and then use the 3800
series router just to terminate the DMVPN home users. They are deployed
in parallel and sit behind a perimeter screening router (another 3800 series
router). We shied away from using the PIX for the simple fact that while
it would preserve QoS markings, we couldn't do any remarking or shaping
in the device. Maybe this has changed in the ASA, but I don't think
you have the control like you do in IOS (such as qos pre-classify, shaping,
policing, etc.). Depending on how many tunnels you plan on using,
you could use a router much smaller than a 3800 series to terminate the end
nodes.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>On the home user end we have the Cisco 871/877 routers
configured to support wired and wireless connections using three VLANs.
We have a VLAN configured for corporate connectivity, one VLAN configured as a
voice VLAN, and then a VLAN configured for untrusted traffic. One Ethernet
port on the router provides connectivity to the corporate and voice VLANs,
while the remaining three are configured as untrusted. Similarly with
Wireless, we extend PEAP authentication from the headquarters and authenticate
users to the corporate VLAN, and use a WPA-PSK to secure the untrusted
connections. This way the users plug in their phone, then their
laptop/docking station to port 0, and any other home devices can be connected to
port 1-3 or use the wireless WPA-PSK network and be logically segregated (using
ACLs) from any data on the corporate network. This way we can also
control QoS and mark down all traffic that enters the router from the untrusted
network. So when said employee's son or daughter starts downing a 2 gig
torrent from a home PC, they don't kill the voice or impact the corporate
workflow. Eventually we will be implementing 802.1x on the corporate port
for additional security, but have had mixed results of getting it to work with Windows
XP.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
Hope this helps.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Matt<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jerky
[mailto:lists@jerkys.org] <br>
<b>Sent:</b> Tuesday, October 16, 2007 6:32 PM<br>
<b>To:</b> Linsemier, Matthew<br>
<b>Cc:</b> Curt Shaffer; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] Home user<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<div>
<p class=MsoNormal>This has been kicked around for a while since we moved to
CallManager but not much thought has been given to it. I'm trying to understand
how your hardware is set up. How would it look, similar to one of these?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=MsoNormal>87x router &lt;---DSL or Cable---&gt; INTERNET &lt;--T1
connection---&gt; 3845 &lt;--Ethernet--&gt; LAN<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=MsoNormal>or<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=MsoNormal>87x router &lt;---DSL or Cable---&gt; INTERNET &lt;--T1
connection---&gt; 3845 &lt;---&gt; ASA or PIX Firewall &lt;--Ethernet--&gt; LAN<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=MsoNormal>Is the 3800 used for all your firewalling needs in lieu of
something like an ASA or PIX? Sonicwalls are currently in place and haven't
worked very well for the remote users it was tested with. The Sonicwalls we
have don't have anything similar to what the 871s seem to have in regards to
VLANs and packet tagging. We would probably kick the Sonicwalls out if
something else would work better.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=MsoNormal>jeff<o:p></o:p></p>
</div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=MsoNormal>On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>We currently have about 40 production remote home
teleworkers that have been deployed using Cisco 871/877 wireless routers and
7960 phones. We are using a Cisco 3845 series router at the head-end so
that we can control QoS tagging on the egress / ingress points of both sides of
the VPN tunnel. We are using a phase 2 DMVPN solution dual-homed to two
sites to provide secure redundant connectivity.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>It took me a bit to tweak my router configurations (I
started on Cisco 831/837 routers) to get the results that we wanted, but all
in all our users are happy. There is the occasional jitter and packet
loss (it is the Internet mind you) but g.729 is working quite well coupled with
business cable and DSL services.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>If you have any other questions, feel free to ask.</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>Matt</span><o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b>
cisco-voip-bounces@puck.nether.net [<a
href="mailto:cisco-voip-bounces@puck.nether.net">mailto:cisco-voip-bounces@puck.nether.net</a>]
<b>On Behalf Of </b>Curt Shaffer<br>
<b>Sent:</b> Monday, October 15, 2007 6:37 PM<br>
<b>To:</b> <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b> [cisco-voip] Home user<o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I
was wondering what everyone out there is using for the situation where you have
someone on your CCM or CCME that has 1 phone at a home office. Something tells
me an ASA is overkill and I haven't found solid information that any of
the 87x routers support tagging QoS of packets going through the VPN tunnel. We
would obviously like to have QoS in place even though it's not respected
at their ISP just to make sure the VPN/Voice packets are leaving their routers
first as a best effort to get some quality. <o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>
</div>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:7.5pt;font-family:"Arial","sans-serif";color:gray'>
<hr size=2 width="100%" align=center>
</span></div>
<p><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:gray'>CONFIDENTIALITY
STATEMENT<br>
This communication and any attachments are CONFIDENTIAL and may be protected by
one or more legal privileges. It is intended solely for the use of the
addressee identified above. If you are not the intended recipient, any use,
disclosure, copying or distribution of this communication is UNAUTHORIZED.
Neither this information block, the typed name of the sender, nor anything else
in this message is intended to constitute an electronic signature unless a
specific statement to the contrary is included in this message. If you have
received this communication in error, please immediately contact me and delete
this communication from your computer. Thank you.</span><span style='color:
gray'>&nbsp;</span><o:p></o:p></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='color:gray'>
<hr size=2 width="100%" align=center>
</span></div>
<div>
<p class=MsoNormal>_______________________________________________<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>cisco-voip mailing list<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>