Cisco Network Admission Control (NAC) Router-Integrated Services
Cisco IP Communication
Thomas Kaiser
Business Development Voice
© 2003 Cisco Systems, Inc. All rights reserved.
Agenda
– Market trends
– CallManager news
– Convergence in one box: Integrated Services Router
© 2004 Cisco Systems, Inc. All rights reserved.
Market share for systems with more than 100 extensions, Europe, first half of 2003
[Two pie charts. Left: Total IP Extension Market, vendors shown: Cisco Systems, Siemens, Alcatel, Mitel Networks, Nortel Networks, Avaya, EADS Telecom, Tenovis, Philips, Ericsson, Ascom, Inter-Tel, NEC Infrontia, Others. Right: total market above 100 lines, vendors shown: Siemens, Alcatel, Ericsson, Nortel, Tenovis, Avaya, Cisco, Philips, EADS, Others. The individual percentages cannot be recovered from the extracted text.]
• Cisco #1 in the IP telephony market
• Cisco #7 in the total market above 100 lines
• Total 8.8 M lines for 1H03
Source: MZA, October 2003
Cisco Is the Most Experienced in IP Communications
[Timeline 1996 to 2004: "Cisco enters the IP communications market" at the start, "Traditional voice vendors enter the IP communications market" later.]
• Cisco has the largest number of IP communications installations of any vendor:
  3M+ IP phones shipped
  2.3M+ Unity seats shipped
  730K contact center agent seats shipped
  83K+ MeetingPlace licenses
  15,000+ IP communications customers
  13.9M+ VoIP ports shipped
  21M+ Power over Ethernet ports shipped
  60% of Fortune 500® companies using Cisco IP Communications
• Cisco has 20 years of experience in IP networking
This means a high success rate and a low risk of implementation issues
Agenda
Market trends
CallManager news
Convergence in one box: Integrated Services Router
Q.SIG
[Diagram: Q.SIG carried over PRI and over IP.]
Features: name display, call back, loop resolution, ...
• Q.SIG:
  Calling Line Identification Presentation (CLIP), Calling Name Identification Presentation (CNIP), Connected Name Identification Presentation (CONP), and Calling/Connected Line Identification Restriction (CLIR) for basic calls
• From Q4 2004:
  Path Replacement
  Call Back (CCBS and CCNR)
  Alerting name (CSCdx84644)
  Documentation of adherence to ECMA and ETSI standards
  Support for H.323 Annex M1
  Q.SIG certification
  CTI support for Path Replacement
• Other:
  Call Coverage
  T.38
  MGCP for BRI gateways
  Forced Authorization Code / CMC
  LDAPS ...
Cisco VT Advantage
Video telephony for Cisco IP Phones
• Low-cost video solution for every desk
  – Cisco IP Phones 7940G, 7960G and 7970G are supported
• Good video quality for effective communication
• One integrated network
  – Easy-to-use features
    Transfer, forward, hold, conference, mute
  – Integration of H.323-based endpoints
  – Automatic detection of codec, format and bit rate
Video is... just make a call!
Voice and video communication
• Voice on the phone as usual
• Video on the PC (Cisco VT camera included)
Video telephony made simple: VT Advantage
[Diagram: at corporate HQ the desk phone answers the voice call while the PC answers the video; the call can be transferred to a Tandberg video endpoint; CallManager handles the signaling.]
[Diagram: a call on hold, then a video conference through a 3540 MCU; each party answers video; CallManager handles the signaling.]
Security
1. Network security: redundancy, UPS, intrusion detection, firewall, NAC
2. Server security: appliance, virus scanning, Cisco Security Agent
3. Application security: CallManager cluster, SRST, CTI backup server, Unity failover, ICM redundancy, ...
4. Endpoint security: authentication, encryption
Agenda
Market trends
CallManager news
Convergence in one box: Integrated Services Router
SMBs and Enterprises Prefer a Systems Approach to Services & Applications
• More than half of the respondents PREFERRED router-integrated services for their small offices and enterprise branch offices
• Converged data, security and voice enables customers to protect, optimize and grow their businesses
• A systems approach maximizes operating efficiencies:
  More time for network planning and design
  Improved network monitoring and troubleshooting
  Offloads voice and data staff
  Leverages better pricing/packaging
[Bar chart: functions that SHOULD be router-integrated (n=331), listed as Firewall, VPN, Intrusion Detection, Anti-Virus Software, IP Telephony, Compression, Content Filtering, Caching, QoS, Streaming, Multicasting; scale 0 to 250 respondents. Source: Cisco survey, June 2003.]
Traditional site solution: separate boxes
Security: firewall, IDS and VPN appliances
Content delivery: content engine
Voice services: hybrid / key system
Data: branch access router
Local connectivity: LAN switch
New: integrated solution for advanced services
Integrated Services Router: security, IP telephony, low-density L2 switching, content delivery
Building a Foundation to Support Future Requirements
Future-proof investment: an integrated intelligent network that adapts, scales and performs
• Advanced security software/modules
• Video and content modules
• Voice services
• Density, scalability, high availability
• Incremental port functionality & performance
Performance scalable to any size: from SMB to large enterprise
Performance and services density
• 3800 Series (FCS September 2004): highest density and performance for concurrent services
• 2800 Series (FCS September 2004): embedded, advanced voice, video, data & security services
• 1800 Series (FCS September 2004): integrated security & data
Target markets: enterprise branch office, small branch, SMB
Increased value extended to new markets:
• Substantial increase in price/performance
• Extension into new markets
• Greater service densities across the portfolio
Router-Integrated Services: IP Communications for the Enterprise Branch Office
Requirement: an affordable and robust IP telephony application including integrated voice mail and a full-featured automated attendant
Solution: Cisco CallManager Express (CCME) and Cisco Unity Express (CUE)
• Localized call processing with Cisco CallManager Express (CCME)
• Failover localized call processing with Cisco Survivable Remote Site Telephony (SRST)
• Distributed voicemail via Cisco Unity Express (NM-CUE or AIM-CUE)
• EtherSwitch® module for line-powering IP phones
• Centralized DSP resources for voice connectivity
• Higher digital and analog voice densities
• Greater voice call capacity and gateway performance
[Diagram: Cisco Integrated Services Router with CCME and NM-CUE or AIM-CUE at the branch, connected over the IP WAN to remote users and to a data center running CallManager (CCM).]
IP Communications Express Application: Small Standalone Office Deployment
[Diagram of a small standalone office: Cisco Integrated Services Router with Cisco CallManager Express, Cisco Unity Express and IOS Firewall; CO lines 1 to 4 to the PSTN and DSL to the public Internet; dial backup and POS; Catalyst 3550-24 PWR access switch; wireless access point; analog phones and fax; GUI management station; printer; application server; Cisco IP Phone 7905 in lobby, break room or conference room; Cisco IP Phone 7960 + 7914 as the attendant console; employee PC, Cisco IP Phone 7960G and voice mail; Cisco IP Phone 7920 for roaming employees; IP-connected land mobile radio device.]
Survivable Remote Site Telephony: How It Works
• IP phones exchange keepalive messages and call processing messages with the centrally located CallManager (CCM)
• The WAN link fails: IP phones lose contact with CCM
• IP phones register with the local router as the router of last resort
• The router queries the phones for their configuration and auto-configures itself
• The router provides call processing for the duration of the failure via the PSTN
• Upon restoration of the WAN, IP phones revert to CCM
[Diagram: headquarters with application servers, a CallManager cluster and a Cisco 7200; a failed WAN link (X) to the branch; Cisco Integrated Services Router with SRS Telephony at the branch, with PSTN fallback.]
EVM-HD Combinations
• Combine individual components in any order
Base board: EVM-HD-8FXS/DID (8 FXS or DID ports)

Total ports per module (BRI counted as B-channels in the total):

EM 0                EM 1                FXS/DID  FXS  FXO  BRI ports  BRI B-ch  Total
-                   -                   8        -    -    -          -         8
EM-HDA-8FXS         -                   8        8    -    -          -         16
EM-HDA-8FXS         EM-HDA-8FXS         8        16   -    -          -         24
EM-HDA-8FXS         EM-HDA-3FXS/4FXO    8        11   4    -          -         23
EM-HDA-8FXS         EM-HDA-6FXO         8        8    6    -          -         22
EM-HDA-8FXS         EM-4BRI-NT/TE       8        8    -    4          8         24
EM-HDA-3FXS/4FXO    -                   8        3    4    -          -         15
EM-HDA-3FXS/4FXO    EM-HDA-3FXS/4FXO    8        6    8    -          -         22
EM-HDA-3FXS/4FXO    EM-HDA-6FXO         8        3    10   -          -         21
EM-HDA-3FXS/4FXO    EM-4BRI-NT/TE       8        3    4    4          8         23
EM-HDA-6FXO         -                   8        -    6    -          -         14
EM-HDA-6FXO         EM-HDA-6FXO         8        -    12   -          -         20
EM-HDA-6FXO         EM-4BRI-NT/TE       8        -    6    4          8         22
EM-4BRI-NT/TE       -                   8        -    -    4          8         16
EM-4BRI-NT/TE       EM-4BRI-NT/TE       8        -    -    8          16        24
Hardware Innovation Raises Security Leadership
Cisco Self-Defending Networks delivered at wire speed: complete, preventative, scalable security solutions
• Endpoint protection & control: leverage the network to intelligently protect endpoints (Network Admission Control, 802.1x)
• Network device protection: protect the network infrastructure from attacks and vulnerabilities (Control Plane Policing)
• Secure connectivity: secure and scalable network connectivity (VPN, DMVPN, V3PN, Secure Voice)
• Threat defense: prevent and respond to network attacks and threats such as worms (intrusion protection, firewall)
Router-Integrated Services: Network Admission Control (NAC)
Requirement: companies need to minimize downtime due to viruses and worms, protect network availability and integrity, manage network access, and enforce security policy
Solution: Cisco Network Admission Control (NAC)
• Reduces IT costs by preventing external and internal threats
• Prevents "contagious" endpoints from infecting the network; reduces downtime
• Day-zero protection; increases network availability, resilience and productivity
• Leverages existing Cisco, antivirus and endpoint investments
• The Integrated Services Router is one of the first network devices to enable NAC
[Diagram: the endpoint presents its credentials to the Cisco Integrated Services Router over EAP/UDP or EAP/802.1x; the router relays them over RADIUS to the policy (AAA) server, which decides "Comply?" and returns access rights; the router enforces the decision and the endpoint is notified; a further credential-validation path from the AAA server is shown over HTTPS.]
Router-Integrated Services: Intrusion Prevention Systems (NM-CIDS, IOS IPS)
Threat defense: prevent and respond to network attacks such as worms and viruses
Solution: Intrusion Prevention System (IPS)
• IPS in hardware with NM-CIDS, or in software with IOS IPS
• IOS IPS: inline intrusion prevention; send alarm, drop packet, reset connection
• Dynamically load customizable signatures
• The IDS network module stores the signature database locally and captures/logs all events
• The external NM Fast Ethernet interface allows complete IDS management, segmented between Net/Ops and Sec/Ops
NM-CIDS: dedicated CPU; monitors and reports alarms; built-in GUI for graphical reports
[Diagram: an attacker on the Internet; a Cisco Integrated Services Router (IOS IPS option) with NM-CIDS monitoring traffic between the Internet, remote users and the data center; IDS database.]
Router-Integrated Services: LAN Switching with Transparent Firewall
Providing LAN segmentation with security at multiple branch sites can be costly and time-consuming to deploy
Solution: EtherSwitch (NM-ESW or HWIC-ESW) and IOS Transparent Firewall
• VLANs and the transparent IOS firewall enable segmented networks with secure access control
• Simplified subnets: no changing IP addresses on a device-by-device basis
• Configure the router and integrated switch without visiting the remote site
How do you allow only some devices in?
[Diagram: branch office with wireless users and a database behind the IOS firewall on a Cisco Integrated Services Router with a 16-port NM-16ESW, connected over the WAN to headquarters.]
NM-ESW: 16 and 36 ports of 10/100 Ethernet
HWIC-ESW (new): 4- and 9-port high-speed WAN interface card
Router-Integrated Services: Voice and Video Enabled VPN (V3PN)
Managing separate voice and data networks is costly and inefficient. Network connectivity is too difficult or expensive to reach remote offices and teleworkers.
Solution: V3PN
• Reduces data, video and telephony bandwidth expenses while ensuring high-quality connections
• Cost-effective, high-bandwidth connectivity regardless of location
• Connectivity for all locations, including SOHOs
• Enhanced security over traditional WANs
• ISR on-board crypto accelerates performance
• Fast network deployment
• QoS, SLA and multicast support
[Diagram: Cisco Integrated Services Router with IOS security services connecting remote users over the Internet to the data center.]
Dynamic Multipoint VPN (DMVPN): Secure Meshed Tunnels, Automatically!
[Diagram: a hub with a static, known IP address; spokes A and B with dynamic, unknown IP addresses; traditional static tunnels run spoke-to-hub, DMVPN tunnels are built spoke-to-spoke on demand.]
Dynamic Multipoint VPN:
Spoke A needs to contact Spoke B, for example for a V3PN call or a PC contacting a server
Spoke A learns the route to Spoke B's networks through the routing protocol (OSPF or EIGRP) running over the tunnel and resolves Spoke B's real (public) address via NHRP
An IPsec VPN tunnel to Spoke B is dynamically built over the mGRE interface
Benefits:
• Multicast and video traffic additionally supported with GRE
• Full-mesh connectivity with the configuration simplicity of hub and spoke
• Preserves (central) bandwidth, minimizes latency
• No administration required after initial configuration of the DMVPN feature
Secure, Integrated, Toll-Quality IP Telephony Using DMVPN, V3PN, SRTP and IOS Security Services
[Diagram: IP phones on the LAN, protected by SRTP; the router applies LLQ before crypto to ensure voice priority, DMVPN determines the VPN destination, and V3PN encryption protects the WAN backbone; an egress interface QoS policy faces the IP WAN; PSTN connection; labelled "Cisco's Self-Defending Network".]
Requirements:
• Wire-speed encryption
• Voice/video prioritization
• Bandwidth conservation
• Concurrent services VPN
• Secure RTP
Benefits:
• Traffic throughput with encryption
• Toll-quality, jitter-free voice and video
• DMVPN sets up the tunnel when needed
• Protection against attackers on the WAN, at lower cost
• Protection against attackers on the LAN (SRTP)
Voice and Video Enabled IPsec VPN (V3PN) Delivers Secure Connectivity
• Converges voice, video and data across a secure IPsec VPN network with high-quality, reliable performance
• DMVPN (Dynamic Multipoint VPN) creates tunnels on the fly based on user traffic
Combined features provide quality of service, multi-protocol support, ease of provisioning, and secure connectivity
[Diagram: branch offices A, B and C and corporate headquarters connected over the Internet with DMVPN, VPN QoS and V3PN carrying voice and video.]
Media Authentication and Encryption Using SRTP Protects Voice Conversations
[Diagram: branch offices A and B and headquarters over the VoIP WAN; media encryption using SRTP between phones and gateways; gateway signaling encrypted using IPsec; phone-to-CallManager signaling encrypted using TLS; PSTN connection via the gateway.]
• Encrypted IP phone-to-gateway calls or gateway-to-gateway calls protect voice conversations from hackers:
  • Standards-based encryption with Secure Real-time Transport Protocol (SRTP)
  • Signaling authentication and encryption to Cisco CallManager
  • Supported on IOS MGCP gateways with PVDM2, NM-HDV2 and NM-HD modules
  • Available with IOS 12.3(11)T and the upcoming release of CCM
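What "SRTP protects the LAN" means at the packet level, as an added example that is not part of Cisco's presentation or of IOS: a minimal Python model of the SRTP receiver from RFC 3711, covering packet-index estimation across a 16-bit sequence-number rollover, the anti-replay window and the HMAC-SHA1 authentication tag (default 80 bits, computed over the packet plus the 32-bit rollover counter). The AES counter-mode encryption of the payload and the key-derivation function are left out; the session authentication key, the SSRC, the timestamps and the payload bytes are constructed for the demo, and a real stream would carry an encrypted payload where this one passes the bytes through.

```python
"""SRTP receiver-side checks (RFC 3711 sections 3.3.1, 3.3.2, 4.2).
Added example, not Cisco code. AES-CM encryption and key derivation are
omitted; only index estimation, replay protection and authentication are
modelled, which is where the tamper/replay protection comes from."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

RTP_HEADER_LEN = 12
AUTH_TAG_LEN = 10     # SRTP default: HMAC-SHA1 truncated to 80 bits
REPLAY_WINDOW = 64    # RFC 3711 recommends a window of at least 64 packets


def rtp_header(seq: int, timestamp: int, ssrc: int, payload_type: int = 0) -> bytes:
    """Fixed 12-byte RTP header: V=2, no padding/extension, CC=0, M=0."""
    return struct.pack(">BBHII", 0x80, payload_type, seq, timestamp, ssrc)


def auth_tag(auth_key: bytes, authenticated_portion: bytes, roc: int) -> bytes:
    """RFC 3711 4.2: HMAC-SHA1 over (header || payload || ROC), truncated."""
    msg = authenticated_portion + struct.pack(">I", roc)
    return hmac.new(auth_key, msg, hashlib.sha1).digest()[:AUTH_TAG_LEN]


def srtp_protect(auth_key: bytes, rtp_packet: bytes, roc: int) -> bytes:
    """Sender side: append the tag. A real sender encrypts the payload first."""
    return rtp_packet + auth_tag(auth_key, rtp_packet, roc)


class SrtpReceiver:
    def __init__(self, auth_key: bytes) -> None:
        self.auth_key = auth_key
        self.roc = 0                       # rollover counter, 32 bits
        self.s_l: Optional[int] = None     # highest authenticated SEQ seen
        self.highest_index = -1            # top of the replay window
        self.window = 0                    # bit i set <=> index highest_index-i seen

    def estimate_index(self, seq: int) -> Tuple[int, int]:
        """RFC 3711 3.3.1: pick the ROC (v) the 16-bit SEQ most likely belongs to."""
        if self.s_l is None:
            v = self.roc
        elif self.s_l < 32768:
            v = (self.roc - 1) & 0xFFFFFFFF if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) & 0xFFFFFFFF if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def _replayed(self, index: int) -> bool:
        if index > self.highest_index:
            return False
        diff = self.highest_index - index
        return diff >= REPLAY_WINDOW or bool((self.window >> diff) & 1)

    def _record(self, index: int) -> None:
        if index > self.highest_index:
            shift = index - self.highest_index
            mask = (1 << REPLAY_WINDOW) - 1
            self.window = ((self.window << shift) | 1) & mask if shift < REPLAY_WINDOW else 1
            self.highest_index = index
        else:
            self.window |= 1 << (self.highest_index - index)

    def unprotect(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is fresh and authentic, else None.
        State moves only after the tag verifies, so forged or replayed packets
        cannot advance the ROC or the replay window."""
        if len(packet) < RTP_HEADER_LEN + AUTH_TAG_LEN:
            return None
        seq = struct.unpack(">H", packet[2:4])[0]
        v, index = self.estimate_index(seq)
        if self._replayed(index):
            return None
        body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
        if not hmac.compare_digest(tag, auth_tag(self.auth_key, body, v)):
            return None
        self._record(index)
        if v == self.roc:
            self.s_l = seq if self.s_l is None else max(self.s_l, seq)
        elif v == (self.roc + 1) & 0xFFFFFFFF:   # sequence number rolled over
            self.s_l, self.roc = seq, v
        return body[RTP_HEADER_LEN:]


def demo() -> Dict[str, object]:
    """Constructed exchange: four packets across a SEQ rollover, then a replayed
    packet and a tampered packet. Key, SSRC and media bytes are made up."""
    key = bytes(range(20))   # constructed; real SRTP derives k_a from the master key
    ssrc = 0xDEADBEEF
    rx = SrtpReceiver(key)
    out: Dict[str, object] = {}
    sent: List[bytes] = []
    for roc, seq in [(0, 65534), (0, 65535), (1, 0), (1, 1)]:
        pkt = srtp_protect(key, rtp_header(seq, 160 * seq, ssrc) + b"\xff" * 8, roc)
        sent.append(pkt)
        out[f"seq{seq}_accepted"] = rx.unprotect(pkt) is not None
    out["roc_after_rollover"] = rx.roc
    out["replay_rejected"] = rx.unprotect(sent[1]) is None
    fresh = srtp_protect(key, rtp_header(2, 320, ssrc) + b"\xff" * 8, 1)
    tampered = fresh[:RTP_HEADER_LEN] + b"\x00" + fresh[RTP_HEADER_LEN + 1:]
    out["tamper_rejected"] = rx.unprotect(tampered) is None
    out["fresh_accepted_after_tamper"] = rx.unprotect(fresh) is not None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The rollover case is the one worth watching: the tag is computed over the implicit 32-bit ROC, so a receiver that guesses the wrong ROC rejects an otherwise valid packet, and a sender cannot get a stale packet accepted under a new ROC. It also shows why the slide pairs SRTP on the media with TLS or IPsec on the signaling: the session keys the tag depends on are distributed through the signaling channel, so unprotected signaling would undo the media protection.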
SRTP Media Encryption Options on the 2800 and 3800 Integrated Services Routers
[Diagram: router chassis with HWIC slots, GE ports, NME slot, EVM slot and USB ports.]
Voice (media) encryption options:
• PVDM2 digital signal processing slots with VICs/VWICs/EVM
• NM-HDV2 and NM-HD network modules
Signaling encryption options:
• IOS software IPsec VPN encryption
• Hardware IPsec VPN encryption:
  • Onboard VPN accelerator (3DES and up to 256-bit AES)
  • AIM VPN modules (AIM-VPN/BPII-Plus for the 2801, and AIM-VPN/EPII-Plus for the 2811, 2821 and 2851)
Cisco IP Communication: Scalable Voice Solutions and Convergence
• Service provider: PGW, MeetingPlace, hosted IPCC, ...
• Enterprise: Cisco CallManager, SRST, ISR
• SMB: Cisco CallManager Express, ISR