Cisco Network Admission Control (NAC) Router-Integrated Services

Session Number 

Presentation_ID 

Cisco IP Communication 

Thomas Kaiser 

Business Development Voice 

© 2003 Cisco Systems, Inc. All rights reserved. 

1

Agenda 

– Markt Trends 

– Call Manager News 

– Konvergenz in einer Box Integrated Service Router 


2


3

Marktanteil bei Systemen über 100 

Teilnehmer Europa 1.HJ 2003 

Total IP Extension Market 

10% 

16% 

9% 

3% 2% 

7% 3% 1% 

•Cisco #1 in IP Telephony Market 

•Cisco #7 in total market above 100 lines 

•Total 8.8 M Lines for 1H03 


1% 

0% 

0% 

0% 

2% 

46% 

Cisco Systems 

Siemens 

Alcatel 

Mitel Networks 

Nortel Networks 

AVAYA 

EADS Telecom 

Tenovis 

Philips 

Ericsson 

Ascom 

Inter-Tel 

NEC Infrontia 

Others 

10% 

11% 

8% 

5% 

11% 

5% 4% 7% 

16% 

23% 

Siemens 

Alcatel 

Ericsson 

Nortel 

Tenovis 

Avaya 

Cisco 

Philips 

EADS 

Others 

MZA October 2003 

4


5


6

Cisco Is the Most 

Experienced in IP Communications 

Cisco Enters the IP 

Communications Market 

1996 1997 1998 1999 2000 2001 2002 2003 

2004 

• Cisco has the largest and more IP Communications installs of any 

vendor 

3M+ IP phones shipped 

2.3M+ Unity seats shipped 

730K Contact center agent seats shipped 

83K+ MeetingPlace Licenses 

15,000+ IP Communications customers 

13.9M+ VoIP ports shipped 

21M+ Power over Ethernet ports shipped 

60% of Fortune 500® using Cisco IP Communications 

• Cisco has 20 years experience in IP networking 

Traditional Voice Vendors 

Enter the IP Communications Market 

Means high success rate and low risk of implementation issues 


7

Agenda 

Markt Trends 

Call Manager News 

Konvergenz in einer Box Integrated Service Router 


8


9

Features: 

Namensanzeige, Rückruf, 

Schleifenauflösung, .. 

. 

Q.SIG 

IP 

PRI 


• Q.SIG 

• Calling Line Identification Presentation (CLIP), 

Calling Name Identification Presentation (CNIP), 

Connected Name Identification Presentation 

(CONP), and Calling/Connected Line Identification 

Restriction (CLIR) for basic calls 

• Ab Q4.2004: 

• Path Replacement 

• Call Back (CCBS & CCNR) 

• Alerting name (CSCdx84644) 

• Documentation of adherence to ECMA 

and ETSI standards 

• Support for H.323 Annex M1 

• Q.SIG certification 

• CTI support for Path Replacement 

• andere 

• Call Coverage 

• T.38 

• MGCP für BRI Gateways 

• Forced Authorization Code / CMC 

• LDAPS... 

10

Cisco VT Advantage 

Video Telefonie für die Cisco IP Phones 

• Günstige Video Lösung für jeden 

Arbeitsplatz 

– Cisco IP Phones 7940G, 7960G, and 

7970G sind unterstützt 

• Gute Video Qualität für effekive 

Kommunikation 

• Ein integriertes Netzwerk 

– Einfach zu bedienende Features 

• Weiterverbinden, Umleiten, Halten, 

Konferenzen, Mute 

– Integration von H.323 basierenden 

Endgeräten 

– Automatische Erkennung von 

Codec, Format und Bitrate 


Video ist… einfach anrufen! 

Sprach und Video Kommunikation 

• Sprache wie gewohnt am Telefon 

• Video am PC (Cisco VT Kamera inkludiert) 

11

Video Telefonie einfach 

VT Advantage 

Tandberg 

Video 

Voice 

Call Manager 


Corporate HQ 

Answer Video 

Transfer 

Voice 

Answer 

Desk Phone 

12

Video Telefonie einfach 

VT Advantage 

CALL ON 

HOLD 

Video 

Video 

3540 MCU 

Call Manager 


Video 

Answer Video 

Conference Video 

Answer Video 

13

1 

2 

3 

Thema Sicherheit 

Netzwerk-Sicherheit: 

Redundanzen, USV, Intrusion Detection, Firewall, 

NAC 

Server Sicherheit: 

Appliance, Virenscan, Cisco Security Agent 

Anwendungs Sicherheit: 

Call Manager Cluster, SRST, CTI Backup Server, 

Unity Failover, ICM Redundanz,… 

4 Endgeräte Sicherheit: 

Authentifizierung, Encryption 


14


15

Agenda 

Markt Trends 

Call Manager News 

Konvergenz in einer Box Integrated Service Router 


16

SMBs and Enterprises Prefer Systems 

Approach to Services & Applications 

• More than half of the respondents 

PREFERRED router-integrated 

services for their small offices and 

enterprise branch offices 

• Converged data, security, voice 

enables customers to protect, 

optimize, grow their businesses 

• Systems approach maximizes 

operating efficiencies: 

More time for network 

planning, design 

Improve network monitoring and 

troubleshooting 

Offload voice and data staff 

Leverage better 

pricing/packaging 


Functions that SHOULD 

be router-integrated n=331 

Firewall 

VPN 

Intrusion Detection 

Anti-Virus Software 

IP Telephony 

Compression 

Content Filtering 

Caching 

QoS 

Streaming 

Multicasting 

Cisco Survey: June 03 

0 50 100 150 200 250 

17

Traditionelle Standort-Lösung 

Separate Boxen 

Security 

Content Delivery 

Voice Services 

Data 

Local Connectivity 


Firewall, IDS and VPN 

Appliances 

Content Engine 

Hybrid / Key System 

Branch Access Router 

LAN Switch 

18

Security 



Data 






Appliances 




LAN Switch 

19

Neu: 

Integrierte Lösung für erweiterte Services 

Integrated Services Router 


Security 

IP Telephony 

Low Density L2 Switching 


20

Building A Foundation To Support 

Future Requirements 

Future Proof 

Investment 

Integrated Intelligent 

Network that Adapts, 

Scales and Performs 

Presentation_ID 

© 2002, 2004 Cisco Cisco Systems, Systems, Inc. Inc. All All rights rights reserved. reserved. 

Advanced Security Software/ 

Modules 

Video, Content 

Modules 

Voice 

Services 

Density, Scalability, 

High Availability 

Incremental port 

functionality & 

performance 

21

Leistung an jede Größe anpassbar 

Von SMB bis zu großen Unternehmen 

Performance and Services Density 

3800 Series 

FCS 

September 2004 

Highest Density and 

Performance for 

Concurrent Services 


2800 Series 

Embedded, Advanced Voice, Video, Data & 

Security Services 

Integrated Security & Data 

FCS 


Increased Value Extended 

to New Markets 

• Substantial increase in 

price/performance! 

• Extension into new markets! 

• Greater service densities 

across the portfolio! 

1800 Series 

Enterprise Branch Office Small Branch 

SMB 

FCS 


22

Security 



Data 






Appliances 




LAN Switch 

23

Router-Integrated Services 

IP Communications for the Enterprise Branch 

Office 

Affordable and robust IP Telephony application 

including integrated voice mail and full featured 

automated attendant is required 

Solution: Cisco CallManager Express (CCME) 

and Cisco Unity Express (CUE) 

• Localized Call Processing with Cisco CallManager 

Express (CCME) 

• Failover Localized Call Processing with Cisco 

Survivable Remote Site Telephony (SRST) 

• Distributed Voicemail via Cisco Unity Express 

(NM-CUE, or AIM-CUE) 

• Etherswitch® Module for Line Powering IP Phones 

• Centralized DSP resources for voice connectivity 

• Higher digital and analog voice densities 

• Greater voice call capacity and gateway performance 


IP WAN 

Remote 

Users 

Data Center 

CCM 

Cisco Integrated 

Services Router 

CCME and NM-CUE 

or AIM-CUE 

24


25

IP Communications Express Application: 

Small Standalone Office Deployment 

Analog phones 

GUI 

Management 

station 

Fax 

Cisco IP Phone 

7905 in lobby, 

break room, or 

conference room 


7960+ 7914 as the 

Attendant Console 

Dial backup 

and POS 


PSTN 

Printer 

Application 

server 

CO Line1, 2, 3, 4 

DSL 

Cisco Integrated Services Router 

with Cisco CallManager Express, 

Cisco Unity Express and IOS 

Firewall 

Catalyst 3550-24 PWR Access Switch 

Wireless access point 

Public 

Internet 

Employee PC, Cisco IP 

Phone 7960G and voice mail 

IP Connected Land Mobile 

Radio Device 


7920 for roaming 

employees 

26

Applications 

Server Server 

CallManager 

Cluster 

A 

Survivable Remote Site Telephony – How it 

works 

• IP Phones exchange Keep alive messages and Call Processing messages 

with Centrally located CallManager (CCM) 

• WAN Link fails – IP phones lose contact with CCM 

• IP Phones register with local router as router of last resort 

• Router queries pones for configuration and auto-configures itself 

• Router provides call processing for duration of failure via PSTN 

• Upon restoration of WAN, IP Phones revert back to CCM 

Headquarters 

Cisco 7200 


X 

WAN WAN 

PSTN 


Services Router with 

SRS Telephony 

27

EVM-HD Combinations 

• Combine individual components in any order 

Base Board 

8 FXS or DID 

EVM-HD- 

8FXS/DID 

EM 0 

- 

EM-HDA-8FXS 

EM-HDA-8FXS 

EM-HDA-8FXS 

EM-HDA-8FXS 

EM-HDA-8FXS 

EM-HDA-3FXS/4FXO 




EM-HDA-6FXO 

EM-HDA-6FXO 

EM-HDA-6FXO 

EM-4BRI-NT/TE 

EM-4BRI-NT/TE 


EM 1 

- 

EM-HDA-8FXS 


EM-HDA-6FXO 

EM-4BRI-NT/TE 

- 


EM-HDA-6FXO 

EM-4BRI-NT/TE 

- 

EM-HDA-6FXO 

EM-4BRI-NT/TE 

- 

EM-4BRI-NT/TE 

FXS or 

DID 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

8 

FXS 

8 

16 

11 

8 

8 

3 

6 

3 

3 

Total Ports 

FXO 

4 

6 

4 

8 

10 

4 

6 

12 

6 

Ports 

4 

4 

4 

4 

8 

BRI 

B-Ch 

8 

8 

8 

8 

16 

Module 

8 

16 

24 

23 

22 

24 

15 

22 

21 

23 

14 

20 

22 

16 

24 

28

Security 



Data 






Appliances 




LAN Switch 

29

Hardware Innovation Raises Security Leadership 

Cisco Self-defending Networks Delivered At Wire-speed! 

Complete, Preventative, Scalable Security Solutions 

Endpoint Protection & Control 

Leverage the network to 

intelligently protect endpoints 

Network Admission Control, 

802.1x 

Network Device Protection 

Protect the network 

infrastructure from attacks and 

vulnerabilities 

Control Plane Policing 


Secure Connectivity 

Secure and scalable 

network connectivity 

VPN, DMVPN, V3PN, Secure 

Voice 

Threat Defense 

Prevent and respond to network 

attacks and threats such as worms 

Intrusion Protection, Firewall 

30


Network Admission Control (NAC) 

Companies need to minimize downtime due to viruses 

and worms, protect network availability and integrity, 

manage network access, and enforce security policy 

Solution: Cisco Network Admission Control (NAC) 

• Reduces IT costs by preventing external and internal threats 

• Prevents “contagious” endpoints from infecting network; reduces downtime 

• Day-zero protection, increases network availability, resilience, and 

productivity 

• Leverages existing Cisco, antivirus, and endpoint investments 

• Integrated Services Router is one of first network devices to enable NAC 



Policy 

(AAA) Svr 

Credentials Credentials Credentials 

EAP/UDP, 

EAP/802.1x 

Notification 

Enforcement 

RADIUS 

Access 

Rights 


Comply? 

HTTPS 

31


Intrusion Prevention Systems (NM-CIDS, IOS IPS) 

Threat Defense: prevent and respond to 

network attacks such as worms and virus 

Solution: Intrusion Prevention System (IPS) 

• IPS in hardware with NM-CIDS, or software with 

IOS IPS 

• IOS IPS: Inline Intrusion Prevention - send 

alarm, drop packet, reset connection 

• Dynamically load customizable signatures 

• IDS Network Module stores signature data base 

locally and captures/logs all events 

• External NM FE allows for complete IDS 

segmented Net/Op and Sec/Op management 

NM-CIDS 


Dedicated CPU 

Monitors, and Report alarms 

Built in GU for Graphical reports 

Hacker 

Monitoring 

IDS 

DATABASE 

Internet 

NM-CIDS 

Remote 

Users 

Data Center 



(IOS IPS option) 

32


LAN Switching with Transparent Firewall 

Providing LAN segmentation with security 

in multiple branch sites can be costly and 

time consuming to deploy 

Solution: EtherSwitch (NM-ESW or HWIC-ESW) 

and IOS Transparent Firewall 

• VLAN and transparent IOS FW enables segmented 

networks with secure access control 

• Simplify subnets, no changing IP addresses on a 

device by device basis 

• Configure the router and integrated switch without 

visiting the remote site 

How do you allow only 

some devices in? 


Branch Office 

Wireless 

data base 

IOS FW 



16 Port NM-16ESW 

NM-ESW 

16 and 36 ports of 10/100 Ethernet 

HWIC-ESW 

4 and 9 port 

Hi-Speed WAN Interface Card 

WAN 

NEW 

Head 

Quarters 

33

Security 



Data 






Appliances 




LAN Switch 

34


Voice and Video Enabled VPN (V3PN) 

Managing separate voice & data 

networks is costly and inefficient. 

Network connectivity is too difficult or 

expensive to reach remote offices and 

Teleworkers. 

Solution: V3PN 

• Reduces data, video and telephony bandwidth 

expenses while ensuring high-quality connections 

• Cost-effective, high-bandwidth connectivity 

regardless of location 

• Connectivity for all locations, 

including SOHOs 

• Enhanced security over traditional WANs 

• ISR on-board crypto accelerates performance 

• Fast network deployment 

• QoS, SLA and Multicast Support 




IOS Security 


Remote 

Users 

Internet 

Data Center 

35

Dynamic Multipoint VPN (DMVPN) 

Secure Meshed Tunnels – Automatically! 

Spoke A 

Hub 

VPN 

= DMVPN Tunnels 

= Traditional Static Tunnels 

= Static Known IP Addresses 

= Dynamic Unknown IP Addresses 


Spoke 

B 

Dynamic Multipoint VPN: 

Spoke A needs to contact Spoke B, 

such as: 

V3PN Call 

PC Contact to a Server 

Learns real address of Spoke B via NHRP, 

OSPF or EIGRP (routing features) 

IPSec VPN tunnel to Spoke B is dynamically 

built over mGRE interface 

Benefits: 

• Additional Multicast, video traffic 

supported with GRE 

• Full Meshed connectivity with 

configuration simplicity of 

hub and spoke 

• Preserves (central) bandwidth, 

minimizes latency 

• No administration required after initial 

configuration of DMVPN feature 

36

Secure, Integrated, Toll Quality IP Telephony 

Using DMVPN, V3PN, SRTP and IOS Security 


LLQ before crypto to 

ensure voice priority 

DMVPN determines 

VPN destination 

PSTN 

Requirements 

• Wire-speed encryption 

• Voice / video prioritization 

• Bandwidth conservation 

• Concurrent services VPN 

• Secure RTP 


Egress Interface 

QoS Policy 

IP WAN 

VPN Encryption V3PN Protects WAN Backbone 

Benefits 

• Traffic throughput with encryption 

• Toll quality, jitter-free voice and video 

• DMVPN sets up tunnel when needed 

• WAN hacker security, lower costs 

• LAN hacker security 

Cisco’s 

Self- 

Defending 

Network 

SRTP Protects LAN 

37

Voice and video-enabled IPSec VPN (V3PN) 

delivers secure connectivity 

• Converges voice, video, and data across a secure IPSec VPN network 

with high-quality, reliable performance 

• DMVPN (Dynamic Multipoint VPN) creates tunnels on-the-fly based 

on user traffic 

Combined features provide Quality of Service, Multi Protocol, ease of 

provisioning, and secure connectivity 

Branch Office 

A 

Branch Office 

B 

DMVPN 

Branch Office 

C 


Internet 

VPN QoS 

V3PN 

Voice 

Video 

Corporate 

Headquarters 

38

Media authentication and encryption using 

SRTP protects voice conversations 

Branch Office A 

Branch Office B 

PSTN 


Gateway Encrypted 

signaling using IPSec 

VoIP 

WAN 

Media encryption using SRTP 

Headquarters 

Encrypted 

signaling using 

TLS 

• Encrypted IP phone to gateway calls or gateway to gateway calls protects voice 

conversations from hackers: 

• Standards-based encryption with Secure Real Time Protocol (SRTP) 

• Signaling authentication and encryption to Cisco CallManager 

• Supported on IOS MGCP Gateways with PVDM2, NM-HDV2 and NM-HD modules 

• Available with IOS 12.3(11)T and upcoming release of CCM 

A 

39

SRTP Media Encryption Options on 2800 

and 3800 Integrated Services Router 

HWIC HWIC HWIC HWIC 

GE GE 

HWIC HWIC HWIC HWIC 

NME X 


EVM 

USB USB 

USB USB 

Voice Encryption Options : 

• Digital Signal Processing PVDM2 slots with VICs/VWICs/EVM 

• NM-HDV2 and NM-HD network modules 

Signaling Encryption Options: 

• IOS software IPSec VPN encryption 

• Hardware IPSec VPN Encryption 

• Onboard VPN accelerator (3DES and up to 256 bit AES) 

• AIM VPN Modules (AIM-VPN/BPll-Plus for 2801, and AIM- 

VPN/EPII-Plus for 2811, 2821, 2851) 

40

Cisco IP Communication 

Skalierbare Sprach-Lösungen und Konvergenz 

• Service Provider PGW, Meetingplace, Hosted IPCC, … 

• Enterprise Cisco Call Manager, SRST, ISR 

• SMB Cisco Call Manager Express, ISR 


41

Cisco Network Admission Control (NAC) Router-Integrated Services

Create successful ePaper yourself

Delete template?

Save as template?