|
Home user (Voice over IP Cisco archive, October 2007)
|
|
| Curt Shaffer 2007-10-15, 7:11 pm |
| I was wondering what everyone out there is using for the situation where you
have someone on your CCM or CCME that has 1 phone at a home office.
Something tells me an ASA is overkill and I haven't found solid information
that any of the 87x routers support tagging QoS of packets going through the
VPN tunnel. We would obviously like to have QoS in place even though it's
not respected at their ISP just to make sure the VPN/Voice packets are
leaving their routers first as a best effort to get some quality.
Thanks
| |
| Linsemier, Matthew 2007-10-16, 1:11 pm |
| We currently have about 40 production remote home teleworkers that have
been deployed using Cisco 871/877 wireless routers and 7960 phones.
We are using a Cisco 3845 series router at the head-end so that we can
control QoS tagging on the egress / ingress points of both sides of the
VPN tunnel. We are using a phase 2 DMVPN solution dual-homed to two
sites to provide secure redundant connectivity.
It took me a bit to tweak my router configurations (I started on Cisco
831/837 routers) to get the results that we wanted, but all in all our
users are happy. There is the occasional jitter and packet loss (it is
the Internet, mind you) but G.729 is working quite well coupled with
business cable and DSL services.
If you have any other questions, feel free to ask.
Matt
| |
| Johnson, Ken 2007-10-16, 1:12 pm |
| Couldn't say but we've used 3002 VPN hardware clients for years and more
recently 871 routers without any problems whatsoever. Mostly 7970's on
the other end.
Ken Johnson
Mgr. Network Services,
Information Technology
LeTourneau University
| |
| Scott Voll 2007-10-16, 1:12 pm |
| | |
|
| This has been kicked around for a while since we moved to CallManager
but not much thought has been given to it. I'm trying to understand
how your hardware is set up. How would it look, similar to one of these?
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <--Ethernet--> LAN
or
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <---> ASA or PIX Firewall <--Ethernet--> LAN
Is the 3800 used for all your firewalling needs in lieu of something
like an ASA or PIX? Sonicwalls are currently in place and haven't
worked very well for the remote users it was tested with. The
Sonicwalls we have don't have anything similar to what the 871s seem
to have in regards to VLANs and packet tagging. We would probably
kick the Sonicwalls out if something else would work better.
jeff
| |
| Curt Shaffer 2007-10-16, 7:11 pm |
| Actually due to a difference between who this customer uses for Server
network vs. Phone network; they have been using Sonicwall for normal VPN
connectivity, which I personally do not like based on personal experience.
But the setup will be as follows:
87x router or ASA <--DSL or Cable--> INTERNET <---PRI/Internet connection--> 2811 router <-- Phone LAN
| |
|
| I haven't been particularly fond of the Sonicwalls either but they
pre-date me and have been inherited.
Currently it looks like this:
Sonicwall (10 user type) <--DSL or Cable--> INTERNET <---T1 Internet--> 26xx router <--Ethernet--> Sonicwall (VX/PRO type) <--- LAN
                                                                                                        |______<--- DMZ network
I'll have to take a closer look at a 2800 router for this. I have one
available that I typically use in the voice lab. Should the 2800 be
able to handle things like setting up a DMZ and one-to-one NAT
mappings (I'm not sure if that is the same term used in the Cisco
world for it) to internal hosts? From the initial reading I've done
about it, it seems there's a fine line between the firewall appliances
like the Sonicwall and ASA or PIX and 2800/3800 routers since it
seems the ISRs have hardware level encryption built in.
Thanks,
jeff
| |
| Scott Voll 2007-10-17, 1:12 pm |
| If you're trying to get around the Firewall and let's say your Call Manager is
on the DMZ or LAN I think the Phone Proxy is a great option. No VPN. Well
priced (believe it or not...... ) and easy to use.
I got the Phone Proxy with the default 25 phone license pack and had it up
and running in less than 4 hours, reading the docs to get it set up. No
VPN overhead or troubleshooting.
Just my two cents.
Scott
| |
| Linsemier, Matthew 2007-10-17, 1:12 pm |
| In our environment we utilize PIX firewalls (still have to upgrade to
ASAs) to handle our firewall needs and then use the 3800 series router
just to terminate the DMVPN home users. They are deployed in parallel
and sit behind a perimeter screening router (another 3800 series
router). We shied away from using the PIX for the simple fact that
while it would preserve QoS markings, we couldn't do any remarking or
shaping in the device. Maybe this has changed in the ASA, but I don't
think you have the control like you do in IOS (such as qos pre-classify,
shaping, policing, etc.). Depending on how many tunnels you plan on
using, you could use a router much smaller than a 3800 series to
terminate the end nodes.
On the home user end we have the Cisco 871/877 routers configured to
support wired and wireless connections using three VLANs. We have a
VLAN configured for corporate connectivity, one VLAN configured as a
voice VLAN, and then a VLAN configured for untrusted traffic. One
Ethernet port on the router provides connectivity to the corporate and
voice VLANs, while the remaining three are configured as untrusted.
Similarly with wireless, we extend PEAP authentication from the
headquarters and authenticate users to the corporate VLAN, and use a
WPA-PSK to secure the untrusted connections. This way the users plug in
their phone, then their laptop/docking station to port 0, and any other
home devices can be connected to port 1-3 or use the wireless WPA-PSK
network and be logically segregated (using ACLs) from any data on the
corporate network. This way we can also control QoS and mark down all
traffic that enters the router from the untrusted network. So when said
employee's son or daughter starts downing a 2 gig torrent from a home PC,
they don't kill the voice or impact the corporate workflow. Eventually
we will be implementing 802.1x on the corporate port for additional
security, but have had mixed results of getting it to work with Windows
XP.
Hope this helps.
Matt
| |
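An added example, not part of the thread and not Matt's configuration: a small Python audit that checks an IOS-style config for the properties his post describes (untrusted VLAN fenced off by an inbound ACL and marked down on ingress, `qos pre-classify` on the tunnel, a priority class on egress). The sample config is constructed; VLAN numbers, interface, policy and ACL names and addresses are assumptions.

```python
import re

# Constructed IOS-style sample, not taken from the thread. VLAN numbers, policy
# and ACL names, interface names and addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
class-map match-any VOICE
 match ip dscp ef
policy-map MARK-DOWN-UNTRUSTED
 class class-default
  set dscp default
policy-map WAN-OUT
 class VOICE
  priority 128
 class class-default
  fair-queue
ip access-list extended UNTRUSTED-IN
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
interface Vlan10
 description corporate
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 description voice
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 description untrusted
 ip address 192.168.30.1 255.255.255.0
 ip access-group UNTRUSTED-IN in
 service-policy input MARK-DOWN-UNTRUSTED
interface Tunnel0
 description DMVPN to head-end
 qos pre-classify
interface FastEthernet4
 description WAN
 service-policy output WAN-OUT
"""

REMARK_TO_BEST_EFFORT = re.compile(r"set (ip )?dscp (default|0)")


def parse_blocks(text):
    """Map each top-level config line to its indented children as (depth, text)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append((depth, raw.strip()))
    return blocks


def policy_actions(blocks, name):
    """Return {class name: [actions]} for one policy-map ({} if undefined)."""
    classes, cls = {}, None
    for _, line in blocks.get(f"policy-map {name}", []):
        if line.startswith("class "):
            cls = line.split(None, 1)[1]
            classes[cls] = []
        elif cls is not None:
            classes[cls].append(line)
    return classes


def child_arg(children, pattern):
    """First regex group of the first child line fully matching pattern."""
    for _, line in children:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None


def audit(config, untrusted=("Vlan30",), tunnel="Tunnel0"):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings = parse_blocks(config), []
    for ifname in untrusted:
        intf = blocks.get(f"interface {ifname}", [])
        # Segregation: an inbound ACL must deny something before any catch-all permit.
        acl = child_arg(intf, r"ip access-group (\S+) in")
        entries = [l for _, l in blocks.get(f"ip access-list extended {acl}", [])]
        cut = entries.index("permit ip any any") if "permit ip any any" in entries else len(entries)
        if not any(e.startswith("deny ") for e in entries[:cut]):
            findings.append(f"{ifname}: no inbound ACL deny ahead of permit-all")
        # Mark-down: ingress policy must reset DSCP so home traffic cannot claim priority.
        pol = child_arg(intf, r"service-policy input (\S+)")
        default = policy_actions(blocks, pol).get("class-default", [])
        if not any(REMARK_TO_BEST_EFFORT.fullmatch(a) for a in default):
            findings.append(f"{ifname}: ingress traffic is not re-marked to best effort")
    # Classification on the inner header needs pre-classify on the tunnel.
    if "qos pre-classify" not in [l for _, l in blocks.get(f"interface {tunnel}", [])]:
        findings.append(f"{tunnel}: qos pre-classify missing")
    # Voice must leave first: some egress policy needs a priority (LLQ) class.
    has_llq = False
    for header, children in blocks.items():
        if header.startswith("interface "):
            pol = child_arg(children, r"service-policy output (\S+)")
            for actions in policy_actions(blocks, pol).values():
                has_llq = has_llq or any(a.startswith("priority") for a in actions)
    if not has_llq:
        findings.append("no egress service-policy with a priority class")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```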
|
| I saw your mention of that earlier. It sounds interesting and fairly
simple. I haven't gotten to spend much time reading up on it yet so
correct me if I'm wrong but it sounds like this is geared towards
phones only. Something that's starting to get kicked around
also is IPCCX which I think has been rebadged as UPCCX to keep with
the whole Unified naming scheme. It's another thing I've just started
to look into but from what I get there is a desktop client that goes
with it, which I'm not sure what the communication protocols it uses
yet. I think the goal is to have a few home based service people that
aren't out on calls use their down time to help man the phones via an
IP phone at home.
jeff
| |
| Scott Voll 2007-10-17, 1:12 pm |
| Not sure if it's TAC supported but I just tested it the other day because we
want the helpdesk to answer calls if we are snowed out and it does work.
Our agents log into the client via Citrix (not sure if that's TAC supported
either). All in all it does work. CM 4.1.3 / IPCCx 4.0.1 / Unity 4.0.5
Not that we don't also give the option to VPN the computer in, but the voice
doesn't have the extra overhead of IPsec.
Scott
On 10/17/07, Jerky <lists@jerkys.org> wrote:
>
> I saw your mention of that earlier. It sounds interesting and fairly
> simple. I haven't gotten to spend much time reading up on it yet so correct
> me if I'm wrong but it sounds like this is geared towards phones only.
> Something that's starting to get getting kicked around also is IPCCX which
> I think has been rebadged as UPCCX to keep with the whole Unified naming
> scheme. It's another thing I've just started to look into but from what I
> get there is a desktop client that goes with it, which I'm not sure what
> the communication protocols it uses yet. I think the goal is to have a few
> home based service people that aren't out on calls use their down time to
> help man the phones via an IP phone at home.
>
>
> jeff
>
> On Oct 17, 2007, at 9:46 AM, Scott Voll wrote:
>
> if you're trying to get around the Firewall and let's say your Call manager
> is on the DMZ or LAN I think the Phone Proxy is a great option. No VPN.
> Well priced (believe it or not...... ) and easy to use.
>
> I got the Phone proxy with the default 25 phone license pack and had it up
> and running in less than 4 hours. reading the docs to get it setup. No
> VPN overhead or troubleshooting.
>
> Just my two cents.
>
> Scott
| |
|
| so it would be more like this:
            Cisco 871
                |
            DSL CABLE
                |
            Internet
                |
   T1 Connection (Serial0/0/0)
                |
        _____ 3800 _____
        |              |
  ethernet 0/0    ethernet 0/1
        |              |
     PIX/ASA         3800 (Cisco 871 VPN's terminate here)
        |              |
 LAN(computers)    LAN (Voice)
Hopefully my crude diagram makes sense. Do your home users have
access to any data on the computer network side? Or are the 87x VPNs
solely for getting to the voice network? If users access things on the
"computer" side would you have a separate tunnel setup just for that?
Thanks so much for helping enlighten me. It's been very helpful.
jeff
On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:
> In our environment we utilize PIX firewalls (still have to upgrade
> to ASA’s) to handle our firewall needs and then use the 3800 series
> router just to terminate the DMVPN home users. They are deployed
> in parallel and sit behind a perimeter screening router (another
> 3800 series router). We shied away from using the PIX for the
> simple fact that while it would preserve QoS markings, we couldn’t
> do any remarking or shaping in the device. Maybe this has changed
> in the ASA, but I don’t think you have the control like you do in
> IOS (such as qos pre-classify, shaping, policing, etc.).
> Depending on how many tunnels you plan on using, you could use a
> router much smaller than a 3800 series to terminate the end nodes.
>
>
>
> On the home user end we have the cisco 871/877 routers configured
> to support wired and wireless connections using three VLANS. We
> have a VLAN configured for corporate connectivity, one VLAN
> configured as a voice VLAN, and then a VLAN configured for
> untrusted traffic. One Ethernet port on the router provides
> connectivity to the corporate and voice VLANS, while the remaining
> three are configured as untrusted. Similarly with Wireless, we
> extend PEAP authentication from the headquarters and authenticate
> users to the corporate VLAN, and use a WPA-PSK to secure the
> untrusted connections. This way the users plug in their phone,
> then their laptop/docking station to port 0, and any other home
> devices can be connected to port 1-3 or use the wireless WPA-PSK
> network and be logically segregated (using ACL’s) from any data on
> the corporate network. This way we can also control QoS and mark
> down all traffic that enters the router from the untrusted
> network. So when said employee's son or daughter starts downing a 2
> gig torrent from a home PC, they don’t kill the voice or impact the
> corporate workflow. Eventually we will be implementing 802.1x on
> the corporate port for additional security, but have had mixed
> results of getting it to work with Windows XP.
>
>
> Hope this helps.
>
>
>
> Matt
>
>
>
>
>
> From: Jerky [mailto:lists@jerkys.org]
> Sent: Tuesday, October 16, 2007 6:32 PM
> To: Linsemier, Matthew
> Cc: Curt Shaffer; cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Home user
>
>
>
> This has been kicked around for a while since we moved to
> CallManager but not much thought has been given to it. I'm trying
> to understand how your hardware is setup. How would it look,
> similar to one of these?
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <--Ethernet--> LAN
>
>
>
> or
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <---> ASA or PIX Firewall <--Ethernet--> LAN
>
>
>
> Is the 3800 used for all your firewalling needs in lieu of
> something like an ASA or PIX? Sonicwall's are currently in place
> and haven't worked very well for the remote users it was tested
> with. The Sonicwalls we have don't have anything similar to what
> the 871's seem to have in regards to vlans and packet tagging. We
> would probably kick the Sonicwalls out if something else would work
> better.
>
>
>
> jeff
| |
| Scott Voll 2007-10-17, 1:12 pm |
| no cisco CPE required.
      ip phone
         |
 internet connection
         |
         --------------------------- phone proxy
         |                               |
         |                               |
    FW / router                          |
         |                               |
  internal network ------------- voice network
basically you save the money of a cisco CPE by getting the phone proxy. let
the end users VPN in with the client for data purposes or use Citrix to get
around VPN altogether.
the phone proxy has a north / South interface so the only thing going
through it is the authenticated voice traffic.
hope that's understandable.
scott
| |
| Michael Thompson 2007-10-18, 1:12 am |
| the big reason I'm more of a fan of taking the 871 route is that you have
flexibility of creating a DMZ (using F0/3 I think) for the other home users
on the network (kids at home playing games, etc) and it creates a separate
segment for SoHo users.
what's sexy about it is that you can be working from home, on your company
laptop for security reasons of course, on a site to site VPN
essentially. you can control what traffic from those VLANs / Subnets is
allowed across so that only specific application traffic is allowed (Citrix,
EMail, IP Voice, IPCC CAD, etc). The best part is that since you assign LLQ
to the tunnel interface, you have the full capabilities of the MQC at your
disposal no matter how QoS nutty you get with your DSCP markings (priority
markings, policing, variable drop precedence, etc)...it's all there. AND
the capper, and ABSOLUTELY critical when talking about using this from home,
you have absolute control over how the bandwidth is used to the internet.
i.e. junior downloading music and playing World of Warcraft isn't crippling
your IPCC / Voice traffic.
essentially you create a VPN on the 871 that terminates on the outside
interface of the router. Then you have GRE terminate on a loopback inside
the router. You then apply policing on the GRE tunnel equivalent to the
approximate upstream bandwidth of your broadband. the exceed parameter
calls the MQC / LLQ configuration (it's not invoked unless you start to
approach bandwidth contention). the 871 is a beefy little box. we have
customers running this exact config with up to around 5 PCs in the house
(personal and work). all of the personal computers are on the DMZ and only
the work devices go on the inside interfaces.
all of that being said, you're still at the mercy of the idiot out at the
distribution box pulling your DSL wires because he doesn't get dial tone on
them and he needs copper for the neighbor's new phone...but you can't totally
defend against the morons of the world.
>
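The untrusted-VLAN segregation Matt describes and the voice-first queueing Michael describes could look roughly like this on an 871 spoke. This is an added example, not a configuration posted by anyone in the thread; the VLAN number, addresses, policy names and rates are constructed placeholders, and it uses a parent shaper with a child LLQ policy instead of the policer-with-exceed arrangement Michael mentions.

```cisco
! Added example for a Cisco 871 home-office spoke (IOS 12.4-style MQC syntax).
! Every name, VLAN number, subnet and rate below is a constructed placeholder.
!
! --- Classification: trust only markings that arrive from the voice/corporate port
class-map match-any VOICE-BEARER
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
! --- Ingress on the untrusted home VLAN: re-mark everything to best effort
!     so a home PC cannot claim the priority queue by setting its own DSCP
policy-map UNTRUSTED-INGRESS
 class class-default
  set ip dscp default
!
! --- Child policy: LLQ for one G.729 call plus tunnel overhead (assumed 64 kbps),
!     a small guarantee for call signaling, fair queueing for the rest
policy-map WAN-LLQ
 class VOICE-BEARER
  priority 64
 class VOICE-SIGNALING
  bandwidth 8
 class class-default
  fair-queue
!
! --- Parent policy: shape to just under the measured upstream rate (assumed
!     here as 600 kbps) so congestion queues on this router, where LLQ can
!     act on it, and not inside the DSL/cable modem
policy-map WAN-SHAPER
 class class-default
  shape average 600000
  service-policy WAN-LLQ
!
! --- Segregation: untrusted hosts reach the Internet but not the corporate
!     or voice ranges (10.0.0.0/8 stands in for those ranges)
ip access-list extended UNTRUSTED-IN
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip any any
!
interface Vlan30
 description Untrusted home devices (ports 1-3 and the WPA-PSK SSID)
 ip address 192.168.30.1 255.255.255.0
 ip access-group UNTRUSTED-IN in
 service-policy input UNTRUSTED-INGRESS
!
interface Tunnel0
 description Tunnel to the head-end (existing source/protection lines omitted)
 ! classify on the inner header before encryption hides ports and addresses
 qos pre-classify
!
interface FastEthernet4
 description WAN to the DSL/cable modem
 service-policy output WAN-SHAPER
```

Checking `show policy-map interface FastEthernet4` during a call while a bulk transfer runs from the untrusted VLAN shows whether voice lands in the priority class and whether drops stay confined to class-default.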
| |
| Curt Shaffer 2007-10-20, 7:12 am |
| I tried searching on this on cisco.com. Do you have a part number or a more
direct name that may help? Is this something that is production ready or is
it still beta quality?
Thanks
Curt
From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Scott Voll
Sent: Wednesday, October 17, 2007 2:05 PM
To: Jerky
Cc: Linsemier, Matthew; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Home user
no cisco CPE required.
ip phone
|
internet connection
|
--------------------------- phone proxy
| |
| |
FW / router |
| |
internal network ------ voice network
basically you save the money of a cisco CPE by getting the phone proxy. let
the end users VPN in with the client for data purposes or use Citrix to get
around VPN all together.
the phone proxy has a north / South interface so the only thing going
through it is the authenticated voice traffic.
hope that's understandable.
scott
On 10/17/07, Jerky <lists@jerkys.org> wrote:
so it would be more like this:
Cisco 871
|
DSL CABLE
|
Internet
|
T1 Connection (Serial0/0/0)
|
_____ 3800 _____
| |
ethernet 0/0 ethernet 0/1
| |
PIX/ASA 3800 (Cisco 871 VPN's terminate here)
| |
LAN(computers) LAN (Voice)
Homefully my crude diagram makes sense. Do your home users have access to
any data on the computer network side. Or is the 87x VPNs solely for getting
to the voice network If users access things on the "computer" side would you
have a separate tunnel setup just for that?
Thanks for so much helping enlighten me. It's been very helpful.
jeff
On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:
In our environment we utilize PIX firewalls (still have to upgrade to ASA's)
to handle our firewall needs and then use the 3800 series router just to
terminate the DMVPN home users. They are deployed in parallel and sit
behind a perimeter screening router (another 3800 series router). We shied
away from using the PIX for the simple fact that while it would preserve QoS
markings, we couldn't do any remarking or shaping in the device. Maybe this
has changed in the ASA, but I don't think you have the control like you do
in IOS (such as qos pre-classify, shaping, policing, etc.). Depending on
how many tunnels you plan on using, you could use a router much smaller than
a 3800 series to terminate the end nodes.
On the home user end we have the cisco 871/877 routers configured to support
wired and wireless connections using three VLANS. We have a VLAN configured
for corporate connectivity, one VLAN configured as a voice VLAN, and then a
VLAN configured for untrusted traffic. One Ethernet port on the router
provides connectivity to the corporate and voice VLANS, while the remaining
three are configured as untrusted. Similarly with Wireless, we extend PEAP
authentication from the headquarters and authenticate users to the corporate
VLAN, and use a WPA-PSK to secure the untrusted connections. This way the
users plug in their phone, then their laptop/docking station to port 0, and
any other home devices can be connected to port 1-3 or use the wireless
WPA-PSK network and be logically segregated (using ACL's) from any data on
the corporate network. This way we can also control QoS and mark down all
traffic that enters the router from the untrusted network. So when said
employees son or daughter starts downing a 2 gig torrent from a home PC,
they don't kill the voice or impact the corporate workflow. Eventually we
will be implementing 802.1x on the corporate port for additional security,
but have had mixed results of getting it to work with Windows XP.
Hope this helps.
Matt
From: Jerky [mailto:lists@jerkys.org]
Sent: Tuesday, October 16, 2007 6:32 PM
To: Linsemier, Matthew
Cc: Curt Shaffer; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] Home user
This has been kicked around for a while since we moved to CallManager but
not much thought has been given to it. I'm trying to understand how your
hardware is setup. How would it look, similar to one of these?
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
<--Ethernet--> LAN
or
87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845 <---> ASA
or PIX Firewall <--Ethernet--> LAN
Is the 3800 used for all your firewalling needs in lieu of something like an
ASA or PIX? Sonicwall's are currently in place and haven't worked very well
for the remote users it was tested with. The Sonicwalls we have don't have
anything similar to what the 871's seem to have in regards to vlans and
packet tagging. We would probably kick the Sonicwalls out if something else
would work better.
jeff
On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:
We currently have about 40 production remote home teleworkers that have been
deployed using cisco 871/877 wireless routers and a 7960 phones. We are
using a cisco 3845 series router at the head-end so that we can control QoS
tagging on the egress / ingress points of both sides of the VPN tunnel. We
are using a phase 2 DMVPN solution dual-homed to two sites to provide secure
redundant connectivity.
It took me a bit to tweak my router configurations (I started on Cisco
831/837 routers) to get the results that we wanted, but all and all our
users are happy. There is the occasional jitter and packet loss (it is the
Internet mind you) but g.729 is working quite well coupled with business
cable and DSL services.
If you have any other questions, feel free to ask.
Matt
From: cisco-voip-bounces@puck.nether.net
[mailto:cisco-voip-bounces@puck.nether.net ] On Behalf Of Curt Shaffer
Sent: Monday, October 15, 2007 6:37 PM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] Home user
I was wondering want everyone out there is using for the situation where you
have someone on your CCM or CCME that has 1 phone at a home office.
Something tells me an ASA is overkill and I haven't found solid information
that any of the 87x routers support tagging QoS of packets going through the
VPN tunnel. We would obviously like to have QoS in place even though it's
not respected at their ISP just to make sure the VPN/Voice packets are
leaving their routers first as a best effort to get some quality.
Thanks
_____
CONFIDENTIALITY STATEMENT
This communication and any attachments are CONFIDENTIAL and may be protected
by one or more legal privileges. It is intended solely for the use of the
addressee identified above. If you are not the intended recipient, any use,
disclosure, copying or distribution of this communication is UNAUTHORIZED.
Neither this information block, the typed name of the sender, nor anything
else in this message is intended to constitute an electronic signature
unless a specific statement to the contrary is included in this message. If
you have received this communication in error, please immediately contact me
and delete this communication from your computer. Thank you.
_____
_______________________________________________
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
| |
|
| Think this is what you are looking for:
http://www.cisco.com/en/US/products/ps7057/products_data_sheet0900aecd80546906.html
jeff
On Oct 20, 2007, at 6:40 AM, Curt Shaffer wrote:
> I tried searching on this on cisco.com. Do you have a part number
> or a more direct name that may help? Is this something that is
> production ready or is it still beta quality?
>
>
>
> Thanks
>
>
>
> Curt
>
>
>
> From: cisco-voip-bounces@puck.nether.net
> [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Scott Voll
> Sent: Wednesday, October 17, 2007 2:05 PM
> To: Jerky
> Cc: Linsemier, Matthew; cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Home user
>
>
>
> no cisco CPE required.
>
>
>
>          ip phone
>             |
>     internet connection
>             |
>   --------------------------- phone proxy
>      |                             |
>      |                             |
>   FW / router                      |
>      |                             |
>   internal network ------ voice network
>
>
>
> basically you save the money of a cisco CPE by getting the phone
> proxy. let the end users VPN in with the client for data purposes
> or use Citrix to get around VPN altogether.
>
>
>
> the phone proxy has a north / South interface so the only thing
> going through it is the authenticated voice traffic.
>
>
>
> hope that's understandable.
>
>
>
> scott
>
>
>
>
>
>
>
> On 10/17/07, Jerky <lists@jerkys.org> wrote:
>
> so it would be more like this:
>
>
>
>
>              cisco 871
>                  |
>              DSL CABLE
>                  |
>               Internet
>                  |
>      T1 Connection (Serial0/0/0)
>                  |
>          _____ 3800 _____
>          |              |
>    ethernet 0/0    ethernet 0/1
>          |              |
>       PIX/ASA         3800 (Cisco 871 VPN's terminate here)
>          |              |
>    LAN(computers)    LAN (Voice)
>
>
>
>
>
>
>
> Hopefully my crude diagram makes sense. Do your home users have
> access to any data on the computer network side? Or are the 87x VPNs
> solely for getting to the voice network? If users access things on
> the "computer" side would you have a separate tunnel setup just for
> that?
>
> Thanks so much for helping enlighten me. It's been very helpful.
>
>
>
>
> jeff
>
>
>
>
>
>
>
>
>
>
> On Oct 17, 2007, at 10:19 AM, Linsemier, Matthew wrote:
>
>
>
>
> In our environment we utilize PIX firewalls (still have to upgrade
> to ASA's) to handle our firewall needs and then use the 3800 series
> router just to terminate the DMVPN home users. They are deployed
> in parallel and sit behind a perimeter screening router (another
> 3800 series router). We shied away from using the PIX for the
> simple fact that while it would preserve QoS markings, we couldn't
> do any remarking or shaping in the device. Maybe this has changed
> in the ASA, but I don't think you have the control like you do in
> IOS (such as qos pre-classify, shaping, policing, etc.).
> Depending on how many tunnels you plan on using, you could use a
> router much smaller than a 3800 series to terminate the end nodes.
>
>
>
> On the home user end we have the Cisco 871/877 routers configured
> to support wired and wireless connections using three VLANs. We
> have a VLAN configured for corporate connectivity, one VLAN
> configured as a voice VLAN, and then a VLAN configured for
> untrusted traffic. One Ethernet port on the router provides
> connectivity to the corporate and voice VLANs, while the remaining
> three are configured as untrusted. Similarly with wireless, we
> extend PEAP authentication from the headquarters and authenticate
> users to the corporate VLAN, and use a WPA-PSK to secure the
> untrusted connections. This way the users plug in their phone,
> then their laptop/docking station to port 0, and any other home
> devices can be connected to port 1-3 or use the wireless WPA-PSK
> network and be logically segregated (using ACL's) from any data on
> the corporate network. This way we can also control QoS and mark
> down all traffic that enters the router from the untrusted
> network. So when said employee's son or daughter starts downing a 2
> gig torrent from a home PC, they don't kill the voice or impact the
> corporate workflow. Eventually we will be implementing 802.1x on
> the corporate port for additional security, but have had mixed
> results of getting it to work with Windows XP.
>
>
> Hope this helps.
>
>
>
> Matt
>
>
>
>
>
> From: Jerky [mailto:lists@jerkys.org]
> Sent: Tuesday, October 16, 2007 6:32 PM
> To: Linsemier, Matthew
> Cc: Curt Shaffer; cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] Home user
>
>
>
> This has been kicked around for a while since we moved to
> CallManager but not much thought has been given to it. I'm trying
> to understand how your hardware is set up. How would it look,
> similar to one of these?
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <--Ethernet--> LAN
>
>
>
> or
>
>
>
> 87x router <---DSL or Cable---> INTERNET <--T1 connection---> 3845
> <---> ASA or PIX Firewall <--Ethernet--> LAN
>
>
>
> Is the 3800 used for all your firewalling needs in lieu of
> something like an ASA or PIX? Sonicwalls are currently in place
> and haven't worked very well for the remote users it was tested
> with. The Sonicwalls we have don't have anything similar to what
> the 871's seem to have in regards to vlans and packet tagging. We
> would probably kick the Sonicwalls out if something else would work
> better.
>
>
>
> jeff
>
>
>
> On Oct 16, 2007, at 8:16 AM, Linsemier, Matthew wrote:
>
>
>
> We currently have about 40 production remote home teleworkers that
> have been deployed using Cisco 871/877 wireless routers and 7960
> phones. We are using a Cisco 3845 series router at the head-end so
> that we can control QoS tagging on the egress / ingress points of
> both sides of the VPN tunnel. We are using a phase 2 DMVPN
> solution dual-homed to two sites to provide secure redundant
> connectivity.
>
>
>
> It took me a bit to tweak my router configurations (I started on
> Cisco 831/837 routers) to get the results that we wanted, but all
> in all our users are happy. There is the occasional jitter and
> packet loss (it is the Internet mind you) but g.729 is working
> quite well coupled with business cable and DSL services.
>
>
>
> If you have any other questions, feel free to ask.
>
>
>
> Matt
>
>
>
> From: cisco-voip-bounces@puck.nether.net
> [mailto:cisco-voip-bounces@puck.nether.net] On Behalf Of Curt Shaffer
> Sent: Monday, October 15, 2007 6:37 PM
> To: cisco-voip@puck.nether.net
> Subject: [cisco-voip] Home user
>
>
>
> I was wondering what everyone out there is using for the situation
> where you have someone on your CCM or CCME that has 1 phone at a
> home office. Something tells me an ASA is overkill and I haven't
> found solid information that any of the 87x routers support tagging
> QoS of packets going through the VPN tunnel. We would obviously
> like to have QoS in place even though it's not respected at their
> ISP just to make sure the VPN/Voice packets are leaving their
> routers first as a best effort to get some quality.
>
>
>
> Thanks
| |
| Michael Thompson 2007-10-24, 7:12 pm |
| keep in mind, this proxy is just relaying the traffic. It is NOT addressing
any QoS issues with SoHo work.
On 10/21/07, Jerky <lists@jerkys.org> wrote:
>
> Think this is what you are looking for:
>
>
>
> http://www.cisco.com/en/US/products...cd80546906.html
>
>
> jeff
|
|
|
|
|
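The home-router side of the design described in this thread (untrusted VLAN cut off from corporate and voice data by ACL, its traffic marked down, voice queued first toward the tunnel), sketched as IOS configuration. This is an added example, not any poster's actual configuration; the VLAN numbers, subnets, ACL and policy names, and all bandwidth figures are assumptions, and the DMVPN/crypto settings are omitted.

```cisco
! Added illustration. Assumed addressing: VLAN 10 corporate 192.168.10.0/24,
! VLAN 20 voice 192.168.20.0/24, VLAN 30 untrusted 192.168.30.0/24,
! corporate networks behind the tunnel 10.0.0.0/8.
!
ip access-list extended UNTRUSTED-IN
 remark Untrusted home devices may reach the Internet only
 deny   ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.30.0 0.0.0.255 any
!
class-map match-any VOICE
 match ip dscp ef
class-map match-any VOICE-SIGNALING
 match ip dscp cs3
 match ip dscp af31
!
! Whatever DSCP an untrusted host sets is overwritten with best effort,
! so it can never land in the voice queue.
policy-map MARK-UNTRUSTED
 class class-default
  set ip dscp default
!
! Child policy: strict-priority queue for voice (rates in kbps, assumed).
policy-map WAN-QUEUE
 class VOICE
  priority 64
 class VOICE-SIGNALING
  bandwidth 16
 class class-default
  fair-queue
!
! Parent policy: shape below the assumed broadband uplink rate so that
! queuing happens on this router rather than in the ISP modem.
policy-map WAN-SHAPE
 class class-default
  shape average 400000
  service-policy WAN-QUEUE
!
interface Vlan30
 description Untrusted home devices (switch ports 1-3, WPA-PSK SSID)
 ip address 192.168.30.1 255.255.255.0
 ip access-group UNTRUSTED-IN in
 service-policy input MARK-UNTRUSTED
!
interface Tunnel0
 description DMVPN tunnel to head-end (tunnel and crypto config omitted)
 ! Lets the WAN policy classify on inner header fields after encapsulation;
 ! the DSCP value itself is copied to the outer header by default.
 qos pre-classify
!
interface FastEthernet4
 description WAN to cable/DSL modem
 service-policy output WAN-SHAPE
```

The ACL and the input marking policy sit on the untrusted VLAN interface, so both the segregation and the mark-down are enforced before that traffic can compete with the corporate and voice VLANs for the uplink.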