The Cisco Validated Design Program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit www.cisco.com/go/validateddesigns.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
CCDE, CCENT, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks.; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0803R)
The main objective of this document is to outline the architectural and design specifications for Cisco's Enterprise Class Teleworker (ECT) solution. In summary, ECT is an end-to-end manageable, secure and integrated turn-key architectural solution for remote offices and teleworkers.
The Cisco ECT solution is an integral part of the Cisco Service Oriented Network Architecture (SONA) framework to guide customers to achieve Intelligent Information Network (IIN) in their Enterprises.
Based on the SONA and IIN framework, the Cisco ECT Solution is a highly scalable Cisco IOS Software solution that securely integrates the network infrastructure, management infrastructure, managed services, and applications across the entire enterprise: LAN, WAN, Branch, and Teleworker locations. The key differentiator of ECT Solution is the integration of Cisco IOS Software, managed services, and applications on the same Customer Premises Equipment (CPE).
Cisco has successfully deployed ECT solution internally, thus increasing productivity and improving efficiency, while enabling seamless "zero-touch deployment", manageability, and low-to-negative Total Cost of Ownership (TCO). Both Enterprises and Service Providers can leverage Cisco ECT Solution to offer the benefits of network services to their end users/customers, while maintaining an effective return on investment (ROI).
This document goes beyond the standard concept of design specifications and addresses some of the services offered as part of the ECT framework and includes service oriented architectural components, such as provisioning, management, TCO and business requirements and lessons learned from Cisco IT implementation of ECT.
Cisco's ECT solution is designed to provide a full office replica and a near-office user experience for day-extenders, part-time teleworkers and full-time teleworkers in their home offices. It provides Wireless Service@Home both for the Cisco employee and for his or her spouse and kids. It also provides IP Telephony (IPT)@Home and Video@Home for Cisco employees; in other words, ECT extends Cisco Unified Communications all the way to the home, providing global reach and full access to collaboration tools. ECT enables businesses to offer new services while maintaining a manageable TCO.
ECT is built on four pillars: end-to-end layered security, end-to-end connectivity, end-to-end provisioning and end-to-end management. The production offering is based on a single piece of Customer Premises Equipment (CPE) for the home (the Cisco 831 Router in the past, the Cisco 870 Series now) and leverages Dynamic Multipoint Virtual Private Network (DMVPN) as the underlying VPN technology and architecture. For Field Sales Offices (FSOs), larger platforms from the 1800, 2800 or 3800 series are used.
The four pillars constitute the network platform, which is the basis for a service oriented architecture capable of delivering a variety of services and business models, eventually enhancing service availability and performance, improving the overall user experience and increasing workforce productivity.
With ECT, companies can leverage the best of their network and benefit from the framework of services that ECT provides, as shown in Figure 1.
Figure 1. ECT Framework
1.1 Business Strategy
ECT takes advantage of the exploding broadband offering, where more than 225 million home users worldwide already use broadband to connect to the Internet. The trend is expected to accelerate the volume of users and the resulting demand for more bandwidth. Additionally, these users are expected to purchase more new services on top of their FTTN, Wi-Fi and WiMAX broadband connections and take advantage of new broadband technology offerings.
The demand for video from Small Office, Home Office (SOHO) users and Small and Medium Business (SMB) users will require Internet Service Providers (ISPs) to offer 15-25 Mbps at the access layer of their networks. Some service providers have already announced plans to offer next generation networks to their customers. The expected Differentiated Services (DiffServ) offering at the access layer and edges of the provider's network, and Integrated Services (IntServ) between peers, will allow Enterprises to prioritize their traffic and applications and to provide differentiated services for their users with committed IP Service Level Agreements (IP SLAs).
The expected increase in the number of telecommuters, as well as workforce disruptions (caused by pandemics and natural disasters), create opportunities for ECT-type managed security services solutions, which enable several categories of users to conduct business away from permanent offices and owned or leased corporate facilities for extended periods of time.
Continued globalization of the workforce requires more and more business activities to take place outside normal business hours, affecting employees' well-being and work-life balance. The new technologies and services offered by ECT enable employees to keep flexible hours and work independent of their location, thereby enabling Enterprises to maintain and retain talent and giving employees the tools to maintain a work-life balance even during changing circumstances in their personal or work life.
Offering an end-to-end manageable, secure turn-key solution helps Cisco customers implement effective access control mechanisms and improves the overall security protection of an Enterprise's intellectual property.
1.2 Business Continuity: Disaster Recovery and Pandemic Preparedness
Cisco's ECT solution is positioned as one of the major Cisco technologies for crisis management and business continuity management. Based on some industry studies, only 13% of enterprises are prepared for workforce disruptions. With ECT as a business enabler, a company can quickly relocate its workforce because of the ECT 'Zero Touch' deployment model, scalability, redundancy and resiliency. ECT therefore greatly increases employee productivity and improves the user experience today, and lays the foundations for business continuity and increased business resiliency.
Figure 2. Increase Workforce Resiliency
1.3 Cisco's IT Strategy
ECT is Cisco's next generation remote access solution. Its primary goal is to improve the overall security of intellectual property. A key strategy for achieving this goal is to implement effective access control mechanisms so that only individuals with appropriate security credentials gain access to the network. As a result, IT must be able to continuously manage all end devices to ensure they are running the latest Cisco IOS (Internetwork Operating System) updates, patches and policies, while still allowing the users of the devices to retrieve data and use Cisco services securely. Other goals include reducing operating expenses while increasing revenues.
ECT allows Cisco customers to leverage the latest Cisco VPN technologies together with Cisco IT's deployment and management best practices and lessons learned. It includes industry-leading practices such as Secure Device Provisioning (SDP) for the CPE, Zero Touch Deployment (ZTD) for IPT, DMVPN as the VPN technology, and management and provisioning practices that add value to Cisco products. These allow Cisco to offer end-to-end solutions and professional practices for the SOHO, SMB, Enterprise and ISP market segments and to expand the business impact of IT beyond showcasing technologies, increasing overall productivity. ECT achieves the following goals, common to every IT organization:
• Design and build supportable and scalable Internet-based VPN solutions improving accessibility to corporate information resources from virtually everywhere.
• Offer a rapid ordering and deployment solution for a VPN service and other bundled services to the home, with minimal installation and configuration effort for our clients. Expand the existing Zero Touch Deployment (ZTD) model for CPEs into a Secure Device Provisioning model for the CPE, and extend ZTD from the CPE to all services: IPT, Wi-Fi and video deployments.
• Extend the footprint of the full-service workplace beyond traditional corporate owned and leased facilities, extending virtually all workplace services to any user's location.
• Enable a readily available Business Continuity option for mission-critical business functions, permitting users to support Cisco's business when Cisco owned and leased office space is unreachable.
ECT introduces a managed, secure, end-to-end solution for bringing enterprise-quality services (voice, video, wireless and data) into home offices. It is designed to provide time- and location-agnostic service availability for employees' home offices, increase their flexibility and user satisfaction, improve overall productivity and enable unified communications. Based on some industry analysis, in ECT-type solutions the TCO comprises 20% acquisition cost, 35% initial installation and deployment cost, and 45% day-to-day operations and management cost.
The following example shows Cisco's deployment of ECT as it expands to all theaters, as shown in Figure 3.
Figure 3. The Existing Cisco IT Global ECT Deployment.
The management of the remote routers is performed over management tunnels terminated on Secure Management Gateways (SMG) located in San Jose, RTP, Amsterdam, Hong Kong and Bangalore. This deployment is designed to host more than 30,000 users globally.
From an architectural point of view, the current ECT architecture is built on the concept of integrated managed security and encompasses the following major pillars:
• End-to-end security
• End-to-end connectivity
• End-to-end provisioning
• End-to-end management.
The existing architecture allows reduction of the deployment and management cost, effectively reducing the TCO of the solution.
The following ECT characteristics result in a lower TCO:
• Use of integrated devices, such as Cisco Integrated Services Routers, combining VPN, firewall, QoS, wireless and threat defense mechanisms
• Leverage of DMVPN and dynamic routing protocol integration as the technology framework of the solution, for full resiliency with failover, load balancing and server load balancing (SLB)
• Deployment of end-to-end models for security, connectivity, deployment and management
• Use of ZTD models to lower the cost of the initial install and deployment.
• Automation of the deployment and management framework.
• Integration of the solution into the existing management system in order to utilize the existing management components and develop reusable ones
• A self-adapting network, which dynamically updates its routing tables end-to-end
• Addition of on-demand tunnels for bandwidth preservation and the lowest possible latency
The four pillars of the solution, as shown in Figure 4, together with the end-to-end model and the tiered support structure, constitute a framework on top of which the next phases of ECT can be built to offer a variety of services.
Figure 4. ECT is Built On an End-to-End Model
These pillars hold the foundations for rapid deployment of today's key IP applications:
• Data
• VoIP
• QoS
• Wi-Fi
• Multicast
• Video
From an architectural point of view, the end-to-end approach inherits and expands the existing foundation and framework to allow more services to be supported as part of the program, and becomes an enabler for service oriented architectures, which are much more suitable for end-to-end "turn key" secure managed service oriented solutions.
Many of the management tasks can be automated and integrated with existing IT tools. Some of these tasks are: adding device profiles to an AAA server; adding the router hostname and its IP address to the corporate DNS server; deprovisioning terminated employees; running IP SLA probes and collecting performance data.
As stated earlier, the IOS end-to-end security solution is integrated into the connectivity, provisioning and management framework. The following chapter addresses the end-to-end security of ECT in its architectural and design aspects and provides configuration examples, based on the architecture provided in Chapter 2.
The end-to-end security in ECT is based on the Cisco IOS security feature set available in Cisco IOS Software Release 12.4 and above. The layered security model includes hardening of Cisco IOS itself, password protection, hostname protection, and digital certificates for authentication, encryption and non-repudiation. In the ECT configuration a CPE has two kinds of ports: trusted and non-trusted. Every user who connects to a trusted port of the CPE router is prompted for valid user credentials. Typically 802.1x is used to automatically assign the correct VLAN to a user (trusted, or non-trusted, often called the guest VLAN). If the user is successfully authenticated, he is granted access to corporate resources; if the user fails authentication, his traffic is still sent to the corporate gateways, but ACLs deny access to corporate resources and grant access only to the Internet. Every user connected to a non-trusted port of the router can only access the Internet.
Cisco IP phones are automatically detected and placed in a specific voice VLAN.
The end-to-end security in ECT requires a continuum of security features across all of its layers and components. In essence, the end-to-end security of ECT provides collaborative security, typically associated with the so-called triad of trust: authentication, authorization and posture.
Figure 5. ECT Architecture
3.1 Loss of RSA Private Key
If a router is stolen, the boot flash (ROMMON) is tampered with, and password recovery is attempted, the RSA private key is erased. Without the private key, the spoke router cannot negotiate IPsec connectivity with the Management or Data gateways. This prevents an attacker from downgrading the IOS image on the spoke router, performing password recovery, or restoring the spoke router to its initially deployed image while retaining the ability to establish the VPN tunnels to the Management and Data gateways, because the RSA private key has been destroyed.
3.2 Disabling Password Recovery
Cisco IOS routers provide a facility to recover from a forgotten password. An IOS-savvy end user could use this procedure to gain access to the router and inspect its configuration. This can be prevented by disabling password recovery with the global configuration command "no service password-recovery":
test-router#configure terminal
test-router(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]:yes
test-router(config)#
3.3 Restricting Console Access
The security policy of some customers may require controlling access to the console port. There are two ways to control console access: password protection and locking the port down.
By enabling console authentication, console access is password protected: the user is prompted for a username and password, and access is granted only if correct credentials are entered. The router can be configured to verify against the local credentials configured on the router or against a RADIUS or TACACS+ server. Keeping local authentication (at least as a fallback method) ensures that console access is still possible when network connectivity is down.
3.4 Locking the Console Port
This method completely locks down the console. Once it is enabled, the only way to access the router is through network-based mechanisms such as SSH or Telnet, so if network access is lost the router becomes inaccessible. Extreme caution should therefore be taken when deploying this on routers that may lose their network access, for example when a user changes ISP or the address assignment changes from DHCP to static. (On the 870 platform the user can press the reset button for six to ten seconds to reset the router configuration to factory defaults; other platforms do not offer this option.) Here is the sequence to configure the feature:
menu disable clear-screen
menu disable title %Console Disabled%
line con 0
autocommand menu disable
! "clear line 0" will clear the console connection if a connection
! is active. But this needs to be done from a ssh or telnet window.
If these commands are entered from a Telnet or console session, a "clear line 0" command may be needed at the end of the configuration.
3.5 Authentication Proxy
Authentication Proxy is configured on all CPEs. When a user connects a computer to a trusted port of the router, or associates with the trusted wireless network, the authentication proxy mechanism prompts the user for valid credentials. Upon success, the computer is granted access to corporate resources. If the user connects a computer to the non-trusted port of the router, the PC is granted access to the Internet without being challenged for credentials. The authentication proxy authenticates an IP address, which after successful authentication is stored in the authentication proxy cache. The only exception is IPT traffic, which is allowed to pass even if no user has authenticated against auth-proxy on the device terminating the IPT. The authentication proxy first checks whether the user has been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the request by forcing the user's device to open a browser window and prompting the user for a username and password. The login page is shown in Figure 6. Users must successfully authenticate in order to access Cisco internal network resources; otherwise they can only access the Internet.
Figure 6. The Authentication Proxy Login Page
In the ECT deployment, user authentication requests are sourced from an IP address on the BVI1 subnet. User access is authenticated against the Active Directory servers maintained by Cisco IT. If the authentication succeeds, the user's authorization profile is retrieved from the AAA server. Authentication Proxy uses the information in this profile to create dynamic access control entries (ACEs) and adds them to the inbound (input) access control list (ACL) of the input interface and to the outbound (output) ACL of the output interface, if an output ACL exists on that interface. For the ECT CPEs, the ACL is on the trusted ports.
Upon successful user authentication, the dynamic ACEs are added to the interface configuration. The authentication proxy customizes each access list entry in the user profile by replacing the source IP address in the downloaded access list with the source IP address of the authenticated host. The authentication proxy sends a message to the user confirming that the login was successful, and the device is then given immediate access to the Cisco internal network resources. The inactivity timer is set to 1440 minutes. As a result, if there is no traffic from a device whose IP address has already successfully authenticated against the authentication proxy for that long, the dynamic ACEs are deleted, and any user trying to access internal Cisco network resources from a device using the same IP address, including the original device, will have to re-authenticate.
If the authentication fails, the authentication proxy reports the failure to the user and allows multiple retries. If the user fails to authenticate after the preconfigured number of attempts, the user must wait two minutes and initiate another HTTP session to trigger the authentication proxy again. The login page is refreshed each time the user makes a request to a web server.
The initial ECT Authentication Proxy configuration enables users to make and receive calls over their IP phones, bypassing the authentication proxy. The configuration has several components:
aaa authorization auth-proxy default group authproxy
!
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw rtsp
ip inspect name fw tftp
ip inspect name fw skinny
ip inspect name fw esmtp
ip inspect name fw sip
ip inspect name fw sip-tls
!
ip admission auth-proxy-banner file http://10.99.99.2/customize-authpproxy-page.htm
ip admission auth-proxy-banner http ^
Please login now to get connected to the corporate network
^
ip admission max-login-attempts 5
! Configure 1440 minutes of inactivity timeout.
! proxy_acl is the intercept ACL; the rule named here is the one applied to BVI1
ip admission name pxy proxy http inactivity-time 1440 list proxy_acl
!
interface BVI1
description inside interface
ip inspect fw in
ip access-group proxy_inbound_acl in
ip admission pxy
!...
ip access-list extended proxy_acl
remark --- Auth-Proxy ACL -----------
! Deny lines are used to bypass auth-proxy
deny tcp any host 10.10.200.1 eq www
! auth-proxy will intercept http access matching the below permit lines
permit tcp any 10.10.30.0 0.0.0.255 eq www
...
!
ip access-list extended proxy_inbound_acl
remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
! Allow access to certain protocols (DNS, NetBIOS, IPT signalling, TFTP)
permit udp any any eq domain
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit udp any any eq 5445
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 2000
permit tcp any any eq 2443
permit udp any any eq tftp
! Block corporate subnets. If split tunneling is not enabled,
! denying all traffic with "deny ip any any" is sufficient
deny ip any 10.0.0.0 0.255.255.255
...
...
! if split tunneling is enabled
permit ip any any
!
3.7 IP Phone Consideration
IP phones cannot display the authentication proxy prompt and therefore cannot be authenticated with auth-proxy. One solution is to use the Cisco IOS stateful firewall inspection mechanism. IP phones usually download their initial configuration using TFTP, so TFTP needs to be opened in the inbound ACL. If the IP phone uses Skinny Client Control Protocol (SCCP), TCP port 2000 needs to be opened (TCP 2443 for secure SCCP); IP inspection then dynamically opens pinholes for the RTP streams when a call is made. By opening only the signalling port, access control is not diluted much and the IP phone works without going through auth-proxy. The same approach works for SIP phones: open port 5060 (UDP or TCP, depending on the transport the phones use) and TCP 5061 for SIP over TLS.
UDP port 5445 needs to be opened if Cisco Unified Video Advantage (CUVA) is enabled on the IP phone.
Important authentication proxy diagnostic commands:
show ip auth-proxy cache
Displays the existing auth-proxy sessions.
show ip auth-proxy configuration
Displays the current configuration.
clear ip auth-proxy cache [* | <ip address>]
Clears auth-proxy sessions.
debug ip auth-proxy [options]
Enables auth-proxy debugs.
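To make the order of evaluation in sections 3.5 to 3.7 concrete, the following Python model walks one trusted-port host through the auth-proxy flow: the intercept ACL decides which HTTP requests trigger the login page, the static inbound ACL applies to everyone else (with the split-tunnel "permit ip any any" at the end), downloaded ACEs are rewritten to the authenticated host's address and placed in front of the inbound ACL, the 1440-minute inactivity timer tears them down, and five failures trigger the two-minute wait. This is an added illustration, not Cisco IOS code or anything from the ECT guides; the addresses, the user database standing in for the Active Directory/RADIUS check, and the downloaded profile are constructed sample data, and the ACL engine is a simplified first-match/implicit-deny model.

```python
"""Illustrative model of the IOS authentication-proxy / inbound-ACL behaviour
described in sections 3.5-3.7.  Not IOS code: a stand-in that makes the order
of evaluation and the timers visible.  Addresses, users and passwords below
are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches everything, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


def ace(action, proto, src, dst, dport=None):
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def acl_decision(acl, proto, src, dst, dport):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


class AuthProxy:
    def __init__(self, intercept_acl, inbound_acl, inactivity_min=1440,
                 max_attempts=5, lockout_s=120):
        self.intercept_acl = intercept_acl
        self.inbound_acl = inbound_acl
        self.inactivity_s = inactivity_min * 60
        self.max_attempts = max_attempts
        self.lockout_s = lockout_s
        self.cache = {}       # authenticated host -> last-seen time (auth-proxy cache)
        self.dynamic = {}     # authenticated host -> downloaded ACEs rewritten to that host
        self.failures = {}    # host -> (failed attempts, locked-until time)

    def _expire(self, now):
        for host, seen in list(self.cache.items()):
            if now - seen > self.inactivity_s:       # inactivity timer fired
                del self.cache[host]
                del self.dynamic[host]

    def packet(self, now, proto, src, dst, dport):
        """Decision for one inbound packet on the trusted interface."""
        self._expire(now)
        if src in self.cache:
            self.cache[src] = now                    # traffic refreshes the timer
            # dynamic ACEs sit in front of the static inbound ACL
            return acl_decision(self.dynamic[src] + self.inbound_acl, proto, src, dst, dport)
        if acl_decision(self.intercept_acl, proto, src, dst, dport) == "permit":
            return "intercept"                       # HTTP hit -> login page
        return acl_decision(self.inbound_acl, proto, src, dst, dport)

    def login(self, now, src, user, password, users, profile):
        """Login attempt from src; `profile` is the ACL downloaded for the user."""
        count, until = self.failures.get(src, (0, 0))
        if now < until:
            return "locked"
        if users.get(user) != password:
            count += 1
            if count >= self.max_attempts:
                self.failures[src] = (0, now + self.lockout_s)
                return "locked"
            self.failures[src] = (count, 0)
            return "failed"
        self.failures.pop(src, None)
        host = ipaddress.ip_network(src + "/32")
        # auth-proxy replaces the source of each downloaded ACE with the host
        self.dynamic[src] = [Ace(a.action, a.proto, host, a.dst, a.dport) for a in profile]
        self.cache[src] = now
        return "ok"


# Constructed sample data shaped like the ECT configuration above.
INTERCEPT_ACL = [ace("deny", "tcp", ANY, "10.10.200.1/32", 80),    # bypass
                 ace("permit", "tcp", ANY, "10.10.30.0/24", 80)]    # intercept
INBOUND_ACL = [ace("permit", "udp", ANY, ANY, 53), ace("permit", "udp", ANY, ANY, 69),
               ace("permit", "tcp", ANY, ANY, 2000),                 # SCCP signalling
               ace("deny", "ip", ANY, "10.0.0.0/8"),                 # corporate blocked
               ace("permit", "ip", ANY, ANY)]                        # split tunnel: Internet
PROFILE = [ace("permit", "ip", ANY, "10.0.0.0/8")]    # downloaded; "any" source gets rewritten
USERS = {"jdoe": "s3cret"}                             # stand-in for the AD/RADIUS check


def demo():
    """Walk one host through the flow; returns the decisions for inspection."""
    p = AuthProxy(INTERCEPT_ACL, INBOUND_ACL)
    h, other = "192.168.1.10", "192.168.1.11"
    out = {"web_to_corp_unauth": p.packet(0, "tcp", h, "10.10.30.5", 80)}
    out["ssh_to_corp_unauth"] = p.packet(0, "tcp", h, "10.1.1.1", 22)
    out["dns_unauth"] = p.packet(0, "udp", h, "10.2.2.2", 53)
    out["internet_unauth"] = p.packet(0, "tcp", h, "198.51.100.7", 443)
    for _ in range(5):                                   # fifth failure locks the host
        out["fail"] = p.login(1, h, "jdoe", "wrong", USERS, PROFILE)
    out["retry_too_soon"] = p.login(60, h, "jdoe", "s3cret", USERS, PROFILE)
    out["retry_after_wait"] = p.login(130, h, "jdoe", "s3cret", USERS, PROFILE)
    out["ssh_to_corp_auth"] = p.packet(131, "tcp", h, "10.1.1.1", 22)
    out["other_host_same_acl"] = p.packet(131, "tcp", other, "10.1.1.1", 22)
    out["after_idle"] = p.packet(131 + 1441 * 60, "tcp", h, "10.1.1.1", 22)
    return out
```

The point to take from the walkthrough is that the downloaded profile says "any" but the second host never benefits from it: the source rewrite binds the ACEs to the IP address that authenticated, which is also why a host that takes over that address before the inactivity timer fires inherits the session (section 3.5).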
3.8 IEEE 802.1x Port Authentication
The IEEE 802.1x standard and its Layer 2 and Layer 3 extensions provide device-level security for both the switch-port and routed-port CPEs. Deploying this feature in ECT ensures that only authenticated devices get access to the VPN network. Non-authenticated devices are assigned to the "auth-failed VLAN" and only get Internet access. This is particularly helpful for separating "spouse and kids" computers from an employee's computers. Following is a list of the important functionalities provided by this feature:
• User authentication and port security: only authorized users get access to the VLAN.
• Automatic VLAN assignment: the port is assigned the appropriate VLAN based on the user credentials.
• Guest VLAN: clientless devices can be assigned to a separate VLAN designated as the Guest VLAN.
• Single-host/multi-host mode (the 871 supports only multi-host mode).
Using 802.1x, all IP devices connecting to the router are subject to 802.1x-based credential validation. This works only on the switch ports of the ISR router platforms. The device does not get an IP address until its credentials are validated. Once validated, the port becomes active and the device gets network access. If validation fails, the port is held unauthorized (no traffic is forwarded) unless a guest VLAN is configured, in which case the device is placed there.
This authentication requires an 802.1x client (called a supplicant) running on the device. Many devices, like IP phones, do have 802.1x supplicants. To accommodate clientless devices, the guest VLAN feature can be enabled. The guest VLAN typically has fewer access privileges than the primary VLAN. In ECT, the guest VLAN is part of BVI2.
Cisco IP phones have the capability to request the voice VLAN. If a voice VLAN is enabled on the router, a Cisco IP phone is automatically placed in that VLAN and bypasses 802.1x authentication.
If just user authentication is the goal, then auth-proxy will be sufficient. The following table gives a brief comparison of Authentication Proxy and 802.1x authentication feature.
3.9 Authentication Proxy Vs. 802.1x Comparison
Table 1. Authentication Proxy Vs. 802.1x Comparison
Authentication Proxy
802.1x
Protocol Used
HTTP-Can be configured on any router on the network path.
IEEE 802.1x-Should be configured on the immediate networking device (spoke router on ECT). Even if there is a switch or a wireless access point between the device and router, 802.1x will not work. This is because those devices consume or discard 802.1x frames. So the inside network can only be expanded using a hub.
Client Type
A Web browser-Any device with a Web browser can authenticate.
802.1x supplicant-Only those devices with a supplicant can authenticate.
Access Control Mechanism
Permit ACEs are downloaded (Cisco attribute-value [AV] pair configured on RADIUS server) for an authenticated device. Nothing happens for an un-authenticated device.
Authenticated devices are associated with trusted VLAN and un-authenticated ones are associated with Guest VLAN (or blocked). Separate access control, firewall, NAT polices can be configured for each VLAN.
Split Tunneling Concern
If no-split tunneling is configured, un-authenticated devices may not get any network access.
If no-split tunneling is configured, un-authenticated devices can still be given access to public Internet. This is because separate NAT and firewall polices can be applied to un-authenticated devices without sacrificing overall security.
Role Based Access
The user names can belong to different groups on the RADIUS server and different ACEs can be downloaded for users depending on which group that user belongs to.
Only two classifications: trusted and non-trusted.
For more information about this feature and its configuration on ECT, refer to the deployment guide "Deploying 802.1x-Based Port Authentication on the Cisco ECT Solution" (see Table 1). All the ECT deployment guides can be found at http://www.cisco.com/go/ect.
The CPE can be configured following a trusted-subnet/non-trusted-subnet concept, which achieves the goal of split tunneling (separating the traffic) in a different way. When a user connects to any port of the router or associates with any wireless interface (trusted or non-trusted), the user is prompted for 802.1x credentials. Upon successful or unsuccessful authentication, a trusted or non-trusted IP address is assigned and the traffic is routed accordingly.
The IP phone is automatically assigned to the voice VLAN. This VLAN is a hybrid: it bypasses authentication, but its traffic is routed as trusted, since the IP phone has to reach the Cisco CallManager (CCM).
This is a config sample for adding 802.1x to an ECT spoke:
aaa authentication dot1x default local group dot1x
!
! Enable dot1x feature globally
dot1x system-auth-control
!
interface FastEthernet0
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 10
switchport voice vlan 11
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
spanning-tree portfast
!
ip access-list extended allow_skinny_acl
permit udp any any range bootps bootpc
permit udp any host 206.13.28.12 eq domain
permit udp any host 171.70.147.60 eq tftp
permit udp any host 171.68.196.70 eq tftp
permit tcp any any eq 2000
permit udp any any range 24576 24656
permit udp any any eq 5445
permit udp any any range 2326 2373
!! Permit the ip phones services to go through
permit tcp any host 172.16.147.59 eq www
deny ip any any log
interface vlan 11
description Voice VLAN
ip unnumbered BVI1
ip access-group allow_skinny_acl in
ip inspect fw in
no autostate
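The comparison in Table 1 and the note that the 871 supports only multi-host mode have a practical consequence that the sample configuration above does not make visible: 802.1x is a per-port decision, and in multi-host mode every MAC address behind the port shares the outcome of the one supplicant that authenticated. The Python model below, added here as an illustration and not part of the ECT guides or IOS, plays through that on a port with the VLAN numbers from the sample configuration (access VLAN 10, voice VLAN 11, guest VLAN 20). The phone is recognised by a stand-in for CDP, the user database stands in for the RADIUS dot1x group, and, following the text of section 3.8, both a failed authentication and a missing supplicant land in VLAN 20.

```python
"""Illustrative model of 802.1x port behaviour on an ECT spoke as described in
section 3.8 (access VLAN 10, voice VLAN 11, guest VLAN 20 as in the sample
configuration).  Not IOS code; MAC addresses and credentials are constructed
sample data, and USERS stands in for the RADIUS dot1x group."""

USERS = {"jdoe": "s3cret"}


class Dot1xPort:
    def __init__(self, access_vlan=10, voice_vlan=11, guest_vlan=20, multi_host=True):
        self.access_vlan, self.voice_vlan, self.guest_vlan = access_vlan, voice_vlan, guest_vlan
        self.multi_host = multi_host          # the 871 only supports multi-host mode
        self.state = "unauthorized"           # unauthorized | authorized | guest | err-disabled
        self.auth_mac = None                  # supplicant that authorized the port
        self.phones = set()                   # MACs learned as Cisco IP phones (CDP)

    def cdp_phone(self, mac):
        """A Cisco IP phone announces itself via CDP and is placed in the voice VLAN,
        bypassing 802.1x; it still only reaches what the voice-VLAN ACL allows."""
        self.phones.add(mac)
        return self.voice_vlan

    def eapol(self, mac, identity, credential):
        """EAPOL exchange from a supplicant; returns the VLAN the host lands in."""
        if self.state == "err-disabled":
            return None
        if USERS.get(identity) == credential:
            self.state, self.auth_mac = "authorized", mac
            return self.access_vlan
        self.state = "guest"                  # auth failure -> VLAN 20, Internet only
        return self.guest_vlan

    def supplicant_timeout(self):
        """No EAPOL reply at all (clientless host): guest VLAN."""
        if self.state == "unauthorized":
            self.state = "guest"
        return self.guest_vlan

    def frame(self, mac):
        """Forwarding decision for a data frame from `mac`; None = dropped."""
        if self.state == "err-disabled":
            return None                       # single-host violation took the port down
        if mac in self.phones:
            return self.voice_vlan
        if self.state == "guest":
            return self.guest_vlan
        if self.state != "authorized":
            return None                       # unauthorized port: no DHCP, nothing forwards
        if mac == self.auth_mac or self.multi_host:
            return self.access_vlan           # multi-host: every MAC rides the authorized port
        self.state = "err-disabled"           # single-host: a second MAC is a violation
        return None


def demo(multi_host):
    """Employee PC authenticates, a phone shares the port, then a second PC
    (e.g. behind a hub) starts sending.  Returns the VLAN each frame lands in."""
    port = Dot1xPort(multi_host=multi_host)
    pc, phone, kid = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"
    out = {"pc_before_auth": port.frame(pc)}
    out["phone"] = port.cdp_phone(phone)
    out["pc_auth"] = port.eapol(pc, "jdoe", "s3cret")
    out["pc_after_auth"] = port.frame(pc)
    out["second_pc"] = port.frame(kid)
    out["pc_after_second"] = port.frame(pc)
    return out
```

Run with `demo(True)` for the 871 behaviour: once the employee's PC has authenticated, the second PC behind a hub is forwarded on the trusted VLAN 10 without ever presenting credentials, which is the reason the text recommends auth-proxy on top of 802.1x when per-user control is the goal. With `demo(False)` the second MAC is treated as a violation and both hosts lose the port.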
3.10 Secure ARP (DHCP Authorized ARP)
The DHCP Authorized ARP feature enhances the Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) components of Cisco IOS software to limit the leasing of IP addresses to authorized (mobile) users. When configured, ARP table entries and their corresponding DHCP leases are secured automatically for all new leases and DHCP bindings, so the ARP entry for a leased address cannot be overwritten by an unsolicited ARP from another host. When a lease is renewed, it is treated as a new lease and secured again. If the feature is disabled, all existing secured ARP table entries revert to dynamic ARP entries.
3.11 Network Admission Control
NAC is enabled at the head-end side, using Cisco NAC appliance.
Please visit http://cisco.com/go/nac for more information about how to deploy Cisco's NAC appliance.
The ECT router works seamlessly with it and needs no additional configuration.
3.12 Split Tunneling
The CPE routers can be configured in split-tunneling or non-split-tunneling mode. In split-tunneling mode, only the traffic destined for the corporate network is routed to the VPN tunnel; the remaining traffic is routed directly to the Internet service provider (ISP). In non-split-tunneling mode, all the traffic is routed via the corporate network regardless of the traffic's destination.
Split tunneling is controlled by the server side (the DMVPN hub) and can be enabled or disabled at any point in time. The mechanism depends on the routing protocol in use: for a non-split-tunnel configuration, the DMVPN hub advertises a default route to the spokes.
3.13 IOS-Based PKI Overview and Architecture
Device authorization in ECT is based on a PKI and AAA framework. Every device is authorized to be part of the ECT infrastructure based on hostname accounts created on the AAA server. Every device uses a pair of digital certificates to build three encrypted tunnels, two for data and one for management. The PKI environment serves the purposes of device authorization, PKI rollover and Secure Device Provisioning. This section includes information about the design and configuration of the following PKI and AAA components: