Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Business Ready Teleworker Design Guide
January 2004
Customer Order Number: OL-11675-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Business Ready Teleworker Design Guide
Copyright © 2004 Cisco Systems, Inc.
All rights reserved.

Business Ready Teleworker Design Guide, OL-11675-01

CONTENTS

Preface xi
  Scope xi
  Target Audience xii
  Obtaining Documentation xii
    Cisco.com xii
    Documentation CD-ROM xii
    Ordering Documentation xii
  Documentation Feedback xiii
  Obtaining Technical Assistance xiii
    Cisco.com xiii
    Technical Assistance Center xiv
      Cisco TAC Website xiv
      Cisco TAC Escalation Center xiv
  Obtaining Additional Publications and Information xv

CHAPTER 1 Business Ready Teleworker Design Guide Introduction 1-1
  Solution Introduction 1-1
  Solution Benefits 1-3
    Business Ready Teleworker Benefits 1-3
    V3PN Benefits for Business Ready Teleworkers 1-4
    Service Provider Benefits 1-5
  Solution Scope 1-5
    Public and Private IP Addressing Conventions 1-6
  Supporting Designs 1-6

CHAPTER 2 Business Ready Teleworker VPN Solution Overview 2-1
  Solution Characteristics 2-2
  General Best Practices Guidelines 2-2
    Basic Guidelines 2-3
    Quality of Service Guidelines 2-3
    IPSec VPN Guidelines 2-4
    Security Guidelines 2-4
  General Solution Caveats 2-5
    Basic Caveats 2-5
    QoS Caveats 2-6
    IPSec VPN Caveats 2-6
    Security Caveats 2-6
  Solution Technology Components 2-7
    Virtual Private Networks 2-7
    IP Telephony 2-9
    Small Office/Home Office 2-10
  General Deployment Models 2-11
    Integrated Unit 2-12
    Dual Unit 2-12
    Integrated Unit + Access Device 2-13
    Which Model to Choose 2-14
  Broadband Access Technologies 2-15
    Digital Subscriber Line 2-15
    Cable 2-16
    Integrated Services Digital Network 2-16
    Broadband Encapsulation 2-17
    Choosing Broadband Access 2-18

CHAPTER 3 Business Ready Teleworker CPE Deployment Models 3-1
  Devices Used for Models 3-3
  CPE Selection Criteria and Recommendations 3-7

CHAPTER 4 Business Ready Teleworker Deployment Guidelines 4-1
  Basic Services 4-1
    One Broadband Connection 4-1
    Ethernet Connection for Four or More SOHO Devices 4-2
    Dynamic Host Configuration Protocol Support 4-2
    Network Address Translation 4-4
    Network Time Protocol and Simple Network Time Protocol 4-6
    Enterprise-based Telephony Services 4-6
  Quality of Service 4-8
    General 4-8
    CPE Performance 4-8
    End-to-End QoS 4-9
    Access Circuit QoS 4-10
    QoS Classification Persistence through VPNs 4-11
  IPSec VPN and Security 4-12
    Technique for Strong Encryption 4-12
    Packet Authentication Options 4-12
    VPN Network Design 4-13
    VPN Authentication 4-14
    Per-User Authentication 4-16
    Authentication Proxy 4-17
    802.1X for VPN Access Control 4-20
    Context-Based Access Control 4-29
    Firewall Options 4-29
    Split Tunneling 4-30
    Two-Teleworker Homes 4-32
    IP Multicast 4-35
    In-Home Wireless 4-35
  Improved Availability 4-37
  Management 4-38
    Basic Device Provisioning 4-38
    Provisioning IPSec VPN 4-39
    Provisioning Authentication 4-41
    Policy and Device Management 4-41
    Service Provider Managed Services 4-42
    Ongoing Solution Creation for Provisioning 4-43

CHAPTER 5 V3PN for Business Ready Teleworker Solution Overview 5-1
  Teleworker Applications Overview 5-1
  Solution Characteristics 5-4
  General Best Practices Guidelines 5-5
  General Solution Caveats 5-5

CHAPTER 6 V3PN for Business Ready Teleworker Broadband Issues 6-1
  Avoid Known Issues 6-1
    Link Fragmentation and Interleaving 6-2
    Use QoS where Available 6-3
    Minimize ISP Exposure 6-3
  Personal Firewalls 6-4
    Issues with Personal Firewalls 6-4
    IPSec Pass-through—Calls Drop When Muted 6-5
    IPSec Pass-through—Calls Drop During Rekey 6-8
    Solution for Cisco IOS Personal Firewalls 6-9
    Solution for Linksys Personal Firewalls 6-9

CHAPTER 7 V3PN for Business Ready Teleworker Planning and Design 7-1
  Teleworker Deployment Model 7-1
  IP Telephony (Voice over IP) 7-2
    Call Admission Control 7-2
    Recommended Broadband Link Speeds 7-3
    Voice Quality Comparison 7-4
  Quality of Service 7-7
    Bandwidth Provisioning for WAN Edge QoS 7-8
    Voice over IP 7-8
    DSL Packet Size—IPSec (only) Encrypted G.729 7-9
    Packet Size—Layer-2 Overhead 7-10
    Cable—Packet Size, IPSec (only) Encrypted G.729 7-11
    Bandwidth Classes and Class-Default 7-12
    Broadband Downlink QoS 7-13
    Broadband Serialization Delay 7-14
    TCP Maximum Segment Size 7-15
    Broadband Video Conference Support 7-17
    QoS Pre-Classify 7-17
    LLQ for Crypto Engine 7-18
    Determining Available Uplink Bandwidth 7-18
    Limiting High Priority Traffic 7-21
    Split Tunneling—Prioritizing Enterprise Traffic over Spouse-and-Children Traffic 7-23
  IP Security 7-28
    Multiple Peer Statements, IKE Keepalive and Dead Peer Detection 7-28
    X.509 Certificates 7-29
  Head-end Topology 7-29
    Sample Topology—Router-on-a-Stick 7-29
    Sample Topology—Routers In-line 7-30
    Head-end Redundancy for Remote Peers 7-32
  Service Provider 7-34
    Cisco Powered Network References 7-34
    Testing Methods for Simulating an Internet Service Provider 7-34
    Testing Methods for Simulating a Congested Cable Plant 7-35
  Design Checklist 7-37

CHAPTER 8 V3PN for Business Ready Teleworker Implementation and Configuration 8-1
  Switching Path 8-1
    IP Cisco Express Forwarding 8-1
    NetFlow 8-2
  QoS Configuration 8-2
    Configure QoS Class Map 8-3
    QoS Policy Map Configuration 8-3
    Configure the Shaper 8-4
    Attach the Service Policy to the Interface 8-5
    Configure TCP Adjust-MSS 8-5
    PPPoE Configuration 8-6
    Hold Queue 8-7
  IKE and IPSec Configuration 8-8
    Configure X.509 Digital Certificate 8-8
    Configure IKE (ISAKMP) Policy 8-10
    Configure IPSec Transform-Set 8-10
    Configure the Crypto Map 8-10
    Apply Crypto Map to Interface 8-11
    Configure an Inbound Access List 8-11
    Configure Context-Based Access Control 8-11
  Implementation and Configuration Checklist 8-13

CHAPTER 9 V3PN for Business Ready Teleworker Product and Performance Data 9-1
  Scalability Test Methodology 9-1
    Test Tool Topology 9-2
    Traffic Profiles 9-2
  Product Selection 9-6
    Performance Results by Link Speed 9-6
    Issues with Cisco PIX 501 and Cisco VPN 3002 9-7
    Software Releases Evaluated 9-9
  Performance Results—Additional Features and Higher Bandwidth 9-9
    CPU Utilization by Feature 9-10
    Split Tunnel Traffic Profile 9-11
    Higher Bandwidth for Small Office Deployments 9-12
    Business Class Bandwidth Rates—DSL 9-13
    Business Class Bandwidth Rates—Cable 9-14
    Teleworker Deployment 768 Kbps/3072 Kbps 9-15
    Small Office—Two Concurrent Voice Calls 9-16

CHAPTER 10 V3PN for Business Ready Teleworker Verification and Troubleshooting 10-1
  Service Assurance Agent 10-1
    Configuration to Measure Jitter 10-1
    Spoke-to-Spoke Jitter Illustration 10-3
    ICMP Echo 10-4
    Comparison of Broadband Internet Connectivity 10-6
  Internetwork Performance Monitor 10-9
  Common Deployment Issues 10-10
    Codec Changes 10-10
    NTP Servers 10-11
    Enable Secret Passwords 10-11
    Certificate Server 10-11
    Special Requests 10-12
    Home Topology 10-12
    Hardware Failures 10-12
    RFC 1918 Addresses 10-12
    Identifying Remote Link Flaps 10-13
  Troubleshoot the Basics 10-13
    Cable, DHCP and MAC Addresses 10-14
    Certificate Expiration 10-15
    Windows Kerberos Authentication 10-15
    Powering the Cisco 7960 IP Phone 10-15
    Category-5 Cables 10-16
    Duplicate IP Subnet 10-16
  Verifying Packet Classification 10-16
    Source Interface 10-19

APPENDIX A V3PN for Business Ready Teleworker Solution Testbed Network Diagram A-1

APPENDIX B ToS Byte Reference Chart B-1

APPENDIX C Additional Performance Data Configuration Examples C-1
  Global Configuration Changes C-1
  Input Access-Control Lists for Auth-Proxy C-2
  NAT/pNAT C-2
  CBAC C-3
  Cisco IOS-IDS C-3

APPENDIX D Sample Deployment D-1
  Head-end D-1
    Primary Head-end Configuration D-1
    Secondary Head-end Configuration D-5
  Remote—DSL Integrated Unit Plus Access D-9
    IPSec SOHO Router D-9
    Remote—DSL Router / Personal Firewall (Access Router) D-14
  Remote—DSL Integrated Unit D-17
  Remote—Cable Integrated Unit Plus Access with 802.1X D-22

INDEX
[...] deployed in this design guide. Please refer to the Technical Tip section after logging on the TAC homepage at: http://www.cisco.com/tac

[...]

PART 1 Business Ready Teleworker

CHAPTER 2 Business Ready Teleworker VPN [...]

[...] Private Networking (V3PN) for Business Ready Teleworker
• Chapter 5, "V3PN for Business Ready Teleworker Solution Overview"
• Chapter 6, "V3PN for Business Ready Teleworker Broadband Issues"
• Chapter 7, "V3PN for Business Ready Teleworker Planning and Design"
• Chapter 9, "V3PN for Business Ready Teleworker Product and Performance Data"
• Chapter 8, "V3PN for Business Ready Teleworker Implementation and [...]

[...] http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

CHAPTER 1 Business Ready Teleworker Design Guide Introduction

This introductory chapter presents a high-level overview of the Cisco Business Ready Teleworker solution. Specific sections presented [...]

[...] presented in each part. Chapter 1, "Business Ready Teleworker Design Guide Introduction" is presented to provide an overall context for the remainder of the publication.

Part 1 Business Ready Teleworker
• Chapter 2, "Business Ready Teleworker VPN Solution Overview"
• Chapter 3, "Business Ready Teleworker CPE Deployment Models"
• Chapter 4, "Business Ready Teleworker Deployment Guidelines"

Part 2—Voice and [...]

[...] cost-effective and reliable manner.

Solution Benefits

The Business Ready Teleworker solution offers benefits for both enterprises and service providers. These are summarized separately in the following general sections:
• Business Ready Teleworker Benefits, page 1-3
• Service [...]

[...] 7, "V3PN for Business Ready Teleworker Planning and Design," of this guide.
• Hub-and-spoke IPSec topologies are recommended. Take into account traversing the service provider network twice if teleworker-to-teleworker (spoke-to-spoke) calls are supported.

Note [...]

Supporting Designs

The Business Ready Teleworker solution is based on several supporting technologies and designs (see Figure 1-2). In an effort to minimize overlap and repetition, this guide will focus on the unique aspects of the solution and refer to supporting design guides when appropriate.

Figure 1-2 Underlying Business Ready Teleworker Design Foundation (figure labels recovered from the extracted text: Enterprise Class Teleworker Solution, Teleworker [...])

[...] guidelines for including access media (cable and DSL) to V3PN deployments. As such, it is expected that the reader be familiar with the concepts covered in related guides. Where appropriate, and to provide particular emphasis, these guides will be referenced in the text.

[...] for Business Ready Teleworker Verification and Troubleshooting"
• Appendix A, "V3PN for Business Ready Teleworker Solution Testbed Network Diagram"
• Appendix B, "ToS Byte Reference Chart"
• Appendix C, "Additional Performance Data Configuration Examples"
• Appendix D, "Sample Deployment"

Target Audience

This design guide [...]

[...] summarize the benefits of the teleworker voice and data solution, this solution extends the advantages of VPNs (such as cost savings, data application support, extended availability, security, and privacy) to provide secure enterprise voice services to full-time and part-time teleworkers.

Preface

This design guide presents [...]