© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Enterprise Class Telecommuter VPN Solution
David Iacobacci, Mike Swartz, Plamen Nedeltchev, Ph.D.
ECT Agenda
Access Market Demands and Landscape
ECT: The Business Enabler Meets Customer Requirements
ECT Reduces TCO
ECT Solution: Site-to-Site Cisco IOS®-based VPN
ECT Is End-to-End, Scalable VPN Solution
ECT E2EVPN Model: End-to-End Security, End-to-End Connectivity, End-to-End Deployment, End-to-End Management
ECT Best Practices
Access Market Demands and Landscape
• Customers require a VPN solution that:
  Provides secure end-to-end support for data, voice, wireless, and video
  Is simple, scalable, and manageable, and allows customers to easily subscribe to or unsubscribe from modular services
  Is proven in real-world scenarios; vendors should provide effective information, including lessons learned, detailing how to deploy and manage while minimizing TCO
• Landscape
  VPN has proven to be a big cost saver for enterprises
  Industry is transitioning from permanent circuits to the Internet as a super medium
  Residential broadband is exploding; home access speeds are rapidly increasing
  Telecommuting lifestyle continues to grow—up to 50 million people by 2006
  Clients continue to operate in a hostile environment, as 70% of attacks come across the Internet
ECT: The Business Enabler Meets Customer Requirements
• Manageable: Minimizes TCO due to ZTD and automated management; results in improved control of remote devices
• Scalable: Can address the requirements of ISPs as well as large and small enterprises
• Secure: Supports layers of Cisco security features consistent with the self-defending network strategy; will transform from integrated to collaborative and later adaptive security
• Market distinguisher: Streamlines router configurations and integrates Cisco security with the Cisco dynamic routing framework, creating a solution only Cisco can offer
• Flexible and modular service offerings: ECT is expanding from secure data to secure IPT, Wi-Fi, and video
ECT Reduces TCO
[Chart: Total Cost of Ownership (TCO) and Return on Investment (ROI) plotted over the lifetime of the asset, years 1 to 5]
Maintain a low TCO by using automation to:
• Lower costs of deployment
• Lower costs of management
Total Cost of Ownership (TCO) is the sum of acquisition costs plus all the operational and support costs over the lifetime of an asset—generally 3–5 years; as TCO decreases, ROI improves
Cost breakdown: 20% acquisition costs, 35% operational costs, 45% management costs
ECT Solution: Cisco IOS®-Based Site-to-Site VPN
• Enterprise or ISP models
• Spoke router in the home network has three VPN tunnels: two data and one management
• Traffic is routed over data tunnels in fail-over model
• Management subnet is separate from data subnet and can be physically isolated
[Diagram: the spoke router on the home network connects through the ISP and the Internet to Data GW #1 over the primary data tunnel, to Data GW #2 over the secondary data tunnel, and to the Mgmt GW over the management tunnel; behind the Mgmt GW sit the ISC, IE2100, PKI servers, and EzSDD registrar.]
ECT 3 Phase Approach
Phase 1
Benefits:
• New HW VPN architecture for home users
• 831 replaces 3002
• Automated Provisioning
• Secure and Standardized Management
• Auth-proxy user id
Phase 2
Benefits:
• Automated provisioning of IP Telephony
• Add NBAR, IPS, 802.1x
• Out-of-office productivity close to office levels
• Multiple device types
Phase 3
Benefits:
• Introduce the 871 router as new standard
• Integration of secure, managed wireless LAN service
• 20x improved performance/ throughput
ECT’s Global Reach Is Scalable
[Map: ECT hub locations worldwide: San Jose, Boxborough, RTP, Richardson, Amsterdam, Tel Aviv, Tokyo, Hong Kong, Singapore, Sydney; the legend distinguishes the management and data hub from data-only hubs.]
ECT Management Hub
[Diagram: ECT management hub in the data center. On the management subnet: ISC (IP Solutions Center, UNIX-based server), IE2100 (Linux-based appliance), ACS server, and the provisioning infrastructure; certificate servers Cert1 and Cert2 (Cisco 3725); data center gateways DC GW 1 and DC GW 2; SMG (Cisco 374 or Cat65K). Other equipment is not on the management subnet. The spoke router (Cisco 831) reaches the hub across the Internet over a plain IPSec tunnel to the loopback of ECT-smg1.]
Typical ECT Data Hub
[Diagram: the spoke router (Cisco 831) has a DMVPN-based IPSec primary tunnel to the primary data GW (7206 VXR with NPE-G1 and VAM2) and a DMVPN-based IPSec secondary tunnel to the secondary data GW (7206 VXR with NPE-G1 and VAM2) across the Internet; both gateways and the SDP registrar (Cisco 3725) attach to the corporate network over layer 3 wired connections.]
ECT and End-to-End VPN
DMVPN
• Failover/load-balancing
• Dynamic routing
• Full-mesh and partial-mesh topologies
• Hub-to-spoke and spoke-to-spoke tunnels; permanent and on-demand tunnels
• mGRE, IPSec, NHRP; transport and tunnel modes
• Multiple DMVPN clouds per head-end router; resiliency
Full Support of IP Applications
• Data
• VoIP
• QoS
• Wi-Fi
• Multicast
• Video
End-to-End Management
Device and User Authentication and Anti-Theft Protection
• Secure RSA lock key
• Secure ARP-proxy
• Auth-proxy
• 802.1X
IOS-Based PKI
• Certificate server (CA&RA, Sub-CS modes)
• PKI-AAA integration
• Auto-enrollment
• Multiple trust points
Underlying Security Features
• IPSec (3DES or AES)
• Stateful firewall
• NBAR, IDS/IPS, and NAC
Ongoing Management
IP Solution Center (ISC) and Cisco IE2100-based CNS notification engines:
• CNS configuration
• CNS notification
• CNS image management
EMAN framework integration:
• Automated user service application and entitlement
• Automated configuration/pre-configuration and audit
• Automated image mgmt.
• Automated control, monitoring and security mgmt.
• Interactive/automated decision making and service termination
• Anti-virus, anti-worm and DoS protection
• Automated event log mgmt.
Configuration Automation
IP Solution Center (ISC) and Cisco CNS 2100 Series Intelligence Engine:
• CNS Configuration Engine
• CNS Notification Engine
• CNS Image Engine
Automated Zero Touch Deployment (ZTD):
• Bootstrap configuration and PKI certificates (EzSDD)
• Off-line (ISC CA Proxy)
• In-house (RA engineer)
Automated Policy Deployment, Re-deployment and Audit:
• DMVPN/IPSec
• Firewall
• QoS
• NAT, NBAR & IDS
[Diagram: the four E2EVPN quadrants: End-to-End Security, End-to-End Connectivity, End-to-End Deployment, End-to-End Management]
End-to-End Security: Layered Security
Feature | Benefit
RSA Key Loss Due to Password Recovery | Guards against unauthorized configuration changes
Secure RSA Private Key | Prevents VPN connection after theft
Secure ARP | Anti-spoofing of IP addresses assigned to devices
Authentication-Proxy | User-level authentication (layer 3)
802.1x | User-level authentication (layer 2)
Cisco IOS® PKI Support and PKI-AAA Integration | Secure, scalable solution enables quick addition and deletion of spoke routers utilizing existing AAA servers
Cisco IOS® Stateful Firewall (CBAC) | Maintains state info per application; will provide deep packet inspection and off-board URL filtering
Cisco IOS® IPS | Multiple signatures; will combine with CBAC to perform deep packet inspection with a single lookup
Network Admission Control (NAC) | Device posture validation
RSA Key Loss Due to Password Recovery
• If someone attempts password recovery on the router, the RSA private key will become unusable
• If the user tries to change the hostname of the router, the RSA private key is permanently deleted
The Router Cannot Establish a VPN Session Using the Installed Certificates After Password Recovery
Protected Private RSA Key
• RSA Private key is locked by user—must be unlocked by password entry in order to establish VPN connection
• VPN connections will not be established until the private key is unlocked
The Router Cannot Be Stolen and Later Used to Establish a VPN Session
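As an added illustration (these lines are not from the slides and are not Cisco's reference configuration), this is how the locked-key behaviour described above is set up on a Cisco IOS spoke router using the protected private key storage commands. The key label ECT-KEY, the modulus size and the passphrase placeholder are my assumptions; the passphrase itself is never stored in the configuration, which is what makes the lock useful against theft.

```cisco
! Generate a named RSA key pair for the VPN trustpoint (label "ECT-KEY" is a
! placeholder chosen for this example)
crypto key generate rsa general-keys label ECT-KEY modulus 2048
!
! Encrypt the private key on flash with a passphrase; the public key stays usable
crypto key encrypt rsa name ECT-KEY passphrase <PASSPHRASE-PLACEHOLDER>
!
! Lock the key: IKE cannot sign with it until an operator unlocks it, so a router
! carried off with valid certificates installed still cannot bring up the VPN
crypto key lock rsa name ECT-KEY passphrase <PASSPHRASE-PLACEHOLDER>
!
! Legitimate user restores VPN service by unlocking with the passphrase; the
! passphrase is entered interactively and is not part of the saved configuration
crypto key unlock rsa name ECT-KEY passphrase <PASSPHRASE-PLACEHOLDER>
!
! Verification: the key is reported as protected/locked in this output
show crypto key mypubkey rsa
```

Operationally, a locked key means no IPSec session until someone with the passphrase unlocks it, which is the property the slide relies on; combine it with the hostname-change and password-recovery behaviour on the previous slide so that neither a console reset nor a rename yields a working key.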
Secure ARP
• When the spoke router assigns an IP address via DHCP, the entry is secured in the ARP table
• Intruder cannot just clear the ARP cache and use the IP address to gain access to the Cisco network
Secure ARP Is an Effective Anti-Spoofing Mechanism; However, the Best Approach for All Services Would Be to Require Device Certificates
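An added example (not part of the presentation) of the secured-ARP mechanism on the spoke's home LAN: the DHCP pool's "update arp" option installs a secured ARP entry for every lease, so clearing the ARP cache and reusing a leased address does not yield a usable binding. The pool name, addresses and the Ethernet0 LAN interface (the 831's switch side) are constructed placeholders, and the "arp authorized" interface line is an extra hardening step I assume here, not something the slides specify.

```cisco
! DHCP pool for the home (spoke) LAN; "update arp" adds a secured ARP entry
! for every lease so the MAC/IP binding cannot be cleared or overwritten
ip dhcp pool ECT-HOME
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.1.1.53
 update arp
!
! Assumed hardening: on the LAN interface accept only authorized (DHCP-installed)
! ARP entries; a host that statically assigns itself an address in the pool never
! gets an ARP binding on the router and so cannot reach the corporate side
interface Ethernet0
 description home LAN (trusted side of the spoke router)
 ip address 10.10.10.1 255.255.255.0
 arp authorized
!
! Verification: secured entries are flagged as authorized in the ARP table
show ip arp
```

The slide's caveat still applies: this binds an address to the MAC that leased it, nothing more; device certificates (802.1x or PKI) are what actually identify the device.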
Authentication Proxy
• Authentication proxy enables user authentication at layer 3 of the network stack; the user must authenticate in order to gain intranet access from laptops, workstations, and PCs; upon successful authentication, an access list is then downloaded to the router from the AAA RADIUS servers to enforce corporate access policies
• Authentication proxy can be implemented as a mechanism to prevent non-employees from accessing corporate network resources in a teleworker scenario
• User access to different areas of an intranet can be controlled via the group info on the RADIUS server
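To make the three bullets concrete, here is an added spoke-router configuration (my example, not from the slides) for HTTP-triggered authentication proxy against RADIUS: the interface ACL blocks the home LAN by default, the router's HTTP server presents the login page, and the per-user access list comes back from RADIUS. The rule name ECT-AUTH, the RADIUS server address and key placeholder, the ACL contents and the Ethernet0 interface are all constructed.

```cisco
! AAA: authenticate users against RADIUS and let RADIUS return the auth-proxy ACL
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key <RADIUS-KEY-PLACEHOLDER>
!
! The auth-proxy intercepts the user's first HTTP request; the router's own HTTP
! server presents the login page and hands the credentials to AAA
ip http server
ip http authentication aaa
!
! Named auth-proxy rule: HTTP trigger, idle entries expire after 60 minutes so a
! walked-away-from PC does not keep the access open indefinitely
ip auth-proxy name ECT-AUTH http inactivity-time 60
!
! Inbound ACL on the home LAN: allow DHCP and DNS to the router and HTTP to the
! router for the login page, deny everything else. Per-user entries downloaded from
! RADIUS are inserted dynamically ahead of this ACL after authentication.
ip access-list extended HOME-IN
 permit udp any any eq bootps
 permit udp any host 10.10.10.1 eq domain
 permit tcp any host 10.10.10.1 eq www
 deny   ip any any
!
interface Ethernet0
 description home LAN (trusted side of the spoke router)
 ip address 10.10.10.1 255.255.255.0
 ip access-group HOME-IN in
 ip auth-proxy ECT-AUTH
```

On the RADIUS side the per-user policy is carried as Cisco AV pairs (for example auth-proxy:priv-lvl=15 and auth-proxy:proxyacl#1=permit ip any any); group membership on the server decides which set of proxyacl entries a user receives, which is how access to different intranet areas is controlled without touching the router.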
802.1x-Based Device Authentication
• 802.1x provides layer 2 authentication of devices
• Two VLANs on the spoke router: a trusted (corporate routable) VLAN and a non-trusted (home) VLAN; devices that pass 802.1x authentication are assigned to the trusted VLAN
• 802.1x simplifies router configuration vs. authentication proxy
Cisco IOS® Certificate Server Support and PKI-AAA Integration
• Cisco IOS® Certificate Server (IOS®-CS) feature enables a router to function as a certificate server
• IOS®-CS supports CA, RA, and subordinate server modes
• IOS®-CS supports exportable and non-exportable keys, full backup, restore, and auto-enroll
• IOS®-CS permits storage of certificates on external databases or on local flash
• Cisco IOS® provides PKI-AAA integration which can eliminate the need to manage CRLs; this significantly simplifies the management and deployment of a PKI solution and builds upon existing AAA infrastructure
Cisco IOS® Firewall Features
• Cisco IOS® provides a stateful firewall and CBAC (Context-Based Access Control)
• The firewall ACL will block any access attempts from outside
• CBAC will punch holes for the return traffic for the connections initiated from the inside
• Apart from standard TCP and UDP, CBAC also supports protocols like SIP, SCCP, SMTP, FTP, and more
Intrusion Prevention System (IPS)
• Intrusion prevention system detects attack signatures and raises alarms
• Cisco IOS® has an increasing number of built-in signatures
• New signatures can be loaded at any time
• Combined with CBAC, the Cisco IOS®-based IPS will perform deep packet inspection with a single lookup
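The firewall and IPS slides describe one WAN-side policy, so here is one added example (mine, not the presentation's) covering both: a CBAC inspection rule for outbound sessions, an inbound ACL that admits only the IPSec and GRE traffic from the corporate hubs, and an IPS rule bound inbound on the same interface. Hub addresses 192.0.2.1/.2, the rule names and the Ethernet1 WAN interface are constructed placeholders; attack-drop.sdf is the Cisco-supplied default signature file, and its location on flash is assumed.

```cisco
! Inspection rule applied to traffic leaving toward the Internet; return traffic
! for these sessions is admitted dynamically ("holes punched" for the reply).
! Protocol list follows the slides: generic TCP/UDP plus SIP, SCCP (skinny), SMTP, FTP
ip inspect name ECT-FW tcp
ip inspect name ECT-FW udp
ip inspect name ECT-FW ftp
ip inspect name ECT-FW smtp
ip inspect name ECT-FW sip
ip inspect name ECT-FW skinny
!
! IPS rule using the built-in signature file (path on flash assumed)
ip ips sdf location flash://attack-drop.sdf
ip ips name ECT-IPS
!
! Inbound ACL on the WAN side: IKE, ESP and GRE only from the two corporate
! data gateways (placeholder addresses), DHCP from the ISP, nothing else.
! The GRE permits cover post-decryption re-checking of the tunnel traffic.
ip access-list extended WAN-IN
 permit udp host 192.0.2.1 any eq isakmp
 permit udp host 192.0.2.2 any eq isakmp
 permit esp host 192.0.2.1 any
 permit esp host 192.0.2.2 any
 permit gre host 192.0.2.1 any
 permit gre host 192.0.2.2 any
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
interface Ethernet1
 description WAN uplink to ISP
 ip address dhcp
 ip access-group WAN-IN in
 ip inspect ECT-FW out
 ip ips ECT-IPS in
```

With this layout a scan from the Internet hits the deny at the end of WAN-IN (and is logged), a session started from the home LAN gets its return packets through the CBAC state table, and the IPS sees every inbound packet once, which is the "single lookup" the slide refers to.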
Network Admission Control: Device Posture Validation
• NAC ensures that only PCs with latest anti-virus software can access the network
• In addition to anti-virus posture, it can check many other parameters like system OS, OS patch level, etc.
• These policies are configured on the Cisco Secure ACS server; each posture status results in different network access levels for the PC
• The anti-virus SW must also support NAC; supported vendors include NAI anti-virus, Symantec, and Trend Micro
End-to-End Connectivity
Feature | Benefit
DMVPN Fundamentals | Dynamic Multipoint VPN based upon IPSec, NHRP, and Multipoint GRE
DMVPN Functionality | Allows for dynamically-configured IPSec tunnels that support routing protocols
Routing with DMVPN | Routing protocols in the DMVPN cloud provide responsive failover
DMVPN Key Differentiators | Simplifies configurations, separates management and data traffic paths, and builds on-demand full or partially meshed networks
IP Applications Support | Latency-sensitive applications, e.g., voice and video, as well as multicast; managed Wi-Fi in the near future
DMVPN Fundamentals
• Dynamic Multipoint VPN is a Cisco IOS®-based solution for easily building scalable VPNs by encapsulating GRE in IPSec
• Relies on three proven Cisco technologies:
  IPSec
  Next Hop Resolution Protocol (NHRP)
    Hub maintains an NHRP database of all the spokes' routable (public interface) addresses
    Each spoke registers its routable address with the NHRP server (hub) after successful negotiation of the IPSec tunnel
    Spokes query the NHRP database for routable addresses of destination spokes to build direct tunnels
  Multipoint GRE tunnel interface
    Allows a GRE interface to support multiple IPSec tunnels
    Simplifies size and complexity of configuration
DMVPN Functionality
• Spokes have a dynamic, permanent IPSec tunnel with the hub, but not with other spokes; the spokes register as clients of the NHRP server on the hub
• All routing information pushed to spoke routers across DMVPN cloud via routing protocols
• In a spoke-to-spoke scenario, when a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the NHRP server for the routable (outside) address of the destination spoke
• The originating spoke then initiates a dynamic GRE tunnel, encapsulated in IPSec to the target spoke
• The spoke-to-spoke tunnel is built over the mGRE interface
Routing with DMVPN
• Dynamic routing is required over hub-to-spoke tunnels
• Spokes learn the private networks of other spokes and the hub via routing updates sent by the hub
• From the hub perspective, the IP next-hop for a spoke network is the tunnel interface for that spoke
• Possible routing protocols are EIGRP, OSPF, BGP, RIP
• Failover between spoke and primary/secondary hubs occurs via routing protocol; EIGRP failover is < 10ms
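The three DMVPN slides above (fundamentals, functionality, routing) describe one mechanism, so here is a single added configuration, written for this edit and not taken from the slides or from Cisco's reference designs, that shows it end to end: a crypto profile applied with tunnel protection, an mGRE tunnel interface, NHRP registration of the spoke with the hub, and EIGRP running over the cloud. It uses a dual-hub, single-cloud layout so the spoke has an IPSec tunnel to both the primary and the secondary data gateway and fails over by routing. All addresses (192.0.2.x public, 10.0.0.x tunnel, 10.10.10.0/24 home LAN, 10.100.0.0/16 corporate), the NHRP key, the EIGRP AS number, the 7206 interface name and the 831's Ethernet1 WAN interface are constructed assumptions; certificate enrollment for rsa-sig is assumed to be in place.

```cisco
!===== Primary data hub (public address 192.0.2.1 is a placeholder) =====
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
crypto ipsec transform-set ECT-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile ECT-DMVPN
 set transform-set ECT-TS
!
interface Tunnel0
 description ECT DMVPN cloud (hub side, one interface for all spokes)
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ECTKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.100.0.0 0.0.255.255
 no auto-summary
!
! The secondary hub (192.0.2.2) is configured identically with tunnel address
! 10.0.0.2 and a higher "delay" on Tunnel0 so EIGRP prefers paths via the primary.
!
!===== Spoke (Cisco 831 at home; Ethernet1 is the WAN port) =====
! The crypto isakmp policy, transform-set and ipsec profile are repeated verbatim
! on the spoke; they are omitted here for brevity.
interface Tunnel0
 description ECT DMVPN cloud (spoke side)
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication ECTKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp map 10.0.0.2 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 tunnel source Ethernet1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile ECT-DMVPN
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 no auto-summary
!
! Verification: "show ip nhrp" on the hub lists each spoke's registered public
! address; "show ip eigrp neighbors" on the spoke shows both hubs as neighbours
```

Because the hub has no static entry per spoke, adding a teleworker touches only that spoke's configuration; when the primary hub's IPSec session drops, EIGRP withdraws its routes and traffic follows the secondary hub's routes over the already-established second tunnel, which is the routing-based failover the slide describes.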
DMVPN: Key Differentiators
• DMVPN uses crypto profiles and tunnel protection; this frees the physical interface from a crypto map
• Management is performed over a separate VPN tunnel independent of the primary DMVPN data tunnels
• DMVPN allows for dynamic registration of spokes: one tunnel interface defined on the hub side supports a single DMVPN cloud, eliminates static point-to-point configurations, and reduces the complexity of the hub configuration
• DMVPN provides dynamic full and partial mesh capability, which provides improved support for applications such as voice and video
IP Applications Support
• IP phones (SIP and SCCP) are supported
• QoS for Voice over IP (VoIP) is provided on spoke routers; QoS with LLQ/shaping provides acceptable voice for links with > 128k upstream bandwidth, but 256k+ is recommended; future improvements will allow QoS settings to be applied per security association on the hub
• Multicast support available
• Video can be supported
• Managed Wi-Fi support will be available with the deployment of the 871 router
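An added example (not from the slides) of the spoke-side LLQ plus shaping the QoS bullet refers to, sized for the 256 kbps upstream the slide recommends. The class and policy names, the DSCP markings assumed for the IP phone, the bandwidth figures and the Ethernet1/Tunnel0 interface names are my assumptions.

```cisco
! Classify voice bearer (EF) and call signalling (CS3/AF31, as IP phones mark it)
class-map match-any VOICE-RTP
 match ip dscp ef
class-map match-any VOICE-SIG
 match ip dscp cs3
 match ip dscp af31
!
! Child policy: strict priority for voice, capped at 128 kbps so a second call
! cannot starve data; signalling gets a small guaranteed share; the rest is
! fair-queued
policy-map ECT-LLQ
 class VOICE-RTP
  priority 128
 class VOICE-SIG
  bandwidth 16
 class class-default
  fair-queue
!
! Parent shaper: shape slightly below the 256 kbps upstream rate so queuing
! happens on the router (where LLQ can act) rather than in the DSL/cable modem
policy-map ECT-SHAPE
 class class-default
  shape average 240000
  service-policy ECT-LLQ
!
interface Ethernet1
 description WAN uplink to ISP
 service-policy output ECT-SHAPE
!
! Let the classifier see the inner (pre-encryption) headers of tunnelled traffic
interface Tunnel0
 qos pre-classify
!
! Verification: "show policy-map interface Ethernet1" shows per-class matches
! and any drops in the priority class
```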
End-to-End Deployment
Major Features and Components
Conventional Provisioning of CPE/Spoke Routers
Three Deployment Options in ECT
ZTD: Zero-Touch Deployment Overview
ZTD Secure Bootstrapping
ZTD Secure Policy Enforcement
ZTD of a Spoke Router: Step-by-Step
On-line Deployment Option (Cert-Proxy)
ZTD of IPT for Remote Access
End-to-End Deployment Major Features and Components
Feature | Benefit
ZTD: Zero-Touch Deployment | Touchless/automated configuration of the remote device—router, IPT, Wi-Fi
SDM: Secure Device Manager (formerly CRWS) | Friendly GUI interface to configure the spoke router to gain Internet access
SDP: Secure Device Provisioning (formerly EzSDD) | Securely bootstraps spoke routers, including enrollment in the PKI CA that establishes the management tunnel
ISC: IP Solutions Center | Management: securely provisions and audits spoke routers
IE2100: Intelligence Engine 2100 | CNS (Cisco Network Services) transport mechanism
Conventional Provisioning and Deployment of CPE/Spoke Routers
• In-house; router configured by IT
• Outsource to ISP; router configured at staging facility
• Outsource to 3rd party; router configured at staging facility or on-site
All Three Methods Add Excessive Cost to the Deployment Process!
ECT Offers Three Deployment Options
• ZTD: User is responsible for configuring the router for Internet access and running EzSDD (SDP); policy configurations are pushed over the CNS transport mechanism
• On-line (Cert-Proxy): Allows an engineer to configure the router remotely
• Off-line: Special cases/configurations and pilot environments
• Regardless of the deployment option, spoke router provisioning process is automated to minimize TCO
ZTD Steps
ZTD Is Achieved in Two Steps
1. Secure Bootstrapping: access to management servers
2. Secure Policy Enforcement: full access to internal network resources per enterprise guidelines
ZTD Secure Bootstrapping
• Secure bootstrapping involves configuring the router to connect to a management gateway; this bootstrap configuration includes:
  Internet connectivity
  IPSec management tunnel
  Bootstrap/management PKI certificate
  CNS (Cisco Network Services) agents
• CNS roles: the spoke router is the CNS client (CNS agents are configured on the spoke router); the IE2100 is the CNS engine; IP Solutions Center (ISC) is the CNS server
ZTD Secure Policy Enforcement
• When ISC receives a cns.device.connect event for a spoke it will then push staged configlets to the spoke via the IE2100 CNS engine
• Policies are represented as configlets which are generated by service requests on the ISC
• Phase 1 policies: DMVPN-IPSec, firewall, QoS, NAT
• Future policies will include 802.1x, NAC, IPS, etc.
ZTD of a Spoke Router: Step-by-Step
1. User applies for the ECT service and, upon approval, orders their 831 router from CCO; templates and SRs are auto-populated on ISC
2. Router is shipped to the user directly from the factory
3. User connects the spoke router at home and configures it to access the Internet via a friendly, intuitive GUI menu—originally CRWS, now SDM
4. User authenticates an SSL session with the EzSDD Registrar (now SDP) using an OTP; the router is enrolled in the certificate authority (CA) and a minimum configlet is pushed to the router to establish the management VPN tunnel and the CNS connection with the IE2100
5. IPSec tunnel to the Management GW is established upon successful authentication using PKI-AAA
6. CNS agent in the router sends a connect event to the IE2100 (CNS engine), which notifies ISC (CNS server) that the spoke router is connected
7. ISC pushes all the policies (configlets): DMVPN, Cisco IOS® Firewall, NAT, QoS, etc., and enrolls the router in the CA for data tunnel authentication
8. Data tunnels come up and the spoke router has primary and failover data connections to the corporate network
[Diagram: the new spoke router has a management tunnel to the management VPN gateway (behind it: ISC, IE2100, AAA servers, CA servers) and data tunnels to the primary and failover VPN gateways into the corporate network.]
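The PKI-AAA slide and the ZTD bootstrapping steps (4 through 6 above) together describe what the minimum configlet on the spoke has to contain, so here is one added rendering of it, written for this edit and not taken from the slides or from SDP's actual output: a management trustpoint with auto-enrollment and PKI-AAA authorization, a certificate-authenticated IPSec management tunnel, and the CNS agents that make the router a client of the IE2100. The CA enrollment URL, subject name, AAA list name, RADIUS and IE2100 addresses, the management gateway address 192.0.2.10, and the choice of a GRE tunnel with tunnel protection for the management tunnel (the slides say "plain IPSec") are all my assumptions.

```cisco
! --- PKI: management trustpoint toward the IOS certificate server (SCEP) ---
! SDP/EzSDD delivers this block together with the initial certificate over the
! OTP-authenticated SSL session; auto-enroll then handles renewal at 70% lifetime
crypto pki trustpoint ECT-MGMT
 enrollment url http://ect-ca.example.com:80
 subject-name CN=ect-spoke-0001,OU=ECT,O=Example
 revocation-check none
 rsakeypair ECT-KEY
 auto-enroll 70
 ! PKI-AAA: after the certificate chain validates, the peer's CN is looked up on
 ! the AAA server; no entry (or a disabled one) rejects the peer, so a spoke is
 ! removed by disabling its AAA record rather than by publishing a CRL
 authorization list ECT-PKI
 authorization username subjectname commonname
!
aaa new-model
aaa authorization network ECT-PKI group radius
radius-server host 10.1.1.10 key <RADIUS-KEY-PLACEHOLDER>
!
! IKE authenticates by certificate, never by pre-shared key
crypto isakmp policy 10
 encr 3des
 authentication rsa-sig
 group 2
crypto ipsec transform-set ECT-MGMT-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile ECT-MGMT-PROF
 set transform-set ECT-MGMT-TS
!
! Management tunnel to the management gateway, separate from the data tunnels
interface Tunnel10
 description management tunnel to ECT management gateway
 ip address 10.200.0.11 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile ECT-MGMT-PROF
!
! --- CNS agents: the router becomes a CNS client of the IE2100 (step 6) ---
! Event agent sends the connect event that triggers ISC's policy push; the partial
! config agent accepts the configlets and reports unauthorized config changes
cns id hostname
cns event 10.1.1.100 11011 keepalive 60 3
cns config partial 10.1.1.100 80
```

On the AAA server the spoke's record carries the PKI application attribute (Cisco AV pair pki:cert-application=all); the management gateway's own trustpoint uses the same authorization list, so both ends of step 5 consult AAA before the tunnel is allowed up, and the same record is what an operator disables when a router is reported lost.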
On-Line Deployment (Cert-Proxy)
Cert-Proxy Is an ISC Tool That Allows ISC to Authenticate and Enroll in a Cisco IOS®-Based CA on Behalf of a Router
• User configures the router to access the Internet
• Engineer pastes certificates and configuration required to bring up management VPN tunnel in user’s router
• The remaining configlets (policies) are pushed to the spoke router upon establishment of the management tunnel via the CNS connection
ZTD of IPT for Remote Access
1. User applies for the IPT service as part of their ECT service and, upon approval, orders their IP Phone or installs IP Communicator (IPC); an additional instance of a phone is configured for the employee's Dialed Number (DN) on the Cisco Call Manager (CM)
2. IPT device is shipped from the factory (if applicable)
3. ECT router is successfully configured and has established data tunnels; user connects the IPT device to the ECT router
4. CNS agent on the router sends a cns.IPPhone.connect event when an IPT device is connected to the router
5. The cns.IPPhone.connect event includes the IPT MAC address, hostname, and IP address
6. The cns.IPPhone.connect event is published by the IE2100 CNS engine on the TIBCO bus (logical bus)
7. A Java agent listening for events on the TIBCO bus intercepts the cns.IPPhone.connect event and associates the MAC address information with the DN in the CM
8. A TFTP session is established, and configuration information is sent from the CM to the IPT device
End-to-End Management
ISC Basic Functionality
ISC Policy Management GUI
ISC CLI Commands/ACLs/Enable Secret Password Rotation Management GUI
IE2100 Basic Functionality
IE2100 Image Management GUI
IE2100 Log Management GUI
Enterprise Management Framework Integration
ISC Basic Functionality
IP Solution Center v.3.2.x supports the following basic functions:
• Create, deploy, and audit policies: IPSec-DMVPN, QoS, CBAC FW, NAT
• Create and deploy “velocity-based” templates and instantiate them with data files to create configlets during the deployment
• CLI commands/ACL/enable secret password management
• Communicates with the CNS Engine over the TIBCO bus to push/pull policies: event-driven, schedule-driven, rapid deployment
• Supports an open XML/SOAP interface and NB APIs, enabling integration with an existing enterprise management framework
• Supports fully managed service functionality to notify administrators of non-ISC-initiated configuration changes
ISC Policy Management GUI
ISC ACL/Enable Secret Management GUI
IE2100: Basic Functionality
CNS Engine Supports the Following Basic Functions:
• Pull/push policies, CLI commands, and populated templates
• Notifies all TIBCO subscribers of the events originating from the CNS agents, such as config_change, load, warning, etc.
• Generates and sends to all TIBCO subscribers two events, connect and disconnect, on behalf of the CNS agents
• Performs Cisco IOS® image management
• v.1.5 provides a major enhancement—the ability to create and deploy “velocity-based” templates, instantiating the templates with data files to create configlets for deployment
• Provides the capability to perform upgrades/updates based on schedule, event-driven, and rapid deployment
CNS Engine Supports the Following Main CNS Agents:
• Event Agent: Enables CNS management (sends connect, disconnect to ISC)
• Exec Agent: Allows a remote application to send CLI commands to the router
• Partial Configuration Agent: Allows configlet pushes and notifies ISC of unauthorized configuration changes
• Image Agent: Enables image upgrades
IE2100 Image Management GUI
IE2100 Log Management GUI
Enterprise Management Framework Integration
[Diagram: EMAN provisioning and operations record for a telecommuter, organized in zones.
EMAN Provisioning: User Zone (auto-populated from HR DB), Client Zone (from user's service request), ISP Zone (IT RA provisioning controls this zone).
EMAN Operations: AAA Zone and Policies Zone (IT RA configures/controls these zones), Operational Zone (IT RA controls this zone).
Fields shown include: User_ID (create, search, show); provisioning status (Approved, Not-Approved, Ordered, Cancelled, Deactivated); ISP service type (xDSL, cable, T1, etc.); IP address type (static, DHCP, PPPoE); DNS1, DNS2; subnet mask; ISP login name and ISP password; provider's device; static IP GW; connection specifics (modem, NAT, etc.); home phone; address, city, state, and country; SMG hub, SDG hub, speed, service; AAA status (create, view, update, enable, disable) and AA history (search, show); IKE/IPSec, firewall, QoS, DMVPN, auth-proxy, split tunneling, NAT, and DHCP policy names; enable password (last 10); config. change (last 10); CNS agent status (connect/disconnect); status (Waiting_to_Deploy/Deployed; Operational, Connected, Disconnected, Cancelled); disable service; site location; user comments (full-time telecommuter); SMG cert serial # and SDG cert serial #; last name, first name, emp. #, manager, approver, office phone; router type, hostname, IP address, subnet mask, mGRE IP, location information, Cisco IOS® image, config, IE2100, Cisco Call Manager.
EMAN-populated fields are shown in red in the original.]
Best Practices
• Start with a limited pilot: become familiar with the technology; understand information requirements and system flow
• Plan phased approach for new services
• Automate as much as possible for production process
• Select hub locations to optimize latency for most users
Q and A
More Networked Home/Access Resources
Case Studies: http://www.cisco.com/web/about/ciscoitatwork/case_studies.html
Call to get product, solution, and financing information: 1-800-745-8308 ext 4699
Order resources: http://cisco.com/en/US/ordering/index.shtml