This deployment guide shows how the Cisco® Enterprise-Class Teleworker (ECT) solution can be deployed using Cisco Router and Security Device Manager (SDM) for commercial and small and medium-sized enterprises.
The Cisco® Enterprise Class Teleworker solution is a highly scalable Cisco IOS® Software-based solution that securely integrates the network infrastructure, management infrastructure, managed services, and applications across the entire enterprise, including LAN, WAN, branch, and teleworker locations.
The solution is an integral part of the Cisco Service-Oriented Network Architecture (SONA), a framework that enables enterprise customers to build integrated systems across a fully converged, intelligent network. Using the Cisco SONA framework, the enterprise network can evolve into an Intelligent Information Network-one that offers the kind of end-to-end functions and centralized, unified control that promote true business transparency and agility.
Cisco® has successfully deployed the Enterprise Class Teleworker solution within its own organization, increasing productivity and improving efficiency while enabling "zero-touch" deployment, manageability, and low-to-negative total cost of ownership (TCO). Enterprises and service providers can use the Cisco ECT solution to offer the benefits of network services to their end users and customers, while maintaining an effective ROI.
Cisco SDM is a Web-style graphical user interface (GUI) tool that can be used to configure Cisco IOS® routers. It usually comes with a router's factory default configuration and can be invoked from any Java-enabled browser that has connectivity to the Cisco IOS router to be configured. The latest version of Cisco SDM is available at
When Cisco ECT is deployed for a small number of VPN spokes, the network can be provisioned by configuring all hubs and spokes using Cisco SDM. This is the focus of this guide.
CISCO SDM USE FOR THE CISCO ECT SOLUTION
This guide covers the steps needed for the provisioning of a Cisco ECT solution using Cisco SDM. It explains how to configure DMVPN hubs and all necessary features needed for a spoke, including DMVPN, firewall, Network Address Translation (NAT), quality of service (QoS), and IP services.
Note: Only some selective screen shots are shown in this guide. You will find that some steps do not have a matching screen shot. We opted for selecting the most meaningful ones, to keep the guide shorter. The missing ones should not cause any confusion when following the detailed steps.
The configuration can be downloaded from Cisco SDM directly to the routers, or it can be saved to a file. In this last case, Secure Device Provisioning (SDP) can be used to remotely retrieve the configuration file, and to install a new certificate in a new spoke router. However, SDP is not covered in this guide.
Cisco SDM can be used to manage devices that are online, as it allows the user to remotely access a router using Secure Sockets Layer (SSL) and change the configuration.
Cisco SDM is a good choice for deploying a Cisco ECT solution for a small number of routers. In this scenario, the VPN routers are usually provisioned locally at the central office and then shipped or hand-delivered to the end user, or sent to a small office.
Below is one possible list of features that can be enabled by Cisco SDM for a Cisco ECT remote spoke router, used for a small or medium-sized VPN deployment. Other features might be enabled for each particular case.
• Internet connectivity, DSL, cable, etc.
• Two VLANs; one for corporate traffic and one to be used as a guest VLAN
• DMVPN as the underlying VPN backbone
• Routing for DMVPN
• IP Security (IPsec) and Public Key Infrastructure (PKI) for VPN access
• Cisco IOS Firewall and access control lists (ACLs)
• Network/Port Address Translation (NAT/PAT)
• Intrusion prevention system (IPS)
• Quality of service (QoS)
• Network Admission Control (NAC)
• Baseline IP services: Dynamic Host Configuration Protocol (DHCP), DNS, Network Time Protocol (NTP), VTY access, etc.
• Wireless configuration (for a Cisco 871 router example)
Before deploying spokes, the primary and secondary DMVPN hubs need to be configured. This will be the first step.
The picture above (Figure 1) shows a typical ECT architecture. It shows how a remote router acting as a DMVPN spoke connects back to the corporate site. It also contains a separate management network, which allows central management of the remote routers and makes it possible to change the data security policies without breaking the remote connection to the distant router.
Platforms and Images
For a small deployment, use any Cisco 3800 Series router for hubs. For spokes, use a Cisco 870 Series router for home or small offices, a Cisco 1800 Series router for small to medium-sized offices, or any larger Cisco IOS router for large offices.
Cisco IOS Software Releases 12.4(6)T3 and 12.4(8) or above are recommended for hub and spoke routers, or the latest available. An Advanced Enterprise image is needed to enable all Cisco ECT features.
In this guide, Cisco SDM 2.3 is used for all security configurations. It was run from a PC installation; for a given version the software is the same whether it is run from the PC or from the router, only its location differs. For Internet access, Cisco SDM Express was used. Cisco SDM Express can only be started from the router installation.
When a new router is ordered, Cisco SDM can usually be factory-installed in the router's flash memory. That version may be outdated by the time the router is configured for Cisco ECT. For ease of use, the latest Cisco SDM version should be installed on all Cisco ECT routers before deploying the solution.
Note: In order to be able to download this software, an account with Cisco.com is required.
CONFIGURING DMVPN HUBS
Cisco SDM delivers commands to the active running configuration only. To save the configuration to NVRAM, go to "File > Write to Startup Config..." menu option.
Cisco SDM can also be used to configure the DMVPN hubs used for Cisco ECT deployments. In the most common architecture, two DMVPN hubs are provisioned: one acts as the primary hub and the second as a backup hub.
To configure a router as a primary DMVPN hub perform the following steps:
Step 1. Start Cisco SDM and connect to the router that will be configured as the hub.
Step 2. Navigate to Configure > VPN > Dynamic Multipoint VPN. Select "Create a hub" option and click on "launch the selected task" button.
Step 3. In the next screen, select Full Mesh if you want to allow direct spoke-to-spoke connections.
Step 4. Click Next and then select the primary hub to start.
Figure 2. Configure the DMVPN Hubs
In the Multipoint GRE Tunnel Interface Configuration screen specify the IP Address of the multipoint GRE tunnel interface.
IP Addresses of multipoint GRE tunnel interfaces on all routers in a DMVPN network must belong to the same subnet. Typically this is a private subnet.
Make sure the "Tunnel Key" and "NHRP Network ID" are the same for all hubs and spokes, so that they share the same DMVPN area. (Figure 2)
Regarding the multipoint generic routing encapsulation (mGRE) tunnel interface, the same subnet must be used by all VPN routers that are part of the same DMVPN area. This is an internal subnet, only visible to the DMVPN routers.
Step 5. Select Digital Certificates in the Authentication screen that follows.
Note: If a digital certificate is not configured on this router, configure one. All the routers in a DMVPN cloud must be issued a digital certificate by the same CA server.
(Please refer to "Step 3-VPN configuration" in this guide for the steps required to install a PKI certificate in this router).
Step 6. Even though all three routing protocols (Enhanced Interior Gateway Routing Protocol [EIGRP], Open Shortest Path First [OSPF], and Routing Information Protocol [RIP]) will work, Cisco recommends EIGRP or OSPF.
Step 7. Select the appropriate AS number and the internal networks that other VPN nodes should have access to.
Step 8. Click Finish to generate and deliver the configuration to the router.
Now perform the same steps, but select the "Backup" DMVPN hub. There is an additional screen to select the primary hub IP addresses (Figure 3).
Figure 3. DMVPN Backup Hub
Following is a sample configuration. It is almost the same as the primary DMVPN hub, but here we use the bandwidth command to lower the routing preference of this tunnel interface, making this DMVPN hub second best from a spoke routing perspective. Everything else remains the same, except for the mGRE IP address, of course.
Note: The bandwidth for this mGRE interface is smaller than that of the primary one.
At this point, you must save the configuration to NVRAM by going to "File > Save to Startup Config...". Otherwise, the configuration will be lost when the router is power-cycled. It is also recommended that you save a copy of the configuration in your PC for future reference. This can be achieved by clicking on "File > Save Running Config to PC...".
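The hub and spoke requirements stated above (same tunnel key and NHRP network ID everywhere, all mGRE addresses in one private subnet and unique, multipoint GRE mode, and a backup hub with a lower mGRE bandwidth than the primary) can be checked mechanically before configurations are pushed. The following Python is an added example, not code from the guide or from Cisco SDM; the sample configurations, addresses, tunnel key and network ID are constructed values.

```python
import ipaddress
import re

# Constructed sample configurations (not copied from the guide), reduced to the
# mGRE tunnel interface of each router. All values below are assumed.
PRIMARY_HUB = """\
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100000
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
 tunnel key 100000
"""

# The backup hub differs only in its mGRE address and a smaller bandwidth.
BACKUP_HUB = PRIMARY_HUB.replace("bandwidth 1000", "bandwidth 500").replace(
    "ip address 10.0.0.1", "ip address 10.0.0.2")

SPOKE = """\
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1
 ip nhrp nhs 10.0.0.2
 tunnel mode gre multipoint
 tunnel key 100000
"""

NUMERIC = {
    "bandwidth": r"bandwidth (\d+)",
    "nhrp_id": r"ip nhrp network-id (\d+)",
    "tunnel_key": r"tunnel key (\d+)",
}


def parse_mgre_tunnel(config):
    """Pull the DMVPN-relevant settings out of the Tunnel interface block."""
    found = {"bandwidth": None, "ip": None, "nhrp_id": None,
             "tunnel_key": None, "multipoint": False}
    in_tunnel = False
    for raw in config.splitlines():
        if re.match(r"interface Tunnel\d+", raw):
            in_tunnel = True
            continue
        if not raw.startswith(" "):       # any top-level command ends the block
            in_tunnel = False
            continue
        if not in_tunnel:
            continue
        line = raw.strip()
        if line == "tunnel mode gre multipoint":
            found["multipoint"] = True
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:  # address/netmask form is accepted by ip_interface
            found["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        for key, pattern in NUMERIC.items():
            m = re.match(pattern, line)
            if m:
                found[key] = int(m.group(1))
    return found


def check_dmvpn_area(primary, backup, spokes):
    """Return findings for the rules the guide states; an empty list means consistent."""
    routers = {"primary-hub": parse_mgre_tunnel(primary),
               "backup-hub": parse_mgre_tunnel(backup)}
    for i, cfg in enumerate(spokes, start=1):
        routers[f"spoke-{i}"] = parse_mgre_tunnel(cfg)
    ref = routers["primary-hub"]
    findings = []
    for name, r in routers.items():
        if not r["multipoint"]:
            findings.append(f"{name}: tunnel is not 'gre multipoint'")
        if r["tunnel_key"] != ref["tunnel_key"]:
            findings.append(f"{name}: tunnel key {r['tunnel_key']} differs from "
                            f"primary hub {ref['tunnel_key']}")
        if r["nhrp_id"] != ref["nhrp_id"]:
            findings.append(f"{name}: NHRP network ID {r['nhrp_id']} differs from "
                            f"primary hub {ref['nhrp_id']}")
        if r["ip"] is None:
            findings.append(f"{name}: no mGRE IP address")
        elif ref["ip"] is not None and r["ip"].network != ref["ip"].network:
            findings.append(f"{name}: mGRE address {r['ip']} is outside {ref['ip'].network}")
    addrs = [str(r["ip"].ip) for r in routers.values() if r["ip"] is not None]
    for addr in sorted(set(addrs)):
        if addrs.count(addr) > 1:
            findings.append(f"mGRE address {addr} is used by more than one router")
    pri_bw, bak_bw = ref["bandwidth"], routers["backup-hub"]["bandwidth"]
    if pri_bw is None or bak_bw is None or bak_bw >= pri_bw:
        findings.append("backup-hub: bandwidth must be lower than the primary hub's "
                        "so that spokes prefer the primary")
    return findings


if __name__ == "__main__":
    print(check_dmvpn_area(PRIMARY_HUB, BACKUP_HUB, [SPOKE]) or "consistent")
```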
ADDING A NEW CISCO ECT-ENABLED SITE
Note: Cisco SDM delivers commands to the active running configuration. To save the configuration to NVRAM you need to go to "File > Write to Startup Config...".
Step 1-Internet Connectivity
This example uses a new Cisco 871 router with just the factory default configuration.
Appendix A includes a sample factory configuration for a Cisco 871 router.
Note: In this example, the router uses DHCP to connect to the outside network, but it can instead be configured for the addressing scheme used by the ISP at the final destination. The configuration can then be saved to NVRAM.
The first step to provision this router is to carry out the Internet access configuration. If connecting from a DHCP-accessible site, such as a cable modem, these steps are needed:
1. Connect the WAN interface to the Internet (modem, NAT router). On a Cisco 871 router, this interface is "FastEthernet4".
2. Connect a PC to the Cisco 871 router (LAN side); to the FastEthernet0 of a Cisco 871 router, for example.
3. Type http://10.10.10.1 to access the Cisco SDM Express that comes in flash. Cisco SDM Express consists of a step-by-step wizard that you can use to set up login credentials, ISP network information, and a basic firewall. If Cisco SDM Express is not there, run the setup program of the downloaded Cisco SDM software and install it in the router.
4. Enter the default username/password cisco/cisco to gain access to the router.
5. In the first screen of the wizard, enter the hostname and login credentials for console/SSH and future Cisco SDM access (Figure 4).
Figure 4. Define Hostname and Login Credentials
For the admin username (this will be the router login username/password): (Figure 4)
• For username, type: admin
• For password, type: cisco123
• For enable, enter: cisco123
• There is no need to configure the "Wireless Interface Configuration" at this point (in case you are using a wireless-enabled router)
6. Keep the default "LAN Interface Configuration" settings
7. Keep the default "DHCP Server Configuration" settings
8. For the "WAN configuration" select your ISP connection type: static, DHCP, or Point to Point Protocol over Ethernet (PPPoE). Configure the necessary parameters, if static or PPPoE is used. (Figure 5)
Figure 5. ISP Network Access
9. Keep the default "Interface WAN (advance options)" for NAT settings.
10. Keep the default "Firewall Configuration" settings.
11. Keep the default "Security Configuration" settings.
12. Click "Finish". You can optionally save the configuration. Click "Yes" when prompted to "Permit DHCP traffic through the firewall".
13. Close the wizard.
Once ISP access has been set up, the next logical step is to configure the LAN side. Cisco SDM will close the Express wizard at this point. You now need to start the full Cisco SDM software to begin with the LAN side configuration.
1. Start by restarting Cisco SDM. On the PC, click Cisco SDM and enter the 10.10.10.1 IP address. Cisco SDM will force you to replace the default cisco/cisco login credentials, as they are too obvious.
2. Now click the Configure top tab and then on Interfaces and Connection (Figure 6).
Figure 6. Create New LAN Connection
3. The wizard will prompt you to select the LAN interface to configure. Select one of the LAN interfaces that you want to use for corporate traffic.
4. Follow the wizard instructions. For Small Office/Home Office (SOHO), the switch port should be on "access mode" as shown in Figure 7.
Figure 7. Switch Mode for a Router with Switch Ports
5. Again, for a router with switch ports, create a VLAN for your corporate network (VLAN 10, for example). Select the option to "include the VLAN in an IRB bridge", so that you can later configure your wireless interface to share the same VLAN (Figure 8).
6. Click Next.
Figure 8. Create VLAN
7. Create a new bridge group, and give it number 1. Then click Next.
8. In the following screen, give bridge group 1 an IP address (it needs to be unique for each spoke and routable through the corporate network). For example: 10.1.1.1/28.
9. After that, enable a "DHCP server". Enter the start and end IP address of the spoke subnet in the following screen (Figure 9). Click Next.
Figure 9. Add DHCP Server for Trusted Pool
10. Enter the DNS server (required if you use a static IP address), WINS server, and domain name.
11. Click Finish. Cisco SDM will deliver the generated configuration to the new Cisco ECT-enabled router.
This is the resulting configuration:
ip dhcp pool sdm-pool1
 network 10.20.1.0 255.255.255.240
 dns-server 172.16.226.120 188.8.131.52
bridge 1 protocol ieee
bridge 1 route ip
switchport access vlan 10
no ip address
ip address 10.20.1.1 255.255.255.240
Also, a vlan.dat file is created and saved in the router's flash, with VLAN database information.
At this point, the Cisco 871 router would be able to access the Internet, if it were already connected to the ISP modem at the final destination.
Note: These steps only created a pool for corporate (trusted) access. If your deployment requires a pool for guest (non-trusted) access, which is usually the case when the Cisco ECT-enabled router is used for telecommuting and others need to share the same Internet access, there are additional steps. To create a "guest VLAN", follow the steps described above a second time. Create a second VLAN (VLAN 20, for example) and another bridge interface. For the guest pool, assign any private pool (10.1.1.0/24, for example).
All switch port interfaces need to be assigned to a VLAN to be able to connect to your corporate network or just to the Internet. You can assign interfaces to VLANs by clicking the Edit Interface/Connection tab and editing each of the interface properties. You can, for example, put two ports in the corporate VLAN and two on the guest VLAN.
Step 2-Wireless Configuration (Cisco 871 or 1811 Router)
In this example, the Web-based user interface that comes with the Cisco 871 router is used to configure the wireless interface. For Cisco ECT, we recommend Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) for authentication, with Wi-Fi Protected Access (WPA) association mode and Temporal Key Integrity Protocol (TKIP) as the encryption method.
3. Click Launch Wireless application; this opens a browser window (Figure 10)
Figure 10. Wireless User Interface
Now let us enable the wireless interface (Figure 11).
4. Select Wireless Interfaces
5. Select the Radio0-802.11G interface link (in the Cisco 871 router example)
6. Click Settings on the upper tab
7. Click the Enable radio button and then click Apply.
Note: There are multiple speed choices. You can keep the default ones, or select your own by scrolling down and selecting the required ones. We recommend keeping the defaults here.
Figure 11. Enable the Wireless Interface
8. Select Wireless Security from the menu at left.
9. Click the Cipher radio button (Figure 12).
10. Select TKIP + WEP 128 bit from the drop-down list.
11. Under "Broadcast key rotation interval," click the Enable Rotation radio button and set the interval rotation to 30 seconds. (Figure 12).
12. Click Apply.
Figure 12. Wireless Encryption
13. Now, create the EAP "Server Manager", the authentication server that will be used. It can be global for all devices in the VPN, or local per device. You can keep the default "Global Properties" and also the "Default Server Properties" as shown in Figure 13. You just need the corporate AAA server IP address and shared key.
Figure 13. Create an Authentication Server Manager
14. Next, create the SSID by first selecting the "SSID Manager" menu option on the left and then selecting the EAP Server Manager that you just created (Figure 14). You also need to give it a name, like "corporate-access".
Figure 14. Create an SSID and Associate with EAP Server
15. Finally, associate the SSID with the corporate VLAN and the respective bridge interface. In this example, the corporate VLAN is VLAN10 and the bridge interface is BVI1. Go to "Wireless Services > VLAN > Bridging". (Figure 15)
16. Select the SSID created previously (we called it "corporate-access")
17. For the VLAN ID, enter 10; for Bridge Group No., enter 1 (Figure 15).
Figure 15. Associate SSID with VLAN and Bridge Interface
This is the resulting configuration:
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_eap1
 server 10.99.99.3 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
It might seem logical to next configure the firewall and ACLs, but it is better to do this last. Cisco SDM will automatically generate rules for VPN, DHCP, NTP, and other protocols if they are already configured.
For Cisco ECT, it is recommended to use one tunnel dedicated to management, completely separated from the corporate data access tunnels. The main objective is to always have a secure link to the remote device for policy updates, image management, and device and user authentication. The management VPN tunnel can be built with a plain IPsec tunnel or using Cisco Easy VPN. Please refer to the Cisco ECT deployment guide for more information about configuring the management gateway.
The use of PKI is recommended for Cisco ECT deployments; PKI is more secure than pre-shared keys, and it scales better.
These are the steps for management and actual tunnel configuration:
• Add NTP servers for PKI
• Create a PKI certificate trust point
• Create an IKE policy
• Create an IPsec transform set
Use these policies for configuring a regular IPsec tunnel for management and DMVPN tunnels for data traffic.
Before starting, make sure that the time zone is set. Go to "Additional Tasks > Router Properties > Date/Time" to select your time zone (Figure 16).
Figure 16. Set the Time Zone
Network Time Protocol
For PKI, the remote VPN router must be synchronized to a global clock so that it can validate certificates. A public domain NTP server is recommended. Go to the "Additional Tasks" main tab. To add an NTP server, select NTP from the "Router Properties" list. In Figure 17 we add 184.108.40.206.
Figure 17. Adding an NTP Server
At this step, also add the clock adjustment settings. Select Date/Time from the "Router Properties" list, and set your clock to your local area. Make sure all your VPN routers are in the same time zone.
1. Click on VPN.
2. Click on VPN Components, followed by Public Key Infrastructure, and then Certificate Wizards.
3. Launch the SCEP Wizard (Figure 18)
Figure 18. Launch the Certificate Wizard
4. Enter the trust point name and the enrollment URL (for example: http://my-pki-server:80 Figure 19). The certificate server must have been already configured. More information is available in the Cisco ECT deployment guide.
Figure 19. Enter PKI Certificate Server Name
5. In the next screen, include the FQDN and serial number, but not the IP address, since it will likely change due to DHCP reassignment.
6. On the next page, select Generate new key pairs.
7. Click Next. Cisco SDM will deliver the configuration to the Cisco 871 router, generate RSA keys, and enroll with the PKI certificate server. You will be prompted to accept the fingerprint, as shown in Figure 20. Click Yes.
Figure 20. Accept the PKI Certificate Enrollment
8. Next, the enrollment status screen pops up (Figure 21).
9. Click Finish.
Figure 21. Certificate Enrollment Request Sent to PKI Server
At this point, you can check in the router's console that the certificate was received from the PKI server. Here is an example:
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.2)
%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.2)
%PKI-6-CERTRET: Certificate received from Certificate Authority
On Cisco SDM you can also click on Router Certificates, select the trust point that was just created, and click Refresh to see the result.
Now, we can proceed to configuring an IKE policy (Figure 22).
1. Click on IKE Policies and then Add.
2. Select the 3DES (or AES 256) for encryption, SHA for hash, and RSA-SIG for authentication.
3. Click OK.
Figure 22. Add IKE policy
After you are done, it is necessary to set the certificate revocation list (CRL) check to "None": a remote router will not be able to retrieve the CRL until the tunnel is up, and PKI certificate servers are usually behind a firewall and cannot be accessed from the Internet. You can optionally publish the CRL on a Lightweight Directory Access Protocol (LDAP) public access server.
To set the revocation check, go to VPN-VPN Components-Router Certificates. Select the PKI trust point just created. Click on Revocation Check and set it to None (Figure 23).
Figure 23. Revocation Check
Now we can create a new site-to-site VPN for the management gateway tunnel:
1. Select the site-to-site VPN and click Add.
2. Select Launch the Selected Task.
3. Select the Site-to-Site VPN Wizard.
4. In the next screen, select the WAN interface for this tunnel. For the Cisco 871 router, this is FastEthernet4. It can also be a dialer interface if that is used.
5. Select your peer's (Secure Management Gateway) IP address. This is the public head-end IP address.
6. Select Digital Certificates.
7. In the next screen, and for the IKE policy, select the one you just created before.
8. In the next screen, select the default IPsec transform set.
9. Next, Cisco SDM asks about the protected subnet. If, for example, the remote Cisco 871 VPN router will be assigned the 10.20.1.0/28 protected subnet, and the Cisco ECT-enabled management servers sit in the 10.99.99.0/27 subnet, then the selection would be as shown in Figure 24.
Note: Only the router IP address is used. End PCs or other hosts should not have access to the management servers. Only the router itself needs to be allowed (Figure 24).
Figure 24. Define Traffic for the Management Servers
10. In the following screen, Cisco SDM asks to confirm the values entered (Figure 25).
11. If all values are correct, click Finish.
Figure 25. Push the Management Tunnel Configuration to the Cisco 871 Router
The above steps result in the following sample configuration:
set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
match address 100
ip nat outside
crypto map SDM_MAP
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip access-list extended SDM_NAT
 remark IPSec Rule
 deny ip host 10.20.1.1 10.99.99.0 0.0.0.31
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip host 10.20.1.1 10.99.99.0 0.0.0.31
route-map SDM_RMAP_1 permit 1
 match ip address SDM_NAT
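The interplay between the NAT route-map and the crypto map above is easiest to see on concrete packets. The following Python is an added example, not configuration or code from the guide: it models IOS wildcard-mask matching and the outbound order on the WAN interface (inside-to-outside NAT runs before the crypto map), then runs constructed flows through crypto ACL 100 and SDM_NAT. The permit entry for the LAN pool in SDM_NAT and the WAN address are assumptions, since the excerpt above does not show them.

```python
import ipaddress


def host(addr):
    """'host X' in IOS syntax: every address bit must match."""
    return (addr, "0.0.0.0")


def any_addr():
    """'any' in IOS syntax: no address bit is checked."""
    return ("0.0.0.0", "255.255.255.255")


# Entries are (action, (src, src_wildcard), (dst, dst_wildcard)).
CRYPTO_ACL_100 = [
    ("permit", host("10.20.1.1"), ("10.99.99.0", "0.0.0.31")),
]
SDM_NAT = [
    ("deny", host("10.20.1.1"), ("10.99.99.0", "0.0.0.31")),
    # Assumed entry: the permit line for the 10.20.1.0/28 LAN pool that makes
    # PAT work is not shown in the guide's excerpt.
    ("permit", ("10.20.1.0", "0.0.0.15"), any_addr()),
]
WAN_IP = "203.0.113.10"   # constructed address for FastEthernet4


def wildcard_match(addr, entry):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    base, wildcard = entry
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == \
        (int(ipaddress.ip_address(base)) & care)


def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, src_entry, dst_entry in acl:
        if wildcard_match(src, src_entry) and wildcard_match(dst, dst_entry):
            return action
    return "deny"


def forward(src, dst, nat_acl=SDM_NAT):
    """Simulate one outbound packet: the NAT decision first, then the crypto map."""
    translated = acl_action(nat_acl, src, dst) == "permit"
    if translated:
        src = WAN_IP            # PAT rewrites the source before the crypto map sees it
    encrypted = acl_action(CRYPTO_ACL_100, src, dst) == "permit"
    return {"src": src, "translated": translated, "encrypted": encrypted}


if __name__ == "__main__":
    print("router -> mgmt :", forward("10.20.1.1", "10.99.99.3"))
    print("LAN PC -> mgmt :", forward("10.20.1.5", "10.99.99.3"))
    print("router -> inet :", forward("10.20.1.1", "198.51.100.7"))
    # Without the deny entry the management traffic is translated first and
    # then no longer matches crypto ACL 100, so the tunnel never carries it.
    print("no NAT exempt  :", forward("10.20.1.1", "10.99.99.3", nat_acl=SDM_NAT[1:]))
```

The second flow shows the note in step 9 in action: a LAN host behind the router is neither exempt from NAT nor permitted into the management tunnel.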
Now that a management tunnel is established, we can configure the DMVPN network that will be used for remote data access to the corporate servers.
1. Under the VPN tab, select Dynamic Multipoint VPN and click the Create a spoke (client) in a DMVPN radio button (Figure 26).
2. Click Launch the selected task.
Figure 26. Start DMVPN Configuration
3. When prompted about the DMVPN topology, select the one that fits your deployment. Full mesh is recommended for direct spoke-to-spoke traffic; it reduces the load on the hubs when a significant percentage of direct spoke-to-spoke traffic is expected.
4. In the next screen (Figure 27), enter your DMVPN IP addresses (these are the internal multipoint GRE [mGRE] IP addresses). For Cisco ECT, it is recommended to use a backup hub that can take over all traffic when the main hub goes down for any reason.
5. Click Next.
Figure 27. DMVPN Hubs Where the Spoke Will Connect
Next, select the next available mGRE tunnel IP address for the new spoke. It is necessary to set the common NHRP parameters for the entire DMVPN deployment in advance (Figure 28). The WAN interface also needs to be selected at this point, usually the FastEthernet4 for a Cisco 871 router, or the dialer interface if PPPoE is used to connect to the Internet.
Figure 28. NHRP and DMVPN Parameters
6. Next, select Digital Certificates and Create a new IPsec transform set.
7. In the "Add Transform Set" window (Figure 29), select Transport Mode. It is the supported method for DMVPN.
Figure 29. Create a Transport Mode IPsec Transform Set for DMVPN
8. In the next screen, select the routing protocol. EIGRP, OSPF, and RIP will work, but EIGRP or OSPF are recommended for a Cisco ECT deployment.
This results in the following sample configuration:
To have a guest VLAN, or to enable split tunneling so that only your corporate traffic goes to your data gateways and all other traffic goes directly to the Internet, you need to enable NAT/PAT on the remote device.
If all traffic is routed through your corporate gateways, there is no need to enable NAT. For a Cisco ECT deployment it is optional, but it is most common to allow a guest VLAN to directly access the Internet.
For a remote VPN router we advise the use of PAT. To add PAT:
1. Select the NAT/PAT menu from the list on the left.
2. Select Basic NAT and start the Advanced NAT Wizard (Figure 30).
Figure 30. PAT Configuration
3. Select the outside (WAN) interface. This is usually the FastEthernet4 interface for a Cisco 871 router, or Dialer1 if PPPoE is used.
4. Select both the corporate and guest VLAN pools, BVI1 and 2 (if configured), to allow for Internet access for the Cisco 871 router.
5. Click Finish.
Step 5-Intrusion Prevention
This is a quick process.
1. Select the Intrusion Prevention tab option from the left menu (Figure 31).
2. Click the Edit IPS tab on top. For Cisco ECT deployments, it is recommended to always use IPS at least for the WAN interface.
3. When using a Cisco 871 router as a VPN router, select the FastEthernet4 interface and click Enable. With the interface still selected, click Edit (Figure 31).
4. In the "Edit IPS on an Interface-FastEthernet4" window, select the Inbound traffic radio button. Click OK. The Enable fragment checking on this interface option should also be checked, to protect against IP fragment attacks.
Figure 31. Intrusion Prevention
To select the signature definition file (SDF), go to the Global Settings menu and click + Add. The "Add a Signature Location" window will appear (Figure 32). Select an SDF from the drop-down menu.
Note: In order to be able to download this software, an account with Cisco.com is required.
Figure 32. Select the Signature Definition File
Note: If you wish to disable a particular signature, just click on the Signatures menu from Figure 31 to view and select it.
This is the resulting configuration:
ip ips sdf location flash://attack-drop.sdf
ip ips name ips-rule
ip ips ips-rule in
The list of built-in signatures is shown in the Signature Compilation Status window (Figure 33).
Figure 33. Select IPS Signatures
Step 6-Quality of Service
For a Cisco ECT deployment, it is recommended that voice, ISAKMP, and routing traffic be prioritized so that voice quality is clear, the router does not lose tunnels during IKE renegotiation, and routing traffic can get through.
1. Select the Quality of Service tab to launch the QoS wizard.
2. Select the outside interface. For a Cisco 871 router, it is FastEthernet4.
3. On the following screen (Figure 34), Cisco SDM allows us to fine-tune some default values. There is no need to change them for a Cisco ECT deployment.
Figure 34. Default QoS Settings
This is the resulting sample configuration:
class-map match-any SDMVoice-FastEthernet4
 match protocol rtp audio
class-map match-any SDMTrans-FastEthernet4
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDMScave-FastEthernet4
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map type access-control match-all http
 match field TCP dest-port eq 80
class-map type stack match-all ip_tcp
 match field IP protocol eq 6 next TCP
class-map type stack match-all ip_udp
 match field IP protocol eq 17 next UDP
class-map match-any SDMIVideo-FastEthernet4
 match protocol rtp video
class-map match-any SDMSVideo-FastEthernet4
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
class-map type access-control match-all ftp
 match field TCP dest-port eq 21
class-map match-any SDMBulk-FastEthernet4
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
class-map match-any SDMSignal-FastEthernet4
 match protocol h323
 match protocol rtcp
class-map match-any SDMRout-FastEthernet4
 match protocol bgp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDMManage-FastEthernet4
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map type access-control match-all codered
 match start l3-start offset 40 size 32 regex "GET /default.ida\x3FNNNNNNNNNNNNNNN"
 match field TCP dest-port e
bandwidth remaining percent 33
set dscp af21
bandwidth remaining percent 40
set dscp cs3
bandwidth remaining percent 3
set dscp cs6
priority percent 70
set dscp ef
bandwidth remaining percent 3
set dscp cs2
ip nbar protocol-discovery
service-policy output SDM-Pol-FastEthernet4
Note: Cisco SDM will activate Network-Based Application Recognition (NBAR) for matching traffic.
Not all of the settings shown in the above sample configuration are necessary for an ECT spoke. For example, many routing protocols are matched, whereas an ECT deployment actually uses only one. But it is much easier to accept the SDM default QoS settings: they are a superset of what an ECT spoke needs, so they still provide the minimum quality of service, plus extra settings.
Step 7-Network Admission Control
For a Cisco ECT deployment, you can optionally enable Network Admission Control (NAC).
1. Start by selecting the NAC Components tab.
2. Under the NAC Components menu, select Exception Policies.
3. If you use voice over your VPN, you will want to create an exception policy for IP phones. In the Add Exception Policy window, in the "Name" field, enter ip-phones. Click Add to create a new access rule and permit ip any any (Figure 35)
Figure 35. Create an Access List for Permitting IP Phone Traffic
Figure 36. Add Exception for IP Phones
4. Next, create an exception list for IP phones. Click Add and select the policy you just created (Figure 36).
5. Return to the NAC menu and launch the NAC wizard on the top of the menu.
6. Select BVI1 for the interface and Strict Validation for the default option.
7. Next, add your NAC RADIUS server, which should be part of the management network (Figure 37); in this guide's example it is 10.99.99.3.
Figure 37. Add the NAC AAA Server
8. Select the ip-phones exception list you created before (Figure 38).
Figure 38. Attach the Correct Exception List
9. Next, you can optionally authenticate clientless hosts by entering a username/password for them (Figure 39). This applies to Linux or Apple hosts, for example.
Figure 39. Clientless NAC Hosts
10. Since we are applying NAC to the inside (LAN-facing) interface for the Cisco ECT deployment, there is no need to enable remote management. We will always be able to come through the management tunnel. Do not enable management (Figure 40).
Figure 40. Configure NAC for Remote Access
11. Click Next to push the configuration lines to the router.
Step 8-Additional Tasks
Besides the security aspects of the remote device, some more IP services need to be added to make the Cisco ECT spoke ready for use. These include:
• VTY/SSH setting for remote management
You will need to keep a privilege 15 user configured in the remote router for management (privilege 15 means full access to the router's enable mode). Removing the default cisco/cisco username and password is recommended; it is too obvious. The first step is to add a new user for administration. Select Additional Tasks on the left and then Router Access-User Accounts/View. Then click Add to create a new user (Figure 41).
Figure 41. Add New Username
Still in the same menu option (Router Access-User Accounts/View) we can delete the default "cisco" user. First select the "cisco" user and then click Delete. You can optionally add a management "back door" to the router, to be able to remotely SSH into the router. Make sure that you only allow incoming SSH sessions from a specific subnet; that should be part of your internal management network.
To add optional management access to the router, click Management Access under the Router Access menu on the left and
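The CLI equivalent of the user and SSH settings described above, as an added example that is not from the original guide or generated by Cisco SDM. It assumes the management subnet 10.99.99.0/27 used elsewhere in this guide; the username, the ACL name and the password placeholder are constructed for the example.

```ios
! Constructed example: restrict SSH management access to the internal management subnet
! Replace <strong-password> with a real secret before applying.
ip access-list standard MGMT-SSH-IN
 remark Only the management subnet (10.99.99.0/27) may open SSH sessions
 permit 10.99.99.0 0.0.0.31
 deny   any log
!
! New privilege 15 administrator; then remove the default cisco/cisco account
username ectadmin privilege 15 secret <strong-password>
no username cisco
!
! SSH version 2 only; SSH requires a hostname, domain name and RSA key pair
ip ssh version 2
!
line vty 0 4
 access-class MGMT-SSH-IN in
 transport input ssh
 login local
```

Denied connection attempts are logged by the final ACL entry, which gives a simple indicator of SSH probes reaching the spoke from outside the management network.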
Step 9-Firewalls and ACLs
The "Firewall and ACL" task defines access policies and creates rules for deep inspection of the defined protocols. Start by selecting Firewall and ACL at left. Under the Create Firewall tab, select the Advanced Firewall radio button and click Launch the selected task. The Firewall Wizard will appear (Figure 42).
Figure 42. Start the Firewall Configuration
In the wizard there is no DMZ for an ECT spoke. The inside interfaces are the BVI1 (corporate VLAN) and BVI2 (guest VLAN) and the outside interface is FastEthernet4 (Figure 43).
Figure 43. Marking Interfaces for Firewall
In the next screen, the default "high security" can be kept (Figure 44).
Figure 44. Firewall Security Level
The other options, "medium" and "low", provide fewer firewall features. The decision depends on the corporate policy rules. The "low security" option just applies the regular IOS Firewall. The other options also use the Application Firewall to block access for peer-to-peer file sharing applications and other applications.
Click Finish to push the configuration to the router.
The "low security" sample configuration is:
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
For the outside WAN interface, IPsec, ISAKMP, NTP, and BOOTPC traffic need to be allowed so that IKE/IPsec tunnels can be established, NTP is able to synchronize the clock, and the DHCP client is able to request an IP address from the ISP DHCP server.
Cisco SDM will automatically prompt you to accept auto-generated rules. Figure 45 shows an example. Make sure you accept them all.
Figure 45. Accept ACL Rules to Allow VPN-Related Traffic
Step 10-Extra Configuration Using Console Access
There are some configuration steps that are required for a Cisco ECT deployment that this version of Cisco SDM does not support. You can find information on how to configure them at http://www.cisco.com/go/ect under the "Layered and Perimeter Security Managed Services" section. Authentication proxy and 802.1x are missing, although both are optional.
Also, for the PKI trustpoint it is recommended to configure "source interface <inside>"; BVI1 in the case of the Cisco 871 router. This makes sure that auto-enrollment sources its request from the tunnel-protected network, so the enrollment traffic is encrypted.
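How the source interface fits into a trustpoint definition, as an added illustration that is not from the original guide. The trustpoint name and the CA enrollment URL are placeholders; only "source interface BVI1" comes from the recommendation above.

```ios
! Constructed example: trustpoint sourced from the inside (tunnel-protected) interface
! <trustpoint-name> and <ca-server> are placeholders for your own PKI values.
crypto pki trustpoint <trustpoint-name>
 enrollment url http://<ca-server>:80
 ! Source enrollment and renewal requests from BVI1 so they travel inside the tunnel
 source interface BVI1
 ! Renew automatically at 70% of the certificate lifetime with a new key pair
 auto-enroll 70 regenerate
```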
One more missing piece is the static routing of the hub IP addresses to the outside interface. Usually, DMVPN hubs will have public IP addresses that are part of the corporate set of subnet pools. These subnets will be routed out to the spokes once the GRE tunnel comes up. To avoid a routing loop, it is recommended that the DMVPN hubs' host IP addresses are routed to the Internet.
For example, if DHCP is used to connect to the Internet and the DMVPN hubs have IP addresses in the 172.16.1.0/29 network, we would need to add static routes for those addresses, as well as for the management server's host and network.
Here is a sample configuration:
! Management Gateway
ip route 172.16.0.0 255.255.255.255 dhcp
! DMVPN hubs
ip route 172.16.1.0 255.255.255.248 dhcp
! Management subnet
ip route 10.99.99.0 255.255.255.224 dhcp
After all the Cisco ECT-needed features have been configured, you must save the configuration to NVRAM by going to "File > Save to Startup Config...". Otherwise all will be lost when the router is power-cycled. You should also save a copy of the configuration in your PC for future reference. This can be achieved by clicking on "File > Save Running Config to PC...".