Bandwidth and network requirements—Increasing bandwidth and network requirements are driven by a unified service network, transporting video, voice, and data, and supporting mission critical functions and applications.Consolidated data centers—Rather than operating local data servers at the branch, information is consolidated at a central local. A primary goal with this consolidation is to gain centralized security and management control, to comply with corporate governance mandates driven in part by government and industry regulations.Mobility—The dispersion of the staff coupled with the consolidation of the IT resources has resulted is a significant WAN load as distant users compete for access across the WAN. Not addressing the issue of the consolidated data center, coupled with users' mobility, has left legacy branch offices with poor application response time and therefore disgruntled users.Disparate networks—Branch offices that are built in isolation tend to run aging and separate voice and data networks, which do not benefit from the use of collaborative communications applications hosted in IP call servers. Different circuit-switched private branch exchanges (PBXs) from different vendors might exist at various branch office sites, each with its own feature set, proprietary technology, and special operational requirements.Management costs—Generally as branch office sites develop, often without much strategic thought given to future requirements, equipment and services are added to solve specific problems. The result then is a patchwork of network devices in which branch offices often have very different equipment and architectures. For this reason, branch offices are often extremely costly to manage and troubleshoot. In addition, rolling out new services across inconsistent branch office infrastructures is extremely difficult.
Bandwidth and service availability are largely based on the choices of access and connectivity technologies. Technologies such as digital subscriber line (DSL) and cable usually provide dynamic IP addressing, and therefore a default route is created at the moment of connection. Virtual private networks (VPNs) are created using technologies such as IPsec. However, IPsec does not support dynamic routing protocols, and therefore complementary technologies such as generic routing encapsulation (GRE) should be considered.Resiliency considerations will typically result in alternative paths to the central location and other branches, and this will impact your choice of routing tools. Your choice of routing protocol is important because it will impact routing convergence, backup routes, load sharing, and so on. The traffic and service mix (such as NAT, QoS, ACLs, and WAN optimization) will also have an impact in routing facilities. Other considerations include security and mobility requirements due to the requirement to connect to a central office and also serving mobile users
Cisco ISR = Integrated Services Router
For more information, see http://cisco.com/en/US/netsol/ns1015/
Branch offices typically use diverse applications (for example, e-mail, web-based applications, mission-critical applications, real-time collaboration, voice, video, and videoconferencing) that require high-bandwidth connections.
Broadband is often referred to as high-speed access to the Internet because it refers to any connection of 256 Kbps or greater.
Cities with municipal Wifi: http://en.wikipedia.org/wiki/Municipal_wireless_network#Cities_with_Municipal_Wi-Fi
The following properties differentiate DSL variants:Nature: The nature of DSL is the relationship between downstream and upstream speeds. Synchronous DSL has the same speed in both directions, while asynchronous DSL has different downstream and upstream speeds.Maximum data rate: This defines the maximum speed that you can deploy with a certain type of DSL.Line coding technology: This describes the technique used to represent digital signals transported over a copper twisted pair so that the receiver can interpret the signals accurately.Data and voice support: Depending on the usage of the available frequency spectrum, certain DSL types support data and voice simultaneously while other types do not.Maximum distance: This describes the maximum distance that a certain type of DSL connection can span.
Most DSL networks use ATM as the data-link layer protocol. In basic terms, a DSLAM is an ATM switch with DSL interface cards (ATU-Cs). The DSLAM terminates the ADSL connections and then switches the traffic over an ATM network to an aggregation router. The aggregation router is the Layer 3 device where IP connections from the subscriber terminate. There are three ways to encapsulate IP packets over an ATM and DSL connection:RFC 1483/2684 BridgedPPP over Ethernet (PPPoE)PPP over ATM (PPPoA)In RFC 1483 Bridging, the ADSL CPE bridges the Ethernet frame from the end user’s PC to the aggregation router, where integrated routing and bridging (IRB) provides connectivity to the IP cloud. RFC 1483 Bridging has security and scalability issues, making it unpopular. ISPs are now opting for PPPoE and PPPoA, both of which are much more scalable and secure but involve a more complex implementation.
Most DSL networks use ATM as the data-link layer protocol. In basic terms, a DSLAM is an ATM switch with DSL interface cards (ATU-Cs). The DSLAM terminates the ADSL connections and then switches the traffic over an ATM network to an aggregation router. The aggregation router is the Layer 3 device where IP connections from the subscriber terminate. There are three ways to encapsulate IP packets over an ATM and DSL connection:RFC 1483/2684 BridgedPPP over Ethernet (PPPoE)PPP over ATM (PPPoA)In RFC 1483 Bridging, the ADSL CPE bridges the Ethernet frame from the end user’s PC to the aggregation router, where integrated routing and bridging (IRB) provides connectivity to the IP cloud. RFC 1483 Bridging has security and scalability issues, making it unpopular. ISPs are now opting for PPPoE and PPPoA, both of which are much more scalable and secure but involve a more complex implementation.
To summarize the stages of a DSL connection: Inside traffic is routed to the dialer interface (Dialer 0). Dialer 0 being a virtual interface, which has been configured to enlist the help of any physical interfaces member of the dialer pool 1, will turn to interface ATM 0/0. Interface ATM 0/0 has been configured to bring up a DSL connection using PPP encapsulation. When the service provider core router requests a username and a password, the credentials configured under interface Dialer 0 will be presented. The core router then provides an IP address to the ATM 0/0 interface, and the Internet connection will be active. Inside users leaving through the Internet connection are provided with the IP address of the virtual interface.
IPsec provides two significant benefits:Encryption—Using a cryptographic algorithm, IPsec encrypts the data exchanged by the corporate offices that are using the public Internet.Encapsulation—Using tunneling technology, it encapsulate the data as it leaves a corporate site, thus protecting its original IP address and providing the illusion to the recipient that the sender is located within the organization.IPsec encryption provides three major services:Confidentiality—Confidentiality provides encryption during the exchange of the data. Only the recipient in possession of the valid key can decrypt the packets. Confidentiality is provided by cryptographic algorithms, such as Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES).Integrity—Integrity provides a check to confirm that the data was not altered during the transmission. Integrity checks are provides by hashing algorithms such as message digest algorithm 5 (MD5) and Secure Hash (SHA).
The output from the debug crypto ipsec command indicates that the VPN link has been activated.”
The output from the show crypto session command indicates that the VPN link is now up and active.
The output from the show crypto ipsec sa command indicates that four packets have been encrypted and decrypted.
GRE adds an additional 24 bytes to the original packet.
To check whether ACLs are filtering traffic on the router, use the show ip interface command and the show access-lists commands.
The access list called FIREWALL-INBOUND, currently configured in R1, could be part of a bigger firewalling strategy, and therefore we need to investigate further whether our IOS router is configured to act as a firewall.
We find out that we have a classic firewall configured inbound on R1. We can also see which access lists are involved in the access control process, so we can quickly make a note and proceed to change the ACLs to allow IPsec traffic. In this example the access list is conveniently called FIREWALL-INBOUND, which we looked at earlier. We can also test to see if ZBF is also configured. However the lack of output indicates that it is not configured.
NAT-T (NAT transversal en IKE) es un mecanismo en IPsec para la encapsulación UDP de los paquetes ESP para que pasen mejor a través de los cortafuegos. La negociación durante la fase IKE se define en la RFC 3947 y el encapsulado UDP en la RFC 3948.La funcionalidad existe en Microsoft Windows XP con Service Pack 2 pero tiene que ser habilitada.Todos los vendedores más importantes (Cisco, Juniper, etc) soportan NAT-T para IKEv1 en sus dispositivos también.[editar]RFCs de NAT-TRFC 3715IPsec-Network AddressTranslation (NAT) CompatibilityRequirementsRFC 3947Negotiation of NAT transversal in IKERFC 3948UDP Encapsulation of IPsec ESP Packets
The edge router is providing NAT to the internal network.