Cisco 1720 VPN Access Router

Transcription

1 OVERVIEW Cisco 1720 VPN Access Router Flexible, Secure VPN Access for Small and Medium-Sized Businesses and Small Branch Offices Market Trends The Internet is fundamentally changing the way companies do business. And the future will bring even more change, driven by rapid changes in networking technology. Companies who are ready for this future stand to gain competitive advantage. In the new world of networking, three key market trends need to be considered when making decisions on network equipment for small and medium-sized businesses and small branch offices: virtual private network (VPN) capability, flexibility, and network device integration. VPNs The New World of Networking Traditionally, companies connect their geographically dispersed sites by leasing private WAN connections from service providers to form a private communications infrastructure. The resulting networks offer guaranteed bandwidth with predictable delay, but the company pays a high price for this bandwidth regardless of whether they actually use all of it. This scenario leads to an expensive infrastructure, with cost being a function of the specified bandwidth and distance. Virtual private networks connect geographically dispersed sites and remote users together using shared or public networks such as the Internet while providing security, traffic prioritization, management, and reliability as good as that of private networks. By utilizing shared, global networks such as the Internet, VPNs can deliver significantly reduced WAN costs and provide new capabilities such as secure extranet communication among business partners. The main benefits of a VPN solution include: Reduced cost Industry analysts and news media report that VPNs can save recurring WAN costs by 30 to 80 percent (see, for example, Data Communications 9/98, Network World 8/31/98), resulting in equipment payback periods of a few months and returns on investment (ROIs) in the hundreds of percents. For site-to-site connectivity, VPNs leverage the low cost of intranet access over a shared infrastructure. For remote-user access, VPNs save long-distance dialup charges by calling a local number and connecting over a shared infrastructure for the long distance. Further, companies can simplify WAN operations by outsourcing their VPNs to a service provider. Extranet communication VPNs allow business partners and suppliers to communicate easily and securely, and to control access to network resources such as databases. Improved connectivity The Internet provides global reach for connecting sites and remote dial users. Due to the Internet s global popularity and availability, it is much easier to set up a local Internet connection within a foreign country than it is to get an international private WAN line through the country s telephone company. Better reliability Using the Internet or any large service provider s shared network provides automatic redundancy due to ubiquitous routing nodes. Page 1 of 14

2 Flexibility A company s networking requirements constantly change due to several factors such as growing demand for bandwidth, technological change, and global deregulation of telecommunications. As a company adds users and discovers more ways to use its network, its bandwidth requirements keep increasing. Ethernet local area networks (LANs) need to be future proofed for easy migration to Fast Ethernet technology. And telecommunications industry deregulation is resulting in lower cost for existing WAN technologies such as leased lines, frame relay, Integrated Service Digital Network (ISDN), Switched Multimegabit Data Service (SMDS), and Asynchronous Transfer Mode (ATM), as well as the rapid emergence of new technologies, such as digital subscriber line (DSL). In such a world of constant change, a company needs to protect its investment with flexible network equipment that can adapt. Network Device Integration Integration of multiple functions into a single product reduces deployment and management time and costs. Examples of integrated network components include the access router, firewall, high-speed encryption, VPN tunnel server, and data service unit/channel service unit (DSU/CSU) or network termination unit. With integration, deployment costs are reduced because there are fewer devices and cables to install and configure. Because remote configuration, monitoring, and troubleshooting of each of the integrated functions is possible through the access router, on-going support of remote offices from a central site is simplified. To meet these important market needs beyond typical Internet and intranet access, Cisco Systems has developed the Cisco 1720 VPN Access Router for small- and medium-sized businesses and small branch offices. Introduction to Cisco 1720 VPN Access Router The Cisco 1720 router offers the following key components: Cisco IOS software One autosensing 10/100 Fast Ethernet port Two WAN interface card slots One auxiliary (AUX) port (up to kbps asynchronous serial) One console port RISC processor for high-performance encryption One internal expansion slot for support of future hardware-assisted services such as encryption (up to T1/ E1) and compression DRAM memory: 16 MB default, expandable to 48 MB Flash memory: 8 MB default, expandable to 16 MB Desktop form factor Figure 1 The Cisco 1720 Router Delivers VPN Access with the Power of Cisco IOS Software, Flexibility, and Network Device Integration The flexible Cisco 1720 router supports any combination of one or two of the following WAN interface cards: WIC-1T: One-port high-speed serial (sync/async) WIC-2T: Two-port high-speed serial (sync/async) WIC-2A/S: Two-port low-speed serial (sync/async) (up to 128 kbps) WIC-1B-S/T: One-port ISDN Basic Rate Interface (BRI) S/T WIC-1B-U: One-port ISDN BRI U WIC-1DSU-56K4: One-port integrated 56/64-kbps 4-wire DSU/CSU WIC-1DSU-T1: One-port integrated T1 / Fractional T1 DSU/CSU These WAN interface cards are shared with the Cisco 1600, 2600, and 3600 routers. The Cisco 1720 router extends the leadership established by Cisco s 1600 series routers for small businesses and small branch offices, offering more functionality and flexibility for higher-end applications. In addition to meeting the needs of Internet and intranet access, the Cisco 1720 router offers the following key advantages: Virtual private networking with the power of Cisco IOS software Flexibility through modular architecture Network device integration Virtual Private Networking Access VPNs can help companies reap benefits such as dramatically lower WAN costs, improved global connectivity, and better reliability, while enabling capabilities such as secure extranet communications. Remote dial, Internet, intranet, and extranet access can all be consolidated over a single WAN connection to the Internet. Page 2 of 14

3 The Power of Cisco IOS Software for VPNs. The industry defacto standard networking software for the Internet and private WANs, Cisco IOS software delivers the most comprehensive set of VPN features on security, quality of service, management, and reliability/scalability. The Cisco 1720 router, with full Cisco IOS support and modular, integrated hardware, is designed for the new world of VPNs. It defines a new class of VPN access routers that enables practical, cost-effective, wide-scale VPN deployment. Consider the following VPN requirements: Security is crucial for a VPN because the company s data traverses a shared (untrusted) WAN and the internal network of each office is exposed to this shared WAN. Advanced security features are integrated into Cisco IOS software of the Cisco 1720 router: Firewall The optional Cisco IOS Firewall protects the LAN from attacks. Context-based access control (CBAC) provides dynamic or stateful filtering on a per-application basis, permitting legitimate traffic to enter the LAN only while a session is active. CBAC capability is considered essential for effective firewall functionality. Cisco IOS Firewall also supports other key features such as Java blocking, denial-of-service detection and prevention, audit trail, and real-time alerts. Encryption Optional IP Security Data Encryption Standard ( DES) and Triple DES encryption up to 168-bit key length provides the strongest standards-based encryption to ensure confidentiality, data integrity, and data origin authenticity while traversing a shared WAN. Tunneling Several optional tunneling standards are supported:, generic routing encapsulation (GRE), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP). L2F and L2TP support allows mobile workers to dial in to a service provider s local points of presence (POPs), tunnel traffic back to the Cisco 1720, and access resources such as databases residing on the LAN of the router. When the router is used in this way, it is called a home gateway or tunnel server. This setup obviates the need for a separate remote access server (RAS) at the small to medium business and saves on long-distance calling charges. L2TP can also be used to tunnel non-ip traffic for connecting remote offices or users ( tunneling supports only IP traffic). Devise authentication and key management Support for Internet Key Exchange (IKE), X.509v3 digital certificate, and Certificate Enrollment Protocol (CEP) with certificate authorities such as Verisign and Entrust ensures device and data authenticity and enables scalability to very large networks through automated key management. VPN client software Any industry-standard and L2TP clients will interoperate with Cisco IOS software. User Authentication User authentication provides support for Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), TACACS+, Remote Access Dial-In User Service (RADIUS), and token authentication. Quality of Service (Traffic Management). For a VPN to provide the highest level of availability and predictability, quality-of-service (QoS) controls are needed with regards to which applications or users have access to how much bandwidth. Time-sensitive or mission-critical applications (for example, Enterprise Resource Planning applications such as PeopleSoft) should get priority over less-critical traffic (for example, push applications such as Pointcast). The Cisco 1720 router supports leadership QoS features such as: Committed access rate (CAR) performs three important functions on a per-application or per-user level: 1) Classify traffic type (for example, is it PeopleSoft or Pointcast traffic?); 2) Set the maximum bandwidth allowed for that traffic (also known as traffic policing or rate shaping for example, PeopleSoft gets 1.0 Mbps, Pointcast gets 28 kbps); and 3) Prioritize the traffic by giving each traffic type an IP Precedence number. Policy routing can also classify and prioritize traffic by IP Precedence, but it also directs which type of traffic should go to which interface on the router. However, it does not set the allowed bandwidth like CAR. Weighted Fair Queueing (WFQ) provides consistent response time. It schedules low-bandwidth traffic to the front of the queue to reduce response time, and fairly shares the remaining bandwidth among high-bandwidth applications. Generic Traffic Shaping (GTS) avoids congestion by controlling and smoothing outbound WAN traffic to a specified bandwidth. This feature is useful when the receiving router on the other edge of the WAN cannot handle the incoming traffic bandwidth. Resource Reservation Protocol (RSVP) allows an application to have reserved guaranteed bandwidth throughout the entire WAN, from one end to the other. Page 3 of 14

4 Management and Ease of Installation The Cisco 1720 router supports a range of network management and ease-of-installation tools. Cisco ConfigMaker is a Windows Wizards-based tool designed to configure a small network of Cisco routers, switches, hubs, and other network devices from a single PC. Designed for resellers and network administrators of small to medium-sized businesses, it guides the user through the network design and new device installation process, making the tasks as simple as drawing a network diagram. Cisco ConfigMaker simplifies VPN deployment with support for VPN policy configuration, including the Cisco IOS Firewall feature set,, Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) Server. ( support will be available in Q1 CY '99.) CiscoView, a GUI-based device management software application for UNIX platforms, provides dynamic status, statistics, and comprehensive configuration information. In Q1 CY '99, the Cisco 1720 will also support CiscoWorks2000, Cisco's industry-leading Web-based network management suite. Its browser interface simplifies tasks such as managing network inventory and device changes, changing configuration, rapidly deploying new software images, and troubleshooting. For service providers, Cisco Service Management (CSM) provides an extensive suite of service management solutions to enable service providers to quickly plan, provision, monitor, and bill for VPNs. Reliability and Scalability Cisco IOS software is the industry accepted standard networking software with proven reliability. Cisco IOS technologies ensure that a VPN can scale reliably to very large networks through support of Internet Key Exchange (IKE) and digital certificates with leading certificate authorities, scalable routing protocols such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (Enhanced IGRP), and reliability services such as Hot Standby Router Protocol (HSRP). Figure 2 Cisco ConfigMaker Provides Graphical Wizards-Based Configuration. A Network Diagram Puts Devices in Perspective Page 4 of 14

5 Encryption Performance The Cisco 1720 router currently supports software-based encryption and will support hardware-based encryption in the future. Powered by a RISC processor, the Cisco 1720 supports software-based encryption at 512 kbps for 256-byte packets (typical packet size for most networks). (Performance may vary, depending on the encryption algorithm used, network packet sizes, and so on) An expansion slot on the motherboard of the Cisco 1720 allows for support of future hardware-assisted services such as encryption (up to T1/E1) and compression. Flexibility To protect their investment against the constant change in networking requirements, companies need a product that can adapt. The Cisco 1720 router provides the most flexible solution for small/medium businesses and small branch offices. Modular WAN interface cards All WAN interfaces on the Cisco 1720 are interchangeable through the two WAN slots. Customers can mix and match whichever WAN interface card combination they want, allowing them to upgrade or change WAN technologies as needed. A wide range of WAN options are available, including dual ISDN BRI, up to five ports for serial aggregation, and integrated DSU/CSUs up to T1 speed. Shared WAN interface cards with Cisco 1600, 2600, and 3600 routers Shared WAN interface cards enhance the investment-protection value of the routers and WAN interface cards. When a card is no longer needed in one platform, it can be reused on another platform. Also, customers, resellers, and service providers who keep spare WIC cards can reduce the number of stock-keeping units and inventory. Autosensing 10/100 Fast Ethernet The Cisco 1720 has an autosensing 10/100 Fast Ethernet port that allows for easy migration to Fast Ethernet networks. Simply plug in the LAN cable and this port automatically detects whether the LAN speed ought to be 10 or 100 Mbps and automatically negotiates simplex or duplex mode. For offices with 100BaseTX hubs, the autosensing 10/100 port of the Cisco 1720 eliminates the need for a 10/100 bridge. Performance for emerging broadband technologies The RISC processor of the Cisco 1720 gives it the performance necessary to support emerging broadband technologies such as digital subscriber line (DSL) in the future. Cisco s roadmap for future WAN interface cards includes DSL technology. Network Device Integration Integrating multiple functions into a single device reduces deployment and management time and costs. The Cisco 1720 router provides all-in-one integration advantages in two ways: Integrated devices in a single box The Cisco 1720 is capable of combining multiple functions, including router, firewall, encryption, VPN tunnel server (home gateway), DSU/CSU, and Network Termination 1 (NT1). Benefits include: Simplified support and reduced costs because configuration, monitoring, and troubleshooting of each of the integrated functions can be done remotely via the router function Simplified VPN configuration: Cisco IOS software support for VPN tunneling such as L2TP is integrated with security features such as encryption and user authentication Fewer devices and cables to install and configure Enhanced reliability (fewer components such as power supplies) Physical space savings Integrated Single-Vendor LAN/WAN Solution: Cisco Networked Office Stack Small- and medium-sized businesses, which typically have little or no network administration resources, benefit from deploying integrated solutions with LAN and WAN components from a single vendor that work together easily and seamlessly. Further, with single-vendor solutions, only a single phone call is necessary when support is needed. The Cisco 1720 router is a member of the Cisco Networked Office (CNO) stack Cisco s integrated LAN/WAN solution. Other CNO components include the Cisco 1600 series routers, Cisco IOS Firewall feature set, Cisco /100 hub, Cisco / 100 switch, and Cisco ConfigMaker network configuration tool. Page 5 of 14

6 Figure 3 The Cisco 1720 VPN Router is Part of the Cisco Networked Office Stack, Which includes Autosensing 10/100 Hubs and Switches Key Features and Benefits The Cisco 1720 offers industry-leading VPN support, flexibility, and network device integration, with key features listed in Table 1. Table 1 Key Features and Benefits of Cisco 1720 Series Feature Function/Benefit VPN Support Full Cisco IOS support Including multiprotocol routing (IP, IPX, AppleTalk, IBM/SNA) and bridging Firewall Cisco IOS Firewall includes CBAC for dynamic firewall filtering, denial-of-service detection and prevention, Java blocking, and real-time alerts Encryption ESP DES and Triple DES. Expansion slot for future high-speed hardware-based encryption RISC Processor Device Authentication and Key Management IKE, X.509v3 digital certificate, support for CEP with certificate authorities (CAs) such as Verisign and Entrust User Authentication PAP/CHAP, RADIUS, TACACS+, Token Tunneling, GRE, L2F, L2TP Management Manageable via SNMP (CiscoView, CiscoWorks2000), Telnet, and through console port Ease of Use and Installation Cisco ConfigMaker, SETUP configuration utility, AutoInstall, color-coded ports/cables, LED status indicators Network Address Translation and Easy IP Quality of Service CAR, Policy Routing, WFQ, GTS, RSVP Reliability and Scalability Cisco IOS software, dial-on-demand routing; dual bank Flash memory, scalable routing protocols (for example, OSPF and Enhanced IGRP), Hot Standby Router Protocol Industry de facto standard networking software for Internet and private WANs Provides industry s most robust, scalable, and feature-rich internetworking software support Part of Cisco s end-to-end network solution Allows internal users to access the Internet with secure, per-application-based dynamic access control while preventing unauthorized Internet users from accessing the internal LAN Enables creation of VPNs by providing industry-standard data privacy, integrity, and authenticity as data traverses public networks Provides option to upgrade to high-speed hardware-assisted encryption up to T1/E1 when available Enables software-based encryption performance at 512 kbps for VPNs Ensures proper identity/authenticity of devices and data Enables scalability to very large networks through automated key management Ensures that the users are who they say they are Choice of standards-based tunneling methods to create VPNs for IP and non-ip traffic Allows any standards-based or L2TP client to interoperate with Cisco IOS tunneling technologies Allows central monitoring, configuration, and diagnostics for all functions integrated in the Cisco 1720 router, reducing management time and costs Simplifies and reduces deployment time and costs with graphical LAN/VPN policy configurator, command-line context-sensitive configuration questions, and straight-forward cabling LEDs allow quick diagnostics and troubleshooting Simplifies deployment and reduces Internet access costs Allocates WAN bandwidth to priority applications for improved network performance Improves network reliability and enables scalability to large networks Flexibility Modular architecture (WAN card slots) WAN interface cards shared with Cisco 1600, 2600, and 3600 routers Enables flexible WAN choices on the Cisco 1720 router, protecting investment Reduced cost of maintaining inventory Lowers training costs for support personnel Protects investments through reuse on various platforms Page 6 of 14

7 Feature Autosensing 10/100 Fast Ethernet Expansion slot on motherboard Function/Benefit Simplifies migration to Fast Ethernet performance in the office Allows expandability to support future services such as hardware-assisted encryption and compression Network Device Integration Integrated router, firewall, encryption, VPN tunnel server, DSU/CSU, and NT1 in single device Part of Cisco Networked Office stack Reduces deployment costs and simplifies management compared to solutions based upon multiple, separate devices Delivers complete, compatible solutions for small office networks Software Feature Sets The Cisco 1720 feature sets share the same feature definitions as the Cisco 1600 series as of Cisco IOS Release Thirteen feature sets are available: four Base and nine versions. Starting with Release 12.0, the Base feature sets include some features formerly in : NAT, OSPF, Remote Access Dial-In User Service (RADIUS), and Next Hop Resolution Protocol (NHRP). feature sets contain all the features in their corresponding Base feature set, plus an additional number of value-added features such as L2TP, L2F, Border Gateway Protocol (BGP), IP Multicast, Frame Relay switched virtual circuit (SVC), RSVP, NetWare Link Services Protocol (NLSP), AppleTalk Simple Multicast Routing Protocol (SMRP), and Network Timing Protocol (NTP). Tables 2 and 3 show the features available in the Cisco 1720 feature sets. Table 2 Base Feature Sets Category Basic Protocols/Features IP IP/IPX IP Firewall IP/IPX/AT/IBM LAN Transparent bridging x x x x IP x x x x IPX, NetBIOS access lists, name caching x x AppleTalk phases 1 and 2 x WAN Leased lines, Frame Relay, Switched 56, SMDS, HDLC x x x x ISDN leased line (IDSL) at 64 and 128 Kbps x x x x ISDN caller ID callback x x x x PPP, PPP compression x x x x Async, SLIP x x x x X.25, X.25 PAD, X.25 over ISDN D channel x x x x LLC2, LAPB x x x x IP Routing RIP, RIP2, IGRP, Enhanced IGRP, OSPF, NHRP x x x x IP policy routing x x x x GRE tunneling x x x x Other Routing IPX-RIP x x (AppleTalk) RTMP x Page 7 of 14

8 Category Basic Protocols/Features IP IP/IPX IP Firewall IP/IPX/AT/IBM Security PAP/CHAP, local password x x x x Extended access lists; Lock and Key x x x x RADIUS, TACACS+, Token x x x x Quality of Service Weighted Fair Queueing (WFQ) x x x x WAN Optimization Bandwidth on demand, dial on demand x x x x IPX and SPX spoofing x x Snapshot routing x x x x Frame Relay FRF.9 x x x x Ease of Use and Deployment ConfigMaker x x x x Easy IP (PAT, IPCP, and DHCP server) x x x x Network Address Translation (NAT) x x x x AutoInstall for leased line & Frame Relay x x x x Management SNMP, Telnet, console port x x x x CiscoView, CiscoWorks2000 x x x x Simple Network Timing Protocol (SNTP) x x x x Note: AppleTalk routing and bridging are not supported for asynchronous interfaces. CiscoWorks2000 support will be available in Q1 CY 99. Table 3 Feature Sets - Additional Features Category Protocols/Features IP IP 40 IP IPSe c 56 IP 3DES IP FW 56 IP FW 3DES IP/IPX FW IP/IPX/ AT/IBM FW 56 IP/IPX/ AT/IBM FW 3DES WAN Frame Relay SVC x x x x x x x x x IP Routing BGP x x x x x x x x x Other Routing NetWare Link Services Protocol x x x AppleTalk AURP, ATIP x x VPN/Security DES x x x x x x Triple DES x x x Cisco Encryption Technology: 40-bit Cisco Encryption Technology: 56-bit x x x x x x x x x x x x x VPN/Tunnels L2TP, L2F x x x x x x x x x Quality of Service Resource Reservation Protocol (RSVP) x x x x x x x x x Page 8 of 14

9 Category Protocols/Features IP IP 40 IP IPSe c 56 IP 3DES IP FW 56 IP FW 3DES IP/IPX FW IP/IPX/ AT/IBM FW 56 IP/IPX/ AT/IBM FW 3DES Random Early Detection (RED) x x x x x x x x x Cisco Express Forwarding (CEF)* x x x x x x x x x Committed access rate (CAR)* x x x x x x x x x NetFlow* x x x x x x x x x RTP Header Compression (RTP-HC) x x x x x x x x x Multimedia IP Multicast (Protocol Independent multicast or PIM) x x x x x x x x x AppleTalk SMRP (Multicast) x x Management Network Timing Protocol (NTP) x x x x x x x x x Note: FW above denotes Cisco IOS Firewall. Encryption is offered in special encryption feature sets ( 40, 56, and 3DES). *CAR, CEF, and NetFlow supported with Cisco IOS Release 12.0(3)T and up. To build an IP VPN, the recommended images are IP Firewall 56 or IP Firewall 3DES. Applications The Cisco 1720 router extends the leadership capabilities of the Cisco 1600 series for small/medium businesses and small branch offices. In addition to the flexible, secure Internet/ intranet access solutions provided by the Cisco 1600 routers, the Cisco 1720 is also ideal for the application examples that follow. Figure 4 Access/Intranet/Extranet VPNs for Small/Medium Businesses Firewall CNO Hub CNO Hub CNO Hub SMB B Supplier or Customer Cisco 1720 Internet Encryted tunnels SMB A Mobile Workers Firewall Firewall Cisco 1720 Cisco 1720 CNO Switch CNO Switch CNO Switch SMB A Small Main Office Access VPN Home Gateway CNO Hub CNO Hub SMB A Small Branch Page 9 of 14

10 Figure 4 illustrates VPN applications for two small- and medium-sized businesses (SMB A and SMB B). SMB A has a main office and a branch office, connected via a secure VPN tunnel. SMB B is a strategic customer or supplier with a secure extranet connection to SMB A. The VPN applications here include: Intranet VPN (branch-to-branch connectivity) Instead of a long-distance private leased line between SMB A s main office and the branch office, each office subscribes to a local Internet access line and an encrypted tunnel carries the traffic over the Internet for long distance. DES or Triple DES provides data confidentiality, authenticity, and integrity while Cisco IOS Firewall, integrated into the Cisco 1720 router, prevents unauthorized access or attack to each office s LAN. Traffic is prioritized using QoS features such as policy routing or committed access rate to ensure that mission-critical applications get the highest network bandwidth. Cisco ConfigMaker simplifies VPN configuration for a small/medium network with a Graphical User Interface (GUI)-based tool that configures basic router parameters as well as Cisco IOS Firewall and encryption policies. configuration is simplified to a few simple steps by using standard defaults established by Cisco ConfigMaker such as tunnel mode, ESP-HMAC-MD5 (a popular transform), and preshared key for IKE policy secure VPN tunnels can be quickly established by specifying the choice of encryption algorithm (DES or Triple DES), preshared key password, and IP addresses of destination routers. ( configuration support will be available in Cisco ConfigMaker in Q1 CY 99.) Access VPN (mobile-user remote access) SMB A s mobile users or teleworkers/telecommuters can dial into a local Internet POP and tunnel the long-distance traffic back to the company LAN via the Internet or a service provider s shared backbone. This scenario leads to cost savings by avoiding long-distance dial charges. Access VPN tunnels can be implemented as client-initiated or network access server (NAS)-initiated. For client-initiated tunneling, a standard or L2TP client on the mobile user s PC initiates a tunnel between the PC and the Cisco 1720 router. The router serves as a home gateway (also called VPN tunnel server or L2TP network server) to terminate the tunnel. For NAS-initiated tunneling, when a user dials into a NAS at a local POP, the service provider authenticates the user to the company and initiates an L2TP tunnel from the NAS to the Cisco 1720 home gateway. The user is then authenticated based on a security server; the tunnel is terminated; and the user is authorized to access resources on the LAN based on policies established for him or her. Extranet VPN (business partner connectivity) SMB s A and B reduce business process cycle time (for example, for billing, order fulfillment, or joint design projects) and strengthen their business relationship as strategic customers, suppliers, or partners who can access certain resources on each other s network. The technology for establishing extranet VPNs is similar to that for establishing intranet VPNs. A Cisco IOS Firewall integrated in each site s Cisco 1720 router is configured with custom firewall policy to allow access to resources on a per-application and per-interface basis. Integrated LAN/WAN stackable solution At each of the sites, the Cisco 1720 router combines with Cisco 1500 series 10/100 Fast Ethernet hubs and switches, providing a complete, integrated LAN/WAN solution from a single vendor. Cisco ConfigMaker provides a common network configuration tool with step-by-step guidance through Page 10 of 14

11 LAN and WAN network design, addressing, and configuration. If vendor support is needed, a phone call to a single vendor reduces management time and costs. Figure 5 Frankfurt Cisco 7000 Hybrid Private/Virtual Private Network Paris Small Branch Office Cisco 1720 PIX Firewall Private IP Internet or SP Shared Backbone Cisco 2500 Cisco 1720 London Branch Office Singapore Small Branch Office Cisco 1720 router with an integrated Cisco IOS Firewall. The larger branch office in Tokyo uses a Cisco 2600 router. All routers connected to the VPN have encrypted tunnels set up to each other. Remote access for mobile users is also migrated to a VPN. An employee traveling worldwide can dial into a local POP and an tunnel is established from his or her PC to the Cisco PIX Firewall at the Frankfurt headquarters. Long-distance dial charges are avoided because traffic is carried via the Internet or service provider s shared backbone. The PIX Firewall is ideal for larger enterprise sites with requirements for high-bandwidth encryption, most advanced security features, and fail-over capabilities. As this company gets more experience with VPNs, it migrates more and more sites from its private WAN to VPN, ensuring a smooth transition. Figure 6 Small Branch Office Access Internet CiscoView Cisco 2600 Tokyo Branch Office Cisco 1720 Sydney Small Branch Office Figure 5 shows a multinational corporation with headquarters in Frankfurt. Its WAN was initially established in Europe, with private leased lines connecting headquarters to branch offices. This company now migrates some of its sites to a VPN, starting with its international sites such as Tokyo, Singapore, and Sydney to save on international WAN costs and to reduce the complexity of leasing lines from foreign telecom companies. They may either outsource the entire VPN implementation to a global service provider, sending traffic over the provider s shared IP backbone, or implement on their own by subscribing to a local Internet access line at each site and configuring tunnels over the Internet. Cisco IOS software provides an end-to-end solution across this hybrid of private and virtual private networks. The small branch offices in Singapore and Sydney each use a ISDN BRI BRI Figure 6 illustrates that the Cisco 1720 router is ideal for providing Internet and intranet access for small branch offices of a corporation with the most flexibility and investment protection of any router in its class. The autosensing 10/100 Fast Ethernet provides the flexibility of easy migration to Fast Ethernet LANs. The two WAN interface card slots provide maximum flexibility in choosing WAN services for current use as well as flexibility to change services later. The RISC processor and expansion slot for Page 11 of 14

12 future hardware-assisted services such as encryption or series, the Cisco 1720 router offers higher-speed encryption compression provide the flexibility to accommodate future for VPNs, autosensing 10/100 Fast Ethernet, more flexibility plans such as VPNs. with an additional WAN interface card slot, more serial The Cisco 1720 router, installed with two ISDN BRI interfaces, and additional performance for emerging WAN interface cards, provides an ideal solution for branch broadband WAN technologies. offices where ISDN service is inexpensive. Using Multi link Compared to the Cisco 1600 series, the Cisco 1720 PPP, the four B channels can be bonded to support up to router is particularly suitable for environments and 256 kbps. Or, one BRI can be provisioned as the primary applications such as: WAN while the other serves as a backup. The second BRI can VPN deployment either now or within the next two years, be configured to be brought up on demand when bandwidth with requirements for encryption speeds between 128 kbps requirements spike. The Cisco 1720 supports numerous and T1/E1 (the Cisco 1720 can encrypt at 512 kbps using features to optimize the use of bandwidth, including dial on software-based encryption now, and at T1/E1 using a demand; bandwidth on demand; snapshot routing; OSPF future hardware-based encryption card inserted on the on-demand circuit routing; header, link, and payload motherboard) compression; and filtering and spoofing. Fast Ethernet LAN Using CiscoView and CiscoWorks2000 management Fast-growing or -changing environments that benefit from applications, administrators at central sites can locally the flexibility of additional WAN interface card slot manage both the Cisco central site router and the remote-site Offices or applications that benefit from higher number of Cisco 1720 routers, thereby reducing administrative, serial interfaces (up to five, including AUX port), for deployment, and installation time and costs. example, retail/point of sale (POS) or small bank branch offices Product Positioning Dual ISDN BRI connections The Cisco 1720 router is an extension to the Cisco 1600 Compression at speeds greater than 128 kbps series, providing more functionality at a higher price point for small- and medium-sized businesses and small branch offices. In addition to the functionality of the Cisco 1600 Asymetric digital subscriber line (ADSL) in the future (when ADSL WAN interface card becomes available), thus requiring higher performance to take advantage of ADSL bandwidth Figure 7 Key Enhanced Capabilities of Cisco 1720 Compared to Cisco 1600 Routers Cisco 1600 Series Cisco 1720 Flexible, Secure Internet/Intranet Access Router Flexible, Secure VPN Access Router DES Encryption Speed (Software-Based, 256-Byte Packets) 128 kbps 512 kbps DES Encryption Speed (Hardware-Based, 256-Byte Packets) Not available 2.0 Mbps (When hardware encryption card is available) Encryption Support DES DES, Triple DES Internal Expansion Slot for Future High-Speed Hardware-Based Encryption No Yes LAN Ethernet Autosensing 10/100 Fast Ethernet WAN One fixed WAN port plus one WAN interface card slot Two WAN interface card slots WAN Interface Cards Supported WIC-1T, WIC-1B-S/T, WIC-1B-U, WIC-1DSU-56K4, WIC-1DSU-T1 All 1600 Series WAN interface cards plus WIC-2T and WIC-2A/S Page 12 of 14

13 Cisco 1600 Series Cisco 1720 Maximum WAN Interfaces Supported Flexible, Secure Internet/Intranet Access Router Serial (sync/async): two ISDN BRI: one ( One Serial) Flexible, Secure VPN Access Router Serial (sync/async): five (including one AUX port) ISDN BRI: Two Support for Dual ISDN BRI No Yes AUX Port (Async up to kbps) No Yes Maximum DRAM Memory 24 MB 48 MB Figure 8 Cisco 1720 Product Positioning and Key Product Characteristics Small and Medium-Sized Business and Small Branch Office Enterprise Branch Office Cisco 2600 Data, Voice and Dial Rackmount Enterprise S/W features Two WAN interface card slots plus one NM slot AIM expansion slot RISC processor Small Office/ Professional Office Cisco 700 Lowest acquisition cost ISDN teleworker One fixed WAN Simple to install Cisco 1720 VPN router Desktop Two WAN Interface card slots 10/100 BaseT RISC processor Expansion slot for future HW encryption Cisco 1600 Flexible, secure Internet access Desktop Entry-level modularity: One fixed WAN plus one WAN interface card slot Cisco 2500 Industry standard data router Rackmount Enterprise S/W features 16 fixed-configuration models Figure 8 illustrates the product positioning along with key product characteristics. Orderability and Availability The Cisco 1720 router is orderable now and is shipping to all countries. Page 13 of 14

14 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: NETS (6387) Fax: European Headquarters Cisco Systems Europe s.a.r.l. Parc Evolic, Batiment L1/L2 16 Avenue du Quebec Villebon, BP Courtaboeuf Cedex France Tel: Fax: Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: Fax: Asia Headquarters Nihon Cisco Systems K.K. Fuji Building, 9th Floor Marunouchi Chiyoda-ku, Tokyo 100 Japan Tel: Fax: Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Connection Online Web site at Argentina Australia Austria Belgium Brazil Canada Chile China PRC Colombia Costa Rica Czech Republic Denmark England France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Russia Saudi Arabia Scotland Singapore All contents are Copyright Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Printed in USA. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. 9802R 10/98 B&W