WHY VOIP IS A BIG DEAL FOR BUSINESSES
One of the biggest benefits of VoIP to businesses is saving cabling and related infrastructure costs, due to the elimination of a completely separate voice cabling implementation. That can be a big deal, but as you dig deeper into the ramifications of running voice over data networks, you begin to uncover many business benefits that were previously untapped.
THE BUSINESS BENEFITS OF VOIP INCLUDE THE FOLLOWING:
■ Reduced cost of communications: Instead of relying on expensive tie lines or toll charges to communicate between offices, VoIP allows you to forward calls over existing WAN (including Internet) connections that are already paid for regardless of utilization.
■ Reduced cost of cabling: VoIP deployments typically cut cabling costs in half by running a single Ethernet connection instead of both voice and data cables. (This cost savings is only a factor realized in new construction or renovation of offices.)
■ Seamless voice networks: Because data networks connect offices, mobile workers, and telecommuters, VoIP naturally inherits this property. The voice traffic is crossing “your network” rather than exiting to the PSTN. This also provides centralized control of all voice devices attached to the network and a consistent dial plan. For example, all users could dial each other using four-digit extensions, even though many of them may be scattered around the world.
■ Take your phone with you: Cost estimates for moves, adds, and changes (MAC) to a traditional PBX system range from $55 to $295 per MAC. With VoIP phone systems, this cost is greatly reduced. In addition, IP phones are becoming increasingly plug-and-play within the local offices, allowing moves with little to no reconfiguration of the voice network.
When combined with a VPN configuration, users can even take an IP phone home with them and retain their work extension.
■ IP softphones: Softphones represent an ideal example of the possibilities when combining voice and data networks. Users can now plug a headset into their laptop or desktop computer or tablet and allow it to act as their phone. Softphones are becoming increasingly more integrated with other applications such as email contact lists, instant messaging, presence, video telephony, and rich-media collaboration tools such as WebEx.
■ Unified email, voicemail, fax: All messaging can be sent to a user’s email inbox. This allows users to get all messages in one place and easily reply to, forward, or archive messages.
■ Increased productivity: VoIP extensions can forward to ring multiple devices before forwarding to voicemail. This eliminates the “phone tag” game.
■ Feature-rich communications: Because voice, data, and video networks have combined, users can initiate phone calls that communicate with or invoke other applications from the voice or data network to add additional benefits to a VoIP call. For example, calls flowing into a call center can automatically pull up customer records based on caller ID information or trigger a video stream for one or more of the callers.
■ Open, compatible standards: In the same way that you can network Apple, Dell, and IBM PCs together, you can now connect devices from different telephony vendors together. Although this capability is still evolving, it will allow businesses to choose the best equipment for their network, regardless of the manufacturer.
001. INTRODUCTION TO CISCO COLLABORATION SOLUTIONS (VOICE, VIDEO & DATA OVER IP [VoIP])
The way we work has changed: Do you work the same way you did 10 years ago? 5? Harvard Business Review surveyed business leaders worldwide about how collaboration is changing within their organizations (Source: www.cisco.com):
72% say “effective team communication” has become more important over the past two years.
54% are investing in easier-to-use collaboration solutions.
64% report that collaboration with external parties has increased in importance.
CISCO’S COLLABORATION PORTFOLIO
Improve productivity and innovation with Cisco’s easy-to-use collaboration technology.
001. UNIFIED COMMUNICATIONS
Unify your voice, video, data, and mobile applications.
1. Cisco Spark
2. Cisco Unified Communications Manager
3. Cisco Business Edition 6000
4. Cisco Expressway
5. Just to mention a few…
002. CUSTOMER CARE
Deliver personalized omnichannel experiences that satisfy customers.
1. Cisco Unified Contact Center Express
2. Cisco Unified Contact Center Enterprise
3. Cisco Spark Care
4. And more
Simplify meetings with easy-to-use solutions that bring teams together.
1. Cisco Meeting Server
2. Cisco WebEx Meeting Center
3. Cisco TelePresence Server
4. And more
004. COLLABORATION ENDPOINTS
Find endpoints, from IP phones and video units to web, mobile, and desktop clients.
1. Cisco Spark Board
2. Cisco Spark Room Series
3. Cisco IP Phones
4. And much more
I would like to take this opportunity to welcome you to the world of collaboration, where we will showcase most, if not all, of Cisco’s collaboration solutions. By the end of it all, you will be amazed at what collaboration technology is available to meet all your needs. You will also see why Cisco is the best of the best in collaboration technology and why you should choose Cisco. So, welcome, and let’s do this.
DEPLOYING HIGH AVAILABILITY FEATURES ON THE ASA (ACTIVE/STANDBY FAILOVER)
When a single Cisco Adaptive Security Appliance (ASA) is configured with security features and policies, it can offer reliable protection—as long as it continues to run properly, has a continuous source of power, and has consistent network connectivity. Power and connectivity are resources that are provided outside the ASA, but the ASA itself might experience a hardware or software failure, making it a single point of failure.
You can configure two ASAs as a failover pair, allowing them to operate in tandem. The result is greater reliability because one or both ASAs are always available for use.
Two ASAs can be configured to operate as a high availability or “failover” pair. The idea is to leverage two separate devices so that one of them is always available in case the other one fails. Naturally, there is a possibility that both ASAs might fail within the same timeframe, but our goal should be to minimize that chance. For example, you might want to install each ASA in a different building to give them physical separation, in case power fails in one building for an extended time.
In this demonstration, we are going to configure two ASA firewalls in an Active/Standby fashion.
CONFIGURING ACTIVE/STANDBY FAILOVER
The figure below shows the configuration of Active/Standby Failover.
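An Active/Standby bootstrap in ASA CLI form, added here as an illustration and not the configuration from the original figure. The interface numbers, the FOLINK name, the 192.0.2.0/30 link addressing, the 10.0.100.2 standby address, and the key placeholder are assumptions.

```cisco
! --- MOIGETECH-ASA-1 (primary unit) ---
! Dedicated failover/state link (assumed interface); leave it without a nameif
interface GigabitEthernet0/3
 description LAN failover and stateful link
 no shutdown
!
! Data interface: the standby address is what the standby unit uses
! so the peers can monitor each other's interfaces
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! Reuse the same link for stateful connection replication
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Without a key, replicated configuration (including VPN pre-shared keys
! and passwords) crosses the failover link in clear text
failover key <FAILOVER-SHARED-SECRET>
failover
!
! --- MOIGETECH-ASA-2 (secondary unit): bootstrap only ---
! The rest of the configuration is replicated from the active unit
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key <FAILOVER-SHARED-SECRET>
failover
!
! --- Verification (either unit) ---
show failover
show failover state
```

Keep the failover link on its own interface or VLAN, because anything that can reach that segment can see or interfere with state replication.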
ACTIVE/STANDBY FAILOVER VERIFICATION
Currently the MOIGETECH-ASA-1 firewall is the active firewall while the MOIGETECH-ASA-2 is the standby firewall. I am going to change the active firewall by issuing the command no fail active on the active firewall as shown below.
ASA-1 (Switching to Standby)
ASA-2 (Switching to Active)
As you can see from the above diagrams, the two ASA firewalls have been configured as a failover pair. That is to say if one of them (active one) fails, the other one (Standby) takes over immediately. With this deployment, your users will always be able to access the resources that they usually access be it from inside the company or outside using Remote Access or Site-to-Site VPNs.
CONFIGURING A POLICY FOR INSPECTING OSI LAYERS 5–7
In this demonstration we are going to focus on File Transfer Protocol (FTP). The File Transfer Protocol (FTP) is used between clients and servers. Clients can open FTP connections to servers and perform several different file-oriented operations. The ASA offers an FTP application inspector that must sit between the client and server to work properly.
The FTP inspector offers the following functions:
■ Protocol verification: Drop any FTP sessions that do not adhere to the FTP protocol specification and log the URI of all accessed FTP objects. FTP protocol verification is enabled by default and cannot be disabled.
■ Protocol minimization: Allow only specific FTP commands and functions to be passed on to the protected client or server. For example, any FTP connections that use any request commands other than GET could be dropped.
■ Payload minimization: Allow only specific FTP payloads to be delivered to the protected server. For example, an ASA can filter FTP connections according to filenames, file types, server names, and usernames.
■ Application layer signatures: Identify and drop specific FTP payloads.
In our demonstration, we are going to prevent users from issuing unauthorized commands, such as a Delete command, once they are connected to the FTP server at 220.127.116.11 in the DMZ.
AN INTERNET USER CONNECTED TO THE FTP SERVER AT 18.104.22.168
The figure below shows a user already connected to the FTP server which is on the DMZ from the Internet.
BEFORE L5-7 INSPECTION, THE USER CAN DELETE FILES ON THE FTP SERVER.
Before we configure FTP L5 to L7 inspection let us verify that the user can delete files on the FTP server once connected.
FTP INSPECTION APPLIED
The figure below shows the configuration on the ASA firewall showing L5-L7 FTP inspection taking place.
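One way to express this policy in ASA CLI, added here as an illustration and not the configuration from the original figure. The policy-map name FTP-BLOCK-DELE is an assumption, and the example assumes the default global_policy with its inspection_default class is in place.

```cisco
! Layer 7 (application) policy: match the FTP DELE request command,
! which is what a client sends when the user deletes a file,
! then reset the connection and log the event
policy-map type inspect ftp FTP-BLOCK-DELE
 match request-command dele
  reset log
!
! Attach the L7 policy to FTP inspection in the Layer 3/4 policy.
! The existing "inspect ftp" must be removed first; the ASA rejects
! a second inspect of the same type in the same class.
! "strict" enables the protocol-verification checks and is required
! in order to reference an FTP inspection policy map.
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict FTP-BLOCK-DELE
!
! Verification: packet and reset counters for the FTP inspector
show service-policy inspect ftp
```

Because the action includes log, each blocked DELE also produces a syslog message, which gives the SOC a record of who attempted the delete.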
A USER TRIES TO DELETE A FILE
THE USER IS DENIED THE PERMISSION TO DELETE THE FILE AS SHOWN BELOW.
As you can see from the figure above, we have successfully implemented FTP deep protocol inspection.
INSPECTING TRAFFIC ON THE ASA
A Cisco Adaptive Security Appliance (ASA) can maintain the state of connections passing through it in order to provide effective security. Connection state involves parameters such as address translation, connection direction and flow, and limits on the connection itself.
In addition, an ASA must be able to inspect various protocols as they pass through, so that the protocols themselves meet criteria defined in the security policies.
A Cisco ASA offers many robust traffic inspection features that you can leverage to secure a network in a variety of ways. The key to using these features lies in understanding the modular approach to configuring security policies.
In this demonstration, we are going to show you how the Cisco ASA Firewall is able to inspect OSI Layers 3 and 4. We will also look at the ASA inspecting OSI Layers 5–7.
THE NETWORK TOPOLOGY
THE FIREWALL DASHBOARD
INSPECTING OSI LAYERS 3 AND 4
With the MPF, you can configure a class map that identifies a specific type of traffic according to parameters found in OSI Layers 3 and 4, or the IP and UDP packet headers or TCP packet headers, respectively. You can apply that class map to a policy map that can take action on the matching traffic.
In this demonstration we are going to show you how the ASA firewall implements inspection of OSI Layers 3 and Layers 4. In a nutshell, the Cisco ASA Firewall statefully inspects TCP and UDP flows. It does not inspect ICMP by default. In this short demonstration we are going to configure ICMP inspection.
First, we are going to show you that ICMP is not inspected by default, and thus a ping request, even from a higher security level interface like the INSIDE interface with a security level of 100 to the OUTSIDE interface with a security level of 0, will not work. But when I try to access HTTP resources (i.e., a TCP session), it works by default without any further configuration.
BEFORE POLICY APPLICATION.
The figure below shows/verifies that ICMP traffic is not inspected by default and that any pings from any interface will not be allowed.
THE PING (ICMP) FAILING
I am going to initiate a ping from the INSIDE interface which has a higher security level of 100 to the OUTSIDE interface which has a security level of 0. Ordinarily, traffic should be allowed from a higher security level to a low security level if the traffic is statefully inspected. Since ICMP is not statefully inspected by default, the ICMP from 10.0.100.21 to the WEB server on the OUTSIDE interface on 22.214.171.124.
The INSIDE PC can reach its default gateway of 10.0.100.1 as shown below.
A ping to 126.96.36.199 is failing to go through as shown in the figure below.
BUT HTTP TRAFFIC GOES THROUGH SUCCESSFULLY.
As shown in the figure below, HTTP traffic to 188.8.131.52 goes through without any problem on the ASA.
CONFIGURING ICMP INSPECTION
The figure below shows the ASA Firewall configured to allow ICMP inspection.
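The same change in ASA CLI form, added here as an illustration and not the configuration from the original figure. It assumes the default global_policy is still applied; the ACL name OUTSIDE-IN in the commented-out alternative is hypothetical.

```cisco
! Default Modular Policy Framework objects: inspection_default matches
! the default inspection traffic, which includes ICMP
class-map inspection_default
 match default-inspection-traffic
!
! Stateful option: the ASA tracks each echo request as a session and
! admits only the matching echo reply from the lower-security interface
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Stateless alternative, shown for contrast and left commented out:
! it admits any echo-reply from OUTSIDE, solicited or not
!   access-list OUTSIDE-IN extended permit icmp any any echo-reply
!   access-group OUTSIDE-IN in interface OUTSIDE
!
! Verification: the ICMP inspection packet counter should increase
! while the ping from 10.0.100.21 is running
show service-policy inspect icmp
```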
VERIFICATION ON THE COMMAND LINE.
NOW THE PING (ICMP) WORKS FROM 10.0.100.21 (INSIDE INTERFACE) TO 184.108.40.206 (OUTSIDE INTERFACE)