
Copyright © 1998 Cisco Systems, Inc. All Rights Reserved.

OVERVIEW

Cisco 1720 VPN Access Router

Flexible, Secure VPN Access for Small and Medium-Sized Businesses and Small Branch Offices

Market Trends

The Internet is fundamentally changing the way companies do business. And the future will bring even more change, driven by rapid changes in networking technology. Companies who are ready for this future stand to gain competitive advantage. In the new world of networking, three key market trends need to be considered when making decisions on network equipment for small and medium-sized businesses and small branch offices: virtual private network (VPN) capability, flexibility, and network device integration.

VPNs—The New World of Networking

Traditionally, companies connect their geographically dispersed sites by leasing private WAN connections from service providers to form a private communications infrastructure. The resulting networks offer guaranteed bandwidth with predictable delay, but the company pays a high price for this bandwidth—regardless of whether they actually use all of it. This scenario leads to an expensive infrastructure, with cost being a function of the specified bandwidth and distance.

Virtual private networks connect geographically dispersed sites and remote users together using shared or public networks—such as the Internet—while providing security, traffic prioritization, management, and reliability as good as that of private networks. By utilizing shared, global networks such as the Internet, VPNs can deliver significantly reduced WAN costs and provide new capabilities such as secure extranet communication among business partners. The main benefits of a VPN solution include:

• Reduced cost—Industry analysts and news media report that VPNs can save recurring WAN costs by 30 to 80 percent (see, for example, Data Communications 9/98, Network World 8/31/98), resulting in equipment payback periods of a few months and returns on investment (ROIs) in the hundreds of percents. For site-to-site connectivity, VPNs leverage the low cost of intranet access over a shared infrastructure. For remote-user access, VPNs save long-distance dialup charges by calling a local number and connecting over a shared infrastructure for the long distance. Further, companies can simplify WAN operations by outsourcing their VPNs to a service provider.

• Extranet communication—VPNs allow business partners and suppliers to communicate easily and securely, and to control access to network resources such as databases.

• Improved connectivity—The Internet provides global reach for connecting sites and remote dial users. Due to the Internet’s global popularity and availability, it is much easier to set up a local Internet connection within a foreign country than it is to get an international private WAN line through the country’s telephone company.

• Better reliability—Using the Internet or any large service provider’s shared network provides automatic redundancy due to ubiquitous routing nodes.


Flexibility

A company’s networking requirements constantly change due to several factors such as growing demand for bandwidth, technological change, and global deregulation of telecommunications. As a company adds users and discovers more ways to use its network, its bandwidth requirements keep increasing. Ethernet local area networks (LANs) need to be future proofed for easy migration to Fast Ethernet technology. And telecommunications industry deregulation is resulting in lower cost for existing WAN technologies such as leased lines, frame relay, Integrated Service Digital Network (ISDN), Switched Multimegabit Data Service (SMDS), and Asynchronous Transfer Mode (ATM), as well as the rapid emergence of new technologies, such as digital subscriber line (DSL). In such a world of constant change, a company needs to protect its investment with flexible network equipment that can adapt.

Network Device Integration

Integration of multiple functions into a single product reduces deployment and management time and costs. Examples of integrated network components include the access router, firewall, high-speed encryption, VPN tunnel server, and data service unit/channel service unit (DSU/CSU) or network termination unit. With integration, deployment costs are reduced because there are fewer devices and cables to install and configure. Because remote configuration, monitoring, and troubleshooting of each of the integrated functions is possible through the access router, on-going support of remote offices from a central site is simplified.

To meet these important market needs beyond typical Internet and intranet access, Cisco Systems has developed the Cisco 1720 VPN Access Router for small- and medium-sized businesses and small branch offices.

Introduction to Cisco 1720 VPN Access Router

The Cisco 1720 router offers the following key components:

• Cisco IOS® software

• One autosensing 10/100 Fast Ethernet port

• Two WAN interface card slots

• One auxiliary (AUX) port (up to 115.2 kbps asynchronous serial)

• One console port

• RISC processor for high-performance encryption

• One internal expansion slot for support of future hardware-assisted services such as encryption (up to T1/E1) and compression

• DRAM memory: 16 MB default, expandable to 48 MB

• Flash memory: 8 MB default, expandable to 16 MB

• Desktop form factor

Figure 1 The Cisco 1720 Router Delivers VPN Access with the Power of Cisco IOS Software, Flexibility, and Network Device Integration

The flexible Cisco 1720 router supports any combination of one or two of the following WAN interface cards:

• WIC-1T: One-port high-speed serial (sync/async)

• WIC-2T: Two-port high-speed serial (sync/async)

• WIC-2A/S: Two-port low-speed serial (sync/async) (up to 128 kbps)

• WIC-1B-S/T: One-port ISDN Basic Rate Interface (BRI) S/T

• WIC-1B-U: One-port ISDN BRI U

• WIC-1DSU-56K4: One-port integrated 56/64-kbps 4-wire DSU/CSU

• WIC-1DSU-T1: One-port integrated T1/Fractional T1 DSU/CSU

These WAN interface cards are shared with the Cisco 1600, 2600, and 3600 routers.

The Cisco 1720 router extends the leadership established by Cisco’s 1600 series routers for small businesses and small branch offices, offering more functionality and flexibility for higher-end applications. In addition to meeting the needs of Internet and intranet access, the Cisco 1720 router offers the following key advantages:

• Virtual private networking with the power of Cisco IOS software

• Flexibility through modular architecture

• Network device integration

Virtual Private Networking Access

VPNs can help companies reap benefits such as dramatically lower WAN costs, improved global connectivity, and better reliability, while enabling capabilities such as secure extranet communications. Remote dial, Internet, intranet, and extranet access can all be consolidated over a single WAN connection to the Internet.


The Power of Cisco IOS Software for VPNs. The industry de facto standard networking software for the Internet and private WANs, Cisco IOS software delivers the most comprehensive set of VPN features on security, quality of service, management, and reliability/scalability. The Cisco 1720 router, with full Cisco IOS support and modular, integrated hardware, is designed for the new world of VPNs. It defines a new class of VPN access routers that enables practical, cost-effective, wide-scale VPN deployment. Consider the following VPN requirements:

Security is crucial for a VPN because the company’s data traverses a shared (untrusted) WAN and the internal network of each office is exposed to this shared WAN. Advanced security features are integrated into Cisco IOS software of the Cisco 1720 router:

• Firewall—The optional Cisco IOS Firewall protects the LAN from attacks. Context-based access control (CBAC) provides dynamic or stateful filtering on a per-application basis, permitting legitimate traffic to enter the LAN only while a session is active. CBAC capability is considered essential for effective firewall functionality. Cisco IOS Firewall also supports other key features such as Java blocking, denial-of-service detection and prevention, audit trail, and real-time alerts.

• Encryption—Optional IP Security Data Encryption Standard (IPSec DES) and Triple DES encryption up to 168-bit key length provides the strongest standards-based encryption to ensure confidentiality, data integrity, and data origin authenticity while traversing a shared WAN.

• Tunneling—Several optional tunneling standards are supported: IPSec, generic routing encapsulation (GRE), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP). L2F and L2TP support allows mobile workers to dial in to a service provider’s local points of presence (POPs), tunnel traffic back to the Cisco 1720, and access resources such as databases residing on the LAN of the router. When the router is used in this way, it is called a home gateway or tunnel server. This setup obviates the need for a separate remote access server (RAS) at the small to medium business and saves on long-distance calling charges. L2TP can also be used to tunnel non-IP traffic for connecting remote offices or users (IPSec tunneling supports only IP traffic).

• Device authentication and key management—Support for Internet Key Exchange (IKE), X.509v3 digital certificate, and Certificate Enrollment Protocol (CEP) with certificate authorities such as Verisign and Entrust ensures device and data authenticity and enables scalability to very large IPSec networks through automated key management.

• VPN client software—Any industry-standard IPSec and L2TP clients will interoperate with Cisco IOS software.

• User Authentication—User authentication provides support for Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), TACACS+, Remote Access Dial-In User Service (RADIUS), and token authentication.

Quality of Service (Traffic Management). For a VPN to provide the highest level of availability and predictability, quality-of-service (QoS) controls are needed with regards to which applications or users have access to how much bandwidth. Time-sensitive or mission-critical applications (for example, Enterprise Resource Planning applications such as PeopleSoft) should get priority over less-critical traffic (for example, push applications such as Pointcast). The Cisco 1720 router supports leadership QoS features such as:

• Committed access rate (CAR) performs three important functions on a per-application or per-user level: 1) Classify traffic type (for example, is it PeopleSoft or Pointcast traffic?); 2) Set the maximum bandwidth allowed for that traffic (also known as “traffic policing” or “rate shaping”—for example, PeopleSoft gets 1.0 Mbps, Pointcast gets 28 kbps); and 3) Prioritize the traffic by giving each traffic type an “IP Precedence number”.

• Policy routing can also classify and prioritize traffic by IP Precedence, but it also directs which type of traffic should go to which interface on the router. However, it does not set the allowed bandwidth like CAR.

• Weighted Fair Queueing (WFQ) provides consistent response time. It schedules low-bandwidth traffic to the front of the queue to reduce response time, and fairly shares the remaining bandwidth among high-bandwidth applications.

• Generic Traffic Shaping (GTS) avoids congestion by controlling and smoothing outbound WAN traffic to a specified bandwidth. This feature is useful when the receiving router on the other edge of the WAN cannot handle the incoming traffic bandwidth.

• Resource Reservation Protocol (RSVP) allows an application to have reserved guaranteed bandwidth throughout the entire WAN, from one end to the other.


Management and Ease of Installation

The Cisco 1720 router supports a range of network management and ease-of-installation tools. Cisco ConfigMaker is a Windows Wizards-based tool designed to configure a small network of Cisco routers, switches, hubs, and other network devices from a single PC. Designed for resellers and network administrators of small to medium-sized businesses, it guides the user through the network design and new device installation process, making the tasks as simple as drawing a network diagram. Cisco ConfigMaker simplifies VPN deployment with support for VPN policy configuration, including the Cisco IOS Firewall feature set, IPSec, Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) Server. (IPSec support will be available in Q1 CY '99.)

CiscoView, a GUI-based device management software application for UNIX platforms, provides dynamic status, statistics, and comprehensive configuration information. In Q1 CY '99, the Cisco 1720 will also support CiscoWorks2000, Cisco's industry-leading Web-based network management suite. Its browser interface simplifies tasks such as managing network inventory and device changes, changing configuration, rapidly deploying new software images, and troubleshooting. For service providers, Cisco Service Management (CSM) provides an extensive suite of service management solutions to enable service providers to quickly plan, provision, monitor, and bill for VPNs.

Reliability and Scalability—Cisco IOS software is the industry accepted standard networking software with proven reliability. Cisco IOS technologies ensure that a VPN can scale reliably to very large networks through support of Internet Key Exchange (IKE) and digital certificates with leading certificate authorities, scalable routing protocols such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (Enhanced IGRP), and reliability services such as Hot Standby Router Protocol (HSRP).


Encryption Performance—The Cisco 1720 router currently supports software-based encryption and will support hardware-based encryption in the future. Powered by a RISC processor, the Cisco 1720 supports IPSec software-based encryption at 512 kbps for 256-byte packets (typical packet size for most networks). (Performance may vary, depending on the encryption algorithm used, network packet sizes, and so on.) An expansion slot on the motherboard of the Cisco 1720 allows for support of future hardware-assisted services such as encryption (up to T1/E1) and compression.

Flexibility

To protect their investment against the constant change in networking requirements, companies need a product that can adapt. The Cisco 1720 router provides the most flexible solution for small/medium businesses and small branch offices.

Modular WAN interface cards—All WAN interfaces on the Cisco 1720 are interchangeable through the two WAN slots. Customers can mix and match whichever WAN interface card combination they want, allowing them to upgrade or change WAN technologies as needed. A wide range of WAN options are available, including dual ISDN BRI, up to five ports for serial aggregation, and integrated DSU/CSUs up to T1 speed.

Shared WAN interface cards with Cisco 1600, 2600, and 3600 routers—Shared WAN interface cards enhance the investment-protection value of the routers and WAN interface cards. When a card is no longer needed in one platform, it can be reused on another platform. Also, customers, resellers, and service providers who keep spare WIC cards can reduce the number of stock-keeping units and inventory.

Autosensing 10/100 Fast Ethernet—The Cisco 1720 has an autosensing 10/100 Fast Ethernet port that allows for easy migration to Fast Ethernet networks. Simply plug in the LAN cable and this port automatically detects whether the LAN speed ought to be 10 or 100 Mbps and automatically negotiates simplex or duplex mode. For offices with 100BaseTX hubs, the autosensing 10/100 port of the Cisco 1720 eliminates the need for a 10/100 bridge.

Performance for emerging broadband technologies—The RISC processor of the Cisco 1720 gives it the performance necessary to support emerging broadband technologies such as digital subscriber line (DSL) in the future. Cisco’s roadmap for future WAN interface cards includes DSL technology.

Network Device Integration

Integrating multiple functions into a single device reduces deployment and management time and costs. The Cisco 1720 router provides all-in-one integration advantages in two ways:

Integrated devices in a single box—The Cisco 1720 is capable of combining multiple functions, including router, firewall, encryption, VPN tunnel server (home gateway), DSU/CSU, and Network Termination 1 (NT1). Benefits include:

• Simplified support and reduced costs because configuration, monitoring, and troubleshooting of each of the integrated functions can be done remotely via the router function

• Simplified VPN configuration: Cisco IOS software support for VPN tunneling such as L2TP is integrated with security features such as IPSec encryption and user authentication

• Fewer devices and cables to install and configure

• Enhanced reliability (fewer components such as power supplies)

• Physical space savings

Integrated Single-Vendor LAN/WAN Solution: Cisco Networked Office Stack—Small- and medium-sized businesses, which typically have little or no network administration resources, benefit from deploying integrated solutions with LAN and WAN components from a single vendor that work together easily and seamlessly. Further, with single-vendor solutions, only a single phone call is necessary when support is needed. The Cisco 1720 router is a member of the Cisco Networked Office (CNO) stack—Cisco’s integrated LAN/WAN solution. Other CNO components include the Cisco 1600 series routers, Cisco IOS Firewall feature set, Cisco 1528 10/100 hub, Cisco 1548 10/100 switch, and Cisco ConfigMaker network configuration tool.

Figure 3 The Cisco 1720 VPN Router is Part of the Cisco Networked Office Stack, Which Includes Autosensing 10/100 Hubs and Switches

Key Features and Benefits

The Cisco 1720 offers industry-leading VPN support, flexibility, and network device integration, with key features listed in Table 1.

Table 1 Key Features and Benefits of Cisco 1720 Series

| Feature | Function/Benefit |
|---|---|
| VPN Support | |
| Full Cisco IOS support, including multiprotocol routing (IP, IPX, AppleTalk, IBM/SNA) and bridging | Industry de facto standard networking software for Internet and private WANs; provides industry’s most robust, scalable, and feature-rich internetworking software support; part of Cisco’s end-to-end network solution |
| Firewall: Cisco IOS Firewall includes CBAC for dynamic firewall filtering, denial-of-service detection and prevention, Java blocking, and real-time alerts | Allows internal users to access the Internet with secure, per-application-based dynamic access control while preventing unauthorized Internet users from accessing the internal LAN |
| Encryption: IPSec ESP DES and Triple DES. Expansion slot for future high-speed hardware-based encryption | Enables creation of VPNs by providing industry-standard data privacy, integrity, and authenticity as data traverses public networks; provides option to upgrade to high-speed hardware-assisted encryption up to T1/E1 when available |
| RISC Processor | Enables software-based encryption performance at 512 kbps for VPNs |
| Device Authentication and Key Management: IKE, X.509v3 digital certificate, support for CEP with certificate authorities (CAs) such as Verisign and Entrust | Ensures proper identity/authenticity of devices and data; enables scalability to very large IPSec networks through automated key management |
| User Authentication: PAP/CHAP, RADIUS, TACACS+, Token | Ensures that the users are who they say they are |
| Tunneling: IPSec, GRE, L2F, L2TP | Choice of standards-based tunneling methods to create VPNs for IP and non-IP traffic; allows any standards-based IPSec or L2TP client to interoperate with Cisco IOS tunneling technologies |
| Management: Manageable via SNMP (CiscoView, CiscoWorks2000), Telnet, and through console port | Allows central monitoring, configuration, and diagnostics for all functions integrated in the Cisco 1720 router, reducing management time and costs |
| Ease of Use and Installation: Cisco ConfigMaker, SETUP configuration utility, AutoInstall, color-coded ports/cables, LED status indicators | Simplifies and reduces deployment time and costs with graphical LAN/VPN policy configurator, command-line context-sensitive configuration questions, and straightforward cabling; LEDs allow quick diagnostics and troubleshooting |
| Network Address Translation and Easy IP | Simplifies deployment and reduces Internet access costs |
| Quality of Service: CAR, Policy Routing, WFQ, GTS, RSVP | Allocates WAN bandwidth to priority applications for improved network performance |
| Reliability and Scalability: Cisco IOS software, dial-on-demand routing; dual bank Flash memory, scalable routing protocols (for example, OSPF and Enhanced IGRP), Hot Standby Router Protocol | Improves network reliability and enables scalability to large networks |
| Flexibility | |
| Modular architecture (WAN card slots) | Enables flexible WAN choices on the Cisco 1720 router, protecting investment |
| WAN interface cards shared with Cisco 1600, 2600, and 3600 routers | Reduced cost of maintaining inventory; lowers training costs for support personnel |
| Autosensing 10/100 Fast Ethernet | Simplifies migration to Fast Ethernet performance in the office |
| Expansion slot on motherboard | Allows expandability to support future services such as hardware-assisted encryption and compression |
| Network Device Integration | |
| Integrated router, firewall, encryption, VPN tunnel server, DSU/CSU, and NT1 in single device | Reduces deployment costs and simplifies management compared to solutions based upon multiple, separate devices |
| Part of Cisco Networked Office stack | Delivers complete, compatible solutions for small office networks |

Software Feature Sets

The Cisco 1720 feature sets share the same feature definitions as the Cisco 1600 series as of Cisco IOS Release 12.0. Thirteen feature sets are available: four Base and nine Plus versions. Starting with Release 12.0, the Base feature sets include some features formerly in Plus: NAT, OSPF, Remote Access Dial-In User Service (RADIUS), and Next Hop Resolution Protocol (NHRP). Plus feature sets contain all the features in their corresponding Base feature set, plus an additional number of value-added features such as L2TP, L2F, Border Gateway Protocol (BGP), IP Multicast, Frame Relay switched virtual circuit (SVC), RSVP, NetWare Link Services Protocol (NLSP), AppleTalk Simple Multicast Routing Protocol (SMRP), and Network Timing Protocol (NTP).

Tables 2 and 3 show the features available in the Cisco 1720 feature sets.

Table 2 Base Feature Sets

| Category | Basic Protocols/Features | IP | IP/IPX | IP Firewall | IP/IPX/AT/IBM |
|---|---|---|---|---|---|
| LAN | Transparent bridging | x | x | x | x |
| | IP | x | x | x | x |
| | IPX, NetBIOS access lists, name caching | | x | | x |
| | AppleTalk phases 1 and 2 | | | | x |
| WAN | Leased lines, Frame Relay, Switched 56, SMDS, HDLC | x | x | x | x |
| | ISDN leased line (IDSL) at 64 and 128 Kbps | x | x | x | x |
| | ISDN caller ID callback | x | x | x | x |
| | PPP, PPP compression | x | x | x | x |
| | Async, SLIP | x | x | x | x |
| | X.25, X.25 PAD, X.25 over ISDN D channel | x | x | x | x |
| | LLC2, LAPB | x | x | x | x |
| IP Routing | RIP, RIP2, IGRP, Enhanced IGRP, OSPF, NHRP | x | x | x | x |
| | IP policy routing | x | x | x | x |
| | GRE tunneling | x | x | x | x |
| Other Routing | IPX-RIP | | x | | x |
| Security | PAP/CHAP, local password | x | x | x | x |
| | Extended access lists; Lock and Key | x | x | x | x |
| | RADIUS, TACACS+, Token | x | x | x | x |
| Quality of Service | Weighted Fair Queueing (WFQ) | x | x | x | x |
| WAN Optimization | Bandwidth on demand, dial on demand | x | x | x | x |
| | IPX and SPX spoofing | | x | | x |
| | Snapshot routing | x | x | x | x |
| | Frame Relay FRF.9 | x | x | x | x |
| Ease of Use and Deployment | ConfigMaker | x | x | x | x |
| | Easy IP (PAT, IPCP, and DHCP server) | x | x | x | x |
| | Network Address Translation (NAT) | x | x | x | x |
| | AutoInstall for leased line & Frame Relay | x | x | x | x |
| Management | SNMP, Telnet, console port | x | x | x | x |
| | CiscoView, CiscoWorks2000 | x | x | x | x |
| | Simple Network Timing Protocol (SNTP) | x | x | x | x |

Note: AppleTalk routing and bridging are not supported for asynchronous interfaces. CiscoWorks2000 support will be available in Q1 CY ’99.

Table 3 Plus Feature Sets - Additional Features

| Category | Plus Protocols/Features | IP Plus | IP Plus 40 | IP Plus IPSec 56 | IP Plus IPSec 3DES | IP FW Plus IPSec 56 | IP FW Plus IPSec 3DES | IP/IPX FW Plus | IP/IPX/AT/IBM FW Plus IPSec 56 | IP/IPX/AT/IBM FW Plus IPSec 3DES |
|---|---|---|---|---|---|---|---|---|---|---|
| WAN | Frame Relay SVC | x | x | x | x | x | x | x | x | x |
| IP Routing | BGP | x | x | x | x | x | x | x | x | x |
| Other Routing | NetWare Link Services Protocol | | | | | | | x | x | x |
| | AppleTalk AURP, ATIP | | | | | | | | x | x |
| VPN/Security | IPSec DES | | | x | x | x | x | | x | x |
| | IPSec Triple DES | | | | x | | x | | | x |
| | Cisco Encryption Technology: 40-bit | | x | x | x | x | x | | x | x |
| | Cisco Encryption Technology: 56-bit | | | x | x | x | x | | x | x |
| VPN/Tunnels | L2TP, L2F | x | x | x | x | x | x | x | x | x |
| Quality of Service | Resource Reservation Protocol (RSVP) | x | x | x | x | x | x | x | x | x |
| | Random Early Detection (RED) | x | x | x | x | x | x | x | x | x |
| | Cisco Express Forwarding (CEF)* | x | x | x | x | x | x | x | x | x |
| | Committed access rate (CAR)* | x | x | x | x | x | x | x | x | x |
| | NetFlow* | x | x | x | x | x | x | x | x | x |
| | RTP Header Compression (RTP-HC) | x | x | x | x | x | x | x | x | x |
| Multimedia | IP Multicast (Protocol Independent Multicast or PIM) | x | x | x | x | x | x | x | x | x |
| | AppleTalk SMRP (Multicast) | | | | | | | | x | x |
| Management | Network Timing Protocol (NTP) | x | x | x | x | x | x | x | x | x |

Note: FW above denotes Cisco IOS Firewall. Encryption is offered in special encryption feature sets (Plus 40, Plus IPSec 56, and Plus IPSec 3DES). *CAR, CEF, and NetFlow supported with Cisco IOS Release 12.0(3)T and up. To build an IP VPN, the recommended images are IP Firewall Plus IPSec 56 or IP Firewall Plus IPSec 3DES.

Applications

The Cisco 1720 router extends the leadership capabilities of the Cisco 1600 series for small/medium businesses and small branch offices. In addition to the flexible, secure Internet/intranet access solutions provided by the Cisco 1600 routers, the Cisco 1720 is also ideal for the application examples that follow.

Figure 4 Access/Intranet/Extranet VPNs for Small/Medium Businesses

[Figure 4 labels: SMB A Small Main Office (Access VPN Home Gateway); SMB A Small Branch; SMB A Mobile Workers; SMB B Supplier or Customer; Cisco 1720 with Firewall; CNO Hubs and Switches; Internet; Encrypted tunnels]

Figure 4 illustrates VPN applications for two small- and medium-sized businesses (SMB A and SMB B). SMB A has a main office and a branch office, connected via a secure VPN tunnel. SMB B is a strategic customer or supplier with a secure extranet connection to SMB A. The VPN applications here include:

• Intranet VPN (branch-to-branch connectivity)—Instead of a long-distance private leased line between SMB A’s main office and the branch office, each office subscribes to a local Internet access line and an encrypted IPSec tunnel carries the traffic over the Internet for long distance. IPSec DES or Triple DES provides data confidentiality, authenticity, and integrity while Cisco IOS Firewall, integrated into the Cisco 1720 router, prevents unauthorized access or attack to each office’s LAN. Traffic is prioritized using QoS features such as policy routing or committed access rate to ensure that mission-critical applications get the highest network bandwidth. Cisco ConfigMaker simplifies VPN configuration for a small/medium network with a Graphical User Interface (GUI)-based tool that configures basic router parameters as well as Cisco IOS Firewall and IPSec encryption policies. IPSec configuration is simplified to a few simple steps by using standard defaults established by Cisco ConfigMaker such as tunnel mode, ESP-HMAC-MD5 (a popular IPSec transform), and preshared key for IKE policy—secure VPN tunnels can be quickly established by specifying the choice of encryption algorithm (DES or Triple DES), preshared key password, and IP addresses of destination routers. (IPSec configuration support will be available in Cisco ConfigMaker in Q1 CY ’99.)

• Access VPN (mobile-user remote access)—SMB A’s mobile users or teleworkers/telecommuters can dial into a local Internet POP and tunnel the long-distance traffic back to the company LAN via the Internet or a service provider’s shared backbone. This scenario leads to cost savings by avoiding long-distance dial charges. Access VPN tunnels can be implemented as client-initiated or network access server (NAS)-initiated. For client-initiated tunneling, a standard IPSec or L2TP client on the mobile user’s PC initiates a tunnel between the PC and the Cisco 1720 router. The router serves as a home gateway (also called VPN tunnel server or L2TP network server) to terminate the tunnel. For NAS-initiated tunneling, when a user dials into a NAS at a local POP, the service provider authenticates the user to the company and initiates an L2TP tunnel from the NAS to the Cisco 1720 home gateway. The user is then authenticated based on a security server; the tunnel is terminated; and the user is authorized to access resources on the LAN based on policies established for him or her.

• Extranet VPN (business partner connectivity)—SMBs A and B reduce business process cycle time (for example, for billing, order fulfillment, or joint design projects) and strengthen their business relationship as strategic customers, suppliers, or partners who can access certain resources on each other’s network. The technology for establishing extranet VPNs is similar to that for establishing intranet VPNs. A Cisco IOS Firewall integrated in each site’s Cisco 1720 router is configured with custom firewall policy to allow access to resources on a per-application and per-interface basis.

• Integrated LAN/WAN stackable solution—At each of the sites, the Cisco 1720 router combines with Cisco 1500 series 10/100 Fast Ethernet hubs and switches, providing a complete, integrated LAN/WAN solution from a single vendor. Cisco ConfigMaker provides a common network configuration tool with step-by-step guidance through LAN and WAN network design, addressing, and configuration. If vendor support is needed, a phone call to a single vendor reduces management time and costs.

Figure 5 Hybrid Private/Virtual Private Network

Figure 5 shows a multinational corporation with headquarters in Frankfurt. Its WAN was initially established in Europe, with private leased lines connecting headquarters to branch offices. This company now migrates some of its sites to a VPN, starting with its international sites such as Tokyo, Singapore, and Sydney to save on international WAN costs and to reduce the complexity of leasing lines from foreign telecom companies. They may either outsource the entire VPN implementation to a global service provider, sending traffic over the provider’s shared IP backbone, or implement on their own by subscribing to a local Internet access line at each site and configuring IPSec tunnels over the Internet.

Cisco IOS software provides an end-to-end solution across this hybrid of private and virtual private networks. The small branch offices in Singapore and Sydney each use a Cisco 1720 router with an integrated Cisco IOS Firewall. The larger branch office in Tokyo uses a Cisco 2600 router. All routers connected to the VPN have encrypted IPSec tunnels set up to each other.
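As an added illustration (not part of the Cisco data sheet and not ConfigMaker output), the following Cisco IOS configuration sketches one end of a site-to-site tunnel using the defaults named earlier for the intranet VPN: tunnel mode, an ESP transform with HMAC-MD5, and a preshared key for IKE. The addresses, the names VPN-SET and BRANCH-VPN, the Serial0 WAN interface, and the key placeholder are assumptions chosen for the example; the Triple DES keywords assume an IPSec 3DES feature set.

```cisco
! Constructed example: all addresses are documentation/private ranges,
! and <PRESHARED-KEY> is a placeholder to be replaced on both routers.
!
! IKE policy: authenticate the peer with a preshared key
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
!
! Preshared key bound to the remote router's WAN address
crypto isakmp key <PRESHARED-KEY> address 198.51.100.2
!
! IPSec transform: ESP with Triple DES and HMAC-MD5
! (tunnel mode is the default for a transform set)
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
! Traffic to protect: local LAN to remote LAN only
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map ties peer, transform and protected traffic together
crypto map BRANCH-VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 match address 101
!
! Apply the crypto map to the WAN interface facing the Internet
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map BRANCH-VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0
```

The remote router mirrors this configuration with the peer address and the access list source and destination swapped. With an IPSec 56 feature set, `des` and `esp-des` take the place of `3des` and `esp-3des`.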

Remote access for mobile users is also migrated to a VPN. An employee traveling worldwide can dial into a local POP and an IPSec tunnel is established from his or her PC to the Cisco PIX Firewall at the Frankfurt headquarters. Long-distance dial charges are avoided because traffic is carried via the Internet or service provider’s shared backbone. The PIX Firewall is ideal for larger enterprise sites with requirements for high-bandwidth encryption, most advanced security features, and fail-over capabilities.

As this company gets more experience with VPNs, it migrates more and more sites from its private WAN to VPN, ensuring a smooth transition.

Figure 6 Small Branch Office Access

Figure 6 illustrates that the Cisco 1720 router is ideal for providing Internet and intranet access for small branch offices of a corporation—with the most flexibility and investment protection of any router in its class. The autosensing 10/100 Fast Ethernet provides the flexibility of easy migration to Fast Ethernet LANs. The two WAN interface card slots provide maximum flexibility in choosing WAN services for current use as well as flexibility to change services later. The RISC processor and expansion slot for future hardware-assisted services such as encryption or compression provide the flexibility to accommodate future plans such as VPNs.

The Cisco 1720 router, installed with two ISDN BRI WAN interface cards, provides an ideal solution for branch offices where ISDN service is inexpensive. Using Multilink PPP, the four B channels can be “bonded” to support up to 256 kbps. Or, one BRI can be provisioned as the primary WAN while the other serves as a backup. The second BRI can be configured to be brought up on demand when bandwidth requirements spike. The Cisco 1720 supports numerous features to optimize the use of bandwidth, including dial on demand; bandwidth on demand; snapshot routing; OSPF on-demand circuit routing; header, link, and payload compression; and filtering and spoofing.

Using CiscoView and CiscoWorks2000 management applications, administrators at central sites can locally manage both the Cisco central site router and the remote-site Cisco 1720 routers, thereby reducing administrative, deployment, and installation time and costs.

Product Positioning

The Cisco 1720 router is an extension to the Cisco 1600 series, providing more functionality at a higher price point for small- and medium-sized businesses and small branch offices. In addition to the functionality of the Cisco 1600 series, the Cisco 1720 router offers higher-speed encryption for VPNs, autosensing 10/100 Fast Ethernet, more flexibility with an additional WAN interface card slot, more serial interfaces, and additional performance for emerging broadband WAN technologies.

Compared to the Cisco 1600 series, the Cisco 1720 router is particularly suitable for environments and applications such as:

• VPN deployment either now or within the next two years, with requirements for encryption speeds between 128 kbps and T1/E1 (the Cisco 1720 can encrypt at 512 kbps using software-based encryption now, and at T1/E1 using a future hardware-based encryption card inserted on the motherboard)

• Fast Ethernet LAN

• Fast-growing or -changing environments that benefit from the flexibility of an additional WAN interface card slot

• Offices or applications that benefit from a higher number of serial interfaces (up to five, including AUX port), for example, retail/point of sale (POS) or small bank branch offices

• Dual ISDN BRI connections

• Compression at speeds greater than 128 kbps

• Asymmetric digital subscriber line (ADSL) in the future (when an ADSL WAN interface card becomes available), thus requiring higher performance to take advantage of ADSL bandwidth

Figure 7 Key Enhanced Capabilities of Cisco 1720 Compared to Cisco 1600 Routers

| | Cisco 1600 Series | Cisco 1720 |
|---|---|---|
| Positioning | Flexible, Secure Internet/Intranet Access Router | Flexible, Secure VPN Access Router |
| IPSec DES Encryption Speed (Software-Based, 256-Byte Packets) | 128 kbps | 512 kbps |
| IPSec DES Encryption Speed (Hardware-Based, 256-Byte Packets) | Not available | 2.0 Mbps (when hardware encryption card is available) |
| Encryption Support | DES | DES, Triple DES |
| Internal Expansion Slot for Future High-Speed Hardware-Based Encryption | No | Yes |
| LAN | Ethernet | Autosensing 10/100 Fast Ethernet |
| WAN | One fixed WAN port plus one WAN interface card slot | Two WAN interface card slots |

WAN Interface Cards Supported WIC-1T, WIC-1B-S/T, WIC-1B-U, WIC-1DSU-56K4,

| | Cisco 1600 Series | Cisco 1720 |
|---|---|---|
| Positioning | Flexible, Secure Internet/Intranet Access Router | Flexible, Secure VPN Access Router |
| Maximum WAN Interfaces Supported | Serial (sync/async): two; ISDN BRI: one (plus one serial) | Serial (sync/async): five (including one AUX port); ISDN BRI: two |
| Support for Dual ISDN BRI | No | Yes |
| AUX Port (Async up to 115.2 kbps) | No | Yes |
| Maximum DRAM Memory | 24 MB | 48 MB |

Figure 8 Cisco 1720 Product Positioning and Key Product Characteristics

Figure 8 illustrates the product positioning along with key product characteristics.

Cisco 700

• Lowest acquisition cost

• ISDN teleworker

• One fixed WAN

• Simple to install

Cisco 1600

• Flexible, secure Internet access

• Desktop

• Entry-level modularity: one fixed WAN plus one WAN interface card slot

Cisco 1720

• VPN router

• Desktop

• Two WAN interface card slots

• 10/100 BaseT

• RISC processor

• Expansion slot for future HW encryption

Cisco 2500

• Industry standard data router

• Rackmount

• Enterprise S/W features

• 16 fixed-configuration models

Cisco 2600

• Data, Voice and Dial

• Rackmount

• Enterprise S/W features

• Two WAN interface card slots plus one NM slot

• AIM expansion slot

• RISC processor

Market segments shown in the figure: Small Office/Professional Office; Small and Medium-Sized Business and Small Branch Office; Enterprise Branch Office

Orderability and Availability

The Cisco 1720 router is orderable now and is shipping to all countries.

Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Connection Online Web site at http://www.cisco.com.

Argentina • Australia • Austria • Belgium • Brazil • Canada • Chile • China PRC • Colombia • Costa Rica • Czech Republic • Denmark • England • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Russia • Saudi Arabia • Scotland • Singapore

Corporate Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

European Headquarters

Cisco Systems Europe s.a.r.l. Parc Evolic, Batiment L1/L2 16 Avenue du Quebec Villebon, BP 706 91961 Courtaboeuf Cedex France http://www-europe.cisco.com Tel: 33 1 6918 61 00 Fax: 33 1 6928 83 26

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883

Asia Headquarters

Nihon Cisco Systems K.K. Fuji Building, 9th Floor 3-2-3 Marunouchi Chiyoda-ku, Tokyo 100 Japan http://www.cisco.com Tel: 81 3 5219 6250 Fax: 81 3 5219 6001
