Cisco Integrated Services Routers

These new Services Routers bring together IP telephony, intrusion protection and data for a highly integrated router, all managed from the easy-to-use Security Device Manager.

December 3, 2004


Voice Test

In testing the 3845, I focused on the promise of converged voice and data with on-board packet voice DSP (Digital Signal Processing) modules. The unit didn't let me down.

To replicate various central and branch-office setups, I connected the 3845 and the 2821 over Gigabit, 100Base-T, and simulated T1 and T3 links. Then I generated random HTTP and FTP traffic between the routers, using 5 percent to 10 percent of the available bandwidth.

With Spirent's Abacus 5000 Call Generator, Simulator and Analysis Tool for Convergence, I simulated up to 180 simultaneous calls (three to four calls per second). I rated call quality with the PSQM (Perceptual Speech Quality Measurement) and MOS (Mean Opinion Score) tests.

With the help of the Abacus software (version 2.6), I ran 15-minute tests simulating channels or calls using H.323 circuits, with a G.711 u-law codec using 64 to 80 Kbps per call. Each 30- to 60-second call passed artificial voice records based on the ITU-T P.861 standard. I received path confirmation for each successful call.

With both ICG3 cards connected to the 3845 router simulating calls at the central office, the router didn't break a sweat, taking a mere 30 percent CPU utilization. Call quality was excellent, with a PSQM score of 0 (the range is 0 to 6.5, with 0 the highest and 4 intelligible) and an MOS of 4.6 (on a scale of 1 to 5, with 5 being the highest).

The same scores were achieved when I connected one ICG3 to the 3845 and the other to the 2821 and turned on the Shunra Storm for network emulation. At 100-Mbps and T3 speeds, there was still plenty of overhead to handle up to 180 simultaneous calls, with more than four calls per second.

Shrink the Pipes

Things got more interesting when I simulated a T1 at 1,544 Kbps. As the pipe got smaller, I needed to reduce the number of simultaneous calls from 180 to 24, and then to 20. With TCP overhead, bandwidth per call ranged from 64 to 80 Kbps. When the T1 link was saturated with calls and other traffic, call quality was reduced to minimal levels. Dropping to 20 calls gave me good PSQM and MOS scores.

The quality of the calls improved more when I applied QoS from the GUI. I launched Cisco's SDM 2.0 over SSL using Internet Explorer with Java 1.4.2 support. Once SDM was up, I selected the appropriate WAN interface to apply QoS with the help of a wizard. QoS consists of a low-latency queuing service for traffic classes, including real time (voice, video, signaling), critical applications (transactional, management, routing) and best effort (e-mail, HTTP). I took the default.

Good

• Integrated digital signal processing
• GUI configuration manager and monitor for interfaces and integrated services
• Support for existing WICs, VICs and network modules

Bad

• IOS command line still required for many tasks

Cisco Integrated Services Routers, 2821 starts at $3,895; 3845 starts at $9,500. Cisco Systems, (800) 553-6387, (408) 526-4000. www.cisco.com

Build the Wall

From the SDM interface, I selected firewall and ACL (access-control list) tasks. Using a firewall wizard, I set defined rules to allow local network users access to the Internet and protect the private network from common attacks. A drop-down list made it easy to build ACL rules to scrutinize originating or returning traffic.

I saved the running config to the PC using SDM. Under additional tasks from the SDM menu, I adjusted the date and time, set up NTP (Network Time Protocol) service, turned on logging to a syslog server, and set SNMP strings and a host name to receive traps. There are tools for setting user IDs and for reserving a RADIUS or TACACS+ server to authenticate and authorize access to the router.

In SDM, I also created DHCP pools and associated them with interfaces. In addition, I nailed our lab DNS information and configured an IPS (intrusion-prevention system) from the GUI. For more on my security tests, see "New Routers Provide Build-In Security".

Call Manager Express

The engineers who accompanied the routers walked me through the initial configuration for the CME system using an automated setup tool. Manual setup from the command line is an option using the "ephone-dn" configuration for users and groups.

Cisco Router and Security Device Manager

CME gave me an easy call-processing app that delivered PBX functionality. I plugged both analog and IP phones into the routers and watched them register with CME. Read an in-depth look at Cisco telephony.

The 3800 Series routers continue support for existing WICs (WAN Interface Cards), VICs, and network modules like the CUE AIM (Advanced Integration Module) and NAM. CUE's voicemail network module comes with a GUI to set up users, voice mailboxes, voicemail features (like call-forward busy and hunt), and an auto-attendant. There is also a GUI script editor that provides a visual programming environment to create auto-attendant scripts.

The NAM traffic analyzer lived up to its name when I had trouble setting up the Abacus 5000. At one point, the ICG3 call generators were communicating on the network but not with each other, so I used NAM to capture packets and decode them to get call-setup information. With that information, I identified the proper route between the call generators to originate and terminate calls, as well as monitor the traffic flows in real time.

The Cisco 2821 and 3845 ISRs aren't bargain-basement routers. On the street (Cnet), prices start at $2,900 and $8,966, respectively. But if you need to converge voice, video and data or expand a Call Manager environment to a branch office without a conventional PBX, check out these units. You can add network modules and reduce the number of appliances in the data center.

Sean Doherty is a technology editor and lawyer based at our Syracuse University Real-World Labs®. Write to him at [email protected].

For security testing on the Cisco 2821 and 3845 routers, I built a firewall using the firewall wizard. I marked local interfaces as "trusted," and the wizard applied access rules to deny inbound spoofing traffic and traffic sourced from broadcast and local loopback addresses. I marked interfaces connected to the Internet as "untrusted." For untrusted interfaces, the wizard checked for unicast reverse path forwarding and permitted inbound VPN, ICMP and NTP traffic. Then it denied spoofing traffic and traffic sourced from broadcast, local loopback and private addresses. Once the wizard finished, it copied 95 commands to the router, and I had a default firewall in place.
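The source checks described for the untrusted interface, modeled as an added Python example (not code from the review and not the configuration SDM generates). The routing table, interface names and addresses are constructed; the point it shows is that reverse path forwarding and the source-address denies catch different packets.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Names are hypothetical.
ROUTES = [
    ("0.0.0.0/0", "wan0"),
    ("192.168.10.0/24", "lan0"),
    ("192.168.20.0/24", "lan1"),
]

# Source ranges the review says are denied inbound on an untrusted interface.
DENY_SOURCES = {
    "broadcast source": ["255.255.255.255/32"],
    "loopback source": ["127.0.0.0/8"],
    "private source": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


def best_route(addr):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def check_untrusted_inbound(src, in_ifc="wan0"):
    """Return (action, reason) for a packet arriving on the untrusted side."""
    addr = ipaddress.ip_address(src)
    # Strict reverse-path check: the route back to the source must leave
    # through the interface the packet arrived on.
    if best_route(addr) != in_ifc:
        return "deny", "uRPF failure"
    # Sources that pass the reverse-path check via the default route
    # still have to clear the explicit source-address denies.
    for reason, nets in DENY_SOURCES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return "deny", reason
    return "permit", "source checks passed"


if __name__ == "__main__":
    for src in ("192.168.10.5", "10.1.1.1", "127.0.0.1", "198.51.100.7"):
        print(src, check_untrusted_inbound(src))
```

A packet claiming an inside LAN address fails the reverse-path check, while `10.1.1.1` passes it through the default route and is stopped only by the private-source deny.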

I also configured an IPS (intrusion-prevention system) from the GUI. I enabled interfaces for inbound and outbound inspection using default packet signatures at the click of a mouse. I set up IPS on the untrusted interface facing the real world and enabled fragment-checking. Once done, 82 packet signatures were added to a list of inspection tasks. They all focused on "attack" and "code execution"--for example, statd automount attack and DNS SIG overflow.

Although the IPS recognized many of the packets I generated from NMAP, there's more to security than packet signatures. To review other possible security concerns, SDM also supplies an audit tool that checks and identifies common security problems, such as minimum password lengths, TCP synwait time and IP redirects. I reviewed the problems along with their recommended solutions and, with one click, implemented them.
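The three audit items named above can also be checked against a saved running config offline. This is an added Python example, not SDM's audit logic; the thresholds and the sample config are assumptions constructed for illustration.

```python
import re

MIN_PASSWORD_LEN = 6  # assumed policy value
MAX_SYNWAIT = 10      # assumed policy value, in seconds

# Constructed running-config excerpt (not taken from the review).
SAMPLE_CONFIG = """\
hostname lab-3845
security passwords min-length 4
!
interface GigabitEthernet0/0
 description untrusted WAN
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description trusted LAN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
!
end
"""


def global_value(config, command):
    """Return the integer argument of a global command, or None if absent."""
    m = re.search(rf"^{re.escape(command)} (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None


def audit(config):
    """Return (check, current value, remediation commands) per finding."""
    findings = []
    length = global_value(config, "security passwords min-length")
    if length is None or length < MIN_PASSWORD_LEN:
        findings.append(("password-min-length", length,
                         [f"security passwords min-length {MIN_PASSWORD_LEN}"]))
    synwait = global_value(config, "ip tcp synwait-time")
    # Absent means the IOS default applies, which exceeds the policy value.
    if synwait is None or synwait > MAX_SYNWAIT:
        findings.append(("tcp-synwait-time", synwait,
                         [f"ip tcp synwait-time {MAX_SYNWAIT}"]))
    # An interface block is its header plus the indented lines that follow.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        # ICMP redirects stay enabled unless the block disables them.
        if not re.search(r"^ no ip redirects\s*$", body, re.M):
            findings.append((f"ip-redirects:{name}", "enabled",
                             [f"interface {name}", " no ip redirects"]))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the short password minimum, the unset synwait time and the WAN interface that still sends redirects, each paired with the commands that would close the finding.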
