Cisco Support Community

New Member

design issue

Hi Peter,

I am studying a project in which we want to use VPN.

There are 18 sites. 15 of them have few users (at most 5) and 3 of them have more. We chose the following products. Are these products suitable for this project?

There are 50-60 users in total at the remote sites.

At central site: 2611 and VPN, IOS firewall

At 3 site : 1750 VPN

Other 15 sites : 805 VPN

At 3 sites we will use leased lines, and at the other sites we will use analog dial-up.

At 3 site we want use VoIP. All sites will go to internet.

We need only IP, and we will use a terminal server at the central site.


New Member

Re: design issue

Well, I see your biggest problem being that the 1750’s don’t support MGCP (Media Gateway Control Protocol), which is what Call Manager uses to control a standalone gateway. Let’s assume your gateway will be at the central site; the 2600’s and 3600’s will both provide MGCP support in the future. If you plan to have a local gateway at the remote sites, you had better get at least 2600’s and maybe even a 3600 at the central site. They will both handle the VPN, IP, and CBAC (firewall) fine.

Cisco has a good white paper on this. You might want to check it out.

New Member

Re: design issue

A couple of comments and suggestions about this design:

1. Buy a bigger router at the core. Assuming that the core router will also be handling the VoIP and the Internet traffic from that site, you will bring a 2611 to its knees with the processing you are attempting.

2. VoIP on a VPN is very tricky business; unless you are using a private IP backbone (AT&T and MCI offer these with great SLAs), I would avoid VoIP over a VLAN at all costs.

3. Keeping in mind the slow and unpredictable nature of dial-up Internet connections and the overhead generated by encrypting and re-encapsulating packets, you may want to look at DSL or ISDN at your remotes as opposed to standard analog dial.

Now, here is my two cents -

Core site perimeter (internet router)

Cisco 2610

Lock it down

Behind this put a PIX 515R with v5.2 SW and an extra 1 port FE card

Use this as your firewall and a VPN concentrator (3rd interface gives you a DMZ for WWW, mail, etc.)

Behind PIX (on Inside interface) put either

a Cisco 2620 with analog or digital ports (depends on req voice port density and interfaces to your PBX; if you are using Cisco IP Telephony you don't need this router, but remote sites w/ voice should be 2610 or higher)

a Cisco 3640 or 3660 if you need lots of ports (more than 2 T1/PRI worth of voice ports).

Remote sites:

Voice enabled -

1750 is fine if Cisco Call Manager is not the PBX at the core site. (If it is use a 2610)

Non - Voice enabled remote -

Assuming you want to use dial-up (see concerns above), the 805 is OK; for ISDN use an 804, for DSL use a 1605 or 2611 (dual Ethernet ports). All options would need the IP/FW/IPSec feature set.

Final recommendation - Talk to your local Cisco rep and ask for a recommendation of a consulting/integration firm with experience in multiservice WANs and VPN; they can help design a solution that will work and scale.

New Member

Re: design issue

thank you briggs.simon

what you said would be helpful to me.


tetra eng.