Cisco Virtual Office Deployment Guide

Scope of Document

This deployment guide provides detailed information on configuring the Cisco® Virtual Office headend components. It also presents the end-user provisioning process performed to deploy new routers in a Cisco Virtual Office network.
Please refer to the Cisco Virtual Office overview (http://www.cisco.com/go/cvo) for more information about the solution, its architecture, and all of its components.
Introduction

Cisco® Virtual Office is an end-to-end solution that provides an office-caliber end-user experience for employees working outside the traditional office environment, such as teleworkers or employees in a branch office. Integrating voice, video, wireless, and real-time data, Cisco Virtual Office offers the advantage of deployment with no need for administrator intervention, simplifying management and allowing rapid scaling. This document describes how to set up and configure Cisco Virtual Office using ArcanaNetworks ManageExpress Virtual Office (MEVO).
This document assumes a working knowledge of Cisco Virtual Office concepts. For more information and details about specific components of Cisco Virtual Office, please visit http://www.cisco.com/go/cvo.

Cisco Virtual Office Architecture

Figure 1 shows the basic Cisco Virtual Office architecture.

Figure 1. Cisco Virtual Office Architecture

Components on the corporate network or hub side include:

• VPN headend router serving as the VPN termination point

• Certificate authority (CA) server to issue certificates for both remote and headend routers

• Secure device provisioning (SDP) server for provisioning the remote routers

• Authentication, authorization, and accounting (AAA) server for device and user authentication: Typically a Cisco Secure Access Control Server (ACS)

• ArcanaNetworks MEVO on a Microsoft Windows 2003 or 2008 server for Cisco Virtual Office management and provisioning

Typical deployments on the remote side include:

• Cisco Virtual Office router: Typically a Cisco Integrated Services Router (ISR) or Cisco Integrated Services Routers Generation 2 (ISR G2)

• IP phone if voice is required

• Laptop computer for connecting to the corporate network; provided by the end user or employer

In a typical production environment, at least two headend devices for failover are recommended on the corporate network side. One hub hosts the SDP server. A CA server, which can also be configured on one of the headends, is also required. This document assumes that the CA and SDP servers are on the same VPN headend router, although they can be on a separate router (the SDP server must be on a router that runs Cisco IOS® Software).
On the remote-end side, a Cisco 880 Series ISR, Cisco 890 Series ISR, Cisco 1900 Series ISR, or Cisco 2900 Series ISR (the platform is determined by the number of hosts that need to connect) is needed, with an optional IP phone depending on the needs of the customer.

Zero-Touch Deployment

One differentiating feature Cisco Virtual Office offers is zero-touch deployment. Initial setup of multiple home offices, remote offices, and branch offices is often a challenge. Cisco Virtual Office avoids complete equipment upgrades and eliminates the need for preconfigured routers. In addition, the remote router can be provisioned and configured securely with minimal, nontechnical user intervention.
The setup begins at the corporate network, where a user account, User1 for example, is created on MEVO. When that user is approved for Cisco Virtual Office, the configuration for User1's router gets created automatically and stored in the MEVO database. The setup steps for provisioning at the corporate site end here; the rest of the provisioning and deployment occurs at the remote location.
At the remote location, the spoke router is shipped to the office or branch office with a default configuration from manufacturing that allows the router to get an IP address from DHCP. The spoke router is then connected to an ISP device through its WAN interface to obtain Internet connectivity. A laptop is connected behind the spoke router through one of its LAN interfaces. Using the laptop connected to the remote router, the end user (or perhaps an admin in the case of a branch deployment), User1, navigates to the provisioning URL provided by the admin, which connects to the SDP server. User1 authenticates via a username and password prompt from the browser. The credentials are passed to the ACS, which checks whether User1 is authorized to use and provision Cisco Virtual Office. If User1 is allowed to proceed with provisioning, the SDP router will find the configuration associated with User1 on MEVO and push it out to the remote router. After a few minutes, the remote router will get the full configuration and will be able to establish a DMVPN tunnel to the corporate headquarters or data center.
The remaining portion of this document focuses on the configuration of the CA and SDP servers, VPN headend router, and ArcanaNetworks MEVO. Using this document, you should be able to fully configure the CA and SDP servers, VPN headend router, and ArcanaNetworks MEVO and deploy a remote router using the factory default configuration. Cisco Secure ACS policy configuration and the spoke router feature configuration are beyond the scope of this document.

Platforms and Images

For a complete list of supported and recommended platforms and images, please refer to the "Cisco Virtual Office Supported Hardware and Software" at http://www.cisco.com/go/cvo.

MEVO Requirements

ArcanaNetworks MEVO must be installed on Microsoft Windows Server 2003 or 2008. (See the ArcanaNetworks MEVO installation guide for full ArcanaNetworks MEVO requirements. The ArcanaNetworks MEVO installation guide can be found on the ArcanaNetworks MEVO account page at http://www.arcananetworks.com/.)

Setting Up Cisco Virtual Office

The following sections describe how to configure the management components, in the following order:

• Headend configuration

– CA server

– SDP server

– DMVPN headend

• ArcanaNetworks MEVO

Headend Configuration

This section presents the configurations for the headend components of Cisco Virtual Office for the CA server, SDP server, and DMVPN.
The configurations in this section can be copied and pasted from the document to the headend routers after variables specific to each setup are replaced in the configurations. The variables appear here in the format $variable_name$. (ArcanaNetworks MEVO uses this same variable-naming convention.)
Note the values for variables set in the configuration templates here; you will need to enter them later in the ArcanaNetworks MEVO configuration.
These configurations assume that the CA and SDP servers are configured on the same router that is used as the DMVPN headend. If separate CA and SDP servers are being configured on a different router, simply paste the relevant configurations for the CA and SDP servers into the corresponding router.

CA and SDP Server Configuration

The CA and SDP server configurations shown here allow the remote user to begin the Cisco Virtual Office provisioning process to securely establish a VPN tunnel to the hub routers. The CA and SDP server templates themselves come with ArcanaNetworks MEVO and do not need to be configured by the administrator. These configurations should be manually copied and pasted onto the CA and SDP server router; the CA and SDP router is not managed by ArcanaNetworks MEVO.
1. Configure the certificate server.
!!! Configure HTTP server required for Simple Certificate Enrollment Protocol (SCEP)
ip http server
ip http port $ca_http_port$ !! e.g. ip http port 8000
!!! Configure PKI server
crypto pki server cvo-cs
database level complete
database archive pkcs12 password $ca_password$
!! e.g. database archive pkcs12 password mypassword123
issuer-name cn=cvo-cs,ou=cvo
auto-rollover
no shut
2. Configure the AAA server for user authentication.
!!! Configure radius group
aaa new-model
aaa group server radius acs
server-private $radius_server$ auth-port $auth_port$ acct-port $acct_port$ key $radius_key$
!! e.g. server-private 10.1.1.2 auth-port 1812 acct-port 1813 key mykey123
!!! Configure AAA lists
aaa authentication login sdp-acs group acs
aaa authorization network sdp-acs group acs
3. Configure the SDP server.
!!! Configure HTTPS server for SDP
ip http authentication aaa
ip http secure-server
!!! OpsXML server info
ip host OpsXML $OPSXML_ADDRESS$
!! e.g. ip host OpsXML 10.1.1.3
!!! Configure SDP Registrar
crypto provisioning registrar
pki-server cvo-cs
!!! Get the spoke config from MEVO
!!! The $n in $n_Bootstrap.cfg below refers to the username for the user/device associated with the config. e.g. user johndoe would have config johndoe_Bootstrap.cfg associated with him.
template username <username> password 0 <password>
!!! template username/password are the administrator credentials on the MEVO server;
!! e.g. template username Administrator password 0 mypassword123
!!! AAA lists
authentication list sdp-acs
authorization list sdp-acs
!!! Custom SDP templates
template http welcome http://OpsXML/mevo/sdp/2-sdp_welcome.html
template http completion http://OpsXML/mevo/sdp/4-sdp_completion.html
template http introduction http://OpsXML/mevo/sdp/3-sdp_introduction.html
template http start http://OpsXML/mevo/sdp/1-sdp_start.html
!!! SDP templates come with MEVO by default and are displayed to end-users when they are doing the SDP process

DMVPN Configuration

The DMVPN configuration for the hub router shown here must be copied and pasted onto the headend router manually; the headend router is not managed by ArcanaNetworks MEVO.
1. Configure the AAA server for device authorization (PKI-AAA, optional).
aaa new-model
!!! Configure radius group
aaa group server radius acs
server-private $pkiaaa_server$ auth-port $pkiaaa_auth_port$ acct-port $pkiaaa_acct_port$ key $pkiaaa_key$
!! e.g. server-private 10.1.1.2 auth-port 1812 acct-port 1813 key mykey123
!!! Configure AAA list for PKI-AAA
aaa authorization network pkiaaa group acs
!!! PKI-AAA adds security to the PKI infrastructure by validating certificates using ACS
2. Configure public key infrastructure (PKI) trustpoint for Internet Security Association and Key Management Protocol (ISAKMP) authentication (if being used).
!!! PKI server info
ip host cvo-cs $SDP_ADDRESS$ !! e.g. ip host cvo-cs 10.2.2.1
!!! Create a trustpoint for PKI
crypto pki trustpoint cvo-pki
enrollment url http://cvo-cs:$ca_http_port$
!! e.g. enrollment url http://cvo-cs:8000
serial-number
ip-address none
password none
revocation-check crl
auto-enroll 75
authorization list pkiaaa
3. Authenticate and enroll the certificate.
crypto pki authenticate cvo-pki
!!! Type YES if prompted to accept the certificate
crypto pki enroll cvo-pki
4. Configure cryptography policies.
!!! ISAKMP
crypto isakmp policy 1
encr $isakmp_encr$ !! e.g. encr aes 256
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 30
!!! IPSec
crypto ipsec transform-set t1 $ipsec_encr$ $ipsec_hash$
!! e.g. crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
mode transport require
crypto ipsec profile cvo-profile
set transform-set t1
5. Enable the DMVPN server.
!!! Enable multicast
ip multicast-routing !! on ASR only, use: ip multicast-routing distributed
!!! DMVPN tunnel
interface Tunnel0
bandwidth $bandwidth$ !! e.g. bandwidth 2000
ip address $pgw_tunnel_address$ $tunnel_subnet$
!! e.g. ip address 192.168.99.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip nhrp authentication $nhrp_auth_key$ !! e.g. ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id $nhrp_network_id$ !! e.g. ip nhrp network-id 12345
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp $eigrp_as$ !! e.g. no ip split-horizon eigrp 99
delay $delay$ !! e.g. delay 1000
qos pre-classify
tunnel source <OUTSIDE_INTERFACE_NAME> !! e.g. tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key $tunnel_key$ !! e.g. tunnel key 12345
tunnel protection ipsec profile cvo-profile
6. Enable routing.
!!! EIGRP for DMVPN
router eigrp $eigrp_as$ !! e.g. router eigrp 99
no auto-summary
network $pgw_tunnel_address$ 0.0.0.0 !! e.g. network 192.168.99.1 0.0.0.0
!!! Route Redistribution Example
ip access-list standard no_split_in
permit 0.0.0.0
route-map no_split_in permit 10
match ip address no_split_in
router eigrp $eigrp_as$ !! e.g. router eigrp 99
redistribute static route-map no_split_in
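
The headend templates above are meant to be pasted only after every $variable_name$ has been replaced, and the same values are entered into ArcanaNetworks MEVO later. The following Python sketch is an added example, not part of the original guide or of MEVO: it lists the variables a template uses, substitutes the values, and reports tokens left unset, values containing control characters, and secrets still set to one of this guide's "e.g." sample values. The function names, SECRET_VARS, and the values marked as constructed are assumptions made for illustration.

```python
import re

# Excerpt of the headend templates in this guide (indentation added for readability).
TEMPLATE = """\
ip http port $ca_http_port$
crypto pki server cvo-cs
 database archive pkcs12 password $ca_password$
aaa group server radius acs
 server-private $radius_server$ auth-port $auth_port$ acct-port $acct_port$ key $radius_key$
interface Tunnel0
 ip nhrp authentication $nhrp_auth_key$
 tunnel source <OUTSIDE_INTERFACE_NAME>
 tunnel key $tunnel_key$
"""

# $name$ is the variable format used by the templates; <NAME> is the other
# placeholder style the guide uses. A lone "$n" (as in $n_Bootstrap.cfg) has no
# closing "$", so it does not match and is left untouched.
TOKEN = re.compile(r"\$([A-Za-z_]\w*)\$|<([A-Za-z_]\w*)>")

# Sample secrets printed in this guide's "e.g." comments.
DOC_SAMPLE_SECRETS = {"mypassword123", "mykey123", "cisco123"}
# Variables that hold secrets (assumption: chosen by reading the templates).
SECRET_VARS = {"ca_password", "radius_key", "pkiaaa_key", "nhrp_auth_key"}

# Constructed values for the demonstration.
GOOD_VALUES = {
    "ca_http_port": "8000",
    "ca_password": "Arch-7Qm2-constructed",
    "radius_server": "10.1.1.2",
    "auth_port": "1812",
    "acct_port": "1813",
    "radius_key": "Rk7-constructed",
    "nhrp_auth_key": "Nh7rP2xq",
    "OUTSIDE_INTERFACE_NAME": "FastEthernet0",
    "tunnel_key": "12345",
}
# Same sheet with typical mistakes: guide samples kept, a trailing newline
# pasted into a key, and two values never filled in.
BAD_VALUES = dict(GOOD_VALUES, ca_password="mypassword123",
                  radius_key="Rk7-constructed\n", nhrp_auth_key="cisco123")
del BAD_VALUES["OUTSIDE_INTERFACE_NAME"], BAD_VALUES["tunnel_key"]


def variables_used(template):
    """Variable names in order of first use: the worksheet to carry into MEVO."""
    names = []
    for match in TOKEN.finditer(template):
        name = match.group(1) or match.group(2)
        if name not in names:
            names.append(name)
    return names


def render(template, values):
    """Return (config_text, findings); paste only when findings is empty."""
    findings = []

    def substitute(match):
        name = match.group(1) or match.group(2)
        value = values.get(name)
        if value is None or str(value) == "":
            findings.append(f"{match.group(0)}: no value supplied")
            return match.group(0)
        value = str(value)
        # A newline or other control character would split or alter the command.
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
            findings.append(f"{name}: value contains a control character")
            return match.group(0)
        if name in SECRET_VARS and value in DOC_SAMPLE_SECRETS:
            findings.append(f"{name}: still set to a sample value from this guide")
        return value

    return TOKEN.sub(substitute, template), findings


if __name__ == "__main__":
    print("worksheet:", ", ".join(variables_used(TEMPLATE)))
    for label, sheet in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        _, problems = render(TEMPLATE, sheet)
        print(label, "->", problems or "ready to paste")
```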

ArcanaNetworks MEVO Configuration

ArcanaNetworks MEVO automatically generates configurations for the remote end devices and pushes configuration updates and Cisco IOS Software image upgrades.
Four roles are available in ArcanaNetworks MEVO:

Administrator: This role configures and maintains ArcanaNetworks MEVO. This role may also manage users and ArcanaNetworks MEVO accounts. If the Administrator requests Cisco Virtual Office service on behalf of the user, a manager approval is not required.

End user: This role includes teleworkers, mobile workers, and individuals working at remote and branch offices. In the case of a branch-office deployment, the end user also may be the technician who configures the branch router for the office.

Manager or approver: This role approves or declines a user's request for Cisco Virtual Office in the typical Cisco Virtual Office deployment workflow.

Requestor: This role requests Cisco Virtual Office service on behalf of the end user, but does not have ArcanaNetworks MEVO administrator privileges. This role is optional; end users can request their own services if corporate policies permit.

Figure 2 shows the typical ArcanaNetworks MEVO workflow with Cisco Virtual Office.

Figure 2. Typical ArcanaNetworks MEVO Workflow with Cisco Virtual Office

An option to remove the end user from the approval process is also available. In this scenario, either the administrator or the requestor requests Cisco Virtual Office service on behalf of the end user, eliminating the need for users to log into ArcanaNetworks MEVO to request Cisco Virtual Office. The steps after the request for Cisco Virtual Office are the same. If a requestor places the request, a manager or approver must still approve the Cisco Virtual Office request before the user can provision the router.
The following sections describe the best practices for setting up ArcanaNetworks MEVO for Cisco Virtual Office. All steps in the workflow shown in Figure 2 are covered; however, how a user obtains a router will differ depending on the customer.
Please refer to the ArcanaNetworks MEVO installation guide for instructions on installing ArcanaNetworks MEVO and to the ArcanaNetworks MEVO user guide for more detailed explanations of ArcanaNetworks MEVO components and functions. Both the ArcanaNetworks MEVO installation guide and user guide can be downloaded from the ArcanaNetworks MEVO account page at http://www.arcananetworks.com/ (after login).

Administrator Tasks: Configuring ArcanaNetworks MEVO

This section describes the tasks needed to configure a newly installed instance of ArcanaNetworks MEVO for Cisco Virtual Office. Many of the administrator tasks need to be performed only once. After the initial configuration, the administrator needs to do little except manage user accounts, assuming that the network addressing does not change.

Step 1: Logging In for the First Time

1. Open a browser and enter http://<ip-address-or-domain-name>/mevo to access the ArcanaNetworks MEVO GUI (Figure 3). (For example, enter http://cvoarcana.cisco.com/mevo).

Figure 3. MEVO GUI initial login screen.

2. Log in using the default credentials (username and password: mevoadmin and mevoadmin). Change the default password to a new password if this is the first time ArcanaNetworks MEVO is being used (Figure 4).

Figure 4. Log in with username: mevoadmin and password: mevoadmin as default. Change the default password upon login.

Step 2: Configuring ArcanaNetworks MEVO - Subnet Blocks

1. Choose Configuration > Subnet Blocks > Add to add a subnet block (Figure 5).

Figure 5. Add a subnet block.

2. Click Add to configure a LAN subnet on the spoke routers. This LAN subnet should be network-routable and assigned uniquely to the Cisco Virtual Office spoke routers.
In the Name field, enter the name of the subnet. This name should be uniquely defined. This name will be used as a key to be associated with a user class as discussed later in this document.
In the Network Address field, enter the starting network address of your LAN subnet. Select the subnet for this network from the Subnet drop-down menu. The range of IP addresses in the Network Address and Subnet fields will be automatically divided and assigned sequentially to each spoke. The size of the individual subnet is configured in the LAN Subnet Mask drop-down menu.
Enter any excluded IP addresses in the Exclude Start IP Address or Exclude End IP Address field and click Add to add them to the Exclude IP Address List. Click Delete to remove IP addresses from the Exclude IP Address List. Click Ok when you are finished (Figure 6).

Figure 6. Enter naming and IP addressing details to add a subnet.

3. Enter the values for the guest network (Figure 7):

a. Guest IP Address: Enter the guest VLAN IP address for the spoke router.

b. Guest Subnet Mask: Enter the guest VLAN subnet mask for the spoke router.

Note: The guest VLAN information is the same for all spokes. Guest traffic will be sent to the Internet using Network Address Translation (NAT).

Figure 7. Enter IP addressing for guest VLAN.
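
The subnet block described in this step is divided into equal per-spoke LANs that are handed out in order. The following Python sketch is an added example, not MEVO's own code: it shows how many spokes a block can serve and checks that the guest VLAN and tunnel networks do not overlap the block, which follows from the requirement that spoke LANs be unique and routable. It assumes that a spoke LAN touching any excluded address is skipped whole; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress


def spoke_lans(network_address, subnet_mask, lan_subnet_mask, excluded=()):
    """Divide the block into per-spoke LANs, in order, skipping excluded ranges.

    network_address / subnet_mask: the Network Address and Subnet fields.
    lan_subnet_mask: the LAN Subnet Mask field (size of each spoke LAN).
    excluded: (start_ip, end_ip) pairs from the Exclude IP Address List.
    """
    # Strict parsing: raises ValueError if the address has host bits set.
    block = ipaddress.ip_network(f"{network_address}/{subnet_mask}")
    lan_prefix = ipaddress.ip_network(f"0.0.0.0/{lan_subnet_mask}").prefixlen
    if lan_prefix < block.prefixlen:
        raise ValueError("LAN Subnet Mask describes a network larger than the block")
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
              for lo, hi in excluded]
    lans = []
    for lan in block.subnets(new_prefix=lan_prefix):
        # Assumption: a LAN that contains any excluded address is not assigned.
        if any(lo <= lan.broadcast_address and lan.network_address <= hi
               for lo, hi in ranges):
            continue
        lans.append(lan)
    return lans


def overlapping(block, other_networks):
    """Names of networks (guest VLAN, DMVPN tunnel, ...) that overlap the block."""
    block = ipaddress.ip_network(block)
    return [name for name, net in other_networks.items()
            if block.overlaps(ipaddress.ip_network(net))]


if __name__ == "__main__":
    # Constructed plan: a /24 block cut into /28 spoke LANs, with
    # 10.20.0.16 to 10.20.0.40 already in use elsewhere.
    lans = spoke_lans("10.20.0.0", "255.255.255.0", "255.255.255.240",
                      excluded=[("10.20.0.16", "10.20.0.40")])
    print(f"{len(lans)} spokes can be provisioned; first three:",
          ", ".join(str(lan) for lan in lans[:3]))
    # 192.168.99.0/24 is the tunnel network from the headend example above;
    # the guest VLAN value is constructed.
    print("overlaps:", overlapping("10.20.0.0/24", {
        "guest VLAN": "192.168.20.0/24",
        "DMVPN tunnel": "192.168.99.0/24",
    }) or "none")
```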

Step 3: Configuring ArcanaNetworks MEVO - Headend

1. Click Headend and enter Device Type, Management IP, and Outside IP values for the SDP server (Figure 8).

Device Type: For informational purposes only

Management IP: IP address accessible from ArcanaNetworks MEVO

Outside IP: IP address accessible from the Internet; end users will start the SDP process using this address.

Figure 8. Enter device type and IP addresses for SDP server.

2. Click the icon in the Passwords field and enter the access credentials to allow Secure Shell (SSH) Protocol access to the SDP server (Figure 9).

Figure 9. Enter access credentials for the SDP server.

3. Click the icon in the Variables field and enter the information as listed here. Click Ok when you are finished (Figure 10).

a. Certificate Authority HTTP Port: HTTP port used for SCEP for certificate enrollment

b. Certification Authority Archive Password: PKI server archive password; used locally on the SDP server only

c. RADIUS IP Address: IP address of the RADIUS server; used for user authentication at the start of SDP processing

d. RADIUS Ports: RADIUS port pair for authentication and accounting

e. RADIUS Server Key: Shared secret as configured on the RADIUS server

Figure 10. Enter SDP Registrar Variables for the SDP server.

4. At the bottom right of the screen, click Save Changes. ArcanaNetworks MEVO will then try to use SSH or Telnet to reach the router. The resulting status will not affect provisioning (Figure 11).

Figure 11. ArcanaNetworks MEVO tries to reach the router after the SDP server is added. Status will show "Passed" if the test is successful.

5. Click Add to add a new DMVPN cloud. Leave the Group Suffix field empty for the first cloud (Figure 12).

Figure 12. Add a new DMVPN Cloud.

6. Enter Device Type, Management IP, and Outside IP values for the primary and secondary data gateways. If you do not need the secondary gateway, select it and click Delete (Figure 13).

Figure 13. Enter device type and IP addresses for DMVPN Gateway(s).

7. For the DMVPN Cloud, click the icon in the Variables field and enter the information as listed here. These variables should match the configuration on the DMVPN hub (Figure 14).

a. Tunnel Network Address: DMVPN multipoint generic routing encapsulation (mGRE) tunnel network address; these addresses will be passed to the spoke routers

b. Tunnel Subnet Mask: DMVPN mGRE tunnel subnet mask

c. ISAKMP Encryption, IPsec Encryption, IPsec Hash Algorithm, and Diffie-Hellman Group: Cryptographic policies; these policies should match on hubs and spokes

d. EIGRP AS: Autonomous system (AS) number for Enhanced Interior Gateway Routing Protocol (EIGRP); this protocol is the preferred routing protocol for DMVPN

e. Tunnel Bandwidth and Tunnel Delay: Parameters used by EIGRP for routing metrics

f. Tunnel Key: DMVPN mGRE tunnel key; this value should match on hubs and spokes

g. Enable Secondary Gateway: Check the box if a secondary gateway is used

h. NHRP Network ID, Authentication Password, and Holdtime: Next-Hop Resolution Protocol (NHRP) parameters; the authentication password should match on hubs and spokes

When you are done, click Ok to save the settings.

Figure 14. Enter and save variables for the DMVPN cloud.

8. For Primary (and Secondary) Data Gateway, click the icon in the Variables field and enter the DMVPN mGRE tunnel IP addresses for each hub. Click Ok when done (Figure 15).

Figure 15. Enter the Primary Data Gateway tunnel IP address.

9. Add a PKI-AAA server (optional).

a. Click Add and select PKI-AAA Server in the Role drop-down menu (optional).

Leave the Group Suffix field empty for the first PKI-AAA server (Figure 16).

Figure 16. Add a new PKI-AAA Server

b. Select the Device Type (Cisco Access Control Server) and Management IP for the PKI-AAA server (Figure 17).

Figure 17. Enter device type and IP address for the PKI-AAA server.

c. Click the icon in the Passwords field and enter the access credentials to allow Secure Shell (SSH) Protocol access to the PKI-AAA server. Click Ok when done (Figure 18).

Figure 18. Enter access credentials for the PKI-AAA server.

d. Click the icon in the Variables field. Select the Server Ports from the drop-down menu, and enter the Server Key. Click Ok when done (Figure 19).

Figure 19. Enter PKI-AAA server variables.

10. Click Save Changes to save the settings of the headend.

Note: Status will not affect provisioning, but an Offline status generally means ArcanaNetworks MEVO cannot communicate with the headend, SDP server, or PKI-AAA server.

Step 4: Configuring ArcanaNetworks MEVO - Remote-End Variables

1. Click Remote End and enter the information as listed here (Figure 20).

a. Management User, Management Password, and Enable Secret: Local access credentials on spoke routers

b. Domain Name and DNS IP Address: Domain information; enter the domain name in this format: <domain>.com

c. Enable External SSH Access, SSH Network Address, and SSH Inverse Subnet Mask: Check the box if SSH access to WAN interface of spoke routers is allowed; a permit statement will be added to the WAN (firewall) access control list (ACL) in this format: permit tcp $ssh_network_address$ $ssh_inverse_subnet$ any eq 22

d. Wireless SSID: Service Set Identifier (SSID) for corporate access when an autonomous access point is used

e. Call Manager TFTP Server: Cisco Unified Communications Manager Trivial File Transfer Protocol (TFTP) server address; used in Dynamic Host Configuration Protocol (DHCP) pool

f. Time Zone, Enable Daylight Savings Time, and NTP IP Address: Time settings

Figure 20. Enter Remote End variables.
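
The SSH Inverse Subnet Mask field in item c feeds directly into the permit statement on the WAN ACL, so a subnet mask typed in place of an inverse mask changes which sources can reach SSH on every spoke. The following Python sketch is an added example, not part of the original guide or of MEVO: it validates the two fields, builds the permit line in the format shown in item c, and shows which sources each mask matches. The function names, the /16 width limit (a hypothetical policy), and the documentation-range addresses are assumptions.

```python
import ipaddress

FULL = 0xFFFFFFFF


def acl_matches(source, address, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored in the compare."""
    s, a, w = (int(ipaddress.IPv4Address(x)) for x in (source, address, wildcard))
    return ((s ^ a) & ~w & FULL) == 0


def ssh_permit(network_address, inverse_mask, widest_prefix=16):
    """Return (acl_line, problem); exactly one of the two is None.

    widest_prefix is a hypothetical local policy: sources wider than this
    prefix length are refused rather than written into the WAN ACL.
    """
    w = int(ipaddress.IPv4Address(inverse_mask))
    if (w & (w + 1)) != 0:  # not of the form 0...01...1
        flipped = w ^ FULL
        if (flipped & (flipped + 1)) == 0:
            return None, (f"{inverse_mask} is a subnet mask; "
                          f"the inverse mask is {ipaddress.IPv4Address(flipped)}")
        return None, f"{inverse_mask} is not a contiguous inverse mask"
    prefix = 32 - w.bit_length()
    if prefix < widest_prefix:
        return None, f"/{prefix} source is wider than the /{widest_prefix} limit"
    try:
        net = ipaddress.ip_network(f"{network_address}/{prefix}")
    except ValueError:
        return None, f"{network_address} is not the network address of a /{prefix}"
    return f"permit tcp {net.network_address} {net.hostmask} any eq 22", None


if __name__ == "__main__":
    # Constructed inputs: 198.51.100.0/24 stands in for the management network.
    for addr, mask in (("198.51.100.0", "0.0.0.255"),
                       ("198.51.100.0", "255.255.255.0"),
                       ("0.0.0.0", "255.255.255.255"),
                       ("198.51.100.7", "0.0.0.255")):
        print(addr, mask, "->", ssh_permit(addr, mask))
    # What the mistaken mask would match if it reached the ACL unchanged:
    # an unrelated network's .0 address matches, a real management host does not.
    for src in ("198.51.100.7", "203.0.113.0"):
        print(src,
              "correct mask:", acl_matches(src, "198.51.100.0", "0.0.0.255"),
              "subnet mask by mistake:", acl_matches(src, "198.51.100.0", "255.255.255.0"))
```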

Step 5: Configuring ArcanaNetworks MEVO - Templates Selection

1. Click Templates. Choose the router type and select the templates for the deployment (Figure 21).

a. Filter by Router Type: Router type used in this deployment

b. Recommended minimum set of templates: Base, EEM, Firewall, DMVPN, QoS, and Configuration

Figure 21. Select templates to be deployed to remote routers.

c. (Optional) Edit a template by selecting the icon in the Edit field. Make any changes necessary to the template; then click Ok to save and close the template (Figure 22).

Figure 22. Edit an individual template by selecting the Edit icon next to the template.

2. Click Save to confirm the settings (Figure 23).

Figure 23. Verify list of template changes before clicking Save.

Step 6: Configuring ArcanaNetworks MEVO - Email

1. Click Email and for the Simple Mail Transfer Protocol (SMTP) server, enter the hostname or IP address and the sender email address. These settings will be used to send email messages that are automatically generated by ArcanaNetworks MEVO; e.g., during the provisioning workflow (Figure 24).

Figure 24. Configure email settings.

Administrator Tasks: User Classes and Users

ArcanaNetworks MEVO uses the concept of user classes, allowing easy management of users with different configurations. There must be at least one user class, and each user can belong to one and only one class.
User classes are typically defined based on network architecture needs. A common example may be a customer with employees divided between the East Coast and West Coast of the United States. In this case, the administrator may want to define two user classes, one for East Coast users and one for West Coast users, because the two groups may want to connect to different headends, etc. Another common example is a customer with employees who are using both Cisco 881 and 891 ISRs. In this case, the administrator may define two user classes, one for Cisco 881 ISR users and one for Cisco 891 ISR users, because the configurations on each type of platform may be slightly different. If no separation of users is required, all users can belong to a single user class.
Because each user must belong to a user class, you must create a user class before you create users. Users are subsequently added to user classes upon creation.

Note: Users in this section do not include administrators, requestors, or managers. Administrators, requestors, and managers can be added at any time.

Step 1: Adding User Classes

1. Click the Accounts tab in the left column and then click the User Class tab (Figure 25).

Figure 25. Navigate to the User Class tab from Accounts.

2. Click Add to create a new user class (Figure 26).

a. In the Class Name field, create a label for the user class.

b. From the Device Type drop-down list, choose the devices this user class will use. Only one platform type is allowed per user class.

c. Select the LAN pool from which IP addresses for this user class should be selected.

d. When you are done, click Ok. (Alternatively, enter variable values as necessary; see Step 3 for detailed instructions.)

Figure 26. Enter details to add a new User Class.

3. (Optional) To add variables for user classes, click the Add Variable button. Variable names are global across user classes, but variable values are local to each user group (Figure 27).

Note: The order of Step 2 (adding user classes) and Step 3 (adding variables) is interchangeable. If Step 3 is completed before Step 2, you will see the added variable names when adding a new user class. Variable values are locally significant to each user class.

a. On the Variables screen, click Add to create a new variable.

Figure 27. Add a new variable.

b. Enter the information as listed here according to the variable required. The screen images that follow are examples only (Figure 28).

• Type: Select the textbox, combo box, or checkbox for the variable format.

• Label: Enter a descriptive label for the variable.

• Variable Name: Enter the variable name. This name will appear as $variable_name$ in the configuration templates.

• Display as Password: Select this checkbox if the variable added is a password variable. The value entered will be displayed as *** to prevent others from seeing the value in plaintext.

• Required: Select this checkbox if this variable is required in the configuration.

• Validators: Select the string, number, IP address, subnet, or inverse subnet for format validation.

• Min Length or Min Value: Enter the minimum length or value that a valid variable should be. This field appears only if the variable is a string or number.

• Max Length or Max Value: Enter the maximum length or value that a valid variable should be. This field appears only if the variable is a string or number.

Figure 28. Two examples of Add Variable details for text boxes.

4. Click Save to save the added variable (Figure 29).

Figure 29. Save the new added variable.

5. For each user class, click the icon in the Variables field to enter variable values specific to the user class (Figure 30).

Figure 30. Enter values specific for each user class by clicking the Variables icon next to the class.

6. Click Save to save the values for each user class (Figure 31).

Figure 31. Save values for each user class.

After at least one user class has been created, users can be created and added.

Adding Users with CSV Import (Recommended)

1. Click the Accounts tab in the left column and then click the Users tab. Click the icon in the Details field to change the ArcanaNetworks MEVO Administrator password and email address if desired (Figure 32).

Figure 32. Change the default ArcanaNetworks MEVO admin credentials.

2. Create a comma-separated value (CSV) file either manually or with a script. To download and modify a sample, choose Import Users > Download Sample CSV. An example of a CSV file is shown here (Figure 33).

Figure 33. CSV file of users to import into ArcanaNetworks MEVO.

3. Click Import Users and choose CSV; then import the CSV file you created in Step 2. When you are finished, click Ok (Figure 34).

Figure 34. Import an existing CSV file of users.

4. Verify the information and modify it if necessary. When you are finished, click Ok (Figure 35).

Figure 35. Verify imported users.

The users are imported (Figure 36).

Figure 36. List of imported users in ArcanaNetworks MEVO.

Adding Users Manually

1. To add a user manually, click Create User at the bottom of the screen and enter the required information. When you are finished, click Ok (Figure 37).

Figure 37. Add a user manually and enter user details.

Note: Whether you create users manually or by importing CSV files, you should select all users and click Reset Password. This step will send an email message to each user and allow the users to enter their own passwords (Figure 38).

Figure 38. Allow users to reset their own passwords.

User Tasks: Requesting Cisco Virtual Office

This section presents the steps the end user should take to request Cisco Virtual Office service.
1. Open a web browser, type the same URL that you entered when you first logged in (http://<ip-address-or-domain-name>/mevo), and log in with the user credentials.
2. Enter the ISP information: Broadband, Addressing Scheme, and Upload Speed settings. If you do not know your Upload Speed, pick your best estimate. Click Send Request to submit your request (Figure 39).

Note: Upload Speed is used to adjust the quality-of-service (QoS) settings on the spoke router.

Figure 39. Enter end-user ISP information.

An autogenerated email message will be sent to the user's manager, who will approve or decline the request.

Requestor Tasks (Optional): Requesting Cisco Virtual Office

This section describes the tasks the requestor performs to request Cisco Virtual Office on behalf of a user.
1. Open a web browser, type the same URL as you entered when you first logged in (http://<ip-address-or-domain-name>/mevo), and log in with the requestor credentials. The requestor will see a list of users for whom he or she can request Cisco Virtual Office (Figure 40).

Figure 40. Request Cisco Virtual Office for users as a Requestor.

2. Select the users and click New Request (Figure 41).

Figure 41. Create a New Request for selected user(s).

3. Enter the ISP information: the Broadband, Addressing Scheme, and Upload Speed settings for the user. The requestor should pick the average Upload Speed all users will have if adding more than one user at a time. Click Submit Request to submit the request (Figure 42).

Note: Upload Speed is used to adjust the QoS settings on the spoke router.

Figure 42. Enter ISP information for end users.

4. (Optional) Modify requests by clicking the icon in the Modify field. Make the necessary changes and click the Modify button when you are done (Figure 43).

Figure 43. Modify requests using the Modify icon next to each user.

An autogenerated email message will be sent to the users' managers, who will approve or decline the request.

Administrator Tasks (Optional): Requesting Cisco Virtual Office

This section describes the tasks the administrator performs to request Cisco Virtual Office on behalf of a user.
1. Open a web browser, type the same URL as you entered when you first logged in (http://<ip-address-or-domain-name>/mevo), and log in with the admin credentials.
2. Go to the Accounts tab and select the Users tab. The admin will see the list of all users.
3. Select the user(s) that need Cisco Virtual Office and click New Request (Figure 44).

Figure 44. Create a New Request as Administrator.

4. Enter the ISP information: the Broadband, Addressing Scheme, and Upload Speed settings for the user. The admin should pick the average Upload Speed all users will have if adding more than one user at a time. Click Submit Request to submit the request (Figure 45).

Note: Upload Speed is used to adjust the QoS settings on the spoke router.

Figure 45. Enter ISP information for end users.

Manager or Approver Tasks: Approving or Declining a User Request

This section describes the tasks the manager or approver performs to approve or decline a pending request from a user. After a request is approved, ArcanaNetworks MEVO will generate the configuration for that device and user.
1. Open a web browser, enter the same URL that you entered when you first logged in (http://<ip-address-or-domain-name>/mevo), and log in with the manager credentials.
2. Select the requests and click either Approve or Decline (Figure 46).

Figure 46. Approve or Decline a user's request for Cisco Virtual Office.

End-User Provisioning

This section describes the SDP process from the end user's perspective and shows what needs to be done after the user receives the router at the remote location. Typically, the end user will receive a router with factory-default settings, instructions for setup, and an email message for accessing the provisioning page (described in more detail in the steps that follow). In the case of a branch office or clinic, this process would most likely be performed by a technician or administrator at that site.
The steps presented here assume that an Internet connection is available with DHCP. Variations such as connection through DSL or a static IP address are also possible with a few modifications, but the basic steps performed by the end user remain the same.
1. Set up the router according to Figure 47.

Figure 47. Router setup.

Routers ordered with the Cisco Virtual Office option come with a factory-default configuration that has DHCP enabled on the WAN side. After connecting according to the setup, you should have Internet connection through your PC.

2. After the configuration is generated on ArcanaNetworks MEVO, you will get an email message similar to the one shown in Figure 48 with a link to start the SDP process. Click the link to continue.

Figure 48. Sample email with link to start the SDP process for Cisco Virtual Office.

3. Enter the appropriate AAA credentials when the pop-up screen asks for user credentials (Figure 49).

Figure 49. User enters the appropriate AAA credentials to verify identity before the SDP process can start.

4. Click Next on the welcome screen to begin provisioning the router (Figure 50).

Figure 50. Welcome screen for Cisco Virtual Office's zero-touch router provisioning. User clicks "Next" button to begin.

5. ArcanaNetworks MEVO will connect to the router to begin configuration (Figure 51).

Figure 51. ArcanaNetworks MEVO connects to the router to begin configuration.

6. Enter the username cisco and the password cisco if you are asked for the router login credentials.

The configuration will be downloaded automatically to the router (Figure 52).

Figure 52. Router configuration pushed automatically.

When the process is finished, the router is fully configured with access to the corporate network (Figure 53).

Figure 53. Once the router configuration push is complete, the user will be able to connect to the corporate network.
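Step 6 relies on the router's factory-default login (username cisco, password cisco). The following added example, which is not part of the original guide or of ArcanaNetworks MEVO, audits a saved running-config for local accounts that should not survive provisioning. It assumes local accounts appear as IOS username lines and that your policy is to remove the default account; the sample config and the function name are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the guide; the hash is a dummy).
SAMPLE_CONFIG = """\
hostname cvo-spoke-01
username cisco privilege 15 password 0 cisco
username jdoe privilege 1 secret 5 $1$CONSTRUCTED$0000000000000000000000
username backup password 7 0000000000
line vty 0 4
 login local
"""

# username <name> [privilege <n>] {password|secret} [<enc-type>] <value>
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+\d+)?"
    r"\s+(?P<kind>password|secret)\s+(?:(?P<enc>\d+)\s+)?(?P<value>\S+)$"
)


def audit_local_users(config_text, default_name="cisco"):
    """Return sorted (username, issue) findings for local accounts."""
    findings = set()
    for line in config_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        # A missing encryption type means the value is stored as typed (type 0).
        name, kind, enc = m["name"], m["kind"], m["enc"] or "0"
        if name == default_name:
            findings.add((name, "factory-default account still present"))
        if enc == "0":
            findings.add((name, "cleartext credential in config"))
            if m["value"] == name:
                findings.add((name, "password equals username"))
        elif kind == "password" and enc == "7":
            findings.add((name, "type 7 encoding is reversible"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit_local_users(SAMPLE_CONFIG):
        print(f"{user}: {issue}")
```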

Appendix

Updating the Configuration

After a router is deployed and connected, the administrator can use the steps shown here to add a new configuration template to ArcanaNetworks MEVO and then push the configuration to the remote Cisco Virtual Office routers.

Step 1: Add a New Configuration Template to ArcanaNetworks MEVO

Note: If you are only modifying an existing configuration template, go to Step 2 and make the changes (skip Steps 1 and 3).

1. Create a new configuration in a text file and save it.
2. Log into ArcanaNetworks MEVO and choose Configuration > Templates.
3. Click the Add button at the lower right and enter or select the information as listed here. When you are finished, click Ok (Figure A1).

a. Type: Choose the type of configuration to be added: Authproxy, DMVPN, Dot1x, EEM, Base, Other, or Firewall. If you choose Other, provide a name for the configuration.

b. Apply on Module: Select this option if the configuration is to go on a module within the router (for example, wireless configurations on the Cisco 881 ISR will need Apply on Module selected).

c. Device Type: Choose the device platform on which the configuration is to be used. If the configuration is the same for all device types, choose Universal.

d. Post SDP: Select the checkbox if the configuration is to be pushed after SDP is completed. In most cases, this option does not need to be selected.

e. Template File: To upload the configuration file you created, click the Browse button and choose the file.

Figure A1. Add a template.

Step 2: Apply the Configuration Update to Deployed Routers

1. On the Device tab, select the devices that require a configuration update.
2. Choose Apply Templates and then click Go (Figure A2).

Note: Currently, only devices that are online can be updated.

Figure A2. Apply template.

3. Select the configuration templates to be applied; then click Next.

Note: Base Configuration and EEM Configuration cannot be changed after provisioning.

4. To apply the configuration update immediately, select Start Immediately, or to select the date and time to apply the update, select Schedule. Click Next to complete the update or schedule (Figure A3).

Figure A3. Schedule time for template push.

Updating the Image

This section describes how the administrator can add Cisco IOS Software router images to ArcanaNetworks MEVO and push the images to connected remote routers.

Step 1: Add a New Image to ArcanaNetworks MEVO

1. Log into ArcanaNetworks MEVO, choose Configuration > IOS Images, and click Add.
2. Browse to select the image file to be added, enter the image version, and select the device type. RAM, Flash, and Description are optional (Figure A4).

Figure A4. Add a new image to ArcanaNetworks MEVO.

3. When you are done, click Ok to finish adding the image (Figure A5).

Figure A5. New IOS image added to ArcanaNetworks.

Step 2: Apply the Image Update to Deployed Routers

1. Under the Device tab in ArcanaNetworks MEVO, select the devices that require an image update.
2. At the bottom right, select IOS Upgrade and then click Go.

If ArcanaNetworks MEVO asks for an inventory run, continue to Step 3; otherwise, skip to Step 4.

Note: Currently, only devices that are online can have their image upgraded.

3. Run the inventory.

a. Select the appropriate devices, select Inventory, and click Go.

b. Basic Details and Interface Details should be checked automatically. Click Next to continue (Figure A6).

Figure A6. Select Inventory settings.

c. Select the Start Immediately button and click Next to complete the inventory run (Figure A7).

Figure A7. Schedule inventory or start immediately. Inventory will show status of "Passed" if successful.

4. Select the image to be pushed to the routers and click Next to complete the image update (Figure A8).

Figure A8. Select image for the image push.

Disconnecting a Device and Removing a User

This section describes how the administrator can remove a spoke router that has already been provisioned and deployed.
1. Click the Device tab, and go to the chart view.
2. Select the device to be removed and click Disconnect to remove the device. ArcanaNetworks MEVO will use SSH to access that device and reload the router with the default configuration, thereby disconnecting the router from the network. ArcanaNetworks will also remove the device profile on the Cisco ACS for that device if PKI-AAA is enabled (Figure A9).

Note: The device must be online in order for it to be removed. If the device is not currently online, you can still remove the user (see step 3). ArcanaNetworks currently removes the device profile automatically with Cisco ACS Version 5.0.

Figure A9. Select the device to be removed and click "Disconnect."

3. Delete the user associated with the device under the Accounts > Users page (Figure A10).

Figure A10. Delete the user associated with the removed device.

4. Remove the user profiles from the Cisco ACS.
5. Revoke the router certificate from the CA server.

If you are using a Cisco IOS Software router as the CA server, use the following command:
crypto pki server cs-label revoke certificate-serial-number
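To confirm that step 5 took effect, the following added example (not part of the original guide or of any Cisco or ArcanaNetworks tool) checks that each decommissioned router's certificate serial number appears in the CA's CRL. It assumes the CRL has been saved and decoded to text with openssl crl, and that the serials you recorded are written as decimal or 0x-prefixed hex; the CRL text, serial values, and function names are constructed for illustration.

```python
import re

# Constructed sample (values made up): a CRL decoded with
#   openssl crl -inform DER -in ca.crl -noout -text
# openssl prints revoked serial numbers in hex without a 0x prefix.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Issuer: CN=cvo-ca.example.com
        Last Update: Jan 10 08:00:00 2012 GMT
        Next Update: Jan 10 14:00:00 2012 GMT
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Dec  2 17:21:09 2011 GMT
    Serial Number: 4C
        Revocation Date: Jan 10 07:58:41 2012 GMT
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
DATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")


def cli_serial_to_int(value):
    """Assumption: recorded serials are decimal or 0x-prefixed hex."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def revoked_serials(crl_text):
    """Return {serial as int: revocation date} for every CRL entry."""
    revoked, current = {}, None
    for line in crl_text.splitlines():
        serial = SERIAL_RE.match(line)
        if serial:
            current = int(serial.group(1), 16)  # CRL text is always hex
            continue
        date = DATE_RE.match(line)
        if date and current is not None:
            revoked[current] = date.group(1)
            current = None
    return revoked


def check_decommissioned(serials, crl_text):
    """Map each recorded serial to its revocation date, or None if absent."""
    revoked = revoked_serials(crl_text)
    return {s: revoked.get(cli_serial_to_int(s)) for s in serials}
```

A None result means the certificate is not in the CRL that was checked, so the router could still authenticate until the certificate is revoked and a fresh CRL is published.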

For More Information

Cisco Virtual Office homepage
http://www.cisco.com/go/cvo
Configure and Enroll a Cisco IOS Software Router to Another Cisco IOS Software Router Configured as a CA Server
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080210cdc.shtml