
Nortel Guide for Planning and Deploying Converged VoIP Networks to Enterprises

Document Date: November 2005
Document Version: 1.2


Copyright © 2005 Nortel Networks All rights reserved. November 2005

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.

Trademarks

Nortel, the Nortel logo, the Globemark, and CallPilot are trademarks of Nortel Networks.

All other Trademarks are the property of their respective owners.

History

Date              Issue  Comments
26 August 2005    1.0    First release.
10 October 2005   1.1    Second release. Added “Checklist of best practices for sales, deployment, and support” section.
1 November 2005   1.2    Added Nortel copyright and trademark info, removed “Nortel Confidential” page footer.


Contents

Introduction ..... 4
Checklist of best practices for sales, deployment, and support ..... 5
    Sales and Sales Engineering ..... 5
    Deployment ..... 5
    Beginning Support ..... 6
General Best Practices ..... 7
IP Telephony ..... 9
Multimedia Applications ..... 10
    Call Servers ..... 10
    Messaging (CallPilot) ..... 13
Campus Ethernet Switching Design Considerations ..... 15
    Core Network ..... 15
    Edge ..... 16
    Security ..... 17
    Diagnostics / Management ..... 17
Campus WLAN Design Considerations ..... 19
WAN/Branch Design Considerations ..... 22
    VPN Router 6.0 ..... 22
    Encryption ..... 23
    DiffServ ..... 23
Network Security Considerations ..... 25
Network Management ..... 28
Deployment ..... 29
References ..... 31
    Nortel Technical Support Portal ..... 31
    Layered Defense approach to network security ..... 31


Introduction

This guide is a collection of practices, principles, and advice that helps you avoid problems when you deploy large converged voice/data network systems. The items in this guide come from lessons learned by Nortel support staff, installers, and customers while installing and configuring actual networks under real-world conditions.

Our intent is that this document is perpetually under construction. If you have any suggestions, questions, comments, or concerns, please click here to email us. We look forward to incorporating your feedback in future revisions.


Checklist of best practices for sales, deployment, and support

The following best practices are those that Nortel teams have found to be the most critical to successful deployments of large converged VoIP networks.

Sales and Sales Engineering

• Create a solution architecture drawing for the proposed deal. Review the solution architecture with all members of the deployment team before presentation to the customer:
  o Sales
  o Sales Engineering
  o NETS Solutions Support team
  o ATS (Deployment)
  o PLM as needed

• The team must verify the solution for:
  o Technical viability
  o Orderability
  o Deployability
  o Supportability
  o Availability

• Complex VoIP deals must include in the quote:
  o Network monitoring devices (sniffers)
  o A Health Check to ensure that the existing data network supports real time applications.
  o Methods for post-deployment support access are in place (for example, VPN access)
  o Periodic network health audits after the customer accepts the network
  o Agreement with the customer to maintain a detailed change log to track:
    - Changes in data network architecture (for example, changes in subnets or changes in routing)
    - Changes in voice assignments (for example, IP sets added, deleted, moved, or changed)

• Create a Livelink repository to capture project information including Solution Architecture. Make this repository available to Deployment and Support groups.

Deployment

• Perform network health check on existing networks before deployment begins
• Receive and pre-stage 3rd party devices (for example, servers)
• Load and test all software and applications during pre-staging
• Ensure network monitoring devices are installed and working before deployment begins


• Maintain a change log to track all changes to data and voice network throughout (and after) deployment.
• Update Livelink repository with current Solution information

Beginning Support

• Ensure network monitoring devices are installed and working before support begins
• Ensure change logs are up to date and a process is in place to continue their use before support begins
• Ensure support team can access customer’s network (for example, VPN connectivity)
• Ensure support engineers understand the customer’s network and have access to the Livelink repository, including the Solutions Architecture drawing.
• Perform periodic network health audits of customer’s network
  o Reference change log
  o Reference network monitoring devices
  o Correlate network performance issues to change log.


General Best Practices

This section collects Best Practices that apply to all major aspects of converged networks.

Develop and document naming/numbering conventions to be used in configuration of systems. Leave room in your numbering convention for future expansion. Benefit: You can more quickly and effectively locate problem devices if DNs, TNs, and IP addresses are assigned according to a logical system.

Make sure that installation and maintenance staff are aware of applicable electrostatic discharge (ESD) procedures, and that they follow them at all times. Benefit: Helps eliminate ESD as a source of problems with network equipment.

Always perform a Network Assessment / Health Check prior to installation to ensure the data network is capable of transmitting voice. Perform regular assessments after large changes/additions are made to the network/system configuration. Benefit:
• Reduces I.T. Manager fear of failure of the VoIP implementation
• Minimizes time and cost lost to cutover/acceptance issues
• Establishes a network readiness baseline for the future
• Provides statistical and graphic depiction of VoIP performance

Create a clean and traceable setup when wiring closets and switch rooms. Benefit: Well-organized network infrastructure is easier to upgrade and much faster to troubleshoot. The time spent keeping wiring organized and labeled is returned many times over in avoiding confusion about the layout, avoiding problems, and faster resolution of problems that do arise.

Maintain a database of the various devices (including 3rd party devices and applications) in the network. Include information such as:
• Software and firmware versions running on each device
• Physical location of each device (including rack and slot)
• NT/Rls # of various cards
Benefit: Helps you keep track of the devices in your network and the software and firmware running on them.


After the system is installed and fully operational, perform and store a full backup of the system and system software in a safe environment in case system recovery is required. Benefit: Helps you recover quickly from resets in which system software or configurations are lost or corrupted.

Maintain a database log of maintenance and configuration activities done within the network, including both voice and data equipment. Consider keeping a hardcopy of the log onsite. Useful information includes:
• Date of activity
• Name of person/group performing activity
• Type/details of activity being performed
• Problems encountered during activity
• Tests performed to verify success of maintenance/configuration activity
• Storage location of log files/screen captures etc.
Benefit: Helps you trace problems and issues back to network changes.

Perform a rigorous assessment of the power output required for POE to determine how much input power (power supplies) you will need for the installation. Benefit: Makes sure that you have enough power for all POE devices, and that you know how much AC power is required in the wiring closets for the installation.

Ensure that all devices have power and ground connections as described in the installation guides. Benefit: Eliminates many potential sources of trouble. Ground and power issues are often anomalous, and are sometimes very hard to trace back to the root cause.


IP Telephony

Set all LAN interfaces to auto-negotiate instead of fixing their data rate and duplex settings. Benefit: Fixed settings for rate and duplex may result in mismatches, causing packet loss and voice quality issues.

Always assign telephony to a separate VLAN from data devices. Benefit: Separating data and voice into different VLANs improves security and voice quality, and prevents compromise of telephony services.

Have the E-911 plan approved and signed by customer. Benefit: The E-911 plan establishes the degree of accuracy to which the location of an emergency call is reported. Going over the plan with customers ensures that they understand the regulatory and liability issues surrounding 911 emergency call service.

Have a backup power plan approved by the customer. Make sure they understand the telephony impact of power failure. Consider factors such as the time required to bring up emergency generators. Benefit: Ensures that the customer understands the issues around power and resiliency. Helps achieve reliable telephone services, and manages customer expectations for service survival in power failure.


Multimedia Applications

Call Servers

Document port configurations (for example, duplex settings), port statistics, protocols being used at various OSI layers etc. for data devices in network. Benefit: Problems reported on the VOIP side are often data network issues, so understanding the underlying data network helps understand VOIP problems.

Create a database that captures IP address ranges for various devices in the system (including IP phones), their physical location, and their corresponding DNs and TNs. Benefit: A logical system for assigning IP addresses helps you pinpoint problem devices, especially where the network spans more than one physical site.

Consider developing a process to determine who is logged into the switch at all times. For example, you might allow network management only from a dedicated PC or range of PCs, and implement unique login names for users on those machines. Benefit: Helps you keep records of who is doing what, so that data network maintenance activities don’t interfere with the voice network.

Ensure that all activities done while logged into any device within the network are captured (logged). Document storage location of log files in a database for easy retrieval. Benefit: Log commands used on switches or network devices for troubleshooting. This record helps you track causes and effects regarding maintenance activities.

Develop a plan for remote access to all points in the system should it be required. Have the equipment on hand and connected. Nortel recommends using Contivity VPN products for secure remote access. Benefit: Planning and implementing a system for remote access drastically shortens the time required to access and troubleshoot the equipment. Using Contivity VPN products for remote access protects proprietary network management data.


When performing complex maintenance tasks and troubleshooting problems, have a sniffer running continuously on the Signaling Server TLAN (and ELAN if possible). Document the process for accessing files reliably (for example, ftp location and login details). Consider how sniffer information can be shared remotely. Benefit: Sniffer captures can reduce troubleshooting time and increase your chances of being able to reproduce the problem for RCA (root cause analysis).

Configure test phones in wiring closets in separate zones at each site. Benefit: Lets you try out changes and test for problems without interfering with customer activities.

In the event of a failure on the Call Server or Signaling Server, be prepared to provide the following information (at a minimum):
• Report logs
• History files
• Configuration records/config files
• Database configuration (on call server)
• Patches loaded on system
• Network diagram
Benefit: This is what Tech Support will ask for. Having the answers handy makes the support call faster and more effective.

Once you have duplicated a problem, try to simplify the call scenario as much as possible and still retain the problem. For example, if the problem occurs with a conference call, see if it also happens with a regular call. Benefit: Reduces problem to essential elements for easier troubleshooting.

When chasing an intermittent problem, maintain a database that captures dates, times, and details of the symptoms. Benefit: Helps you identify patterns that lead to the root cause. Helps you eliminate the intermittent nature of the problem and understand how to duplicate the problem at will.


Develop a questionnaire template that end users can use to record problem specifics. Structure questions so that responses cannot be ambiguous (that is, maximize the usefulness of the information provided). Tailor the questionnaire to each problem. Include information such as:
• Time of day
• What happened
• Is this a new installation (was the feature previously functional?)
• What changed before the problem occurred?
• What workarounds, if any, are available?
Benefit: Helps eliminate vagueness and ambiguity when tracking problems back from problem reports.

When reporting or documenting a call scenario, record the path of devices traversed (for example, set A on switch X -> set B on switch Y -> CallPilot on switch Z). If the path in the data network can be determined, provide this information as well. Benefit: Tracing the voice path helps refine the problem to its essential elements and helps to eliminate issues and devices that are unlikely to be involved.

When capturing traces and logs for a given problem, provide similar records for both good and bad call scenarios if possible. Benefit: Comparing the records for good and bad calls helps identify key differences between functional systems and problem systems.

When troubleshooting voice quality issues:
• Perform an environmental audit of the location (for example, carpeted room, noisy devices/fans running in background?)
• Collect details of the problem using the echo checklist (as documented in the IPL Expert Guide)
• Provide recordings/captures of voice quality problems being experienced
Benefit: Helps to refine the problem description and to eliminate subjective elements.

Develop and document the escalation process and contact list (including name, contact information and role) to be used in the event of a problem. Benefit: Establishing an escalation contact list before problems are encountered speeds problem resolution because you don’t lose time talking to the wrong people or getting the wrong people involved.


When troubleshooting a problem:
• Verify that the system has the latest suite of patches installed. Make sure you have installed the latest dependency list (Deplists) for Call Server, Signaling Server and Media Gateway Cards.
• Remove all obsolete patches from the call server and signaling server
• Review individual/site specific PEPs to see if they could be the cause of the problem on site.
Benefit: Helps eliminate problems caused by old patches or unforeseen interaction between patches.

Messaging (CallPilot)

Verify the compatibility of all systems software levels being integrated and ensure all levels of client software are current (CallPilot Manager/Reporter, Desktop Client, and MyCallPilot). Especially in upgrades, make sure client and server versions are compatible. See Distributor Technical References and General Release Bulletins for compatibility information. Benefit: Reduces the risk of problems by ensuring compatibility between system software elements.

Ensure that CallPilot (along with all other components) has all current PEPs (Product Enhancement Packages). Benefit: The PEPs incorporate the latest fixes and updates. Having the latest set ensures the highest level of functionality.

Have your list of telephone DNs and TNs before starting the CallPilot installation. Benefit: You’ll need the list of DNs and TNs to get the system running, so having the list ready beforehand saves time during the installation.

The VAS ID associated with the ELAN must use SECU=YES whether it is used by SCCS or CallPilot. Benefit: Keeps SCCS and CallPilot from attempting to claim each other’s resources.

Ensure the ELAN and CLAN are not on the same subnet. Benefit: Prevents congestion on the CLAN from interfering with VoIP traffic on the ELAN.


Do not use the Windows control panel on the CallPilot server to change the server name. Instead, use the CallPilot Config Wizard. Benefit: Changing the server name using the Config Wizard also changes the name in the CallPilot server configuration. Changing the name using the Windows control panel doesn’t change the name in the CallPilot configuration, and causes inconsistencies between the OS and CallPilot applications.

Ensure that current and supported anti-virus software is installed on the CallPilot system. See the DTRs for a list of supported, validated AV software and recommended settings. Benefit: The CallPilot Server is a W2K server, and may be vulnerable to the same types of malicious software as other Windows machines.

Develop and implement a comprehensive test plan for all implemented CallPilot features before going live. Don’t just test one or two features and conclude that the system is customer-ready. Benefit: Helps you find potential problems before going live.

Review and understand the log files during the implementation process to ensure stability/sanity of the system. Benefit: Some innocuous-seeming log entries might mean big problems later. Make sure you know what’s getting logged and why.


Campus Ethernet Switching Design Considerations

Core Network

Implement dual-active switch fabrics in chassis. Benefit: Doubles amount of bandwidth available, ensures no single point of failure can bring down the core network.

Implement N+1 power redundancy, making sure power supplies are on different AC circuits. Benefit: Ensures that the failure of a single power supply or AC supply circuit won’t affect the core network.

Implement N-1 resiliency for closet uplinks using SMLT. Benefit: Lets you use the full bandwidth of all gigabit uplinks; doesn’t require Spanning Tree. SMLT also provides sub-second failover and recovery in the event of a switch or link failure.

For SMLTs, terminate IST (inter-switch trunk) on different modules within the chassis and only on non-blocking ports. Also, terminate the ISTs on the lowest-numbered ports and slots. Benefit: Terminating ISTs at different modules within core switches makes sure that the failure of a port or module doesn’t bring down the IST. Having the IST on non-blocking ports ensures zero packet loss between the switches in the terabit cluster. Using the lowest-numbered ports and slots for the ISTs ensures the fastest initialization of the ISTs.

Ensure some type of fiber fault management is enabled on uplink ports (autonegotiation, LACP, VLACP, SFFD). Benefit: Otherwise, one port might continue sending without realizing the far-end port can’t receive. Implementing fiber fault management ensures that, in the event of a single fiber fault, the entire port is deactivated.

Configure Virtual Router Redundancy Protocol (VRRP) for default gateway. Benefit: If one core switch goes down, the users’ default gateway remains available.

Configure QoS in the core switches, and configure Diffserv Core ports (trusted ports) to honor DSCP marking from IP phones. Benefit: Ensures that VoIP traffic is prioritized over all other data traffic in the network.


Edge

On edge stackable switches (for example 460/470 and 5500s), install return cable for failsafe, resilient stacking. Benefit: In the case of switch failure, the return cable maintains the integrity of the stack so that no switches in the stack become isolated.

Implement dual active switch fabrics on the 8300 edge switch chassis. Benefit: Having dual fabrics lets you terminate uplinks on two different modules in the 8300 chassis, eliminating a single point of failure and doubling the uplink bandwidth.

Implement N+1 power redundancy (redundant power supplies for chassis or RPS for switch stacks) and make sure power supplies are on different AC circuits. Benefit: Ensures that the failure of a single power supply or AC supply circuit won’t affect the network. This consideration is especially critical where the edge network supports POE devices (access points, phones, card readers).

Terminate uplinks on edge switches using DMLT to distribute uplink ports across different switches in the stack or different modules in the chassis. Benefit: Dual homing uplinks ensures no single point of failure.

Enable Spanning Tree FastStart on all end user ports. Benefit: Helps workstations connect to the network faster while still preventing looping at the desktop. FastStart assumes ports are non-looping and blocks the port only if a loop is detected.

Configure QoS in the edge switches, and configure Diffserv Access ports and filters to mark the DSCP for VoIP traffic. Benefit: Ensures VoIP traffic is prioritized over all other data traffic in the network. Although IP phones can mark their own DSCP, it is safer to have the edge switch mark the traffic. This approach prevents PCs from marking their traffic and defeating the intent of the QoS.


Security

Change default login name/password and default SNMP community strings. Benefit: Prevents unauthorized access to switching equipment using Nortel default passwords and community strings.

Create management Access Control Lists to limit the number of people able to manage network devices. Benefit: Restricts management access only to authorized users at authorized management stations.

Use RADIUS authentication for management of network devices. Benefit: Provides a centralized mechanism for authentication and alleviates the need to continually change passwords on each network device.

Use SSH and SNMPv3 to encrypt switch management traffic. Benefit: Prevents users from sniffing network traffic to gain unauthorized access to management traffic and passwords.

Deploy EAPOL on all user switch ports. Benefit: Ensures end user network authentication. Prevents unauthorized access.
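As an added illustration of the five Security items above (not part of the Nortel guide), the following Python audit reads a constructed inventory of switch management settings and reports which checklist items each switch fails; the inventory schema, field names and the two sample switches are assumptions made for this example, and a real run would load the records from the configuration database or change-control software.

```python
"""Audit switch management posture against the five Security checklist items.

Added example, not part of the Nortel guide. The inventory schema and the two
sample switches are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# SNMP community strings shipped as defaults by most vendors. Vendor login
# defaults are deliberately not listed; the inventory records whether the
# factory login was changed.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Switch:
    """Management settings of one switch (field names are assumptions)."""
    name: str
    default_login_changed: bool
    snmp_version: str                                      # "1", "2c" or "3"
    communities: Set[str] = field(default_factory=set)     # SNMPv1/v2c communities
    mgmt_protocols: Set[str] = field(default_factory=set)  # telnet, ssh, http, https
    mgmt_acl: Set[str] = field(default_factory=set)        # permitted management stations
    auth_source: str = "local"                             # "local" or "radius"
    user_ports: int = 0
    eapol_ports: int = 0                                   # user ports with EAPOL enabled


@dataclass
class Finding:
    device: str
    check: str
    detail: str


def audit_switch(sw: Switch) -> List[Finding]:
    """Return one Finding per checklist item the switch does not satisfy."""
    findings: List[Finding] = []
    if not sw.default_login_changed:
        findings.append(Finding(sw.name, "default-credentials",
                                "factory login name/password still in use"))
    defaults = sw.communities & DEFAULT_COMMUNITIES
    if defaults:
        findings.append(Finding(sw.name, "default-snmp-community",
                                "default community string(s): " + ", ".join(sorted(defaults))))
    if not sw.mgmt_acl:
        findings.append(Finding(sw.name, "management-acl",
                                "no management ACL; any station may attempt to log in"))
    if sw.auth_source != "radius":
        findings.append(Finding(sw.name, "radius-auth",
                                f"management authentication is {sw.auth_source}, not RADIUS"))
    # SSH and SNMPv3 replace telnet/HTTP and SNMPv1/v2c, which carry
    # credentials and community strings in cleartext.
    cleartext = sw.mgmt_protocols & {"telnet", "http"}
    if sw.snmp_version != "3":
        cleartext.add("snmpv" + sw.snmp_version)
    if cleartext or "ssh" not in sw.mgmt_protocols:
        detail = ("cleartext management enabled: " + ", ".join(sorted(cleartext))
                  if cleartext else "SSH not enabled")
        findings.append(Finding(sw.name, "encrypted-management", detail))
    if sw.user_ports and sw.eapol_ports < sw.user_ports:
        findings.append(Finding(sw.name, "eapol",
                                f"{sw.user_ports - sw.eapol_ports} of {sw.user_ports} "
                                "user ports without EAPOL"))
    return findings


def audit(inventory: List[Switch]) -> List[Finding]:
    """Audit every switch in the inventory."""
    return [f for sw in inventory for f in audit_switch(sw)]


def failed_checks(inventory: List[Switch]) -> Dict[str, Set[str]]:
    """Map each device name to the set of checklist items it fails."""
    result: Dict[str, Set[str]] = {sw.name: set() for sw in inventory}
    for f in audit(inventory):
        result[f.device].add(f.check)
    return result


# Constructed sample inventory: one hardened core switch, one untouched closet switch.
SAMPLE_INVENTORY = [
    Switch("core-a", True, "3", set(), {"ssh", "https"},
           {"10.0.0.10", "10.0.0.11"}, "radius"),
    Switch("closet-3", False, "2c", {"public", "netops"}, {"telnet", "ssh", "http"},
           set(), "local", user_ports=48, eapol_ports=40),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.device}: [{finding.check}] {finding.detail}")
```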

Diagnostics / Management

Always leave at least one port available for port mirroring traffic. Benefit: Lets you easily connect a sniffer to the device without having to disconnect users.

Use the syslog feature to write log information to a separate server. Benefit: Using syslog provides a log of events that helps troubleshooting issues. Having the log on a separate server prevents the log from getting erased in a switch reset or failure.

Configure SNMP trap receivers for all the switches in the infrastructure to capture relevant information. Benefit: Lets you maintain a log of network events that you can use to monitor network health.


Deploy change control software that maintains a database of switch configurations. Benefit: Maintains a record of network configuration. Ensures configurations are consistent, current, and correct. Facilitates consistent communication about network configuration among system management staff.

Backup device configurations to a network server every time a change is made. Benefit: Lets you easily restore device configurations in case of a reset. Lets you easily revert to a previously known configuration in case of a configuration problem.


Campus WLAN Design Considerations

When conducting an initial site survey and estimating the number of APs, plan the network for capacity not coverage. Benefit: Trying to cover the maximum area possible per AP leads to oversubscription, loss of performance, and user dissatisfaction. All users share the throughput of one cell, or specifically one channel in the area of the AP. This is compounded by the variable data rate of the cell. One user at the far edge of a cell can bring the entire cell to a combined (shared) throughput of 1-2 Mbps. If you plan the network with maximum cell sizes in a dense office environment, it can mean up to 50 users all sharing 1 Mbps. The practice of maximizing cells is like adding more hub ports to the network. The practice of shrinking cell sizes and increasing the number of APs is like segmenting the WLAN.

Once the number of APs needed to cover a site is known, plan for N+1 switches to control the APs. If one model of WLAN Security Switch 2300 is used throughout, the number of switches needed is simply N+1, where N is the minimum number of switches needed to support the number of APs at the site. For example, 20 APs would require at minimum two WSS 2360s, so three should be installed. If a mix of WSS 2300 models is to be deployed, then the rule for N+1 redundancy is to plan for the failure of the biggest switch and make sure there are enough AP slots available to support the APs. For example, if 2370s and 2360s are used together, then as long as there are 40 open AP slots throughout the network, it is N+1 redundant. Benefit: Makes the network resilient against single WSS 2300 failures. Without the extra switch, APs would cease to function if their controller were to fail. Note that resiliency can also be implemented as N+2 or greater if desired.
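The two N+1 rules above as runnable Python (an added example, not a Nortel planning tool). The per-model AP capacities are assumptions except the 40-AP figure the guide implies for a 2370, and the `spare` parameter generalizes the rule to the N+2-or-greater case the guide mentions by removing the `spare` largest switches.

```python
"""N+1 planning for WLAN controllers, following the guide's two rules.

Added example, not a Nortel tool. AP capacities per model are assumptions
(the guide only implies that losing a 2370 frees 40 AP slots); substitute the
figures from the data sheet of the models you deploy.
"""
import math
from typing import Dict

# Assumed AP capacity per WSS 2300 model.
AP_CAPACITY: Dict[str, int] = {
    "WSS 2360": 12,   # assumed; consistent with "20 APs need at least two 2360s"
    "WSS 2370": 40,   # implied by the guide's "40 open AP slots" example
}


def homogeneous_plan(ap_count: int, model: str, spare: int = 1) -> dict:
    """Rule 1: one model throughout. N = ceil(APs / capacity); deploy N + spare."""
    if ap_count <= 0:
        raise ValueError("ap_count must be positive")
    minimum = math.ceil(ap_count / AP_CAPACITY[model])
    return {"model": model, "minimum": minimum, "recommended": minimum + spare}


def mixed_fleet_check(ap_count: int, fleet: Dict[str, int], spare: int = 1) -> dict:
    """Rule 2: mixed models. Plan for the failure of the biggest switch(es).

    The fleet {model: count} is N+spare redundant when the slots left after
    removing the `spare` largest switches still cover every AP, i.e. when the
    open slots (total capacity minus APs) are at least the capacity of the
    switches assumed lost.
    """
    capacities = sorted(
        (AP_CAPACITY[model] for model, count in fleet.items() for _ in range(count)),
        reverse=True,
    )
    total = sum(capacities)
    lost = sum(capacities[:spare])          # worst case: the biggest switches fail
    remaining = total - lost
    return {
        "open_slots": total - ap_count,
        "largest": capacities[0] if capacities else 0,
        "redundant": len(capacities) > spare and remaining >= ap_count,
        "shortfall": max(0, ap_count - remaining),
    }


if __name__ == "__main__":
    # The guide's homogeneous example: 20 APs on 2360s -> minimum 2, install 3.
    print(homogeneous_plan(20, "WSS 2360"))
    # A mixed fleet of one 2370 and two 2360s with 24 APs leaves exactly 40 open slots.
    print(mixed_fleet_check(24, {"WSS 2370": 1, "WSS 2360": 2}))
```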


For larger networks, plan to deploy 802.11a coverage throughout and deploy client devices that also support 802.11a when possible. There are still some classes of devices, Wi-Fi handsets for example, that only support 802.11b. However, most other devices don’t have this limitation and many PDAs now have 802.11a options. In those cases, 802.11a should be preferred for WLAN connectivity. Benefit: 802.11a has better throughput than 802.11b, since the band is not as cluttered with devices such as cordless phones, microwave ovens, DECT devices, and Bluetooth devices. Due to the increased channel count of 802.11a, it is significantly easier to plan channel layouts where channel re-use is needed. In addition, the larger channel space allows for 7- or 12-channel plans, which dramatically reduce the co-channel interference between like-channel cells compared to the 3-channel plans of 802.11b/g. The end result is less RF interference, greater per-cell throughput, and better network scaling. Although 802.11g by itself offers comparable throughput to 802.11a, APs will often shift into compatibility mode and reduce throughput significantly for the entire cell, including for 802.11g-capable devices.

Use MLT to connect WLAN Security Switch 2300s to the core, preferably a Split-MLT core. Benefit MLT combined with an SMLT core maximizes the uplink bandwidth available (because it is active-active not active-standby) while also providing network resiliency.

Do not implement “closed system” (removing the SSID from the beacon) as a security measure, especially if there are other WLANs in the neighborhood. Benefit Since the SSID can easily be learned by other means such as eavesdropping, hiding it is not an effective security measure and is not worth the negative impacts on roaming.

Use firewalls where possible, especially when using weaker authentication methods. Benefit MAC authentication and static WEP are not very secure methods of authenticating clients. Client limitations may dictate the use of these methods and if so, they should be combined with firewalls to limit the impact in the event that security is compromised. For example, VoWLAN handsets should only be able to reach the telephony VLAN and signaling servers. All other ports and destinations should be blocked.


Plan to minimize the amount of data traffic sharing the same band with VoWLAN. If possible, keep all data on 802.11a (5 GHz) channels and reserve 802.11b (2.4 GHz) for voice. Benefit: While there are QoS mechanisms that allow data and voice to share the same channel, they all work best when the amount of data is kept to a minimum. SVP generally uses strict prioritization of voice from AP to clients, but does not protect well against large amounts of upstream data traffic. WMM uses weighted statistics to give preference to voice traffic, meaning that many data devices sending traffic can erode the preference given to voice.

If data and voice share the same band, reduce the maximum call count per access point according to the minimum amount of data throughput you want to support. Benefit: This practice preserves some data throughput during busy call volumes. Otherwise, data traffic may experience unacceptable throughput levels during those busy times.

Map all VoWLAN handsets into a single VLAN. Note that regardless of topology, the VLAN does not have to be extended to all WSS 2300s. Only one or two switches must have a connection to the VLAN—the remaining switches tunnel handsets to the switch that has the connection to the VLAN. Benefit This configuration lets you minimize the number of WTM 2245s installed to support the VoWLAN handsets. Instead of one WTM 2245 per VLAN, this configuration requires only one VLAN to have a WTM 2245. It also makes the general network design much simpler—one firewall co-located with the VLAN, etc.

In support of 221x VoWLAN handsets, specify a TFTP server address of 255.255.255.255 if you don’t have new code to download to the handset. Whether you use static settings or DHCP-provided settings, 255.255.255.255 is a special address that disables the software download to the handsets. When new handset code is deployed, simply change the TFTP server address on the DHCP server to the real address. After deploying, change the address back to 255.255.255.255. Benefit: The handset checks upon power-up for new code on the configured TFTP server. If the server is not present, the phone will not finish booting. In this situation the TFTP server is a single point of failure in the network. Since code upgrades are not very common, it makes sense to disable the phone’s code checking except when upgrades are necessary.


WAN/Branch Design Considerations

Ensure all WAN/Branch edge elements that carry VoIP traffic (including any security-enforcing devices) have these features:
• QoS protocols
• Multiple queues
• A strict priority scheduler
• Forwarding as close to line rate as possible with sub-millisecond traversal delay
• Fragmentation services such as MLPPP or FRF.12
Benefit: Helps ensure that you can guarantee QoS throughout the entire media transmission path.

Ensure all WAN/Branch edge elements that carry VoIP traffic provide call security along the entire voice transmission path:
• Use encrypted tunnels for data passing over MAN/WAN links.
• Use IP filters on interfaces to eliminate well-known malicious attacks that might originate from within the corporate network.
• Use logging services and enable system security auditing to track access and configuration changes on all VoIP servers, firewalls and other network elements.
• Use MAC-based access controls for devices capable of authentication using EAP.
• Use access lists and IP permit lists to restrict access to managed devices.
Benefit: Helps ensure the security of VoIP traffic across the network.

VPN Router 6.0

The following recommendations apply to VPN Router series 6.0 VoIP features.

Avoid using compression on VoIP links (IPSec on FR). Typically, IPSec compression is enabled by default so you will need to disable it. Benefit: For small packets, such as VoIP traffic, compression tends to degrade performance.


Set the Tx-Ring buffer size equal to or less than the VoIP maximum delay variation tolerance divided by the serialization delay. Benefit: The Tx-Ring setting is the number of packets reserved by the I/O card for transmission. This value is the greatest number of data packets that could be queued ahead of, and possibly 'block', a VoIP packet. For example, if your variation tolerance (i.e. maximum jitter) is 40 ms and it takes 6 ms to transmit a single (largest) data packet, you would set the ring buffer to 40/6 rounded down to the nearest integer, which is 6.

For portions of the network where the traffic is all VoIP (there is no data traffic), set the Tx-Ring to the expected number of concurrent VoIP sessions. Benefit: When data traffic is not a consideration, you can configure the Tx-Ring buffer to maximize voice traffic effectiveness (see above).

Encryption

Use AES encryption instead of 3DES. Benefit: AES is more efficient and introduces less latency than 3DES.

Avoid using IPSec Hardware Acceleration for VoIP. Benefit: IPSec hardware acceleration introduces latency by requiring extra trips across the PCI bus.

Disable IPSec Anti-Replay (on by default). Benefit: Anti-Replay provides a window of 32 packets per IPsec tunnel that are accepted by the receiver. If a packet is received outside of the window, it is dropped. Because VoIP packets are small and prioritized, there is a strong chance that whole data streams may be dropped (or be forced to retransmit) because 32 or more VoIP packets are transmitted before a data packet can make it through.
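The interaction described in this item, modelled as an added example (not Nortel VPN Router code): an ESP receiver's anti-replay window of 32 sequence numbers, a priority scheduler that sends later-numbered voice packets ahead of one data packet, and the same window catching a genuine replayed packet, which is the protection given up when anti-replay is disabled. Window size, sequence numbers and the queueing scenario are assumptions.

```python
"""Constructed model of the IPsec (ESP) anti-replay window; example code,
not Nortel VPN Router code.  The receiver accepts a packet only if its
sequence number is within `window` of the highest number seen so far and
has not been seen before.  Window size, sequence numbers and the queueing
scenario below are assumptions chosen to reproduce the effect described
in the text."""


class AntiReplayWindow:
    def __init__(self, window=32):
        self.window = window     # None models "anti-replay disabled"
        self.highest = 0         # highest ESP sequence number accepted so far
        self.seen = set()        # accepted numbers still inside the window

    def accept(self, seq):
        """True if the receiver keeps the packet, False if it is dropped."""
        if self.window is None:
            return True          # disabled: nothing is ever rejected
        if seq > self.highest:
            # Window slides right; numbers that fell off its left edge are forgotten.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.window:
            return False         # older than the window: dropped as a "replay"
        if seq in self.seen:
            return False         # same number twice: a genuine replay
        self.seen.add(seq)
        return True


def data_packet_survives(window, voice_ahead):
    """Sequence numbers are assigned at encapsulation, so one data packet gets
    number 1.  The strict-priority scheduler then transmits `voice_ahead`
    later-numbered voice packets before it.  Returns whether the receiver
    still accepts the delayed data packet."""
    rx = AntiReplayWindow(window)
    for seq in range(2, 2 + voice_ahead):
        rx.accept(seq)           # voice packets overtake and arrive first
    return rx.accept(1)          # the data packet finally arrives


if __name__ == "__main__":
    for ahead in (31, 32, 64):
        kept = data_packet_survives(32, ahead)
        print(f"window=32, {ahead} voice packets ahead: data packet kept = {kept}")
    print("anti-replay disabled, 1000 ahead:", data_packet_survives(None, 1000))
    rx = AntiReplayWindow(32)
    print("first seq 5:", rx.accept(5), " replayed seq 5:", rx.accept(5))
```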

DiffServ

When using IPSec, frame relay compression, or frame relay fragmentation, mark DSCP on traffic ingress. Also, make sure that the DiffServ PHB queue is enabled on the egress interface so that the VPN Router can properly prioritize the voice traffic. Benefit: Marking on ingress enables the device itself to apply QoS to the traffic being received. When traffic is marked only on egress, only subsequent devices in the voice transmission path can apply QoS to the VoIP stream.


Allow for WAN encapsulation overhead when setting the EF (Expedited Forwarding) shaping rate. One shortcut is to set the EF shaping rate to the WAN data rate. Benefit: Disregarding the encapsulation overhead when setting the EF shaping rate can cause you to set an improper shaping rate, resulting in increased latency.


Network Security Considerations

Use a Layered Defense approach to security as described in “Layered Defense approach to network security” (http://www.nortel.com/solutions/security/collateral/nn108120-051705.pdf). Benefit: Defense layers complement each other to protect information assets from any single point of security failure.

Define security policy in terms of clearly defined security zones with different access types. Define user roles and groups and map them to security zones. Use firewall, filter and access control capabilities to enforce network access policies between these zones using the least privilege concept. Benefit: This approach allows appropriate protection for various classes of information assets, and limits access to applications and networks based on the authenticated user and their role in the organization.
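The handset firewall practice in the WLAN section and the zone-based least-privilege practice above, as one added example (not a Nortel firewall feature): a default-deny policy evaluated between constructed zones, where the VoWLAN handset zone may reach only the assumed signaling servers and telephony media ports. Zone prefixes, server addresses and UDP ports are assumptions.

```python
"""Constructed zone-based access policy evaluator; example code, not a Nortel
firewall feature.  It models the two practices above: security zones with
least-privilege rules between them, and a VoWLAN handset zone that can reach
only the telephony VLAN's media ports and the signaling servers.  Zone
prefixes, server addresses and UDP ports are all assumptions."""
import ipaddress

# Security zones as address ranges (constructed).
ZONES = {
    "vowlan-handsets": ipaddress.ip_network("10.20.0.0/24"),
    "telephony": ipaddress.ip_network("10.30.0.0/24"),
    "corp-data": ipaddress.ip_network("10.40.0.0/16"),
    "management": ipaddress.ip_network("10.250.0.0/24"),
}
SIGNALING_SERVERS = {"10.30.0.10", "10.30.0.11"}   # assumed addresses
SIGNALING_PORT = 5000                                # assumed UDP signaling port
MEDIA_PORTS = set(range(5200, 5300))                 # assumed UDP media range

# Rules: (src_zone, dst_zone, proto, dst_ports, dst_hosts); None means "any".
# Anything not matched is denied, so each zone pair gets only what it needs.
# Handset bootstrap traffic (DHCP, TFTP) is left out to keep the example short.
POLICY = [
    ("vowlan-handsets", "telephony", "udp", {SIGNALING_PORT}, SIGNALING_SERVERS),
    ("vowlan-handsets", "telephony", "udp", MEDIA_PORTS, None),
    ("management", "telephony", "tcp", {22}, None),
    ("management", "corp-data", "tcp", {22}, None),
]


def zone_of(addr):
    """Name of the zone containing addr, or "untrusted" if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "untrusted")


def evaluate(src, dst, proto, dport):
    """Return (True, index of the matching rule) or (False, "default-deny")."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for i, (rule_src, rule_dst, rule_proto, ports, hosts) in enumerate(POLICY):
        if (rule_src, rule_dst) != (src_zone, dst_zone):
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        if hosts is not None and dst not in hosts:
            continue
        return True, i
    return False, "default-deny"


if __name__ == "__main__":
    handset = "10.20.0.5"
    for dst, proto, port in [("10.30.0.10", "udp", SIGNALING_PORT),  # signaling server
                             ("10.30.0.99", "udp", SIGNALING_PORT),  # not a signaling server
                             ("10.40.1.7", "tcp", 445),              # corporate file server
                             ("198.51.100.1", "udp", 53)]:           # outside all zones
        print(handset, "->", dst, proto, port, evaluate(handset, dst, proto, port))
```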

Control admission to your network by checking both user credentials and device compliance with your security policies:
• Use strong passwords and common network-based authentication.
• Check PCs for current anti-virus and personal firewall software before allowing them on the network.
Benefit: Checking credentials ensures that only authorized users are granted access. Checking device compliance prevents the introduction of network threats from mobile devices such as laptops that may have been exposed to worms and Trojan horses in other network environments such as home or public networks.


Gain awareness of your network traffic, threats and vulnerabilities, and use that knowledge to defend against internal and external attacks. Detect and prevent attacks based on vulnerability context:
• Get to know your network, including the traffic types associated with each security zone.
• Use the Intrusion Detection and Intrusion Protection capabilities of TPS (Threat Protection System) to monitor the network for threat traffic, audit your security policy enforcement and react to threats in real time by actively blocking threat traffic.
• Use passive asset inventory techniques to profile your network assets, assess vulnerability and refine IDS/IPS intelligence and response.
Benefit: Network attacks pose serious risks to your business, including service outages, information theft, defacement, etc. Building a comprehensive Threat Protection System that understands your network and real-time threats, and provides closed-loop enforcement and active protection, can eliminate network downtime and protect network assets from intrusion, hacking, worms, trojans and other threats.

Secure network communication:
• Secure private communications over public or untrusted networks. Use Virtual Private Networks to connect tele-workers, road warriors, and partners to network applications.
• Encrypt IP Telephony traffic to prevent eavesdropping, fraud and impersonation.
• Use VPNs or Temporal Key Integrity Protocol (TKIP) for Wireless LAN or Wireless Mesh communications.
Benefit: These practices protect the confidentiality and integrity of private communications originating from unsecured physical sites.

Use Anti-Spoofing, BOGON blocking and Denial of Service (DoS) prevention capabilities at security zone perimeters to block invalid traffic, including malformed packets and packets with invalid source addresses, from entering or exiting your network. Benefit: Studies show that a majority of threat traffic (such as denial of service attacks) uses invalid or unassigned IP address ranges. Blocking these address ranges and recognizable DoS packets reduces the impact on your network and on network devices such as servers. Blocking such outgoing packets prevents your network from being used to propagate attacks against third parties.
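An added example of the ingress and egress checks this item calls for (not a Nortel product feature): a source-address sanity filter using Python's ipaddress module, with the enterprise prefix 203.0.113.0/24 and the sample packets constructed for illustration.

```python
"""Constructed perimeter anti-spoofing / bogon filter; example code, not a
Nortel product feature.  Ingress drops sources that are reserved space or
that claim to be one of our own addresses; egress drops anything whose
source is not ours, so the site cannot be used to launch spoofed attacks
on third parties.  The enterprise prefix (documentation space) and the
sample packets are constructed; the bogon list is well-known reserved space."""
import ipaddress
from collections import Counter

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # assumed public prefix

BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast: never valid as a source
    "240.0.0.0/4",      # reserved, includes limited broadcast
)]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def ingress_verdict(src, dst):
    """Packet arriving from the untrusted side.  Returns (permit, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(src, BOGONS):
        return False, "bogon-source"
    if _in_any(src, OUR_PREFIXES):
        return False, "spoofed-internal-source"   # outsider claiming to be us
    if not _in_any(dst, OUR_PREFIXES):
        return False, "destination-not-ours"       # we are not a transit network
    return True, "permit"


def egress_verdict(src, dst):
    """Packet leaving towards the untrusted side.  Returns (permit, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in_any(src, OUR_PREFIXES):
        return False, "source-not-ours"   # spoofed source leaving our network
    if _in_any(dst, BOGONS):
        return False, "bogon-destination"
    return True, "permit"


def summarize(direction, packets):
    """Count verdict reasons over (src, dst) pairs for one direction."""
    check = ingress_verdict if direction == "ingress" else egress_verdict
    return dict(Counter(check(src, dst)[1] for src, dst in packets))


# Constructed sample of packets seen at the untrusted-side interface.
SAMPLE_INGRESS = [
    ("198.51.100.7", "203.0.113.10"),    # legitimate Internet host
    ("10.4.4.4", "203.0.113.10"),        # private source from the outside
    ("203.0.113.5", "203.0.113.10"),     # outsider spoofing our own address
    ("224.0.0.9", "203.0.113.10"),       # multicast address as a source
    ("198.51.100.9", "198.51.100.10"),   # not addressed to us at all
]

if __name__ == "__main__":
    print(summarize("ingress", SAMPLE_INGRESS))
```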

Use intelligent traffic management (ITM) capabilities to guarantee bandwidth for critical applications including key business processes and IP Telephony. Benefit In the face of a network attack, ITM can mitigate the impact of threat traffic even if it cannot be classified or matched to a known threat signature. Guaranteeing bandwidth for critical applications allows service to continue in the face of an attack.


Employ DHCP Spoofing Prevention and ARP Spoofing Prevention to protect Local Area Networks. Benefit These LAN security practices protect devices from traffic interception, eavesdropping and man-in-the-middle attacks.

Keep your network, servers and clients updated and secure:
• Disable unused services in the operating system of every network device, server and management system to harden them against attack.
• Apply OS patches regularly, as soon as they become available.
• Regularly check with OS vendors for the latest security updates and guidelines.
• Regularly test system software for viruses, worms and spyware. Integrate anti-virus software into clients, network devices and management stations to protect against new attacks.
Benefit: Many security attacks exploit software defects and operating system vulnerabilities. Keeping your OS up to date and scanning for malicious software defends against attacks that target these vulnerabilities.

Log, correlate and manage security and audit event information. Each network device should have standardized audit logs:
• TCP Syslog, secure encrypted event logs
• Aggregated, normalized logs (i.e. neuSECURE)
• Encrypted at rest – chain of custody – maintain integrity
Benefit: Ensures the proper information is available and can be easily correlated by a single tool.
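An added example of the collection side of these bullets (not the neuSECURE product or any Nortel code): syslog lines from different devices are normalized into one record format and stored in a keyed hash chain so that a modified or deleted record fails verification. The device names, log lines and collector key are constructed.

```python
"""Constructed log collector; example code, not the neuSECURE product.  It
normalizes syslog lines from different devices into one record format and
protects the stored records with a keyed hash chain, so that a modified or
deleted record is detected on verification.  Sample lines and key are made up."""
import hashlib
import hmac
import json
import re

# RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} "
                       r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

def normalize(line):
    """Split a raw syslog line into the fields every device's log shares."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "message": m["msg"]}

class ChainedLog:
    """tag[i] = HMAC(key, tag[i-1] || canonical JSON of record[i]).  The key
    stays on the collector, so whoever alters a stored record cannot recompute
    the tags of the records that follow it."""
    GENESIS = b"\x00" * 32

    def __init__(self, key):
        self.key = key
        self.records = []          # list of [record_dict, tag_bytes]

    def _tag(self, prev_tag, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, prev_tag + body, hashlib.sha256).digest()

    def append(self, line):
        record = normalize(line)
        prev = self.records[-1][1] if self.records else self.GENESIS
        tag = self._tag(prev, record)
        self.records.append([record, tag])
        return tag.hex()

    def verify(self):
        """Index of the first record whose chain link fails, or -1 if intact."""
        prev = self.GENESIS
        for i, (record, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(prev, record), tag):
                return i
            prev = tag
        return -1

# Constructed lines from a firewall, a WSS 2360 and a signaling server.
SAMPLE_LINES = [
    "<86>Nov  1 10:15:02 fw-core1 sshd[412]: Accepted publickey for admin from 10.1.1.5",
    "<134>Nov  1 10:15:09 wss2360-a config: vlan 20 name voice added by admin",
    "<36>Nov  1 10:15:30 sig-srv1 login: FAILED LOGIN for root from 10.9.9.9",
]

def build_sample_log(key=b"constructed-demo-key"):
    log = ChainedLog(key)
    for line in SAMPLE_LINES:
        log.append(line)
    return log
```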


Network Management

Don’t stop monitoring the network after the initial assessment. Continue to do regular checks to monitor voice quality. Deploy NetIQ Vivinet AppManager for real-time troubleshooting, service-level monitoring and voice quality monitoring. Benefit: Helps you catch issues in which changes to the network have an unexpected adverse effect on IP telephony service.

Deploy PVQM (Proactive Voice Quality Management) with Phase II telephone handsets to monitor voice quality and enable troubleshooting in real-time. Benefit: PVQM helps you implement a real-time closed-loop system in which IP telephony calls are constantly monitored for packet loss and jitter.

Deploy Enterprise Policy Manager to manage access policies and roll out new policies and filters in real time. Benefit: Lets you deploy filter policies, QoS policies, and network access policies with EAP/UBP. Lets you limit user access to the network until authentication.


Deployment

Review the entire solution and strategy with the Pre-Sales Engineer and Account Representative. Benefit:
• Creates efficiency in the deployment.
• Allows for an Implementation Design Review.
• Eliminates confusion between the deployment team and the end user.
• Assures that those delivering the solution, PLM organizations, and Sales Professionals are in agreement on the solution’s real-time capabilities at the deployment window. (A product’s POR at the beginning of the sales cycle may not correspond to its capabilities on the “in-service” date.)
• Assists in defining acceptance criteria and the test plan.
• Assures that the test plan incorporates the appropriate failover and redundancy planning.

Grant ownership and leadership to the Deployment Team from the start of the Deployment phase Benefit: Though it can be difficult for them to yield, account teams must allow the deployment specialist to manage the deployment process with their support. Confusion and lack of consistent communication with the customer will jeopardize the project.

Assign a Project Management Team Benefit: Converged deployments require skills from multiple areas. A team approach is critical. A single project manager cannot be effective deploying large scale converged solutions.

Make sure the project plan is well documented and all-encompassing. Benefit: The integration of PSTN, LAN, WAN, Nortel and non-Nortel applications, and third-party hardware and software does not allow improvisation. The project plan is critical to keep small issues from becoming show stoppers.

Conduct at least one customer information meeting (conference call). Benefit:
• As the first of ongoing conferences with the customer, this call establishes the link from the pre-sales vision to the implementation of that vision.
• Increases customer confidence in the entire process.
• Allows any previous miscommunications to be identified and addressed.


Monitor the network from day one of deployment (using network sniffers). Benefit:
• Establishes a Network Readiness baseline for the future.
• Uncovers protocols or activities that might have an impact after deployment.
• Ensures a rigid, formal change management process is in place.

Capture information about the customer’s network in a repository. Benefit: This data may be required by NETS, a third-party provider, or others that must troubleshoot issues post-cutover.


References

Nortel Technical Support Portal http://www.nortel.com/support

The official Nortel source for documentation, software, bulletins, and other product information.

Layered Defense approach to network security http://www.nortel.com/solutions/security/collateral/nn108120-051705.pdf

Nortel position paper on layered defense security.
