Nortel Guide For Planning and Deploying Converged VoIP Networks To Enterprises 1.2

> Nortel Guide for Planning and
Deploying Converged VoIP

Networks to Enterprises
Document Date: November 2005

Document Version: 1.2
Nortel Guide for Planning and Deploying Converged VoIP Networks to Enterprises
Copyright © 2005 Nortel Networks

All rights reserved. November 2005
The information in this document is subject to change without notice. The statements,
configurations, technical data, and recommendations in this document are believed to be accurate
and reliable, but are presented without express or implied warranty. Users must take full
responsibility for their applications of any products specified in this document. The information in
this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used
only in accordance with the terms of that license.
Trademarks
Nortel, the Nortel logo, the Globemark, and CallPilot, are trademarks of Nortel Networks.
All other Trademarks are the property of their respective owners.
History
Date Issue Comments
26 August 2005 1.0 First release.

10 October 2005 1.1 Second release. Added “Checklist of best practices for sales,
deployment, and support” section.
1 November 2005 1.2 Added Nortel copyright and trademark info, removed “Nortel
Confidential” page footer.
2
Contents
Introduction................................................................................................................................................. 4
Checklist of best practices for sales, deployment, and support .................................................................. 5
Sales and Sales Engineering ................................................................................................................... 5
Deployment............................................................................................................................................. 5
Beginning Support .................................................................................................................................. 6
General Best Practices ................................................................................................................................ 7
IP Telephony............................................................................................................................................... 9
Multimedia Applications .......................................................................................................................... 10
Call Servers........................................................................................................................................... 10
Messaging (CallPilot) ........................................................................................................................... 13
Campus Ethernet Switching Design Considerations ................................................................................ 15
Core Network........................................................................................................................................ 15
Edge ...................................................................................................................................................... 16
Security ................................................................................................................................................. 17
Diagnostics / Management.................................................................................................................... 17
Campus WLAN Design Considerations ................................................................................................... 19
WAN/Branch Design Considerations ....................................................................................................... 22
VPN Router 6.0..................................................................................................................................... 22
Encryption............................................................................................................................................. 23
DiffServ................................................................................................................................................. 23
Network Security Considerations ............................................................................................................. 25
Network Management............................................................................................................................... 28
Deployment............................................................................................................................................... 29
References................................................................................................................................................. 31
Nortel Technical Support Portal ........................................................................................................... 31
Layered Defense approach to network security.................................................................................... 31
3
Introduction
This guide is a collection of practices, principles, and advice that helps you avoid problems when
you deploy large converged voice/data network systems. The items in this guide come from lessons
learned by Nortel support staff, installers, and customers while installing and configuring actual
networks under real-world conditions.
Our intent is that this document is perpetually under construction. If you have any suggestions,
questions, comments, or concerns, please click here to email us. We look forward to incorporating
your feedback in future revisions.
4
Checklist of best practices for sales, deployment, and support

The following best practices are those that Nortel teams have found to be the most critical to successful
deployments of large converged VoIP networks.
Sales and Sales Engineering

Create a solution architecture drawing for the proposed deal. Review the solution architecture
with all members of the deployment team before presentation to the customer:
Sales
Sales Engineering
NETS Solutions Support team
ATS (Deployment)
PLM as needed
The team must verify the solution for:

Technical viability
Orderability
Deployability
Supportability
Availability
Complex VoIP deals must include in the quote:

Network monitoring devices (sniffers)
A Health Check to ensure that the existing data network supports real time applications.
Methods for post-deployment support access are in place (for example, VPN access)
Periodic network health audits after the customer accepts the network
Agreement with the customer to maintain a detailed change log to track:
o Changes in data network architecture (for example, changes in subnets or changes in
routing)
o Changes in voice assignments (for example, IP sets added, deleted, moved, or changed)
Create a Livelink repository to capture project information including Solution Architecture.

Make this repository available to Deployment and Support groups.
Deployment
Perform network health check on existing networks before deployment begins
Receive and pre-stage 3rd party devices (for example, servers)
Load and test all software and applications during pre-staging
Ensure network monitoring devices are installed and working before deployment begins
5
Maintain a change log to track all changes to data and voice network throughout (and after)
deployment.
Update Livelink repository with current Solution information
Beginning Support
Ensure network monitoring devices are installed and working before support begins
Ensure change logs are up to date and a process is in place to continue their use before support
begins
Ensure support team can access customer’s network (for example, VPN connectivity)
Ensure support engineer’s understand the customer’s network and have access to the Livelink
repository incl. Solutions Architecture drawing.
Perform periodic network health audits of customer’s network
o Reference change log
o Reference network monitoring devices
o Correlate network performance issues to change log.
6
General Best Practices

This section collects Best Practices that apply to all major aspects of converged networks.
Develop and document naming/numbering conventions to be used in configuration of systems.

Leave room in your numbering convention for future expansion
Benefit:
You can more quickly and effectively locate problem devices if DNs, TNs, and IP addresses are
assigned according to a logical system.
Make sure that installation and maintenance staff are aware of applicable electrostatic
discharge (ESD) procedures, and that they follow them at all times.
Benefit:
Helps eliminate ESD as a source of problems with network equipment.
Always perform a Network Assessment / Health Check prior to installation to ensure data
network is capable of transmitting voice. Perform regular assessments after large
changes/additions are made to the network/system configuration.
Benefit:
• Reduces I.T. Manager Fear of Failure of VoIP Implementation
• Minimize Time and cost lost to Cutover/Acceptance Issues
• Establish Network Readiness baseline for the future
• Provide Statistical and Graphic Depiction of VoIP Performance
Create a clean and traceable setup when wiring closets and switch rooms.
Benefit:
Well-organized network infrastructure is easier to upgrade and much faster to troubleshoot. The time
spent keeping wiring organized and labeled is returned many times over in avoiding confusion about
the layout, avoiding problems, and faster resolution of problems that do arise.
Maintain a database of the various devices (Including 3rd party devices and applications) in
the network: Include information such as:
• Software and firmware versions running on each device
• Physical location of each device (including rack and slot)
• NT/Rls # of various cards
Benefit:
Helps you keep track of the devices in your network and the software and firmware running on them.
7
After the system is installed and fully operational, perform and store a full backup of the
system and system software in a safe environment in case system recovery is required.
Benefit:
Helps you recover quickly from resets in which system software or configurations are lost or
corrupted.
Maintain a database log of maintenance and configuration activities done within the network,
including both voice and data equipment. Consider keeping a hardcopy of the log onsite.
Useful information includes:
• Date of activity
• Name of person/group performing activity
• Type/details of activity being performed
• Problems encountered during activity
• Tests performed to verify success of maintenance/configuration activity
• Storage location of log files/screen captures etc.
Benefit:
Helps you trace problems and issues back to network changes.
Perform a rigorous assessment of the power output required for POE to determine how much
input power (power supplies) you will need for the installation.
Benefit:
Makes sure that you have enough power for all POE devices, and that you know how much AC
power is required in the wiring closets for the installation.
Ensure that all devices have power and ground connections as described in the installation
guides.
Benefit:
Eliminates many potential sources of trouble. Ground and power issues are often anomalous, and are
sometimes very hard to trace back to the root cause.
8
IP Telephony
Set All LAN interfaces to auto-negotiate instead of fixing their data rate and duplex settings.
Benefit:
Fixed settings for rate and duplex may result in mismatches, causing packet loss and voice quality
issues.
Always assign telephony to a separate VLAN from data devices.

Benefit:
Separating data and voice into different VLANs improves security and voice quality, and prevents
compromise of telephony services
Have the E-911 plan approved and signed by customer.

Benefit:
The E-911 plan establishes the degree of accuracy to which the location of an emergency call is
reported. Going over the plan with customers ensures that they understand the regulatory and
liability issues surrounding 911 emergency call service.
Have a backup power plan approved by the customer. Make sure they understand the
telephony impact of power failure. Consider factors such as the time required to bring up
emergency generators.
Benefit:
Ensures that the customer understands the issues around power and resiliency. Helps achieve reliable
telephone services, and manages customer expectations for service survival in power failure.
9
Multimedia Applications
Call Servers
Document port configurations (for example, duplex settings), port statistics, protocols being
used at various OSI layers etc. for data devices in network.
Benefit:
Problems reported on the VOIP side are often data network issues, so understanding the underlying
data network helps understand VOIP problems.
Create a database that captures IP address ranges for various devices in the system (including
IP phones), their physical location, and their corresponding DNs and TNs.
Benefit:
A logical system for assigning IP addresses helps you pinpoint problem devices, especially where
the network spans more than one physical site.
Consider developing a process to determine who is logged into the switch at all times. For
example, you might allow network management only from a dedicated PC or range of PCs,
and implement unique login names for users on those machines.
Benefit:
Helps you keep records of who is doing what, so data network maintenance activities doesn’t
interfere with the voice network.
Ensure that all activities done while logged into any device within the network are captured
(logged). Document storage location of log files in a database for easy retrieval.
Benefit:
Log commands used on switches or network devices for troubleshooting. This record helps you track
causes and effects regarding maintenance activities.
Develop a plan for remote access to all points in the system should it be required. Have the
equipment on hand and connected. Nortel recommends using Contivity VPN products for
secure remote access.
Benefit:
Planning and implementing a system for remote access drastically shortens the time required to
access and troubleshoot the equipment. Using Contivity VPN products for remote access protects
proprietary network management data.
10
When performing complex maintenance tasks and troubleshooting problems, have a sniffer
running continuously on the Signaling Server TLAN (and ELAN if possible). Document the
process for accessing files reliably (for example, ftp location and login details). Consider how
sniffer information can be shared remotely.
Benefit:
Sniffer captures can reduce troubleshooting time and increase your chances of being able to
reproduce the problem for RCA (root cause analysis).
Configure test phones in wiring closets in separate zones at each site.

Benefit:
Lets you try out changes and test for problems without interfering with customer activities.
In the event of a failure on the Call Server or Signaling Server, be prepared to provide the
following information (at a minimum):
• Report logs
• History files
• Configuration records/config files
• Database configuration (on call server)
• Patches loaded on system
• Network diagram
Benefit:
This is what Tech Support will ask. Having the answers handy will make the support call faster and
more effective.
Once you have duplicated a problem, try to simplify the call scenario as much as possible and
still retain the problem. For example, if the problem occurs with a conference call, see if it also
happens with a regular call.
Benefit:
Reduces problem to essential elements for easier troubleshooting.
When chasing an intermittent problem, maintain a database that captures dates, times, and
details of the symptoms.
Benefit
Helps you identify patterns that lead to the root cause. Helps you eliminate the intermittent nature of
the problem and understand how to duplicate the problem at will.
11
Develop a questionnaire template that end users can use to record problem specifics. Structure
questions so that responses cannot be ambiguous (i.e. maximize usefulness of information
provided). Tailor the questionnaire to each problem. Include information such as:
• Time of day
• What happened
• Is this a new installation (was the feature previously functional?)
• What changed before problem occurred?
• What workarounds, if any, are available?
Benefit:
Helps eliminate vagueness and ambiguity when tracking problems back from problem reports.
When reporting or documenting a call scenario, record the path of devices traversed (for
example, set A on switch X ->set B on switch Y ->Call Pilot on switch Z. If the path in data
network can be determined, provide this information as well
Benefit:
Tracing the voice path helps refine the problem to its essential elements and helps to eliminate issues
and devices that are unlikely to be involved.
When capturing traces and logs for a given problem, provide similar records for both good
and bad call scenarios if possible.
Benefit:
Comparing the records for good and bad calls helps identify key differences between functional
systems and problem systems.
When troubleshooting Voice Quality Issues:

• Perform an environmental audit of the location: (for example, carpeted room, noisy devices/fans
running in background?)
• Collect details of the problem using the echo checklist (as documented in the IPL Expert Guide)
• Provide recordings/captures of voice quality problems being experienced
Benefit:
Helps to refine the problem description and to eliminate subjective elements.
Develop and document the escalation process and contact list (including name, contact
information and role) to be used in the event of a problem.
Benefit:
Establishing an escalation contact list before problems are encountered speeds problem resolution
because you don’t lose time talking to the wrong people or getting the wrong people involved.
12
When troubleshooting a problem:

• Verify that the system has latest suite of patches installed. Make sure you have installed the latest
dependency list (Deplists) for Call Server, Signaling Server and Media Gateway Cards.
• Remove all obsolete patches from the call server & signaling server
• Review individual/site specific PEPs to see if they could be the cause of the problem on site.
Benefit:
Helps eliminate problems caused by old patches or unforeseen interaction between patches.
Messaging (CallPilot)
Verify the compatibility of all systems software levels being integrated and ensure all levels of
client software are current (CallPilot Manager/Reporter, Desktop Client, and MyCallPilot).
Especially in upgrades, make sure client and server versions are compatible. See Distributor
Technical References and General Release Bulletins for compatibility information.
Benefit:
Reduces the risk of problems by ensuring compatibility between system software elements.
Ensure that CallPilot, (along with all other components) has all current PEPs (Product
Enhacement Packages).
Benefit:
The PEPs incorporate the latest fixes and updates. Having the latest set ensures the highest level of
functionality.
Have your list of telephone DNs and TNs before starting the CallPilot installation.
Benefit:
You’ll need the list of DNs and TNs to get the system running, so having the list ready beforehand
saves time during the installation.
The VAS ID associated with the ELAN must use SECU=YES whether it is used by SCCS or
CallPilot.
Benefit:
Keeps SCCS and CallPilot from attempting to claim each other’s resources.
Ensure the ELAN and CLAN are not on the same subnet.
Benefit:
Prevents congestion on the CLAN from interfering with VoIP traffic on the ELAN.
13
Do not use the Windows control panel on the CallPilot server to change the server name.
Instead, use the CallPilot Config Wizard.
Benefit:
Changing the server name using the Config Wizard also changes the name in the CallPilot server
configuration. Changing the name using the Windows control panel doesn’t change the name in the
CallPilot configuration, and causes inconsistencies between the OS and CallPilot applications.
Ensure that current and supported anti-virus software is installed on the CallPilot system. See
the DTRs for a list of supported, validated AV software and recommended settings.
Benefit:
The CallPilot Server is a W2K server, and may be vulnerable to the same types of malicious
software as other Windows machines.
Develop and implement a comprehensive test plan for all implemented CallPilot features
before going live. Don’t just test one or two features and conclude that the system is customer-
ready.
Benefit:
Helps you find potential problems before going live.
Review and understand the log files during the implementation process to ensure
stability/sanity of the system.
Benefit:
Some innocuous-seeming log entries might mean big problems later. Make sure you know what’s
getting logged and why.
14
Campus Ethernet Switching Design Considerations

Core Network
Implement dual-active switch fabrics in chassis.
Benefit:
Doubles amount of bandwidth available, ensures no single point of failure can bring down the core
network.
Implement N+1 power redundancy, making sure power supplies are on different AC circuits.
Benefit:
Ensures that the failure of a single power supply or AC supply circuit won’t affect the core network.
Implement N-1 resiliency for closet uplinks using SMLT.

Benefit:
Lets you use the full bandwidth of all gigabit uplinks; doesn’t require Spanning Tree. SMLT also
provides also provides sub-second failover and recovery in the event of a switch or link failure.
For SMLTs, terminate IST (inter-switch trunk) on different modules within the chassis and
only on non-blocking ports. Also, terminate the ISTs on the lowest-numbered ports and slots.
Benefit:
Terminating ISTs at different modules within core switches makes sure that the failure of a port or
module doesn’t bring down the IST. Having the IST on non-blocking ports ensures zero packet loss
between the switches in the terabit cluster. Using the lowest-numbered ports and slots for the ISTs
ensures the fastest initialization of the ISTs.
Ensure some type of fiber fault management is enabled on uplink ports (autonegotiation,
LACP, VLACP, SFFD).
Benefit:
Otherwise, one port might continue sending without realizing the far-end port can’t receive.
Implementing fiber fault management ensures that, in the event of a single fiber fault, the entire port
is deactivated.
Configure Virtual Router Redundancy Protocol (VRRP) for default gateway.

Benefit:
If one core switch goes down, the users’ default gateway remains available.
Configure QoS in the core switches, and configure Diffserv Core ports (trusted ports) to honor
DSCP marking from IP phones.
Benefit:
Ensures that VoIP traffic is prioritized over all other data traffic in the network.
15
Edge
On edge stackable switches (for example 460/470 and 5500s), install return cable for failsafe,
resilient stacking.
Benefit:
In the case of switch failure, the return cable maintains the integrity of the stack so that no switches
in the stack become isolated.
Implement Dual active switch fabrics on the 8300 edge switch chassis.
Benefit
Having dual fabrics lets you terminate uplinks on two different modules in 8300 chassis, eliminating
single point of failure and doubling the uplink bandwidth.
Implement N+1 power redundancy (redundant power supplies for chassis or RPS for switch
stacks) and make sure power supplies are on different AC circuits
Benefit:
Ensures that the failure of a single power supply or AC supply circuit won’t affect the network. This
consideration is especially critical where the edge network supports POE devices (access points,
phones, card readers).
Terminate uplinks on edge switches using DMLT to distribute uplink ports across different
switches in the stack or different modules in the chassis.
Benefit:
Dual homing uplinks ensures no single point of failure.
Enable Spanning Tree Faststart on all end user ports

Benefit:
Helps workstations connect to the network faster while still preventing looping at the desktop.
FastStart assumes ports are non-looping and blocks port only if loop detected.
Configure QoS in the edge switches, and configure Diffserv Access ports and filters to mark
the DSCP for VoIP traffic.
Benefit:
Ensures VoIP traffic is prioritized over all other data traffic in the network. Although IP phones can
mark their own DSCP, it is safer to have the edge switch mark the traffic. This approach prevents
PCs from marking their traffic and defeating the intent of the QoS.
16
Security
Change default login name/password and default SNMP community strings
Benefit:
Prevents unauthorized access to switching equipment using Nortel default passwords and
community strings.
Create management Access Control Lists to limit the number of people able to manage
network devices.
Benefit:
Restricts management access only to authorized users at authorized management stations.
Use RADIUS authentication for management of network devices.

Benefit:
Provides a centralized mechanism for authentication and alleviates the need to continually change
passwords on each network device.
Use SSH and SNMPv3 to encrypt switch management traffic.

Benefit:
Prevents users from sniffing network traffic to gain unauthorized access to management traffic and
passwords.
Deploy EAPOL on all user switch ports

Benefit:
Ensures end user network authentication. Prevents unauthorized access.
Diagnostics / Management
Always leave at least one port available for port mirroring traffic.
Benefit:
Lets you easily connect a sniffer to the device without having to disconnect users.
Use the syslog feature to write log information to a separate server.

Benefit:
Using syslog provides a log of events that helps troubleshooting issues. Having the log on a separate
server prevents the log from getting erased in a switch reset or failure.
Configure SNMP trap receivers for all the switches in the infrastructure to capture relevant
information
Benefit:
Lets you maintain a log of network events that you can use monitor network health.
17
Deploy change control software that maintains a database of switch configurations

Benefit:
Maintains a record of network configuration. Ensures configurations are consistent, current, and
correct. Facilitates consistent communication about network configuration among system
management staff.
Backup device configurations to a network server every time a change is made.

Benefit:
Lets you easily restore device configurations in case of a reset. Lets you easily revert to a previously
known configuration in case of a configuration problem.
18
Campus WLAN Design Considerations

When conducting an initial site survey and estimating the number of APs, plan the network
for capacity not coverage.
Benefit:
Trying to cover the maximum area possible per AP leads to oversubscription, loss of performance,
and user dissatisfaction. All users share the throughput of one cell, or specifically one channel in the
area of the AP. This is compounded by the variable data rate of the cell. One user at the far edge of a
cell can bring the entire cell to a combined (shared) throughput of 1-2 Mbps. If you plan the network
with maximum cell sizes in a dense office environment, it can mean up to 50 users all sharing 1
Mbps. The practice of maximizing cells is like adding more hub ports to the network. The practice of
shrinking cell sizes and increasing the number of APs is like segmenting the WLAN.
Once the number of APs needed to cover a site is known, plan for N+1 switches to control the
APs.
If one model of WLAN Security Switch 2300 is used throughout, the number of switches needed is
simply N+1, where N is the minimum number of switches needed to support the number of APs at
the site. For example, 20 APs would require at minimum two WSS 2360s, so three should be
installed. If a mix of WSS 2300 models are to be deployed, then the rule for N+1 redundancy is to
plan for the failure of the biggest switch and make sure there are enough AP slots available to
support the APs. For example if 2370s and 2360s are used together, then as long as there are 40 open
AP slots throughout the network, it is N+1 redundant.
Benefit
Makes the resilient against single WSS 2300 failures. Without the extra switch, APs would cease to
function if its controller were to fail. Note that resiliency can also be implemented as N+2 or greater
if desired.
19
For larger networks plan to deploy 802.11a coverage throughout and deploy client devices that
also support 802.11a when possible.
There are still some classes of devices, Wi-Fi handsets for example, that only support 802.11b.
However, most other devices don’t have this limitation and many PDAs now have 802.11a options.
In those cases, 802.11a should be preferred for WLAN connectivity.
Benefit
802.11a has better throughput than 802.11b, since the band is not as cluttered with devices such as
cordless phones, microwave ovens, DECT devices, and Bluetooth devices.
Due to the increased channel count of 802.11a, it is significantly easier to plan channel layouts
where channel re-use is needed. In addition, the larger channel space allows for 7 or 12 channel
plans which dramatically reduce the co-channel interference between like-channel cells compared to
the 3-channel plans of 802.11b/g. The end result is less RF interference, greater per-cell throughput,
and better network scaling. Although 802.11g by itself offers comparable throughput to 802.11a,
APs will often shift into compatibility mode and reduce throughput significantly for the entire cell,
including for 802.11g capable devices.
Use MLT to connect WLAN Security Switch 2300s to the core, preferably a Split-MLT core.
Benefit
MLT combined with an SMLT core maximizes the uplink bandwidth available (because it is active-
active not active-standby) while also providing network resiliency.
Do not implement “closed system” (removing the SSID from the beacon) as a security
measure, especially if there are other WLANs in the neighborhood.
Benefit
Since the SSID can easily be learned by other means such as eavesdropping, hiding it is not an
effective security measure and is not worth the negative impacts on roaming.
Use firewalls where possible, especially when using weaker authentication methods.
Benefit
MAC authentication and static WEP are not very secure methods of authenticating clients. Client
limitations may dictate the use of these methods and if so, they should be combined with firewalls to
limit the impact in the event that security is compromised. For example, VoWLAN handsets should
only be able to reach the telephony VLAN and signaling servers. All other ports and destinations
should be blocked.
20
Plan to minimize the amount of data traffic sharing the same band with VoWLAN. If possible,
keep all data on 802.11a (5 Ghz) channels and reserve 802.11b (2.4 Ghz) for voice.
Benefit
While there are QoS mechanisms that allow data and voice to share the same channel, they all work
best when the amount of data is kept to a minimum. SVP generally uses strict prioritization of voice
from AP to clients, but does not protect well against lots of upstream data traffic. WMM uses
weighted statistics to give preference to voice traffic, meaning lots of data devices sending traffic
can mitigate the preferred weighting of voice.
If data and voice share the same band, reduce the maximum call count per access point
according to the amount of minimum data that you want to support.
Benefit
This practice allows some amount of data throughput during busy call volumes. Otherwise, data
traffic may experience unacceptable throughput levels during those busy times.
Map all VoWLAN handsets into a single VLAN. Note that regardless of topology, the VLAN
does not have to be extended to all WSS 2300s. Only one or two switches must have a
connection to the VLAN—the remaining switches tunnel handsets to the switch that has the
connection to the VLAN.
Benefit
This configuration lets you minimize the number of WTM 2245s installed to support the VoWLAN
handsets. Instead of one WTM 2245 per VLAN, this configuration requires only one VLAN to have
a WTM 2245. It also makes the general network design much simpler—one firewall co-located with
the VLAN, etc.
In support of 221x VoWLAN handsets, specify a TFTP server address of 255.255.255.255 if

you don’t have new code to download to the handset. Whether you use static settings or DHCP
provided settings, 255.255.255.255 is a special address that disables the software download to
the handsets. When new handset code is deployed, simply change the TFTP server address on
the DHCP server to the real address. After deploying, change the address back to
255.255.255.255
Benefit
The handset checks upon power up for new code on the configured TFTP server. If the server is not
present, the phone will not finish booting. In this situation the TFTP server is a single point of failure
in the network. Since code upgrades are not very common it makes sense to disable the phone’s code
checking except when upgrades are necessary.
21
WAN/Branch Design Considerations

Ensure all WAN/Branch edge elements that carry VOIP Traffic (including any security-
enforcing devices) have these features:
• QoS protocols
• Multiple queues
• A strict priority scheduler
• Forwarding as close to line rate as possible with sub-millisecond traversal delay
• Fragmentation services such as MLPPP or FRF 12
Benefit:
Helps ensure that you can guarantee QoS throughout the entire media transmission path.
Ensure all WAN/Branch edge elements that carry VOIP Traffic provide call security along the
entire voice transmission path:
• Use encrypted tunnels for data passing over MAN/WAN links
• Use IP filters on interfaces to eliminate well-known malicious attacks that might originate from
within the corporate network.
• Use logging services and enable system security auditing to track access and configuration
changes on all VoIP servers, firewalls and other network elements.
• Use MAC-based access controls for devices capable of authentication using EAP
• Use access lists and IP permit lists to restrict access to managed devices
Benefit
Helps ensure the security of VoIP traffic across the network.
VPN Router 6.0

The following recommendations apply to VPN Router series 6.0 VoIP features.
Avoid using compression on VoIP links (IPSec on FR). Typically, IPSec compression is
enabled by default so you will need to disable it.
Benefit:
For small packets, such as VoIP traffic, compression tends to degrade performance.
22
Set the Tx-Ring buffer size equal to or less than the result of VoIP Max Delay Variation
tolerance divided by the serialization delay.
Benefit:
The Ring-Buffer setting is the number of packets reserved by the I/O card to be transmitted. This
value is the greatest number of data packets that could be queued and possibly 'block' a VoIP packet.
For example, if your variation tolerance (i.e. max jitter) is 40 MSec and it takes 6 mSec to transmit a
single (largest) data packet, you would set the ring buffer to 40/6 rounded down to the nearest
integer, which is 6.
For portions of the network where the network traffic is all VoIP (there is no data traffic) set
TX-Ring to the expected number of concurrent VoIP sessions.
Benefit:
When data traffic is not a consideration, you can configure the TX-Ring buffer to maximize voice
traffic effectiveness. (See above)
Encryption
Use AES encryption instead of 3DES.
Benefit:
AES is more efficient and introduces less latency than 3DES.
Avoid using IPSec Hardware Acceleration for VoIP.

Benefit:
IPSec hardware acceleration introduces latency by requiring extra trips across the PCI bus.
Disable IPSec Anti-Replay (on by default)

Benefit:
Anti-Reply provides a window of 32 packets per IPsec tunnel that are accepted by the receiver. If a
packet is received outside of the window, it is dropped. Because VoIP packets are small and
prioritized, there is a strong chance that whole data streams may be dropped (or be forced to
retransmit) because 32 or more VoIP packets are transmitted before a data packet can make it
through.
DiffServ
When using IPSec, frame relay compression, or frame relay fragmentation, mark DSCP on
traffic ingress. Also, make sure that DiffServ PHB queue is enabled on the egress interface so
that the VPN router can properly prioritize the voice traffic.
Benefit:
Marking on ingress enables the device to effectively apply QoS on the traffic being received. When
traffic is marked on egress, only subsequent devices in the voice transmission path can apply any
QOS on the VoIP stream.
23
Allow for WAN encapsulation overhead when setting EF (Expedient Forward) shaping rate.
One shortcut is to set the EF shaping rate to the WAN data rate.
Benefit:
Disregarding the encapsulation overhead when setting the EF shaping rate can cause you to set an
improper shaping rate, resulting in increased latency.
24
Network Security Considerations

Use a Layered Defense approach to Security as described in “Layered Defense approach to
network security” (http://www.nortel.com/solutions/security/collateral/nn108120-051705.pdf)
Benefit
Defense layers complement each other to protect information assets from any single point of security
failure.
Define security policy in terms of clearly defined security zones with different access types.
Define user roles and groups and map to security zones. Use firewall, filter and access control
capabilities to enforce network access policies between these zones using the least privilege
concept.
Benefit:
This approach allows appropriate protection for various classes of information assets. Limits access
to applications and networks based on an authenticated user and their role in the organization
Control admission to your network by checking both user credentials and device compliance
with your security policies:
• Use strong passwords and common network-based authentication.
• Check PCs for current anti-virus and personal firewall software before allowing them on the
network.
Benefit
Checking credentials ensures that only authorized users are granted access. Checking device
compliance prevents introduction of network threats from mobile devices such as laptops that may
have been exposed to worms and Trojan horses in other network environments such as home or
public networks.
25
Gain Awareness of your network traffic, threats and vulnerabilities. Use that knowledge to
defend against internal and external attacks. Detect and Prevent Attacks based on
Vulnerability Context
• Get to know your network including traffic types associated with each security zone.
• Use the Intrusion Detection and Intrusion Protection capabilities of TPS (Threat Protection
System) to monitor the network for threat traffic, audit your security policy enforcement and
react to threats in real-time by actively blocking threat traffic.
• Use passive asset inventory techniques to profile your network assets, assess vulnerability and
refine IDS/IPS intelligence and response.
Benefit
Network attacks pose serious risks to your business including service outages, information theft,
defacement etc. Building a comprehensive Threat Protection System that understands your network,
real-time threats and provides closed loop enforcement and active protection can eliminate network
downtime and protect network assets from intrusion, hacking, worms, trojans and other threats.
Secure network Communication:

• Secure private communications over public or untrusted networks. Use Virtual Private Networks
to connect tele-workers, road warriors, and partners to network applications.
• Encrypt IP Telephony traffic to prevent eavesdropping, fraud and impersonation.
• Use VPNs or Temporal Key Integrity Protocol (TKIP) for Wireless LAN or Wireless Mesh
communications.
Benefit
These practices protect the confidentiality and integrity of private communications originating from
unsecured physical sites.
Use Anti-Spoofing, BOGON blocking and Denial of Service (DOS) prevention capabilities at
security zone perimeters to block invalid traffic including incorrect packets and packets with
invalid source addresses from entering or exiting your network.
Benefit
Studies show that a majority of threat traffic (such as denial of service attacks) use invalid or
unassigned IP address ranges. Blocking these address ranges and recognizable DOS packets reduces
impact to your network and network devices such as servers. Blocking these outgoing packets
prevents your network from being used to propagate attacks against third-parties.
Use intelligent traffic management (ITM) capabilities to guarantee bandwidth for critical
applications including key business processes and IP Telephony.
Benefit
In the face of a network attack, ITM can mitigate the impact of threat traffic even if it cannot be
classified or matched to a known threat signature. Guaranteeing bandwidth for critical applications
allows service to continue in the face of an attack.
26
Employ DHCP Spoofing Prevention and ARP Spoofing Prevention to protect Local Area
Networks.
Benefit
These LAN security practices protect devices from traffic interception, eavesdropping and man-in-
the-middle attacks.
Keep your network, servers and clients updated and secure:

• Disable unused services in the operating system of every network device, server and
management system to hardened them against attack.
• Apply OS patches regularly as soon as they become available.
• Regularly check with OS vendors for the latest security updates and guidelines.
• Regularly test system software for viruses, worms and spyware. Integrate anti-virus software into
clients, network devices and management station to protect against new attacks.
Benefit:
Many security attacks exploit software defects and operating system vulnerabilities. Keeping your
OS up-to-date and scanning for malicious software defends against security attacks that target these
vulnerabilities.
Log, Correlate and Manage Security and Audit Event Information. Each network device
should have standardized audit logs:
• TCP Syslog, Secure Encrypted Event Logs,
• Aggregated, Normalized Logs (ie neuSECURE)
• Encrypted at rest – chain of custody – maintain integrity
Benefit:
Ensures the proper information is available and can be easily correlated by a single tool.
27
Network Management
Don’t stop monitoring the network after the initial assessment. Continue to do regular checks
to monitor voice quality. Deploy NetIQ Vivinet App Manager for real-time troubleshooting
and service-level monitoring and voice quality monitoring.
Benefit
Helps you catch issues in which changes to the network might have unexpected adverse effect on IP
telephony service.
Deploy PVQM (Proactive Voice Quality Management) with Phase II telephone handsets to
monitor voice quality and enable troubleshooting in real-time.
Benefit:
PVQM helps you implement a real-time closed-loop system in which IP telephony calls are
constantly monitored for packet loss and jitter.
Deploy Enterprise policy manager to manage access policies and roll out new policies and
filters in real time.
Benefit
Lets you deploy filter policies, QOS policies, and network access policies with EAP/UBP. Lets you
limits user access to the network until authentication.
28
Deployment
Review the entire solution and strategy with the Pre-Sales Engineer and Account
Representative
Benefit:
• Creates efficiency in the deployment
• Allows for Implementation Design Review.
• Eliminates confusion between the deployment team, and the end user.
• Assures that those delivering the solution, PLM organizations, and Sales Professionals are in
agreement to the solution’s real time capabilities at the deployment window. (products POR at
the beginning of the sales cycle may not correspond to the capabilities on the “in – service”
date.)
• Assist in defining acceptance criteria and test plan.
• Assures that the test plan incorporates the appropriate failover and redundancy planning.
Grant ownership and leadership to the Deployment Team from the start of the Deployment
phase
Benefit:
Though it can be difficult for them to yield, account teams must allow the deployment specialist to
manage the deployment process with their support. Confusion and lack of consistent communication
with the customer will jeopardize the project.
Assign a Project Management Team

Benefit:
Converged deployments require skills from multiple areas. A team approach is critical. A single
project manager cannot be effective deploying large scale converged solutions.
Make sure the project plan is well documented and all-encompassing

Benefit:
The integration of PSTS, LAN, WAN, Nortel and non-Nortel applications, third party hardware
and software does not allow improvisation. The project plan is critical to avoid small issues from
becoming show stoppers.
Conduct at least one customer information meeting (conference call).

Benefit:
• In the first of ongoing conferences with the customer, this call establishes the link from the pre-
sales vision to the implementation of that vision.
• Increases customer confidence in the entire process.
• Allows for any previous miscommunications to be identified and addressed.
29
Monitor network from day one of deployment (using network sniffers).

Benefit:
• Establish Network Readiness baseline for the future
• Uncovers potential protocols or activities that might impact after deployment
• Ensures rigid / formal change management process is in place
Capture information in repository for customer’s network.

Benefit:
This data may be required by NETS, and third party provider, or others that must troubleshoot issues
post cutover.
30
References
Nortel Technical Support Portal
http://www.nortel.com/support
The official Nortel source for documentation, software, bulletins, and other product information.
Layered Defense approach to network security

http://www.nortel.com/solutions/security/collateral/nn108120-051705.pdf
Nortel position paper on layered defense security.
31
32

Nortel Guide For Planning and Deploying Converged VoIP Networks To Enterprises 1.2

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Nortel Guide For Planning and Deploying Converged VoIP Networks To Enterprises 1.2

Încărcat de

Drepturi de autor:

Formate disponibile

> Nortel Guide for Planning and

Deploying Converged VoIP

Document Date: November 2005

Copyright © 2005 Nortel Networks

26 August 2005 1.0 First release.

Checklist of best practices for sales, deployment, and support

Sales and Sales Engineering

The team must verify the solution for:

Complex VoIP deals must include in the quote:

Create a Livelink repository to capture project information including Solution Architecture.

General Best Practices

Develop and document naming/numbering conventions to be used in configuration of systems.

Always assign telephony to a separate VLAN from data devices.

Have the E-911 plan approved and signed by customer.

Configure test phones in wiring closets in separate zones at each site.

When troubleshooting Voice Quality Issues:

When troubleshooting a problem:

Campus Ethernet Switching Design Considerations

Implement N-1 resiliency for closet uplinks using SMLT.

Configure Virtual Router Redundancy Protocol (VRRP) for default gateway.

Enable Spanning Tree Faststart on all end user ports

Use RADIUS authentication for management of network devices.

Use SSH and SNMPv3 to encrypt switch management traffic.

Deploy EAPOL on all user switch ports

Use the syslog feature to write log information to a separate server.

Deploy change control software that maintains a database of switch configurations

Backup device configurations to a network server every time a change is made.

Campus WLAN Design Considerations

In support of 221x VoWLAN handsets, specify a TFTP server address of 255.255.255.255 if

WAN/Branch Design Considerations

VPN Router 6.0

Avoid using IPSec Hardware Acceleration for VoIP.

Disable IPSec Anti-Replay (on by default)

Network Security Considerations

Secure network Communication:

Keep your network, servers and clients updated and secure:

Assign a Project Management Team

Make sure the project plan is well documented and all-encompassing

Conduct at least one customer information meeting (conference call).

Monitor network from day one of deployment (using network sniffers).

Capture information in repository for customer’s network.

Layered Defense approach to network security

S-ar putea să vă placă și