Avaya IP Communications Overview, Interoperability with Cisco Networks, and Best Practices Miguel Corteguera
QoS Requirements

Delay (one way between endpoints):
● ITU spec is 150ms or less
● Avaya recommends 80ms or less for “business quality audio”
● Delay over 150ms could be acceptable depending on customer expectations, codec, etc.
● Delay over 250ms causes “talk over” problems

Jitter (variation in delay):
● Less than 20ms recommended
● Defaults can handle up to 30ms (dependent on sampling rate)

Packet loss:
● Less than 1% recommended

Additional information: Avaya Labs – IP Voice Quality Network Requirements
http://support.avaya.com/elmodocs2/audio_quality/IP-Networking_Req_Issue_3-1.pdf
General Approaches

Trust application / device traffic
● Endpoints and gateways tag packets with 802.1P/DSCP values
● All except IPSI settings controlled through network region screen
● Advantage: Easy to implement, works with AutoQoS
● Disadvantage: Less control

Switches classify and tag at the edge
● ACLs at the edge tag packets according to port / VLAN / protocol / port range / etc.
● Advantage: Strict control
● Disadvantage: Requires in-depth knowledge of protocols, more time consuming, more complex configurations

Mix of the two above
● For example: endpoint traffic is classified at the edge while gateway traffic is trusted

Regardless of the approach chosen, a uniform QoS policy is recommended throughout the enterprise. Make it as “cookie cutter” as possible.
LAN

● IP Telephones should be placed in a subnet of a “manageable” size
  ● Typically a class C subnet (24 bit)
  ● Keeps broadcast traffic low
● Limit VLANs to a single closet or switch when possible
  ● Isolates failures (including power outages, maintenance, etc.) from affecting other areas
● Use 802.1P for L2 switches and links
  ● If using more intelligent switches it is possible to configure QoS based entirely on DSCP (802.1Q to support different voice/data VLANs is still recommended)
QoS and Cisco LAN Switches

● QoS is disabled by default on all current switches
● QoS capabilities and settings vary depending on switch / module
  ● Cat 2950
  ● Cat 3550
  ● Cat 2960, 2970, 3560, and 3750
  ● Catalyst 4500 Sup2+ through Sup5, Cat 4948
  ● Cat 6500: Varies depending on Supervisor module and line card
● Enterprise QoS Solution Reference Network Design Guide Version 3.3
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
QoS Configuration Screen

● Covers all endpoints, gateways, CLANs, Media Processors
● Does NOT cover the IPSI’s
IPSI’s on the network and QoS

This is only required if the IPSI communication is over the customer network. Setting QOS (default = 46) in CM “change ipserver-interface x” only sets the diffserv value for control traffic from the S87x0 to the IPSI. The QOS (default = 40) in the IPSI board only sets the diffserv value for control traffic from the IPSI to the S87x0. Each IPSI board needs to be set to match.

Step 1. In the “change ipserver-interface x” screen, set “Enable QOS” to yes. The default diffserv will then be 46.

Step 2. Telnet to the IPSI board by doing the following:
  In the CLI type “pingall –a” to get the IPSI board location
  Type “ipsisession –p <IPSI IP_ADDRESS>”
  Type “telnet <IPSI IP_ADDRESS>”
  [IPSI]: ipsilogin
  Login: craft
  Password: serv1ces
  Type “show qos”
  Type “set diffserv 46”
  Type “reset”
VLAN

VLAN on ip-interface screen, 3 different options:
● “n” = No tagging, so no 802.1Q/P frames on that port
● “0” = 802.1p values with VLAN id of 0. Some Ethernet switches will take 0 to mean native VLAN; some reject it (Cisco 4000 and 4500 from some reports)
● 1 – 4094 = 802.1p values with VLAN id of x (1-4094)

Recommendation: Set to “n” and prioritize at the switch.
Alternative (more complex): Tag with a value of 1 to 4094 and set up as a trunk.
Setting it to “0” is not recommended as the results are not always predictable.
Where to set codecs
Recommendations for WAN Connectivity

● Use LLQ (Low Latency Queuing)
  ● IOS version 12.2 or higher is generally recommended
● Use fragmentation for links < 768k
● Voice should not consume more than 75% of available bandwidth*
● Use traffic shaping for Frame Relay & do NOT exceed CIR
● Keep in mind L2 overhead
  http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp
  http://www.packetizer.com/iptel/bandcalc.html
● Use cRTP “when needed” – keep in mind latency and CPU overhead
● Selecting the right codec and options
  ● Generally G711 for the LAN and G729 over the WAN (configure mappings through network region form)
  ● Silence Suppression can save you some bandwidth but at the possible cost of voice clipping
● Use Call Admission Control (CAC) so that you don’t over-run the bandwidth limit in LLQ
Sample LLQ Configuration (Complex)

class-map match-any voipAudio
 match ip dscp 46
class-map match-any voipSig
 match ip dscp 34
class-map match-any ipsiSig
 match ip dscp 36
policy-map voipQoS
 class ipsiSig
  bandwidth 128
 class voipAudio
  priority 768
 class voipSig
  bandwidth 48
 class class-default
  fair-queue
  random-detect dscp-based
interface Serial0
 description T1
 ip address 172.16.0.1
 service-policy output voipQoS
Sample LLQ Configuration (Frame Relay)

class-map match-all voip-fr
 match ip dscp 46                    ! all traffic that has DSCP 46
class-map match-all vosig-fr
 match ip dscp 34                    ! all traffic that has DSCP 34
policy-map llq
 class voip-fr
  priority 100                       ! reserve 100Kbps priority bw for DSCP 46
 class vosig-fr
  bandwidth 8                        ! reserve 8Kbps non-priority bw for DSCP 34
 class class-default
  fair-queue                         ! all other traffic in WFQ
interface Serial3/3
 frame-relay traffic-shaping
 frame-relay class Frame_Class_1     ! applies FRTS
map-class frame-relay Frame_Class_1
 no frame-relay adaptive-shaping
 frame-relay cir 256000              ! 256Kbps CIR
 frame-relay bc 2560                 ! Tc = 10ms = Bc / CIR = 2560 / 256000
 frame-relay be 0                    ! must be 0
 frame-relay fragment 320            ! figure calculated for 256K CIR
 service-policy output llq           ! apply policy map
Fragmentation

http://www.cisco.com/warp/public/788/voice-qos/voip-ov-fr-qos.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800b75d2.html

For Frame Relay (FRF.12):
map-class frame-relay VoIPovFR
 !--- Some output omitted.
 frame-relay fragment 80

For point-to-point circuits (MLP):
 ppp multilink
 ppp multilink interleave
 ppp multilink fragment-delay 20
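The Frame Relay map-class above and the FRF.12 / MLP fragment settings all come from the same arithmetic: Bc = CIR × Tc, and a fragment should take no longer than the Tc interval (10 ms on the slide) to serialize on the link. The following is an added example, not code from the presentation, that reproduces the slide's figures (bc 2560 and fragment 320 for a 256 kbps CIR) and shows why an unfragmented 1500-byte data frame would break the delay budget on the same link. Function names and the 10 ms target are ours; the "fragment below 768k" threshold is the WAN slide's rule of thumb.

```python
# Added example (not from the presentation): the arithmetic behind
# "frame-relay bc", "frame-relay fragment" and "ppp multilink fragment-delay".
# Assumptions: a 10 ms Tc for FRTS, and that one fragment should serialize
# within that same interval. Function names are ours.

def committed_burst_bits(cir_bps: int, tc_ms: float = 10.0) -> int:
    """Bc = CIR * Tc, in bits, as the IOS 'frame-relay bc' value expects."""
    return int(cir_bps * tc_ms / 1000)

def fragment_size_bytes(link_bps: int, max_delay_ms: float = 10.0) -> int:
    """Largest fragment (bytes) whose serialization delay on link_bps stays within max_delay_ms."""
    return int(link_bps * max_delay_ms / 1000 / 8)

def serialization_delay_ms(frame_bytes: int, link_bps: int) -> float:
    """Time needed to clock a frame of frame_bytes onto a link of link_bps."""
    return frame_bytes * 8 * 1000 / link_bps

def frts_plan(cir_bps: int, tc_ms: float = 10.0) -> dict:
    """FRTS map-class values for a CIR: bc, be (0 for voice) and the matching fragment size."""
    return {
        "cir": cir_bps,
        "bc": committed_burst_bits(cir_bps, tc_ms),
        "be": 0,
        "fragment": fragment_size_bytes(cir_bps, tc_ms),
    }

def needs_fragmentation(link_bps: int, threshold_bps: int = 768_000) -> bool:
    """WAN slide rule of thumb: fragment / interleave on links slower than 768 kbps."""
    return link_bps < threshold_bps

if __name__ == "__main__":
    print(frts_plan(256_000))
    # A full-size data frame ahead of a voice packet on that link, without fragmentation:
    print(f"1500-byte frame at 256 kbps: {serialization_delay_ms(1500, 256_000):.1f} ms")
    print(f"320-byte fragment at 256 kbps: {serialization_delay_ms(320, 256_000):.1f} ms")
```

The same function gives 80 bytes for a 64 kbps link at 10 ms, which is the FRF.12 figure shown above, and 1920 bytes for the MLP case of a 768 kbps link with a 20 ms fragment delay.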
WAN and Network Regions

[Diagram: two sites, each with a C-LAN and MedPro, connected over the LAN/WAN and the PSTN. Calls within a region use G.711; calls between network regions 1 and 2 use G.729.]

ip-network-map form:
  FROM Subnet   (TO Address or Mask)   NetReg
  192.168.1.0          24                1
  192.168.2.0          24                2

Avaya Communication Manager Network Region Configuration Guide:
http://support.avaya.com/elmodocs2/comm_mgr/r3/netw-region-tutorial-cm30-1005.pdf
Network Region Job Aid:
http://support.avaya.com/elmodocs2/intmgmt/r3/14_300283_2.pdf
Network Region Different configuration options for controlling calls between sites (Call Admission Control)…
Suggested IP-Network Region Assignment

01 - 199 (Locations)
  For media gateways, CLANs, MedPros, IP stations, VAL boards, port network cabinets (NR 1 assigned to fiber-pnc cabinets for IGAR processing)
200 - 202 (Virtual Region)
  Call Admission Control: A means to control the number of calls or bandwidth limits between NRs with limited WAN bandwidth. Could be used for a pool of directly connected CLANs if needed for IP phone registration.
203 - 248 (Miscellaneous/Virtual)
  Used for IP phones, CMAPI, Soft phones and other IP endpoints that need an IP Network Region different from its media gateway
249 (<reset IP network-region x>)
  Use NR 249 for systems at ACM 3.0 or earlier. ACM 3.1 adds a new option to the command at left, to reset IP phones.
250 (Adjuncts and IP Trunk dedicated CLANs)
  IP connected adjuncts: CMS, Intuity, CAS, SAT, dedicated IP trunk CLANs prior to CM 3.1, etc. Not connected to any other Network Regions, e.g., to avoid IP phones trying to use these resources.
IGAR (Intra Gateway Alternate Routing)

IGAR is triggered when:
● BW limit reached by CAC-BL
● Network performance deterioration by Dynamic-CAC
● VoIP resource exhaustion
● No codec, network not meant for voice traffic
● IGAR forced, or “always on”

IGAR is not triggered when:
● Two parties in the same network region
● IGAR not enabled in system
● IGAR not enabled between two network regions
How Does IGAR Work?

IGAR Construction Sequence:
● A station to station call
● Outgoing trunk call
● Incoming trunk call
● Call association with in-band DTMF tones
● Alerting of called party
● Call answer

[Diagram: NR-1 and NR-2 joined by the IP network (marked X, unavailable) and by the PSTN; the outgoing trunk call from NR-1 and the incoming trunk call into NR-2 are associated by the IGC digits (90021…) sent in band.]
IGAR Considerations

BHCC Impact
● One call becomes three
  ● Assuming original call was IP Station to IP Station
  ● No use of VoIP resources typical (shuffling)
● IGAR uses two PSTN trunks (outgoing and incoming)
  ● Requires use of VoIP resource
  ● Traverses TDM backplane of media gateways: time slots occupied

IP Network Availability and Fault Tolerance
● Does an IP network backup path exist? IGAR is not a WAN failure remedy.

Traffic Engineering
● ASD contains no IGAR sensitivity at this time.
● Advanced Traffic can be modified for each location using IGAR
● Call progress delays
Protocols and Ports

● Registration (H.225 RAS) = UDP 1719
● Signaling (H.225 Q.921) = TCP 1720
● Voice (RTP) = UDP 2048-65535 (configurable)
● Media Gateways (H.248) = TCP 2945 (TCP 1039 for encrypted communication)
● Port networks (“classic” media gateways) = TCP 5010 (5011 and 5012 as well for ESS)

For additional information see Appendix B of the Implementation Guide:
http://support.avaya.com/elmodocs2/comm_mgr/r3_1/pdfs/245600_4_3.pdf
Cisco Inspection Features

These features attempt to inspect the H.323 message content to validate the message.
● (no) fixup protocol h323 (PIX)
● (no) ip inspect <name> h323 (IOS global)
● (no) ip inspect <name> {in|out} (IOS interface)
● (no) ip nat service h323 (IOS global)
● (no) ip nat service ras (IOS global)

In the past, these features have often misinterpreted valid H.323 messages and message fragments and dropped them. Avaya H.323 messages are valid and should not be dropped. If Avaya IP phones fail to register for no apparent reason, check to see if these features are enabled. If so, disable them.
Powering IP Phones

● Midspan: 6, 12, and 24 ports
● Local Power: 2 flavors – one with battery backup
● 802.3af Compliant Ethernet Switch
  ● Tested with Extreme, Foundry, 3COM, HP, Nortel, and others
  ● Cisco 3550 (3550-24PWR): Not “officially” supported by Cisco as an 802.3af compliant switch but it works with most Avaya IP phones (4602*, 4610, 4620, 4630SW, and 4612/24 with 30A switch base)
    Note: 4602 telephones in H.323 mode require the “power inline delay shutdown” command to work correctly.
    http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/ciscoilp.pdf
  ● 802.3af Cisco Ethernet switches:
    ● 6148, 6148X2, and 6548 blades (6348 not upgradeable)
    ● 4248 (10/100) and 4548 (10/100/1000) blades (4148 not upgradeable)
    ● 3560 (3560-24PS & 3560-48PS)
    ● 3750 (3750-24PS & 3750-48PS)
      Note: The 48 port versions of the 3560 & 3750 have over-subscribed power supplies and can only power 24 ports at full power, 48 ports at half power, or anywhere in between. In other words be careful with class 0 or class 3 devices. The “E” version of these switches does not have this limitation.
    ● 4 and 9 port Etherswitch HWIC’s
    ● Plus other recent switches

References:
http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/poe-cisco.pdf
Cat 6x00 series: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd80233a77.shtml
Cat 4x00 series: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_white_paper09186a00801f44be.shtml
http://tools.cisco.com/cpc/launch.jsp
IP Phone registration process

[Diagram of the message flow between the phone, the DHCP server, the TFTP/HTTP server and the gatekeeper.]

DHCP Discover / Offer. The DHCP server offers:
● IP ADDR, Subnet Mask, Default Gateway
● Site Specific Option: GateKeeper IP Addr (8), GateKeeper Port, QoS Parameters, TFTP/HTTP Address (8)

TFTP Get / TFTP Put. The TFTP/HTTP server puts:
● Boot Code (First Time)
● Application Code (First Time)
● Config (QoS)

Registration, Admission, Status (H.323) and Feature Functionality. The user enters Extension and Password; the gatekeeper validates:
● Extension
● Password
and provides:
● Access to media
● Feature / Functionality
Separate Voice / Data VLANs

[Diagram: C-LAN and Media Processor behind the PSTN gateway; PCs send untagged packets on the “Data” VLAN = 10; phones send tagged and untagged packets, with voice on the “Voice” VLAN = 100; traffic is classified by 802.1p/Q, DSCP, and port range.]
DHCP Process – Dual VLAN

[Diagram of the exchange between the phone, the user PC and the DHCP server.]

● DHCP Discover on the native VLAN; the DHCP server offers an IP address in VLAN 10 with: IP ADDR, Subnet Mask, Default Gateway, Site Specific Option (176): GateKeeper IP Addr (8), GateKeeper Port, QoS Parameters: VLAN = 100, TFTP/HTTP Address (8)
● DHCP Release of the VLAN 10 address
● DHCP Discover using VLAN tagging (100); the DHCP server offers an IP address in VLAN 100
● The user PC sends its own DHCP Discover and is offered an IP address in VLAN 10

Note: Starting with 1.8 telephone firmware, phones will “remember” the voice VLAN and will not need to go back to the native VLAN unless they are moved to a different subnet.
Cisco IOS switch configs for dual VLANs

IOS based switch (alternative method)
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan <data vlan>
 switchport trunk allowed vlan 1,<data vlan>,<voice vlan>
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast trunk

IOS based switch (recommended method)
interface FastEthernet0/24
 switchport host
 switchport nonegotiate
 switchport access vlan <data vlan>
 switchport voice vlan <voice vlan>
 no cdp enable

Note: “switchport host” sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping (EtherChannel).
Cisco CatOS switch configs for dual VLANs

CatOS based switch (alternative method)
 set port channel 1/1 off
 set spantree portfast 1/1 enable trunk
 set cdp disable 1/1
 set vlan <data vlan> 1/1
 set trunk 1/1 nonegotiate dot1q
 clear trunk 1/1 1-9,11-19,21-1005

Notes: “nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. The data and voice VLANs are omitted in the “clear trunk” statement (10 and 20 in this example).

CatOS based switch (recommended method)
 set port host 1/1
 set cdp disable 1/1
 set vlan <data vlan> 1/1
 set port auxiliaryvlan 1/1 <voice vlan>

Note: “set port host” sets channel mode (EtherChannel) to off, enables spanning tree PortFast, sets trunk mode to off, and disables the dot1q tunnel feature.
Trust Preference Exception

If the PC attached to the IP phone sends tagged Ethernet frames and cannot be trusted, apply the following to the 46xxsettings.txt file:
 SET VLANSEP 1
 SET PHY2VLAN <value> (typically 0)
 SET PHY2PRIO <value> (typically 0)
All tagged frames coming from the PC are re-written with the two values specified (as of 46xx H.323 firmware R2.4 and 96xx H.323 firmware R1.1).

Then classify based on 802.1p:
 mls qos trust cos (IOS interface command)
 set port qos <mod/port> trust trust-cos (CatOS command)

In order for the Cisco switch to re-tag DSCP based on 802.1p values use:
 mls qos map cos-dscp 0 8 16 24 32 40 46 56
Link Layer Discovery Protocol (LLDP) (aka 802.1ab)

● IEEE standard for device discovery (like CDP but standards based)
● LLDP-MED (Media Endpoint Discovery) (ANSI/TIA-1057) is an extension to LLDP specifically for VoIP applications.
● LLDP and LLDP-MED have more information content than CDP, allowing for advanced features
● Type-Length-Value (TLV) elements used to communicate values
● Supported on:
  ● 46xx R2.6 (August 2006) and later versions
  ● 96xx R1.2 (January 2007) and later versions
LLDP TLV’s for Avaya IP Telephones
LLDP TLV’s for Avaya IP Telephones (continued) Note:  Documented in the LAN Admin Guide for the 4600/9600 telephones.
LLDP on Cisco Switches and Interoperability with Avaya Telephones

● LLDP is supported in Cisco 2960, 3560, and 3750 switches with IOS 12.2(37)SE as of May 2007.
  http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a008081da9e.html
● Supported in 4500’s: 12.2(44)SG
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_5184.html
● Supported in 6500’s as of August 2007 in 12.2(33)SXH (Sup32/Sup720)
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html
● Enabled by default in earlier versions 12.2(37) and 12.2(40) on 2960, 3560, and 3750
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/scg1.html
● Disabled by default in 12.2(44)
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/scg.html

What works today
● Can be used to learn information about the phone and troubleshoot
● Display model, serial number, HW/FW versions, MAC address, speed/duplex, voice VLAN, and 802.1p/DSCP tags.

What doesn’t work today
● Currently the phones do not report detailed power information to the switch (802.3af class is used).
● Currently the phones can not learn the voice VLAN using LLDP. DHCP must still be used.
  ● Avaya uses the LLDP “VLAN Name” TLV (Type-Length-Value) that is an optional part of the core 802.1AB/LLDP standard. Cisco uses the LLDP-MED TLV called “Network Policy”.
  ● 46XX fix targeted for release 2.9 (~August 2008)
  ● 96XX fix targeted for Spring 2009
LLDP – “show lldp neighbor”

c3560#show lldp neigh
Capability codes:
    (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Device ID    Local Intf   Hold-time   Capability   Port ID
AVA5096F3    Fa0/23       120         B,T          0004.0d50.96f3
AVAEBBD65    Fa0/24       120         B,T          0004.0deb.bd65

Total entries displayed: 2
LLDP – “show lldp neighbor detail” (Part 1 of 2)

c3560#show lldp neigh det
Chassis id: 135.20.73.72
Port id: 0004.0d50.96f3
Port Description - not advertised
System Name: AVA5096F3
System Description - not advertised
Time remaining: 100 seconds
System Capabilities: B,T
Enabled Capabilities: B,T
Management Addresses:
    IP: 135.20.73.72
    OID: 2B 06 01 04 01 FF 69 01 45 01 0D
Auto Negotiation - supported, enabled
Physical media capabilities:
    10base-T(HD)
    10base-T(FD)
    100base-TX(HD)
    100base-TX(FD)
    Pause(FD)
    Symm Pause(FD)
Media Attachment Unit type: 16
LLDP – “show lldp neighbor detail” (Part 2 of 2)

MED Information:
    MED Codes:
          (NP) Network Policy, (LI) Location Identification
          (PS) Power Source Entity, (PD) Power Device
          (IN) Inventory

    H/W revision: 4625D01A
    F/W revision: b25d01a2_7.bin
    S/W revision: a25d01a2_7.bin
    Serial number: 051618400158
    Manufacturer: Avaya
    Model: 4625
    Capabilities: NP, IN
    Device type: Endpoint Class III
    Network Policy(Voice): VLAN dot1p, tagged, Layer-2 priority: 6, DSCP: 46
    Power requirements - not advertised
---------------------------------------------
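The earlier LLDP slide lists "learn information about the phone and troubleshoot" as what works today; the output above is what that looks like from the switch. The following is an added example, not code from the presentation, that parses text in the shape of "show lldp neighbor detail" and checks each Avaya phone's advertised voice policy (802.1p priority 6, DSCP 46) against what the QoS design expects, so a phone tagging with the wrong values, or with no policy at all, shows up in a per-port audit rather than as a vague quality complaint. The sample output is constructed from the slide's values; the second neighbour (chassis id 135.20.73.73, serial 000000000000, DSCP 0) is hypothetical and added to show a mismatch being reported.

```python
# Added example (not from the presentation): audit "show lldp neighbor detail"
# text for Avaya phones whose advertised voice policy differs from the expected
# 802.1p priority and DSCP. SAMPLE_OUTPUT is constructed from the slide; the
# second neighbour is hypothetical.
from __future__ import annotations
import re

SAMPLE_OUTPUT = """\
Chassis id: 135.20.73.72
Port id: 0004.0d50.96f3
System Name: AVA5096F3
System Capabilities: B,T
    Manufacturer: Avaya
    Model: 4625
    Serial number: 051618400158
    F/W revision: b25d01a2_7.bin
    Network Policy(Voice): VLAN dot1p, tagged, Layer-2 priority: 6, DSCP: 46
---------------------------------------------
Chassis id: 135.20.73.73
Port id: 0004.0deb.bd65
System Name: AVAEBBD65
System Capabilities: B,T
    Manufacturer: Avaya
    Model: 4625
    Serial number: 000000000000
    F/W revision: b25d01a2_7.bin
    Network Policy(Voice): VLAN 100, tagged, Layer-2 priority: 5, DSCP: 0
---------------------------------------------
"""

# The LLDP-MED Network Policy line as the switch prints it.
POLICY_RE = re.compile(
    r"Network Policy\(Voice\):\s*VLAN (?P<vlan>\S+), (?P<tagged>tagged|untagged), "
    r"Layer-2 priority: (?P<prio>\d+), DSCP: (?P<dscp>\d+)"
)

def parse_lldp_detail(text: str) -> list[dict]:
    """Split on the dashed separators and collect 'key: value' fields plus the voice policy."""
    neighbours = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        entry: dict = {}
        for raw in block.splitlines():
            line = raw.strip()
            m = POLICY_RE.search(line)
            if m:
                entry["voice_vlan"] = m["vlan"]            # "dot1p" means VLAN id 0 / priority tagging
                entry["voice_tagged"] = m["tagged"] == "tagged"
                entry["voice_prio"] = int(m["prio"])
                entry["voice_dscp"] = int(m["dscp"])
            elif ":" in line:
                key, _, value = line.partition(":")
                entry[key.strip()] = value.strip()
        if "Chassis id" in entry:
            neighbours.append(entry)
    return neighbours

def check_voice_policy(entry: dict, expected_prio: int = 6, expected_dscp: int = 46) -> list[str]:
    """One finding per mismatch; an empty list means the phone advertises what we expect."""
    name = entry.get("System Name", entry.get("Chassis id", "?"))
    if "voice_dscp" not in entry:
        return [f"{name}: no voice network policy advertised"]
    findings = []
    if not entry["voice_tagged"]:
        findings.append(f"{name}: voice traffic is untagged")
    if entry["voice_prio"] != expected_prio:
        findings.append(f"{name}: 802.1p priority {entry['voice_prio']} != {expected_prio}")
    if entry["voice_dscp"] != expected_dscp:
        findings.append(f"{name}: DSCP {entry['voice_dscp']} != {expected_dscp}")
    return findings

def audit(text: str) -> dict[str, list[str]]:
    """Map each neighbour's system name to its findings."""
    return {e["System Name"]: check_voice_policy(e) for e in parse_lldp_detail(text)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else findings)
```

Because the phones cannot yet learn the voice VLAN over LLDP (DHCP still sets it), the VLAN field is recorded but not judged; the priority and DSCP values are the ones the switch's trust or re-marking configuration relies on, so those are the ones worth alarming on.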
802.1X Port-based Network Access Control

802.1X requires a device to authenticate before it can receive any network services (security feature).
Supported in:
● 46xx H.323 firmware R2.6+
● 96xx H.323 firmware R1.1+

[Diagram: phone and PC on switch port 1/1, data VLAN 10 and voice VLAN 20.]
Three Authentication Methods

● Single-Supplicant single-host: Single device authenticates and only that device is permitted access on the port.
● Single-Supplicant multi-host: Single device authenticates, and that opens up the port for multiple devices, without authentication. Single Supplicant could be IP phone or PC, with the other one piggybacking.
● Multi-Supplicant (most secure): Multiple devices authenticate on a single port. Only authenticated devices are permitted access.
Avaya IP Telephone Supplicant

● Supports the MD5-Challenge EAP method (there are many EAP methods).
● Upon initial bootup, phone displays prompts for EAP ID and password.
  ● Default EAP ID is MAC address, minus separating colons, in upper case.
  ● EAP password is 12 numeric characters maximum.
● After initial provisioning, EAP ID and password are stored in flash (similar to extension and password).
● ID and password submitted automatically to Authenticator in authentication and re-authentication requests.
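To make the supplicant behaviour above concrete from the authenticator's side, the following is an added example, not code from the presentation or from Avaya, that derives the default EAP identity from a MAC address as the slide describes, enforces the 12-digit numeric password rule, and performs the MD5-Challenge computation of RFC 3748 section 5.4 (MD5 over the EAP identifier byte, the password and the challenge) for both the supplicant and the verifying side. The MAC, password and challenge values are constructed; function names are ours.

```python
# Added example (not from the presentation): Avaya default EAP ID derivation and
# the EAP MD5-Challenge exchange as the authenticator / RADIUS server verifies it.
# Sample values are constructed. MD5-Challenge layout follows RFC 3748 section 5.4.
from __future__ import annotations
import hashlib
import hmac
import os
import re

def default_eap_id(mac: str) -> str:
    """Avaya default EAP ID: the MAC address with separators removed, in upper case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits.upper()

def validate_eap_password(password: str) -> bool:
    """Slide: the EAP password is numeric, 12 characters maximum."""
    return password.isdigit() and 1 <= len(password) <= 12

def eap_md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """Supplicant side: Response-Value = MD5(Identifier || Password || Challenge-Value)."""
    return hashlib.md5(bytes([identifier]) + password.encode("ascii") + challenge).digest()

def eap_md5_verify(identifier: int, password: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator/RADIUS side: recompute from the stored password, compare in constant time."""
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)

def run_exchange(mac: str, password: str, identifier: int = 1,
                 challenge: bytes | None = None) -> dict:
    """One round as the phone performs it at boot and on every re-authentication request."""
    if not validate_eap_password(password):
        raise ValueError("EAP password must be 1-12 digits")
    challenge = os.urandom(16) if challenge is None else challenge   # chosen by the authenticator
    identity = default_eap_id(mac)                                   # EAP-Response/Identity
    response = eap_md5_response(identifier, password, challenge)     # EAP-Response/MD5-Challenge
    return {"identity": identity,
            "accepted": eap_md5_verify(identifier, password, challenge, response)}

if __name__ == "__main__":
    print(run_exchange("00:04:0d:50:96:f3", "123456"))
```

The identifier byte is part of the digest, so a response captured from one request does not verify against a request carrying a different identifier or challenge. Two operational consequences follow from the construction: the server must hold each phone's password in recoverable form to recompute the digest, and MD5-Challenge authenticates only the supplicant, so the phone learns nothing about the identity of the switch it is talking to from this exchange.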
Avaya 802.1X Interoperability with Cisco Switches

● Avaya document describing 802.1X feature and functionality in Avaya IP Telephones:
  http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf
● Avaya IP phones are 802.1X supplicants, and support multi-supplicant authentication. They also support passing through 802.1X credentials from the attached computer.
● Multi-supplicant authentication method is the most secure, requiring both the IP phone and the attached PC to authenticate independently.
● Avaya IP Telephones with 802.1X supplicant work well as a single device (no PC attached) with a Cisco switch.
● A multi-supplicant capability is required to be able to support both the phone and PC as supplicants
  ● Cisco 3560 and 3750 switches support multi-supplicant (which Cisco calls Multidomain authentication (MDA)) in IOS 12.2(35)SE and later releases.
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html
  ● Cisco 4500 switches also support MDA in IOS 12.2(37)SG and later releases
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008082a244.html#wp1244094
  ● The Catalyst 6500 (using CatOS) supports a multi-supplicant mode but it does not support voice VLANs in that mode
● Note: Cisco IP phones are not 802.1X Supplicants. They become trusted devices via CDP.
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a008048e0d6.html
Cisco CatOS 802.1X – Single-Supplicant

Switch
 set port host 1/1
 set cdp disable 1/1
 set vlan 10 1/1
 set port auxiliaryvlan 1/1 20
 set port dot1x port-control auto
 set port dot1x multiple-host enable
 set port dot1x re-authentication enable

“port-control auto” means 802.1x controls the port.
“multiple-host enable” means a single authenticated Supplicant enables access to multiple hosts.
“re-authentication enable” means the Supplicant has to re-authenticate periodically.
Cisco IOS 802.1X – Single-Supplicant

Switch
interface FastEthernet1/1
 switchport host
 switchport nonegotiate
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 no cdp enable
 dot1x port-control auto
 dot1x multi-hosts
 dot1x reauthentication

Note: These commands are analogous to the CatOS commands in the previous slide.
Cisco IOS 802.1X – Multi-Domain Authentication

interface FastEthernet1/0/1
 ! The port is set to access unconditionally and operates as a non-trunking, single VLAN interface
 switchport mode access
 ! Configure the interface as a static access port with the VLAN ID of the access mode VLAN (data VLAN)
 switchport access vlan 89
 ! The VLAN to be used for voice traffic
 switchport voice vlan 88
 ! (default dot1x value displayed by switch)
 dot1x pae authenticator
 ! Enable IEEE 802.1x authentication on the port and cause the port to change to the authorized
 ! or unauthorized state based on the IEEE 802.1x authentication exchange
 dot1x port-control auto
 ! Enable MDA on a switch port
 dot1x host-mode multi-domain
 ! Enables periodic re-authentication of the client
 dot1x reauthentication
 ! Set the number of seconds between re-authentication attempts
 dot1x timeout reauth-period 30

These commands are analogous to the CatOS commands in the previous slide.
http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/802_1x_ciscomda.pdf
Bandwidth Usage

● Station idle BW for an IP Phone = 55bps
● H.248 GW idle BW (i.e. G700) = 55bps
● IPSI GW idle BW (i.e. G650) = 11kbps
● Incremental signaling per call ~ 4000 Octets
● Signaling factors: # of users, Link Type, Call Type, # of call attempts
BHCC vs IPSI Bandwidth

The simulated call scenario is a general business case. BHCC IPSI bandwidth is based on 150 IP endpoints originating and answering 10 second duration ISDN trunk calls.
IPSI Bandwidth

BHCC Per PN   Usage Per Station   Average IPSI Bandwidth (Kbps) full duplex   Average IPSI TCP/IP packets per second
1K            Light Traffic       17.3 Kbps                                   21
2.5K                              30.5 Kbps                                   37
5K            Moderate Traffic    52.2 Kbps                                   61
7.5K                              73.8 Kbps                                   85
10K           Heavy Traffic       83.5 Kbps                                   107
IPSI Bandwidth Provisioning

A general rule of thumb for IPSI control traffic bandwidth allocation is to add an additional 64Kbps of signaling bandwidth to the minimum required bandwidth in order to manage peak (burst) traffic loads, and either round up or down to the nearest DS0. For example, for 5K busy hour calls using encrypted PPP links to control remote port networks, as described in the previous example, you would guarantee 128Kbps (69.3Kbps + 64Kbps) for IPSI signaling bandwidth across the WAN link.

BHCC                  Ethernet   PPP       MLPPP     Frame Relay
1K                    64Kbps     64Kbps    64Kbps    64Kbps
1K w/ encryption      64Kbps     64Kbps    64Kbps    64Kbps
2.5K                  128Kbps    128Kbps   128Kbps   128Kbps
2.5K w/ encryption    128Kbps    128Kbps   128Kbps   128Kbps
5K                    128Kbps    128Kbps   128Kbps   128Kbps
5K w/ encryption      128Kbps    128Kbps   128Kbps   128Kbps
>=7.5K                192Kbps    192Kbps   192Kbps   192Kbps
>=7.5K w/ encryption  192Kbps    192Kbps   192Kbps   192Kbps
Voice Bearer Bandwidth

Bandwidth per unidirectional stream in Kbps, for the given codec data rate (kbps), packet size (ms), voice sample (Bytes) and redundancy, on: IP; IPsec; Ethernet (on the wire) IP; Ethernet IP + 802.1Q; Ethernet IPsec + 802.1Q; FR; ATM AAL5; PPP.

Codec       Rate   Pkt   Sample   Redncy.   IP     IPsec   Eth IP   Eth IP+802.1Q   Eth IPsec+802.1Q   FR      ATM AAL5   PPP
            kbps   ms    Bytes              Kbps   Kbps    Kbps     Kbps            Kbps               Kbps    Kbps       Kbps
SPEECH
G.711       64     20    160      -         80.0   102.8   87.2     88.0            110.8              82.4    106.0      83.2
G.726       40     20    100      -         56.0   78.8    63.2     64.0            86.8               58.4    84.8       59.2
G.729       8      20    20       -         24.0   46.8    31.2     32.0            54.8               26.4    42.4       27.2
G.723       5.3    30    20       -         16.0   31.2    20.8     21.3            36.5               17.6    28.3       18.1
WIDE BAND
G.722       64     10    80       -         96.0   141.6   110.4    112.0           157.6              100.8   127.2      102.4
G.722.1     24     20    60       -         40.0   62.8    47.2     48.0            70.8               42.4    63.6       43.2
Siren14     24     20    60       -         40.0   62.8    47.2     48.0            70.8               42.4    63.6       43.2
FoIP
T.38        9.6    30    36       0         17.6   32.8    22.4     22.9            38.1               19.2    28.3       19.7
Fax Relay   9.6    30    36       0         20.3   35.5    25.1     25.6            40.8               21.9    28.3       22.4
Pass Thru   64     10    80       0         96.0   141.6   110.4    112.0           157.6              100.8   127.2      102.4
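The table's IP, Ethernet, FR and PPP columns follow from the codec's payload rate and packetization interval plus fixed header overhead, and the earlier WAN slide turns the per-call figure into a CAC limit (voice no more than 75% of the link) while the IPSI provisioning slide adds 64Kbps of burst allowance rounded to a DS0. The following is an added example, not code from the presentation, that reproduces those columns and applies both rules. The header sizes are our assumptions, chosen because they reproduce the table (40 bytes IP+UDP+RTP, 18 bytes Ethernet without a VLAN tag, 6 bytes Frame Relay, 8 bytes PPP); the IPsec and 802.1Q columns are not modelled. Codec values are taken from the table.

```python
# Added example (not from the presentation): per-call bearer bandwidth by codec and
# link type, the number of calls that fit in the voice share of a WAN link, and the
# IPSI control-bandwidth rule. Header byte counts below are our assumptions.

HEADER_BYTES = {
    "ip": 40,              # IPv4 (20) + UDP (8) + RTP (12)
    "ethernet": 40 + 18,   # ... plus Ethernet header and FCS, untagged
    "fr": 40 + 6,          # ... plus Frame Relay encapsulation
    "ppp": 40 + 8,         # ... plus PPP encapsulation
}

# codec -> (payload kbps, packetization interval ms), from the slide's table
CODECS = {
    "G.711": (64, 20),
    "G.726": (40, 20),
    "G.729": (8, 20),
    "G.723": (5.3, 30),
    "G.722": (64, 10),
    "G.722.1": (24, 20),
}

def payload_bytes(codec: str) -> int:
    """Voice sample carried per packet: rate (kbps) * interval (ms) / 8."""
    rate_kbps, interval_ms = CODECS[codec]
    return round(rate_kbps * interval_ms / 8)

def per_call_kbps(codec: str, link: str = "ip") -> float:
    """Bandwidth of one unidirectional stream on the given link type, in kbps."""
    _, interval_ms = CODECS[codec]
    frame = payload_bytes(codec) + HEADER_BYTES[link]
    return round(frame * 8 / interval_ms, 1)   # bits per millisecond == kbps

def max_calls(link_kbps: float, codec: str, link: str = "ppp", voice_share: float = 0.75) -> int:
    """Calls that fit inside the voice share of a WAN link; use this as the CAC limit."""
    return int(link_kbps * voice_share // per_call_kbps(codec, link))

def ipsi_provisioned_kbps(min_kbps: float, burst_kbps: float = 64, ds0_kbps: int = 64) -> int:
    """IPSI control bandwidth: minimum plus burst allowance, rounded to the nearest DS0."""
    return round((min_kbps + burst_kbps) / ds0_kbps) * ds0_kbps

if __name__ == "__main__":
    for codec in CODECS:
        print(codec, {link: per_call_kbps(codec, link) for link in HEADER_BYTES})
    print("G.729 calls on a T1 (PPP) at 75%:", max_calls(1544, "G.729"))
    print("IPSI bandwidth for a 69.3 kbps minimum:", ipsi_provisioned_kbps(69.3))
```

The per-call figure is what goes into the LLQ priority class on the WAN slide's configuration: multiply it by the CAC limit and that is the most the priority queue will ever be asked to carry.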
Video Bearer Bandwidth (Traditional Video)

Just as with voice codecs, the bandwidth consumed “on the wire” is greater than the bandwidth used by the application because of protocol (IP/UDP) overhead. Calculate 15% to 20% for additional overhead. Also remember that video traffic is bursty and not constant like voice.
DSP Resource Capacity

Audio columns: G.711, G.729, G.723, G.726. FoIP & MoIP columns: T.38, Fax Relay, Pass Thru.

Board Code       Name       DSP                                   Channels   G.711   G.729   G.723   G.726   T.38   Fax Relay   Pass Thru
TN2303AP HW3     Prowler    8 DSP, 1 Core ea (8 channels/core)    64         64      32      32      N/A     16     16          64
TN2303AP HW11+   Cruiser    2 DSP, 4 Cores ea (8 channels/core)   64         64      32      32      N/A     16     16          64
MM760                       2 DSP, 4 Cores ea (8 channels/core)   64         64      32      32      32      16     16          64
G700's VoIP                 2 DSP, 4 Cores ea (8 channels/core)   64         64      32      32      32      16     16          64
G350's VoIP                 2 DSP, 2 Cores ea (8 channels/core)   32         32      16      16      16      8      8           32
G250's VoIP                 2 DSP, 2 Cores ea (8 channels/core)   10         10      10      10      10      -      -           -
TN2602           Crossfire  4 DSP, 4 Cores ea (20 channels/core)  320        320     320     N/A     320     320    320         320
Security and Stability Features on the Cisco network

These are features provided by the Cisco network which you can take advantage of whether using Cisco IP Telephony or Avaya IP Telephony.

● BPDU guard: Protects against Spanning Tree instability caused by unauthorized/rogue devices. When a port with BPDU guard receives a BPDU, it is put into errdisable state.
● Root guard: Prevents other switches, including unauthorized/rogue switches, from becoming root.
● Dynamic ARP Inspection (DAI): Prevents ARP spoofing and man-in-the-middle attacks, for both static and dynamic IP addresses, without requiring any changes on the end hosts. ARP requests are rate-limited and ARPs are checked to ensure legitimacy. Violations can cause ports to shut down temporarily or permanently.
● IP Source Guard: Ensures packets’ IP and MAC addresses are legitimate using the DHCP snooping binding table. This feature dynamically prevents impersonation attacks (IP spoofing).
● DHCP Snooping: Prevents unauthorized/rogue DHCP servers from handing out bogus IP addresses.
Security and Stability Features on the Cisco network (part 2)

● Port Security: Prevents MAC flooding attacks by limiting the number of MAC addresses that can appear on a port. MACs are flushed after 5 minutes when a device is disconnected and re-learned when a device is plugged in. Violations can shut down an offending port, and its phone, for a pre-defined lock-down period, or permanently.
● VLAN Access Control Lists, or VACLs: Same as Access Control Lists (ACL) but within a VLAN (within a subnet) instead of between VLANs (between subnets, across a L3 boundary). Permits tighter control of traffic within a VLAN. Traditionally, traffic had to cross a L3 boundary to get filtered through an ACL.
● Traffic Policing: Limits the amount of traffic allowed. Traffic can be policed at an aggregate level per port, per VLAN, or per flow; a new feature called MicroFlow Policing can police traffic per source and destination IP address. Extremely effective in throttling Denial-Of-Service attacks, where high volumes of traffic are flooded to a target node.
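DHCP snooping, Dynamic ARP Inspection and IP Source Guard all hinge on one structure, the DHCP snooping binding table (MAC, IP, VLAN, port), and port security on a per-port MAC count. The following is an added example, not code from the presentation and not Cisco's implementation, that models the decision each feature makes on a typical voice port carrying a phone and a PC, with a constructed binding table and constructed frames: a DHCP server message arriving on an untrusted port, an ARP whose sender fields match the binding, an ARP whose sender IP does not, an IP packet with a source address that was never leased, and a third MAC appearing on a two-MAC port. Names and sample addresses are ours.

```python
# Added example (not from the presentation): a model of the checks behind DHCP
# snooping, Dynamic ARP Inspection, IP Source Guard and port security, run on a
# constructed binding table and constructed frames. Not Cisco's implementation.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry, learned from a DHCP OFFER/ACK."""
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str
    src_ip: str | None = None          # IP header source, for IP Source Guard
    arp_sender_mac: str | None = None  # ARP payload sender fields, for DAI
    arp_sender_ip: str | None = None
    dhcp_server_msg: bool = False      # DHCP OFFER/ACK arriving on this port

@dataclass
class AccessSwitch:
    trusted_ports: set[str]                     # uplinks toward the real DHCP server
    bindings: set[Binding] = field(default_factory=set)
    port_security_max: int = 2                  # phone + PC on a typical voice port
    learned: dict[str, set[str]] = field(default_factory=dict)

    def dhcp_snooping(self, f: Frame) -> str:
        """Server messages are accepted only from trusted ports."""
        if f.dhcp_server_msg and f.port not in self.trusted_ports:
            return "drop: DHCP server message on untrusted port"
        return "permit"

    def learn_binding(self, b: Binding) -> None:
        self.bindings.add(b)

    def dai(self, f: Frame) -> str:
        """ARP sender MAC/IP must match a binding on this port and VLAN (trusted ports skip the check)."""
        if f.port in self.trusted_ports:
            return "permit"
        ok = any(b.mac == f.arp_sender_mac and b.ip == f.arp_sender_ip
                 and b.vlan == f.vlan and b.port == f.port for b in self.bindings)
        return "permit" if ok else "drop: ARP sender does not match binding table"

    def ip_source_guard(self, f: Frame) -> str:
        """Source IP and MAC must match a binding on the ingress port."""
        ok = any(b.ip == f.src_ip and b.mac == f.src_mac and b.port == f.port for b in self.bindings)
        return "permit" if ok else "drop: source IP/MAC not in binding table"

    def port_security(self, f: Frame) -> str:
        """Limit the number of distinct source MACs seen on a port."""
        macs = self.learned.setdefault(f.port, set())
        if f.src_mac not in macs and len(macs) >= self.port_security_max:
            return "violation: MAC limit exceeded, port err-disabled"
        macs.add(f.src_mac)
        return "permit"

def demo() -> dict[str, str]:
    """Run each check on constructed traffic for a phone (VLAN 100) and its PC (VLAN 10) on Fa0/23."""
    sw = AccessSwitch(trusted_ports={"Gi0/1"})
    sw.learn_binding(Binding("0004.0d50.96f3", "10.100.0.20", 100, "Fa0/23"))   # phone, voice VLAN
    sw.learn_binding(Binding("0011.2233.4455", "10.10.0.20", 10, "Fa0/23"))     # PC behind the phone
    return {
        "rogue_dhcp": sw.dhcp_snooping(Frame("Fa0/5", 10, "00aa.bbcc.dd01", dhcp_server_msg=True)),
        "good_arp": sw.dai(Frame("Fa0/23", 100, "0004.0d50.96f3",
                                 arp_sender_mac="0004.0d50.96f3", arp_sender_ip="10.100.0.20")),
        "spoofed_arp": sw.dai(Frame("Fa0/23", 100, "0011.2233.4455",
                                    arp_sender_mac="0011.2233.4455", arp_sender_ip="10.100.0.1")),
        "spoofed_ip": sw.ip_source_guard(Frame("Fa0/23", 10, "0011.2233.4455", src_ip="10.10.0.99")),
        "third_mac": [sw.port_security(Frame("Fa0/23", 10, m)) for m in
                      ("0004.0d50.96f3", "0011.2233.4455", "00de.adbe.ef00")][-1],
    }

if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:12s} {verdict}")
```

The ordering matters in practice as much as the checks themselves: DAI and IP Source Guard can only permit what DHCP snooping has recorded, so a statically addressed device on an untrusted port (a server or a TN board, per the best-practice slides) needs a static binding or a trusted port before those two features are switched on.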
Management

Capabilities built into the system
● SNMP Support on Communication Manager
  ● Versions 1, 2, and 3
  ● Major and minor alarms sent out as SNMP traps (with ability to filter in CM 3.1+)
  ● MIB for access to certain operational information and counters
● SNMP Support for IP sets
  ● Disabled by default
  ● Read only MIB
  ● Ability to designate which SNMP managers can query it
● Syslog coming in CM 4.0

Additional tools available
● VoIP Monitoring Manager: Jitter, Delay and Packet Loss collection and thresholds
● Converged Network Analyzer: Active discovery and monitoring using agents built into phones and gateways; optional capability of re-routing at sub-second speed for multi-path networks
● Fault and Performance Manager: System status view and reports
Best Practices: Recommendations

Ethernet port setup
● Servers and TN boards
  ● Configure as access ports and trust DSCP
  ● Set speed and duplex to 100/Full (except for a few rare exceptions like TN799C and MapD that only support 10Mb).
  ● Set description on port to match device (example: “CLAN 1A12”)
● Gateways (G250, G350, G700)
  ● Set speed and duplex to 100/Full
  ● If being used as a voice gateway only: Configure the connection as an access port
  ● If being used as an Eth<br>ernet switch connecting to a Cisco switch or router: Configure the connection as a trunk port (to support multiple VLANs)
● Telephones
  ● Configure using voice VLAN (auxiliary VLAN in CatOS).
  ● Set speed and duplex to auto.
  ● Trust DSCP or COS

● Define a standard port range for RTP/RTCP. Use values between 16384 and 32767. Define at least 1280 ports.
● Use Call Admission Control to protect against bandwidth overrun for remote sites (any sites with constrained bandwidth).
● Maintain correlation between a physical site and network region
  ● Exception: regions used for dedicated CLAN connectivity (such as CMS)
Best Practices: Recommendations

● IPSI connected gateways are more sensitive to packet loss compared to H.248 gateways
  ● Use CM 3.1.4+ since several enhancements were made with 3.1.3
    http://support.avaya.com/japple/css/japple?temp.documentID=308584&temp.productID=136527&temp.releaseID=282185&temp.bucketID=162024&PAGE=Document
  ● Diverse network routes are recommended
    ● CNA Adaptive Path Control (license included for 1000+ station CM 4.0 systems) ideal
    ● Static routes and/or policy routing may be used as well
● Evaluate connectivity, outages, SLA’s for WAN circuits
  ● Consider Converged Network Analyzer for reporting and for path control for sites with multiple circuits.
  ● Remember carrier SLA’s are usually averaged to a 5 minute period.
● Consider a method to keep control over software and firmware versions
  ● Maintain all firmware consistent within each system (gateways, circuit packs, phones, etc.)
  ● Try to maintain consistency between several systems as much as possible
  ● Consider upgrading older systems as new systems are added or changed.
  ● Have a lab system where new versions of software/firmware as well as new features can be tested.
Recommendations Example of table to track versions…
Other Resources

Avaya
● Avaya IP Voice Quality Network Requirements (EF-LB1500-02)
  http://support.avaya.com/elmodocs2/audio_quality/lb1500-02.pdf
● Security Documentation
  http://support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=SecurityDocumentation
● All Cisco related app notes (can search within results)
  http://www.avaya.com/gcm/master-usa/en-us/resource/filter.htm&Filter=Type:Application%20Notes;CollectionSearch:cisco

Cisco Documentation
● Enterprise QoS Solution Reference Network Design Guide Version 3.3
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
Conference Rates
● Audio pool: contains bandwidth for all audio calls, including the audio component of multimedia calls.
● Normal video pool: contains bandwidth for the video portion of a call made by a normal (non-priority) video user. This pool can be set to be shared; when it is shared, audio-only calls are allowed to borrow bandwidth from it.
● Priority video pool: contains bandwidth dedicated to priority video users only. Audio calls and normal video users are not allowed to borrow bandwidth from this pool. However, if all of the priority video pool bandwidth is in use, priority video users can borrow bandwidth from the normal video pool, if available.
Avaya IP Telephony on a Cisco Infrastructure Sung Moon
Themes Which features are inherent in the network infrastructure? Features that are present in the network, regardless of the application using the network. Which features are inherent in the application? Features that are present in the application, regardless of the network infrastructure being used. What dependencies exist between the two? Features that require interaction between the application and the network infrastructure. What conflicts exist between the two? Features that should be disabled because they are disruptive or irrelevant to the other device.
Baseline This session assumes that, from a fundamental networking standpoint, the enterprise networking staff has followed Cisco’s best practices and guidelines, and has established a sound underlying network. Those of you who have access to Cisco Networkers material, see “RST-2031 Multilayer Campus Architectures and Design Principles.” The topics covered in this session are additional best practice items to integrate the Avaya solution into a sound Cisco network infrastructure. This session does not cover every possible way to implement, or poorly implement, the underlying Cisco network.
General References Avaya IP Telephony Implementation Guide – Communication Manager r5.X http://support.avaya.com/elmodocs2/comm_mgr/r5.0/doccd/avayadoc/245600_6.pdf Catalyst 6500 Series Command Reference Release 7.6 Catalyst 6500 Series Switch Cisco IOS Command Reference Release 12.2SX
Core, Distribution, Access Architecture
Cisco Network Security Features – Application Agnostic These network features work with both the Cisco and Avaya IP telephony solutions.
BPDU Guard and Root Guard BPDU guard protects against Spanning Tree instability caused by unauthorized/rogue devices: when a port with BPDU guard receives a BPDU, it is put into the errdisable state. Root guard prevents other switches, including unauthorized/rogue switches, from becoming root. These network features work whether the IP telephony application is Cisco or Avaya.
Port Security Prevents MAC flooding and mitigates unauthorized access on a port by limiting the number of MAC addresses that can access the port, or by permitting only a specific MAC address or addresses to access the port. This network feature works whether the IP telephony application is Cisco or Avaya.
DHCP Snooping Limits DoS attacks on authorized DHCP servers by rate-limiting the number of DHCP requests on a port. Prevents unauthorized/rogue DHCP servers on untrusted ports from handing out bogus IP addresses. This network feature works whether the IP telephony application is Cisco or Avaya.
Dynamic ARP Inspection Protects against ARP poisoning by dropping ARP packets (including bogus gratuitous ARPs) whose IP/MAC binding does not match the DHCP snooping binding table. Limits ARP flooding and port scanning by rate-limiting ARP requests from client ports. This network feature works whether the IP telephony application is Cisco or Avaya.
IP Source Guard Protects against IP address spoofing on a port by only permitting traffic sourced from the IP address assigned by the DHCP server (taken from the DHCP snooping binding table, or from a static binding). This network feature works whether the IP telephony application is Cisco or Avaya.
VLAN Access Control Lists (VACL) Same as Access Control Lists (ACL) but within a vlan (within a subnet) instead of between vlans (between subnets, across a L3 boundary). Permits tighter control of traffic within a vlan. Traditionally, traffic had to cross a L3 boundary to get filtered through an ACL. This network feature works whether the IP telephony application is Cisco or Avaya.
Summary These Cisco  network  security features work whether the IP telephony application is Cisco or Avaya. BPDU guard and root guard. Port security. DHCP snooping. Dynamic ARP inspection. IP source guard. VACL. There are many others, but these are some of the features.
Key Points Separate the network features from the IP telephony features. Don’t falsely attribute network benefits to the IP telephony solution. If a Cisco network feature provides value with a Cisco IP telephony solution, it will also provide value with an Avaya IP telephony solution. Also, don’t falsely attribute network faults to the IP telephony solution.
Other Cisco Network Features Some That We Don’t Need or Want Some That Interfere with Our Signaling One That We Do Want
Cisco Features We Don’t Need or Want on the  Ports  Connected To Avaya Devices EtherChannel Primarily for switch-to-switch links.  Comparable to the 802.3ad link aggregation standard. Cisco CatOS negotiates this by default. Dynamic Inter-Switch Link Protocol (DISL) and Dynamic Trunking Protocol (DTP) Used between Cisco switches (proprietary) to negotiate trunking and trunk encapsulation. Enabled by default when trunking is enabled. Cisco Discovery Protocol (CDP) For information exchange between Cisco devices (proprietary). Enabled by default, but Cisco’s security group considers this a risk since CDP reveals quite a bit of information in clear text.
Cisco Inspection Features
These features attempt to inspect H.323 message content to validate the message:
(no) fixup protocol h323 (PIX)
(no) ip inspect <name> h323 (IOS global)
(no) ip inspect <name> {in|out} (IOS interface)
(no) ip nat service h323 (IOS global)
(no) ip nat service ras (IOS global)
In the past, these features have often misinterpreted valid H.323 messages and message fragments and dropped them. Avaya H.323 messages are valid and should not be dropped. If Avaya IP phones fail to register for no apparent reason, check whether these features are enabled on the path between the phones and the CLAN. If so, disable them. Note that on a PIX or a NAT router the fixup/inspection code is also what opens pinholes for the dynamically negotiated RTP ports; once it is disabled, explicitly permit the fixed RTP/RTCP port range defined for the system.
Cisco Feature We DO Want on the Ports Connected To Avaya IP Phones PortFast bypasses the Listening and Learning states, which take about 50 sec with legacy Spanning Tree Protocol, and immediately puts the port into the Forwarding state. Hosts, meaning devices that are not L2 switches, do not need to go through the Listening and Learning states; they should immediately start forwarding traffic. Rapid Spanning Tree is preferred over legacy Spanning Tree. Fast, robust routing protocols (OSPF, EIGRP) are preferred over others (RIP, IGRP).
Key Points Disable network features that we don’t need and can’t use. Cleaner. Less risk. Easier to troubleshoot in some cases. Inspection features – H.323 and otherwise – often misinterpret valid messages.  They appear to be optimized for Cisco messages. Enable network features that help us. PortFast was explicitly covered. Rapid Spanning Tree preferred over legacy Spanning Tree. Fast, robust routing protocols (OSPF, EIGRP) preferred over others (RIP, IGRP).
Avaya IP Telephones Dual-VLAN Environment
Cisco Auxiliary VLAN and Cisco Voice VLAN Do Avaya IP phones work with these? YES!   And they are preferred. Is there an alternative? Yes, use 802.1Q trunking.
Dual-VLAN Implementation (diagram: switch port 1/1 carrying v10 and v20 to the phone and its attached PC)
Cisco CatOS Auxiliary VLAN (preferred)
set port host 1/1
set cdp disable 1/1
set vlan 10 1/1
set port auxiliaryvlan 1/1 20
“set port host” sets channel mode (EtherChannel) to off, enables spanning tree PortFast, sets trunk mode to off, and disables the dot1q tunnel feature. These must be done separately if “set port host” is not available or not invoked. v10 is native to this port (data); v20 is the auxiliary vlan (voice).
Cisco CatOS 802.1Q Trunk (alternative)
set port channel 1/1 off
set spantree portfast 1/1 enable trunk
set cdp disable 1/1
set vlan 10 1/1
set trunk 1/1 nonegotiate dot1q
clear trunk 1/1 1-9,11-19,21-1005
“nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. v10 is native to this port; v20 is the only other allowed vlan.
Cisco IOS Voice VLAN (preferred)
interface FastEthernet1/1
 switchport host
 switchport nonegotiate
 switchport access vlan 10
 switchport voice vlan 20
 no cdp enable
“switchport host” sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping (EtherChannel). These must be done separately if “switchport host” is not available or not invoked. v10 is native to this port (data); v20 is the voice vlan.
Cisco IOS 802.1Q Trunk (alternative)
interface FastEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 no cdp enable
 spanning-tree portfast trunk
“nonegotiate” prevents DISL/DTP negotiations. v10 is native to this port; v20 is the only other allowed vlan.
Automatic Discovery of Voice VLAN Can Avaya IP phones auto-discover the voice vlan? YES!  with Link Layer Discovery Protocol (LLDP) and the LLDP Media Endpoint Discovery (LLDP-MED) extension. 46xx H.323 firmware R2.6. 96xx future release – check w/ Product Management. Cisco switch must also support LLDP/LLDP-MED, but Cisco is not there yet (planned for the future). No, with Cisco’s current proprietary Cisco Discovery Protocol (CDP) implementation.
In the Absence of LLDP/LLDP-MED
The Avaya IP phone must pass through the data vlan on its initial bootup, which is a bootup out of the box, after the phone has been factory defaulted (Mute C-L-E-A-R-#), or after values have been reset (Mute R-E-S-E-T-#-#). The IP phone goes directly to the voice vlan on subsequent bootups.
If you never want the phone to operate on the data vlan, the DHCP option 176/242 string for v10 only needs:
L2QVLAN=20
Then the option 176/242 string for v20 needs the full text:
MCIPADD=addr1,HTTPSRVR=addr1,VLANTEST=0
46xx H.323 R2.6 and later should use VLANTEST=60.
In the Absence of LLDP/LLDP-MED (cont)
If the IP phone should operate on the data vlan in case the voice vlan experiences a lengthy outage, or if the phone is mobile and will be moved between locations with different voice VIDs:
Option 176/242 string for v10: MCIPADD=addr1,HTTPSRVR=addr1,L2QVLAN=20,VLANTEST=XX
Option 176/242 string for v20: MCIPADD=addr1,HTTPSRVR=addr1,VLANTEST=XX
In either case, populate the 46xxsettings.txt file with the L2 priorities for signaling and audio:
SET L2QSIG <value>
SET L2QAUD <value>
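The two provisioning patterns above are easy to get subtly wrong on a DHCP server (a dropped parameter, a VLAN ID out of range, or an option that no longer fits in the one-byte DHCP option length). The following Python, added here as an example and not Avaya's or this deck's own code, builds the option 176/242 strings for both patterns and checks them before they are pasted into a DHCP scope. It assumes the syntax shown on the slides (KEY=value pairs separated by commas) plus one convention beyond the slides: a token without “=” continues the previous parameter's value, which is how a list of several call-server addresses is written. The addresses, VLAN IDs and VLANTEST values are constructed sample values.

```python
"""Build and validate Avaya 46xx/96xx DHCP option 176/242 strings.

Added example, not Avaya code. Encodes the two provisioning patterns on
the slides (phone may / may not fall back to the data VLAN).
"""
import ipaddress

# Parameters whose value is an IP address or a comma-separated list of them.
ADDRESS_KEYS = {"MCIPADD", "HTTPSRVR", "TLSSRVR", "TFTPSRVR"}
MAX_OPTION_LEN = 255  # a DHCP option has a one-byte length field (RFC 2132)


def parse_option(text):
    """Parse 'KEY=value,KEY=value' into a dict.

    A token with no '=' is appended to the previous address-list parameter
    (MCIPADD=a,b,c). That convention is an assumption of this example; the
    slides only show single addresses.
    """
    params, last = {}, None
    for token in text.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty parameter in option string")
        if "=" in token:
            key, value = token.split("=", 1)
            key = key.upper()
            if key in params:
                raise ValueError(f"duplicate parameter {key}")
            params[key] = value
            last = key
        elif last in ADDRESS_KEYS:
            params[last] += "," + token
        else:
            raise ValueError(f"unexpected token {token!r}")
    return params


def validate_option(text):
    """Return the parsed parameters, or raise ValueError on the first problem."""
    if len(text.encode("ascii")) > MAX_OPTION_LEN:
        raise ValueError("option string exceeds 255 bytes")
    params = parse_option(text)
    for key in ADDRESS_KEYS & params.keys():
        for addr in params[key].split(","):
            ipaddress.IPv4Address(addr)  # raises ValueError on a bad address
    if "L2QVLAN" in params and not 0 <= int(params["L2QVLAN"]) <= 4094:
        raise ValueError("L2QVLAN must be 0..4094")
    if "VLANTEST" in params and int(params["VLANTEST"]) < 0:
        raise ValueError("VLANTEST is a number of seconds and cannot be negative")
    return params


def is_valid_option(text):
    try:
        validate_option(text)
        return True
    except ValueError:
        return False


def option_strings(call_server, voice_vid, allow_data_fallback, vlantest=60):
    """Return {'data': ..., 'voice': ...}: the option strings for the data
    VLAN scope and the voice VLAN scope.

    allow_data_fallback=False is the 'never operate on the data VLAN'
    pattern; True is the 'fall back to the data VLAN' pattern.
    """
    common = f"MCIPADD={call_server},HTTPSRVR={call_server}"
    if allow_data_fallback:
        data = f"{common},L2QVLAN={voice_vid},VLANTEST={vlantest}"
    else:
        data = f"L2QVLAN={voice_vid}"
    voice = f"{common},VLANTEST={vlantest}"
    for s in (data, voice):
        validate_option(s)  # fail here, not on the phone
    return {"data": data, "voice": voice}


if __name__ == "__main__":
    # Constructed sample: call server/file server 10.1.1.5, voice VLAN 20.
    for mode in (False, True):
        print(f"fallback={mode}:", option_strings("10.1.1.5", 20, mode))
```

Run it once per site to produce the two scope strings; anything the validator rejects would have left the phone stuck on the wrong VLAN with no obvious error on the DHCP side.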
Key Points We do work on Cisco’s auxiliary vlan and voice vlan. With LLDP/LLDP-MED, we can auto-discover the voice vlan, not just on a Cisco network but on any network. Although we choose not to interoperate with CDP (proprietary) because of the security risks, we have a very feasible method of learning the voice vlan without CDP.
IEEE 802.1X Authentication 46xx H.323 firmware R2.6 96xx H.323 firmware R1.1
Port-based Network Access Control 802.1X requires a device to authenticate before it can receive any network services (a security feature). Neither the IP phone nor the PC can even get an IP address without first passing 802.1X authentication. (Diagram: phone and PC on port 1/1, with vlan 20 for voice and vlan 10 for data.)
802.1X Terminology  Supplicant Device that needs access to the network. Presents credentials to Authenticator. Authenticator Ethernet switch or wireless access point. Intermediary between Supplicant and Authentication Server. RADIUS client. Authentication Server Holds credentials database for all Supplicants. RADIUS server.
802.1X Protocols Extensible Authentication Protocol (EAP) is the authentication framework for 802.1X. EAP over LAN (EAPOL) is the delivery mechanism for EAP between the Supplicant and Authenticator. EAP messages are encapsulated in the RADIUS EAP-Message attribute.
Avaya IP Telephone Supplicant Supports only the MD5-Challenge EAP method (there are many EAP methods). Upon  initial  bootup, phone displays prompts for EAP ID and password. Default EAP ID is MAC address, minus separating colons. EAP password is 12 numeric characters maximum. After initial provisioning, EAP ID and password are stored in flash (similar to extension and password). ID and password submitted automatically to Authenticator in authentication and re-authentication requests.
Cisco IP Telephone Supplicant Not there yet. Cisco plans on adding it in the future. Cisco phones currently only pass through EAPOL frames. PC authenticates using 802.1X (EAP). Cisco IP phone is trusted based on CDP. CDP is easy to spoof (clear text). If a device sends a CDP packet like the one a Cisco phone would send, that device becomes trusted. See the Cisco security notice. http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a008048e0d6.html
IP Telephone DOT1X Parameter
Sent via DHCP option 176/242 (DOT1X=<value>), via 46xxsettings.txt (SET DOT1X <value>), or entered manually via the keypad (Mute 8-0-2-1-9-#).
DOT1X=0 (default): EAPOL multicast frames are passed through between the PC and the Authenticator. Proxy logoff is disabled.
DOT1X=1: same as 0, but proxy logoff is enabled; the phone logs off on behalf of the PC when it detects that the PC has disconnected.
DOT1X=2: EAPOL multicast frames are NOT passed through between the PC and the Authenticator; EAPOL multicast frames are exchanged only between the phone and the Authenticator.
EAPOL unicast frames are always transmitted between devices, regardless of the DOT1X value.
Three Authentication Methods Single-Supplicant single-host. Single device authenticates and only that device is permitted access on the port. Single-Supplicant multi-host. Single device authenticates, and that opens up the port for multiple devices, without authentication. Single Supplicant could be IP phone or PC, with the other one piggybacking. Multi-Supplicant (most secure). Multiple devices authenticate on a single port. Only authenticated devices are permitted access.
Two Types of Ethernet Switch Authenticators
Single-Supplicant, or port-based switch: only one device can be authenticated per port. The port can be limited to just the authenticated device, or a single authenticated device can open up the port for multiple devices, without authentication. Typically sends EAPOL multicast frames to the connected device. Examples: Cisco 4500 or 3750, Avaya C363T.
Multi-Supplicant, or MAC-based switch: multiple devices can be authenticated per port, and only those devices are permitted access. Typically sends EAPOL unicast frames to the connected device(s). Examples: Cisco 6500, Extreme, Avaya G250/G350.
Single-Supplicant Switch (diagram: one Supplicant on a port carrying vlan 10 and vlan 20)
Cisco CatOS 802.1X – Single-Supplicant Switch
set port host 1/1
set cdp disable 1/1
set vlan 10 1/1
set port auxiliaryvlan 1/1 20
set port dot1x 1/1 port-control auto
set port dot1x 1/1 multiple-host enable
set port dot1x 1/1 re-authentication enable
“port-control auto” means 802.1X controls the port. “multiple-host enable” means a single authenticated Supplicant enables access for multiple hosts. “re-authentication enable” means the Supplicant has to re-authenticate periodically.
Cisco IOS 802.1X – Single-Supplicant Switch
interface FastEthernet1/1
 switchport host
 switchport nonegotiate
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
 no cdp enable
 dot1x port-control auto
 dot1x multi-hosts
 dot1x reauthentication
These commands are analogous to the CatOS commands on the previous slide.
Multi-Supplicant Switch (not quite there yet) (diagram: phone and PC each authenticating on a port carrying vlan 10 and vlan 20)
Multi-Supplicant Limitations Cisco supports multi-supplicant mode (the “multiple-authentication” command) only on the 6500 CatOS platform, and only on a single-vlan access port. It is not supported on a trunk port or a multi-vlan access port (MVAP); an MVAP is a port with a data vlan and a voice vlan. This means that Avaya IP phones must use the single-supplicant multi-host option, even though Cisco does not recommend this (because they don’t want other people’s phones to work on their switch). http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00803f5786.html#wp1060636 “You cannot enable the multiple-authentication option on an 802.1X-enabled auxiliary VLAN port. We recommend that you do not enable the multiple-host option on an 802.1X-enabled auxiliary port.”
Cisco CatOS 802.1X – Multi-Supplicant Switch (if and when it is supported on an MVAP)
set port host 1/1
set cdp disable 1/1
set vlan 10 1/1
set port auxiliaryvlan 1/1 20
set port dot1x 1/1 port-control auto
set port dot1x 1/1 multiple-authentication enable
set port dot1x 1/1 re-authentication enable
“port-control auto” means 802.1X controls the port. “multiple-authentication enable” means that multiple Supplicants can authenticate on this port. “re-authentication enable” means each Supplicant has to re-authenticate periodically.
Key Points 802.1X is the port-based network access control standard. The multi-Supplicant authentication method is the most secure, requiring both the IP phone and the attached PC to authenticate independently. Avaya IP phones are 802.1X Supplicants and support multi-Supplicant authentication; Cisco switches do not yet support multi-Supplicant mode on an MVAP. Cisco IP phones are not 802.1X Supplicants and become trusted devices via CDP. Avaya IP phones can authenticate on any network that supports 802.1X; Cisco IP phones cannot authenticate on any network, and are trusted devices only on a Cisco network.
Reference Avaya document describing 802.1X feature and functionality in Avaya IP Telephones. http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf LLDP and LLDP-MED (see appendix) are also discussed in this document.
Power over Ethernet Pretty Stable Now
802.3af Power Requirements
Class   Usage      Minimum power at PSE output   Power range at the PD
0       Default    15.4 W                        0.44 to 12.95 W
1       Optional   4.0 W                         0.44 to 3.84 W
2       Optional   7.0 W                         3.84 to 6.49 W
3       Optional   15.4 W                        6.49 to 12.95 W
Key Points We had some initial growing pains with 802.3af PoE during the proprietary to standard transition period. Be SURE that Cisco switches or switch blades are 802.3af devices, not the old switches and blades. Determine power budget based on 802.3af power requirements. Most Avaya 46xx sets are class 2 devices (4602, 4610, and 4621). Avaya 96xx sets are class 2 devices, except for the GigE sets and GigE adapters, which are class 3. Be careful w/ Cisco 48-port switches.  They are not provisioned with enough power for all 48 ports.
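The budget warning above is about the PSE side of the table: the switch reserves the per-class PSE output figure (15.4 W for a class 0 or class 3 device) even though the phone itself draws less, so a 48-port switch runs out of budget long before the phones' nameplate consumption suggests. The Python below, an added example rather than Avaya or Cisco material, turns the table into a budget check. The 370 W budget in the demo is a constructed figure, not a specific Cisco model's rating.

```python
"""802.3af PoE budgeting. Added example, not Avaya or Cisco code.

The PSE must reserve the 'Minimum power at PSE output' figure for a
device's class, not the smaller amount the PD actually draws. Class 0
(unclassified, the default) is budgeted like class 3.
"""

PSE_OUTPUT_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}  # per-class allocation, W


def pse_allocation(pd_class):
    """Watts the switch must reserve for one device of the given class."""
    if pd_class not in PSE_OUTPUT_W:
        raise ValueError(f"unknown 802.3af class {pd_class}")
    return PSE_OUTPUT_W[pd_class]


def ports_supported(budget_w, pd_class):
    """Maximum number of devices of one class a PoE budget can power."""
    return int(budget_w // pse_allocation(pd_class))


def plan_ports(budget_w, device_classes):
    """Allocate power to devices in the order their ports come up.

    Returns (ports powered, watts allocated, classes of devices left
    unpowered). Devices that do not fit are skipped, not starved partially,
    which is how a PSE behaves once its budget is exhausted.
    """
    allocated, powered, unpowered = 0.0, 0, []
    for pd_class in device_classes:
        need = pse_allocation(pd_class)
        if allocated + need <= budget_w + 1e-9:
            allocated += need
            powered += 1
        else:
            unpowered.append(pd_class)
    return powered, round(allocated, 2), unpowered


if __name__ == "__main__":
    # Constructed figure: a 48-port switch with a 370 W PoE budget
    # (an assumed value, not any particular Cisco model's rating).
    BUDGET_W = 370
    for pd_class in (2, 3, 0):
        print(f"class {pd_class}: {ports_supported(BUDGET_W, pd_class)} of 48 ports")
    # Mixed closet: 40 class 2 phones plus 8 class 3 GigE sets.
    print(plan_ports(BUDGET_W, [2] * 40 + [3] * 8))
```

With the assumed budget, a closet of class 2 phones fits on all 48 ports while a closet of class 3 (or unclassified class 0) devices powers only 24; mixing in a few GigE sets is what pushes an otherwise comfortable closet over the edge.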
Reference “A Practical Guide to Power Over Ethernet (PoE) by Avaya”. This document will be posted externally on http://www.avaya.com. It is currently on http://enterpriseportal.avaya.com under Support > Anatomy of a Successful Cut, which is accessible to Avaya employees and Business Partners.
Avaya Servers and IP Boards Server-Class Devices
Server-Class Devices IP telephones are user devices: each serves a single user at a time. Avaya media servers, media gateways, and IP boards are servers or server-class devices that serve many users at a time. Recommendation: lock down the speed and duplex settings of server-class devices and their connected Ethernet switch ports. User devices can be left at auto-negotiate.
Single-VLAN Ports Unlike IP phones that are themselves on a voice vlan with an attached PC on a data vlan, Avaya media servers and IP boards are single-vlan devices. Recommendation : Whatever the voice vlan is, make that the only vlan on the Ethernet switch port connected to an Avaya media server or IP board.
What About 802.1Q Tagging? An IP phone must tag to get on the voice vlan of the dual-vlan port. A media server or IP board has only one vlan on its port, so there is no need to tag to get on the proper vlan. As for L2 priority (802.1p), with Cisco’s “trust dscp” option (discussed in the following QoS section), there really is no need for L2 priority tagging for media servers and IP boards on a Cisco network. Properly configuring 802.1Q tagging for a single-vlan port on various Cisco switch platforms and OS versions is more trouble than it’s worth. Trusting the DSCP is cleaner and simpler.
Cisco CatOS Configuration
set port host <mod/port>
set cdp disable <mod/port>
set vlan 20 <mod/port>
set port speed <mod/port> 100
set port duplex <mod/port> full
Cisco IOS Configuration
interface FastEthernetX/X
 switchport host
 switchport nonegotiate
 switchport access vlan 20
 speed 100
 duplex full
 no cdp enable
Avaya L1 and L2 Configurations Use the integrated  Maintenance Web Interface  to configure the media server’s speed and duplex (and L2 tagging). Use the SAT  ip-interface  form to configure the CLAN’s and media board’s speed and duplex (and L2 tagging). SSH to the IPSI board to configure its speed and duplex (and L2 tagging).
Key Points User devices (IP phones)… Can be left to auto-negotiate speed and duplex. Are dual-vlan devices that must apply 802.1Q tagging on a dual-vlan Ethernet switch port. Server-class devices (media servers and IP boards)… Should have speed and duplex fixed to 100/full. Are single-vlan devices that should be attached to single-vlan Ethernet switch ports. Do not require 802.1p/Q tagging.
Avaya Media Gateways L2/L3 Switches
Avaya Media Gateways Avaya media gateways (MG) have integrated L2/L3 switches, so they should be treated as network devices, not as hosts. Lock down both ends of the uplink to 100/full (G700) or 1000/full (G350). Match the MG VIDs to the Cisco switch VIDs; MG user VIDs range from 1 to 3071. Establish 802.1Q trunking between the MG and the Cisco switch if multiple vlans are used. Enable Rapid Spanning Tree, or legacy Spanning Tree if for some reason Rapid is not available; the MG port should be a non-edge port (the default), and PortFast should be disabled on the Cisco switch port (the MG is an L2/L3 switch). Set the MG’s bridge priority so that it does NOT become root (lowest number = highest priority = root).
Switch to Switch Connectivity – Multiple VLANs
Cisco CatOS 802.1Q Trunk Uplink
set port channel <mod/port> off
set spantree portfast <mod/port> disable
set cdp disable <mod/port>
set vlan 10 <mod/port>
set trunk <mod/port> nonegotiate dot1q
clear trunk <mod/port> 1-9,11-19,21-1005
set port speed <mod/port> 100 (or 1000 for G350)
set port duplex <mod/port> full
PortFast is disabled because the connected device is another L2/L3 switch; we want Spanning Tree to operate fully. “nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. v10 is native to this port; v20 is the only other allowed vlan.
Cisco IOS 802.1Q Trunk Uplink
interface FastEthernetX/X
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 speed 100 (or 1000 for G350)
 duplex full
 no cdp enable
 spanning-tree portfast disable
PortFast is disabled. “nonegotiate” prevents DISL/DTP negotiations. v10 is native to this port; v20 is the only other allowed vlan.
G700 802.1Q Trunk Uplink
set interface inband 20 <ip_addr> <mask>
set interface mgp 20 <ip_addr> <mask>   (from MGP CLI configure mode)
set spantree enable
set spantree version rapid-spanning-tree
set spantree priority <number>
set port vlan 10 <mod/port>
set port vlan-binding-mode <mod/port> static
set port static-vlan <mod/port> 20
set port speed <mod/port> 100MB
set port duplex <mod/port> full
All commands are from the MG switch CLI, except for the one noted.
G350 802.1Q Trunk Uplink
interface Vlan 20
 ip address <ip_addr> <mask>
 icc-vlan
 pmi
set spantree enable
set spantree version rapid-spanning-tree
set spantree priority <number>
set port vlan 10 <mod/port>
set port vlan-binding-mode <mod/port> static
set port static-vlan <mod/port> 20
set port speed <mod/port> 1GB
set port duplex <mod/port> full
Switch to Switch Connectivity – Single VLAN Similar configurations as before, but… v20 is the only vlan on the ports. 802.1Q trunking is not necessary.
Cisco CatOS Single-VLAN Uplink
set port channel <mod/port> off
set spantree portfast <mod/port> disable
set cdp disable <mod/port>
set vlan 20 <mod/port>
set port speed <mod/port> 100 (could be 1000 for G350)
set port duplex <mod/port> full
PortFast is disabled because the connected device is another L2/L3 switch; we want Spanning Tree to operate fully. No trunk is configured: v20 is the only vlan on this port, and the gateway's traffic is untagged.
Cisco IOS Single-VLAN Uplink
interface FastEthernetX/X
 switchport mode access
 switchport nonegotiate
 switchport access vlan 20
 speed 100 (could be 1000 for G350)
 duplex full
 no cdp enable
 spanning-tree portfast disable
PortFast is disabled. “nonegotiate” prevents DISL/DTP negotiations. v20 is the only vlan on this port; the gateway's traffic is untagged, so no 802.1Q trunk is needed.
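The IOS stanzas on the phone-port slides (Voice VLAN and 802.1Q trunk alternative), the single-vlan server-port slide and the two gateway uplink slides differ in only a handful of commands, and the common mistakes are the same ones every time: CDP left on, DTP left negotiating, PortFast enabled toward the gateway's switch, or a voice vlan left on a server port. The Python below, an added example and not Cisco or Avaya code, audits IOS interface stanzas against those rules by port role. It is a plain text check for the exact commands the slides call for, not an IOS configuration parser, and it assumes data vlan 10 and voice vlan 20 as the slides do; the sample configuration is constructed.

```python
"""Audit Cisco IOS interface stanzas against the port roles on these slides.
Added example, not Cisco or Avaya code: a text check for the commands the
slides call for (not an IOS parser). Assumes data vlan 10, voice vlan 20."""

DATA_VLAN, VOICE_VLAN = "10", "20"


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} from a config excerpt."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces


def audit_port(lines, role):
    """Findings for one port; an empty list means it matches the slides.
    role: 'phone' (dual-vlan access port), 'server' (single-vlan port for a
    media server or IP board) or 'gateway' (802.1Q trunk uplink to a G700/G350)."""
    has, findings = set(lines), []

    def require(cmd, why):
        if cmd not in has:
            findings.append(f"missing '{cmd}' ({why})")

    # Every port facing an Avaya device: no CDP, no DTP, no EtherChannel.
    require("no cdp enable", "CDP is proprietary and leaks information in clear text")
    require("switchport nonegotiate", "no DTP toward a non-Cisco device")
    if any(l.startswith("channel-group") for l in lines):
        findings.append("EtherChannel configured toward an Avaya device")
    # 'switchport host' implies PortFast; so does any 'spanning-tree portfast'
    # line other than '... disable'.
    portfast = "switchport host" in has or any(
        l.startswith("spanning-tree portfast") and not l.endswith("disable") for l in lines)

    if role == "phone":
        if "switchport mode trunk" in has:  # 802.1Q trunk alternative
            require(f"switchport trunk native vlan {DATA_VLAN}", "data vlan untagged")
            require(f"switchport trunk allowed vlan {DATA_VLAN},{VOICE_VLAN}", "prune other vlans")
        else:  # voice vlan form (preferred)
            require(f"switchport access vlan {DATA_VLAN}", "data vlan")
            require(f"switchport voice vlan {VOICE_VLAN}", "voice vlan")
        findings += [f"'{l}': phones should auto-negotiate"
                     for l in lines if l.startswith(("speed ", "duplex "))]
    elif role == "server":
        require(f"switchport access vlan {VOICE_VLAN}", "server-class devices use the voice vlan only")
        require("speed 100", "lock speed")
        require("duplex full", "lock duplex")
        if any(l.startswith(("switchport voice vlan", "switchport mode trunk")) for l in lines):
            findings.append("second vlan configured on a single-vlan server port")
    elif role == "gateway":
        require("switchport mode trunk", "uplink to the gateway's L2/L3 switch")
        require("switchport trunk encapsulation dot1q", "802.1Q trunking")
        require(f"switchport trunk native vlan {DATA_VLAN}", "native vlan")
        require(f"switchport trunk allowed vlan {DATA_VLAN},{VOICE_VLAN}", "prune other vlans")
        require("duplex full", "lock duplex")
        if not has & {"speed 100", "speed 1000"}:
            findings.append("missing fixed speed (100 for G700, 1000 for G350)")
    else:
        raise ValueError(f"unknown role {role!r}")
    if role == "gateway" and portfast:
        findings.append("PortFast enabled toward another switch; Spanning Tree must run fully")
    if role != "gateway" and not portfast:
        findings.append("PortFast not enabled on a host port")
    return findings


def audit_config(config_text, roles):
    """roles: {interface name: role}. Returns {interface name: findings}."""
    interfaces = parse_interfaces(config_text)
    return {name: audit_port(interfaces.get(name, []), role) for name, role in roles.items()}


# Constructed sample: a compliant phone port, a compliant server port and a
# gateway uplink on which someone left PortFast enabled.
SAMPLE_CONFIG = """\
interface FastEthernet1/1
 switchport host
 switchport nonegotiate
 switchport access vlan 10
 switchport voice vlan 20
 no cdp enable
!
interface FastEthernet1/3
 switchport host
 switchport nonegotiate
 switchport access vlan 20
 speed 100
 duplex full
 no cdp enable
!
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 speed 1000
 duplex full
 no cdp enable
 spanning-tree portfast
!
"""
SAMPLE_ROLES = {"FastEthernet1/1": "phone", "FastEthernet1/3": "server",
                "GigabitEthernet1/1": "gateway"}

if __name__ == "__main__":
    for port, found in audit_config(SAMPLE_CONFIG, SAMPLE_ROLES).items():
        print(port, "OK" if not found else found)
```

Feed it `show running-config` output and a role map per closet; the output is a per-port list of deviations from the slides rather than a pass/fail, so a port that is deliberately different is easy to recognise.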
G700 Single-VLAN Uplink
set interface inband 20 <ip_addr> <mask>
set interface mgp 20 <ip_addr> <mask>   (from MGP CLI configure mode)
set spantree enable
set spantree version rapid-spanning-tree
set spantree priority <number>
set port vlan 20 <mod/port>
set port speed <mod/port> 100MB
set port duplex <mod/port> full
All commands are from the MG switch CLI, except for the one noted.
G350 Single-VLAN Uplink
interface Vlan 20
 ip address <ip_addr> <mask>
 icc-vlan
 pmi
set spantree enable
set spantree version rapid-spanning-tree
set spantree priority <number>
set port vlan 20 <mod/port>
set port speed <mod/port> 100MB (or 1GB)
set port duplex <mod/port> full
Key Points Avaya media gateways are L2/L3 switches and should be configured and treated as network devices, not as hosts. We often see the MG vlan left as 1 (default) and connected to the Cisco switch as a host. You can get away with this if the MG really is a standalone host (server class) operating with a single vlan, but you should still match the VIDs. If the Cisco switch uses a VID beyond 3071, you have no choice. Do NOT enable 802.1Q trunking if the VIDs don’t match. We often see a complete disregard for Spanning Tree between the enterprise Ethernet switch and the MG. Ranges from Spanning Tree not being enabled at all, to the MG having become root. Not good.
End to End QoS Host Tags (802.1p) and Marks (DSCP) Network Classifies and Prioritizes
Can the Avaya IP Telephony Solution Work with Cisco AutoQoS? YES!  because AutoQoS is mostly a  network  feature, independent of the IP telephony solution. That being said, AutoQoS has mixed reviews. It is not as automatic and simple as the name implies. The default queue sizes likely need to be tuned to match the bandwidth required for audio, signaling, and port network control. Know what commands are automatically being inserted.  Apply AutoQoS as a starting point, then carefully examine the commands. AutoQoS cannot be covered in detail in this session. Consult Cisco’s documentation:  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf Avaya application note:  http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/autoqos.pdf .
Tag and Mark at the Source
The key is to tag (L2 priority, 802.1p) and mark (L3 priority, DSCP) according to what the network is expecting.
Previously Cisco classified using these values:
            CoS   DSCP
Signaling   3     26 (AF31)
Audio       5     46 (EF)
Now Cisco uses these values (IOS 12.2 accepts both):
            CoS   DSCP
Signaling   3     24 (CS3)
Audio       5     46 (EF)
Configure Priority Values for Servers and Gateways Servers Use the integrated  Maintenance Web Interface  to enable 802.1Q tagging on specific interfaces. Use the SAT  ipserver-interface  form to set the 802.1p and DSCP values. Media Gateways Use the MG switch CLI to enable 802.1Q tagging (dot1q trunk). Use the SAT  ip-network-region  form to set the 802.1p and DSCP values. Issue  set qos control remote  from the MGP CLI (configure mode) to apply the ip-network-region values.
Configure Priority Values for IP Boards CLAN and media boards Use the SAT  ip-interface  form to enable 802.1Q tagging on each board. Use the SAT  ip-network-region  form to set the 802.1p and DSCP values. SSH to the IPSI board to… Enable 802.1Q tagging. Set the 802.1p and DSCP values.
Configure Priority Values for IP Phones Enable 802.1Q tagging via LLDP or DHCP option 176/242  L2QVLAN  parameter. Set the L2 values via the 46xxsettings.txt file. SET L2QSIG <value> SET L2QAUD <value> Use the SAT  ip-network-region  form to set the DSCP values. These values are automatically sent to the phones.
Trust Preference Cisco switches can classify based on the L2 802.1p value (trust cos) or the L3 DSCP value (trust dscp). Whenever possible, classify based on DSCP, because it survives end to end. mls qos trust dscp  (IOS interface command) set port qos <mod/port> trust trust-dscp  (CatOS command)
Trust Preference Exception If the PC attached to the IP phone sends tagged Ethernet frames and cannot be trusted… Apply the following to the 46xxsettings.txt file. SET VLANSEP 1 SET PHY2VLAN <value> (typically 0) SET PHY2PRIO <value> (typically 0) All tagged frames coming from the PC are re-written with the two values specified. As of 46xx H.323 firmware R2.4, and 96xx H.323 firmware R1.1. Then classify based on 802.1p. mls qos trust cos  (IOS interface command) set port qos <mod/port> trust trust-cos  (CatOS command)
Queues With respect to Cisco’s Low-Latency Queuing (LLQ) mechanism… Cisco puts audio (CoS 5, DSCP 46) in the priority queue. Cisco puts call signaling (CoS 3, DSCP 24) in a custom queue. For a Call Manager cluster with geographically separated servers, Cisco recommends putting the intra-cluster control traffic in the same queue as call signaling. Best practice is to apply the same queuing to the Avaya solution, using the same CoS/DSCP values  when interoperating with Cisco AutoQoS . Audio (CoS 5, DSCP 46) in the priority queue. Call signaling (CoS 3, DSCP 24) in a custom queue. Port network control (IPSI signaling) (CoS 3, DSCP 24) in the same custom queue as call signaling.
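The slides on tagging at the source, the trust preference and its exception, and the queue mapping all turn on the same few bits: the 3-bit priority and 12-bit VID in the 802.1Q tag, and the 6-bit DSCP in the IPv4 TOS byte. The Python below, added here as an example and not Avaya or Cisco code, extracts those fields from a tagged frame, maps them to the queues the slide lists (treating both the old AF31 and the new CS3 signaling marks as signaling, as IOS 12.2 does), and shows what the VLANSEP rewrite does to a frame from the PC port. The frames are constructed inline with made-up MAC and IP addresses, not captured from a phone.

```python
"""Decode 802.1p CoS and DSCP from a tagged IPv4 frame and map them to the
queues on the slides. Added example; frames are constructed, not captured."""
import struct

ETHERTYPE_8021Q, ETHERTYPE_IPV4 = 0x8100, 0x0800

# Queue assignment from the slides. Both the old signaling mark (AF31, 26)
# and the new one (CS3, 24) are accepted, as IOS 12.2 does.
QUEUE_BY_DSCP = {46: "priority (audio)", 24: "signaling", 26: "signaling"}
QUEUE_BY_COS = {5: "priority (audio)", 3: "signaling"}


def parse_tagged_frame(frame):
    """Return (vid, cos, dscp) from an 802.1Q-tagged IPv4 frame."""
    if len(frame) < 14 + 4 + 20:
        raise ValueError("frame too short for Ethernet + 802.1Q + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        raise ValueError("frame is not 802.1Q tagged")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    cos, vid = tci >> 13, tci & 0x0FFF   # 3-bit PCP, 12-bit VLAN ID
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    tos = frame[19]                      # second byte of the IPv4 header
    return vid, cos, tos >> 2            # DSCP is the top six bits of TOS


def classify(frame, trust="dscp"):
    """Queue a switch would choose under 'trust dscp' or 'trust cos'."""
    vid, cos, dscp = parse_tagged_frame(frame)
    if trust == "dscp":
        return QUEUE_BY_DSCP.get(dscp, "default")
    if trust == "cos":
        return QUEUE_BY_COS.get(cos, "default")
    raise ValueError("trust must be 'dscp' or 'cos'")


def rewrite_pc_tag(frame, phy2vlan=0, phy2prio=0):
    """What VLANSEP=1 does to tagged frames from the PC port: the PC's own
    VID and priority are overwritten with PHY2VLAN/PHY2PRIO. DSCP is untouched."""
    parse_tagged_frame(frame)  # validate before touching it
    tci = (phy2prio << 13) | (phy2vlan & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


def build_frame(vid, cos, dscp, payload=b""):
    """Construct a minimal tagged IPv4 frame (test input; addresses are made up)."""
    eth = bytes.fromhex("00040d000001") + bytes.fromhex("000c29000002")  # dst, src
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, (cos << 13) | vid, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0,
                     64, 17, 0, bytes([10, 1, 20, 7]), bytes([10, 1, 20, 1]))
    return eth + tag + ip + payload


if __name__ == "__main__":
    audio = build_frame(20, 5, 46)          # phone audio on the voice vlan
    pc = build_frame(10, 5, 46)             # PC marking its own traffic as audio
    print("phone audio, trust dscp:", classify(audio))
    print("PC frame, trust cos:", classify(pc, "cos"))
    print("PC frame after VLANSEP, trust cos:", classify(rewrite_pc_tag(pc), "cos"))
```

The last two lines of the demo are the point of the trust-preference exception: a PC that tags its own frames CoS 5 would land in the priority queue under `trust cos`, and since the phone rewrites only the L2 values, its DSCP would still get it there under `trust dscp`. VLANSEP plus `trust cos` is what takes the PC's claim away while leaving the phone's own marks intact.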
QoS is a Complex Topic Not enough time to cover thoroughly in this session. See the aforementioned Implementation Guide. Section 2.2 covers audio bandwidth. Section 2.3 covers QoS. Appendix F has sample Cisco QoS configurations and a short discussion on queuing. Appendix H covers IPSI signaling bandwidth requirements, which are necessary to size the custom queue properly. As for call signaling (IP phone to CLAN), this is very tough to quantify. It varies with call load and feature activation, and it requires a large user sample to quantify. Best to measure the actual bandwidth consumption in production. It’s relatively very low compared to audio.
Key Points Avaya IP telephony works with Cisco AutoQoS. Tag or mark at the source. Classify based on L3 if possible, L2 if necessary. Calculate or measure the audio and various signaling bandwidth requirements. Size the priority and custom queues properly. Note:  There is a Cisco feature out there that remarks the DSCP of an IP packet, and it is buggy.  It periodically drops a TCP segment and every retransmission of that segment.
Avaya IP Support Services
Supporting IP Telephony Why Maintenance Is Not Enough The quality of IP Telephony is dependent on devices other than the voice media servers and gateways The performance of your data network is critical to success Voice is the most demanding application running on the data network The data network has to be monitored in  conjunction with the voice media servers and gateways There is a high probability that your current data network management tools are not equipped to manage the performance of your IP Telephony applications !
Maintenance Agreement and Proactive IP Support/RMS IPT Proactive real-time monitoring of the communications environment: media servers, gateways and data infrastructure (diagram: customer main and branch locations with media servers, IP and DCP media gateways, LAN switches, routers, servers, workstations and INADS modems; everything in the blue squares is monitored by Avaya).
Real Life Scenario: IPT Monitoring Across the Network
The Scenario: Cisco switch affecting remote Gateway location (G700).
The Success Factors:
  ESP Surveillance: Received alarms from both G700 and Cisco switch.
  ESP Correlation: ESP was able to correlate two alarms to determine root cause of network outage.
  IPSS NOC Communication with Customer: Engineer requested customer reset the Cisco switch to clear the issue (recent IOS upgrade had resulted in rolling reboots).
The Result: We vastly reduced the network outage time by being able to determine the root cause of the incident.
Appendix: LLDP / LLDP–MED 46xx H.323 firmware R2.6
Overview Link Layer Discovery Protocol (LLDP) (IEEE 802.1AB) is a standard replacement for CDP and other proprietary discovery protocols. Adjacent devices exchange information at the link layer (L2). More information content than CDP, and thus more possible features. LLDP-MED (Media Endpoint Discovery) (ANSI/TIA-1057) is an extension to LLDP specifically for VoIP applications.
LLDP/LLDP-MED Information Exchange
LLDP/LLDP-MED to Avaya Parameters Mapping (TLV -> IP Telephone parameter it changes)
IEEE 802.1 Organization Specific, Port VLAN ID -> PHY2VLAN
IEEE 802.1 Organization Specific, VLAN Name -> L2Q=1, L2QVLAN
Avaya/Extreme Proprietary, Call Server IP Address -> MCIPADD
Avaya/Extreme Proprietary, File Server -> TLSSRVR, HTTPSRVR, TFTPSRVR
Avaya/Extreme Proprietary, 802.1Q Framing -> L2Q
Avaya/Extreme Proprietary, PoE Conservation Level Request -> Power conservation mode enabled/disabled
Key Points LLDP and LLDP-MED put Avaya and all other IP telephony and network vendors on equal ground. LLDP and LLDP-MED have more information content than CDP, allowing for advanced features (see reference). Cisco does not support LLDP yet, and continues to rely on their proprietary CDP, although they have stated intent to support LLDP in the future.
Reference Avaya document describing LLDP/LLDP-MED feature and functionality in Avaya IP Telephones. http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf

  • 6. QoS Configuration Screen: Covers all endpoints, gateways, CLANs, Media Processors. Does NOT cover the IPSIs.
  • 7. IPSIs on the network and QoS
    This is only required if the IPSI communication is over the customer network. Setting QOS (default = 46) in CM “change ipserver-interface x” only sets the diffserv value for control traffic from the S87x0 to the IPSI. The QOS (default = 40) in the IPSI board only sets the diffserv value for control traffic from the IPSI to the S87x0. Each IPSI board needs to be set to match.
    Step 1. In “change ipserver-interface x” set “Enable QOS” to yes. The default diffserv will then be 46.
    Step 2. Telnet to the IPSI board by doing the following:
      In the CLI type “pingall -a” to get the IPSI board location
      Type “ipsisession -p <IPSI IP_ADDRESS>”
      Type “telnet <IPSI IP_ADDRESS>”
      [IPSI]: ipsilogin
      Login: craft
      Password: serv1ces
      Type “show qos”
      Type “set diffserv 46”
      Type “reset”
  • 8. VLAN
    VLAN on ip-interface screen, 3 different options:
      “n” = No tagging, so no 802.1Q/P frames on that port
      “0” = 802.1p values with VLAN id of 0. Some Ethernet switches will take 0 to mean native VLAN. Some reject it (Cisco 4000 and 4500 from some reports)
      1 – 4094 = 802.1p values with VLAN id of x (1-4094)
    Recommendation: Set to “n” and prioritize at the switch
    Alternative (more complex): Tag with a value of 1 to 4094 and set up as a trunk.
    Setting it to “0” is not recommended as the results are not always predictable
  • 9. Where to set codecs
  • 10. Recommendations for WAN Connectivity
    Use LLQ (Low Latency Queuing). IOS version 12.2 or higher is generally recommended.
    Use fragmentation for links < 768k
    Voice should not consume more than 75% of available bandwidth*
    Use traffic shaping for Frame Relay & do NOT exceed CIR
    Keep in mind L2 overhead: http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp and http://www.packetizer.com/iptel/bandcalc.html
    Use cRTP “when needed” – keep in mind latency and CPU overhead
    Selecting the right codec and options: Generally G711 for the LAN and G729 over the WAN (configure mappings through network region form). Silence Suppression can save you some bandwidth but at the possible cost of voice clipping.
    Use Call Admission Control (CAC) so that you don’t over-run the bandwidth limit in LLQ
  • 11. Sample LLQ Configuration (Complex)
    class-map match-any voipAudio
     match ip dscp 46
    class-map match-any voipSig
     match ip dscp 34
    class-map match-any ipsiSig
     match ip dscp 36
    policy-map voipQoS
     class ipsiSig
      bandwidth 128
     class voipAudio
      priority 768
     class voipSig
      bandwidth 48
     class class-default
      fair-queue
      random-detect dscp-based
    interface Serial0
     description T1
     ip address 172.16.0.1
     service-policy output voipQoS
  • 12. Sample LLQ Configuration (Frame Relay)
    class-map match-all voip-fr
     match ip dscp 46                  ! all traffic that has DSCP 46
    class-map match-all vosig-fr
     match ip dscp 34                  ! all traffic that has DSCP 34
    policy-map llq
     class voip-fr
      priority 100                     ! reserve 100 Kbps priority bw for DSCP 46
     class vosig-fr
      bandwidth 8                      ! reserve 8 Kbps non-priority bw for DSCP 34
     class class-default
      fair-queue                       ! all other traffic in WFQ
    interface Serial3/3
     frame-relay traffic-shaping
     frame-relay class Frame_Class_1   ! applies FRTS
    map-class frame-relay Frame_Class_1
     no frame-relay adaptive-shaping
     frame-relay cir 256000            ! 256 Kbps CIR
     frame-relay bc 2560               ! Tc = Bc / CIR = 2560 / 256000 = 10 ms
     frame-relay be 0                  ! must be 0
     frame-relay fragment 320          ! figure calculated for 256K CIR
     service-policy output llq         ! apply policy map
  • 13. Fragmentation
    http://www.cisco.com/warp/public/788/voice-qos/voip-ov-fr-qos.html
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800b75d2.html
    For Frame Relay (FRF.12):
     map-class frame-relay VoIPovFR
      !--- Some output omitted.
      frame-relay fragment 80
    For point-to-point circuits (MLP):
     ppp multilink
     ppp multilink interleave
     ppp multilink fragment-delay 20
  • 14. WAN and Network Regions
    [Diagram: two sites connected over the LAN/WAN and the PSTN, each with a C-LAN and MedPro. The ip-network-map assigns subnet 192.168.1.0/24 to network region 1 and 192.168.2.0/24 to network region 2 (the remaining FROM / TO address or mask / NetReg rows are blank); G.711 and G.729 are shown as the codecs in use (the deck recommends G.711 on the LAN and G.729 across the WAN).]
    Avaya Communication Manager Network Region Configuration Guide: http://support.avaya.com/elmodocs2/comm_mgr/r3/netw-region-tutorial-cm30-1005.pdf
    Network Region Job Aid: http://support.avaya.com/elmodocs2/intmgmt/r3/14_300283_2.pdf
  • 15. Network Region Different configuration options for controlling calls between sites (Call Admission Control)…
  • 16. Suggested IP-Network Region Assignment
    IP-Network Regions | Usage | Comments
    01 - 199 | Locations | For media gateways, CLANs, MedPros, IP stations, VAL boards, port network cabinets (NR 1 assigned to fiber-pnc cabinets for IGAR processing)
    200 - 202 | Virtual Region | Call Admission Control: a means to control the number of calls or bandwidth limits between NRs with limited WAN bandwidth. Could be used for a pool of directly connected CLANs if needed for IP phone registration.
    203 - 248 | Miscellaneous/Virtual | Used for IP phones, CMAPI, Soft phones and other IP endpoints that need an IP Network Region different from its media gateway
    249 | <reset IP network-region x> | Use NR 249 for systems at ACM 3.0 or earlier. ACM 3.1 adds a new option to the command at left, to reset IP phones.
    250 | Adjuncts and IP Trunk dedicated CLANs | IP connected adjuncts: CMS, Intuity, CAS, SAT, dedicated IP trunk CLANs prior to CM 3.1, etc. Not connected to any other Network Regions, e.g., to avoid IP phones trying to use these resources.
  • 17. IGAR (Inter-Gateway Alternate Routing)
    IGAR is triggered when:
      BW limit reached by CAC-BL
      Network performance deterioration detected by Dynamic-CAC
      VoIP resource exhaustion
      No codec (network not meant for voice traffic)
      IGAR forced, or “always on”
    IGAR is not triggered when:
      Two parties are in the same network region
      IGAR is not enabled in the system
      IGAR is not enabled between the two network regions
  • 18. How Does IGAR Work?
    IGAR Construction Sequence:
      1. A station to station call
      2. Outgoing trunk call
      3. Incoming trunk call
      4. Call association with in-band DTMF tones
      5. Alerting of called party
      6. Call answer
    [Diagram: NR-1 and NR-2 joined by the IP network (path marked X, unavailable) and by the PSTN; the outgoing trunk call from NR-1 arrives at NR-2 as an incoming trunk call and the two legs are associated by the repeated in-band DTMF digits 90021… (the IGC).]
  • 19. IGAR Considerations BHCC Impact One call becomes three Assuming original call was IP Station to IP Station No use of VoIP resources typical (shuffling) IGAR uses two PSTN trunks (outgoing and incoming) Requires use of VoIP resource Traverses TDM backplane of media gateways: time slots occupied IP Network Availability and Fault Tolerance Does an IP network backup path exist? IGAR is not a WAN failure remedy. Traffic Engineering ASD contains no IGAR sensitivity at this time. Advanced Traffic can be modified for each location using IGAR Call progress delays
  • 20. Protocols and Ports
    Registration (H.225 RAS) = UDP 1719
    Signaling (H.225/Q.931) = TCP 1720
    Voice (RTP) = UDP 2048-65535 (configurable)
    Media Gateways (H.248) = TCP 2945 (TCP 1039 for encrypted communication)
    Port networks (“classic” media gateways) = TCP 5010 (5011 and 5012 as well for ESS)
    For additional information see Appendix B of the Implementation Guide: http://support.avaya.com/elmodocs2/comm_mgr/r3_1/pdfs/245600_4_3.pdf
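The port list above is what an edge ACL or a flow review has to work from when the "classify at the edge" approach is chosen. The following is an added example (my code, not from the deck or from Avaya) that classifies flows by those ports and returns the DSCP values the deck's sample LLQ policy matches on (46 audio, 34 signaling, 36 IPSI). Mapping the H.248 gateway ports to the signaling class is my assumption; the slide lists the ports but not their marking. The RTP range check follows the best-practice slide (16384-32767, at least 1280 ports). Sample flows are constructed.

```python
# Added example, not from the original deck: classify flows by the transport
# ports listed on the "Protocols and Ports" slide and return the DSCP the
# deck's sample LLQ policy expects (46 audio, 34 call signaling, 36 IPSI).
# Mapping H.248 gateway signaling to the signaling class (DSCP 34) is my
# assumption; the slide lists the ports but not their DSCP.
from dataclasses import dataclass

# Deck's recommended RTP/RTCP range (the phones default to 2048-65535).
RTP_PORT_RANGE = (16384, 32767)

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int

# (protocol, well-known port) -> (traffic class, DSCP)
FIXED_PORTS = {
    ("udp", 1719): ("h225-ras", 34),               # registration
    ("tcp", 1720): ("h225-signaling", 34),         # call signaling
    ("tcp", 2945): ("h248-gateway", 34),           # G250/G350/G700 control
    ("tcp", 1039): ("h248-gateway-encrypted", 34),
    ("tcp", 5010): ("ipsi-control", 36),           # port networks
    ("tcp", 5011): ("ipsi-control-ess", 36),
    ("tcp", 5012): ("ipsi-control-ess", 36),
}

def classify(flow, rtp_range=RTP_PORT_RANGE):
    """Return (class, dscp) for a flow; unknown traffic gets best effort (0)."""
    proto = flow.proto.lower()
    # Well-known ports win over the RTP range, whichever side they are on.
    for port in (flow.dst_port, flow.src_port):
        hit = FIXED_PORTS.get((proto, port))
        if hit:
            return hit
    lo, hi = rtp_range
    if proto == "udp" and (lo <= flow.src_port <= hi or lo <= flow.dst_port <= hi):
        return ("rtp-audio", 46)
    return ("other", 0)

def validate_rtp_range(lo, hi, min_ports=1280):
    """Check a configured UDP port range against the deck's best practice
    (between 16384 and 32767, at least 1280 ports). Returns a list of problems."""
    problems = []
    if lo >= hi:
        problems.append("empty range")
    if lo < 16384 or hi > 32767:
        problems.append("outside 16384-32767")
    if hi - lo + 1 < min_ports:
        problems.append(f"fewer than {min_ports} ports")
    return problems

def summarize(flows):
    """Count flows per class: a quick check that an ACL-based policy catches everything."""
    counts = {}
    for f in flows:
        cls, _ = classify(f)
        counts[cls] = counts.get(cls, 0) + 1
    return counts

# Constructed sample flows (not captured from a real network).
SAMPLE_FLOWS = [
    Flow("udp", 49152, 1719),   # phone registering to the gatekeeper
    Flow("tcp", 40001, 1720),   # call setup to the CLAN
    Flow("udp", 20000, 30000),  # RTP inside the recommended range
    Flow("tcp", 5010, 33000),   # IPSI control from a port network
    Flow("tcp", 50000, 443),    # unrelated HTTPS
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, classify(f))
    print(summarize(SAMPLE_FLOWS))
    print(validate_rtp_range(2048, 65535))
```

Anything that lands in "other" is traffic the edge policy would leave at best effort; with the phones' default 2048-65535 RTP range the UDP match becomes so wide that almost any UDP flow would be marked 46, which is why the deck recommends narrowing the range.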
  • 21. Cisco Inspection Features
    These features attempt to inspect the H.323 message content to validate the message.
      (no) fixup protocol h323 (PIX)
      (no) ip inspect <name> h323 (IOS global)
      (no) ip inspect <name> {in|out} (IOS interface)
      (no) ip nat service h323 (IOS global)
      (no) ip nat service ras (IOS global)
    In the past, these features have often erroneously misinterpreted valid H.323 messages and message fragments and dropped them. Avaya H.323 messages are valid and should not be dropped. If Avaya IP phones fail to register for no apparent reason, check to see if these features are enabled. If so, disable them.
  • 22. Powering IP Phones
    Midspan: 6, 12, and 24 ports
    Local Power: 2 flavors – one with battery backup
    802.3af Compliant Ethernet Switch: Tested with Extreme, Foundry, 3COM, HP, Nortel, and others
    Cisco 3550 (3550-24PWR): Not “officially” supported by Cisco as an 802.3af compliant switch but it works with most Avaya IP phones (4602*, 4610, 4620, 4630SW, and 4612/24 with 30A switch base). Note: 4602 telephones in H.323 mode require the “power inline delay shutdown” command to work correctly. http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/ciscoilp.pdf
    802.3af Cisco Ethernet switches:
      6148, 6148X2, and 6548 blades (6348 not upgradeable)
      4248 (10/100) and 4548 (10/100/1000) blades (4148 not upgradeable)
      3560 (3560-24PS & 3560-48PS)
      3750 (3750-24PS & 3750-48PS)
      Note: The 48 port versions of the 3560 & 3750 have over-subscribed power supplies and can only power 24 ports at full power, 48 ports at half power, or anywhere in between. In other words be careful with class 0 or class 3 devices. The “E” versions of these switches do not have this limitation.
      4 and 9 port Etherswitch HWICs
      Plus other recent switches
    References:
      http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/poe-cisco.pdf
      Cat 6x00 series: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper0900aecd80233a77.shtml
      Cat 4x00 series: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_white_paper09186a00801f44be.shtml
      http://tools.cisco.com/cpc/launch.jsp
  • 23. IP Phone registration process
    [Diagram: message flow between the IP phone, the DHCP server, the TFTP/HTTP server and the call server.]
    1. DHCP Discover / Offer. The DHCP server offers: IP ADDR, Subnet Mask, Default Gateway, and a Site Specific Option carrying GateKeeper IP Addr (8), GateKeeper Port, QoS Parameters, TFTP/HTTP Address (8).
    2. TFTP Get / TFTP Put. The TFTP/HTTP server puts: Boot Code (First Time), Application Code (First Time), Config (QoS).
    3. Registration, Admission, Status (H.323 RAS) and Feature Functionality. The user enters Extension and Password; the call server validates Extension and Password and provides access to media and Feature / Functionality.
  • 24. Separate Voice / Data VLANs
    [Diagram: the PC behind the IP phone sends untagged packets on the “Data” VLAN = 10; the phone sends tagged packets on the “Voice” VLAN = 100, so the switch port carries tagged and untagged packets. Traffic toward the C-LAN and Media Processor (and the PSTN behind them) is classified by 802.1p/Q, DSCP, or Port Range.]
  • 25. DHCP Process – Dual VLAN
    1. The phone sends a DHCP Discover untagged. The DHCP Server offers an IP address in VLAN 10 with IP ADDR, Subnet Mask, Default Gateway and Site Specific Option (176) carrying GateKeeper IP Addr (8), GateKeeper Port, QoS Parameters: VLAN = 100, TFTP/HTTP Address (8).
    2. The phone sends a DHCP Release for the VLAN 10 address.
    3. The phone sends a DHCP Discover using VLAN tagging (100). The DHCP Server offers an IP address in VLAN 100.
    4. The user PC's DHCP Discover (untagged) is answered with an IP address in VLAN 10.
    Note: Starting with 1.8 telephone firmware, phones will “remember” the voice VLAN and will not need to go back to the native VLAN unless they are moved to a different subnet.
  • 26. Cisco IOS switch configs for dual VLANs
    IOS based switch (alternative method):
      interface FastEthernet0/10
       switchport trunk encapsulation dot1q
       switchport trunk native vlan <data vlan>
       switchport trunk allowed vlan 1,<data vlan>,<voice vlan>
       switchport mode trunk
       switchport nonegotiate
       no cdp enable
       spanning-tree portfast trunk
    IOS based switch (recommended method):
      interface FastEthernet0/24
       switchport host
       switchport nonegotiate
       switchport access vlan <data vlan>
       switchport voice vlan <voice vlan>
       no cdp enable
    Note: “switchport host” sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping (EtherChannel).
  • 27. Cisco CatOS switch configs for dual VLANs
    CatOS based switch (alternative method):
      set port channel 1/1 off
      set spantree portfast enable trunk
      set cdp disable 1/1
      set vlan <data vlan> 1/1
      set trunk 1/1 nonegotiate dot1q
      clear trunk 1/1 1-9,11-19,21-1005
    Notes: “nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. The data and voice VLANs are omitted in the “clear trunk” statement (10 and 20 in this example).
    CatOS based switch (recommended method):
      set port host 1/1
      set cdp disable 1/1
      set vlan <data vlan> 1/1
      set port auxiliaryvlan 1/1 <voice vlan>
    Note: “set port host” sets channel mode (EtherChannel) to off, enables spanning tree PortFast, sets trunk mode to off, and disables the dot1q tunnel feature.
  • 28. Trust Preference Exception
    If the PC attached to the IP phone sends tagged Ethernet frames and cannot be trusted, apply the following to the 46xxsettings.txt file:
      SET VLANSEP 1
      SET PHY2VLAN <value> (typically 0)
      SET PHY2PRIO <value> (typically 0)
    All tagged frames coming from the PC are re-written with the two values specified. As of 46xx H.323 firmware R2.4, and 96xx H.323 firmware R1.1.
    Then classify based on 802.1p:
      mls qos trust cos (IOS interface command)
      In order for the Cisco switch to re-tag DSCP based on 802.1p values use: “mls qos map cos-dscp 0 8 16 24 32 40 46 56”
      set port qos <mod/port> trust trust-cos (CatOS command)
  • 29. Link Layer Discovery Protocol (LLDP) (aka 802.1ab)
    IEEE standard for device discovery (like CDP but standards based)
    LLDP-MED (Media Endpoint Discovery) (ANSI/TIA-1057) is an extension to LLDP specifically for VoIP applications.
    LLDP and LLDP-MED have more information content than CDP, allowing for advanced features
    Type-Length-Value (TLV) elements used to communicate values
    Supported on: 46xx R2.6 (August 2006) and later versions; 96xx R1.2 (January 2007) and later versions
  • 30. LLDP TLV’s for Avaya IP Telephones
  • 31. LLDP TLV’s for Avaya IP Telephones (continued) Note: Documented in the LAN Admin Guide for the 4600/9600 telephones.
  • 32. LLDP on Cisco Switches and Interoperability with Avaya Telephones
    LLDP is supported in Cisco 2960, 3560, and 3750 switches with IOS 12.2(37)SE as of May 2007. http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a008081da9e.html
    Supported in 4500’s 12.2(44)SG http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_5184.html
    Supported in 6500’s as of August 2007 in 12.2(33)SXH (Sup32/Sup720) http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html
    Enabled by default in earlier versions 12.2(37) and 12.2(40) on 2960, 3560, and 3750 http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/scg1.html
    Disabled by default in 12.2(44) http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/scg.html
    What works today: Can be used to learn information about the phone and troubleshoot. Display model, serial number, HW/FW versions, MAC address, speed/duplex, voice VLAN, and 802.1p/DSCP tags.
    What doesn’t work today: Currently the phones do not report detailed power information to the switch (802.3af class is used). Currently the phones can not learn the voice VLAN using LLDP; DHCP must still be used. Avaya uses the LLDP “VLAN Name” TLV (Type-Length-Value) that is an optional part of the core 802.1AB/LLDP standard. Cisco uses the LLDP-MED TLV called “Network Policy”. 46XX fix targeted for release 2.9 (~August 2008); 96XX fix targeted for Spring 2009.
  • 33. LLDP – “show lldp neighbor”
    c3560#show lldp neigh
    Capability codes:
        (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
        (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
    Device ID           Local Intf     Hold-time  Capability      Port ID
    AVA5096F3           Fa0/23         120        B,T             0004.0d50.96f3
    AVAEBBD65           Fa0/24         120        B,T             0004.0deb.bd65
    Total entries displayed: 2
  • 34. LLDP – “show lldp neighbor detail” (Part 1 of 2)
    c3560#show lldp neigh det
    Chassis id: 135.20.73.72
    Port id: 0004.0d50.96f3
    Port Description - not advertised
    System Name: AVA5096F3
    System Description - not advertised
    Time remaining: 100 seconds
    System Capabilities: B,T
    Enabled Capabilities: B,T
    Management Addresses:
        IP: 135.20.73.72
        OID: 2B 06 01 04 01 FF 69 01 45 01 0D
    Auto Negotiation - supported, enabled
    Physical media capabilities:
        10base-T(HD)
        10base-T(FD)
        100base-TX(HD)
        100base-TX(FD)
        Pause(FD)
        Symm Pause(FD)
    Media Attachment Unit type: 16
  • 35. LLDP – “show lldp neighbor detail” (Part 2 of 2)
    MED Information:
        MED Codes:
              (NP) Network Policy, (LI) Location Identification
              (PS) Power Source Entity, (PD) Power Device
              (IN) Inventory
        H/W revision: 4625D01A
        F/W revision: b25d01a2_7.bin
        S/W revision: a25d01a2_7.bin
        Serial number: 051618400158
        Manufacturer: Avaya
        Model: 4625
        Capabilities: NP, IN
        Device type: Endpoint Class III
        Network Policy(Voice): VLAN dot1p, tagged, Layer-2 priority: 6, DSCP: 46
        Power requirements - not advertised
    ---------------------------------------------
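The two slides above show what a switch learns from an Avaya phone over LLDP-MED, and the "what works today" slide lists inventory and troubleshooting as the practical uses. As an added example (my code, not from the deck or from Cisco/Avaya), the following parses that same output, pulls out the inventory fields, and checks the advertised voice network policy against the values the deck's switch-side QoS configuration assumes (Layer-2 priority 6 mapped to DSCP 46). The sample text is copied from the two slides; the field names and the checker are mine.

```python
# Added example, not from the original deck: parse the "show lldp neighbor detail"
# output shown on the previous two slides and check the advertised voice policy
# against the values the deck expects (Layer-2 priority 6, DSCP 46). The sample
# text below is copied from the deck's slides; the checker and field names are mine.
import re

SAMPLE_OUTPUT = """\
Chassis id: 135.20.73.72
Port id: 0004.0d50.96f3
Port Description - not advertised
System Name: AVA5096F3
System Description - not advertised
Time remaining: 100 seconds
System Capabilities: B,T
Enabled Capabilities: B,T
Management Addresses:
    IP: 135.20.73.72
    OID: 2B 06 01 04 01 FF 69 01 45 01 0D
Auto Negotiation - supported, enabled
Physical media capabilities:
    10base-T(HD)
    10base-T(FD)
    100base-TX(HD)
    100base-TX(FD)
    Pause(FD)
    Symm Pause(FD)
Media Attachment Unit type: 16
MED Information:
    MED Codes:
          (NP) Network Policy, (LI) Location Identification
          (PS) Power Source Entity, (PD) Power Device
          (IN) Inventory
    H/W revision: 4625D01A
    F/W revision: b25d01a2_7.bin
    S/W revision: a25d01a2_7.bin
    Serial number: 051618400158
    Manufacturer: Avaya
    Model: 4625
    Capabilities: NP, IN
    Device type: Endpoint Class III
    Network Policy(Voice): VLAN dot1p, tagged, Layer-2 priority: 6, DSCP: 46
    Power requirements - not advertised
---------------------------------------------
"""

POLICY_RE = re.compile(r"Layer-2 priority:\s*(\d+),\s*DSCP:\s*(\d+)")

def parse_lldp_neighbor_detail(text):
    """Turn the 'key: value' lines into a dict; fields the neighbor did not
    advertise map to None. Also decodes the LLDP-MED voice network policy."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        if line.endswith("- not advertised"):
            info[line[: -len("- not advertised")].strip()] = None
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips section headers such as "MED Information:"
            info[key.strip()] = value.strip()
    policy = info.get("Network Policy(Voice)")
    if policy:
        m = POLICY_RE.search(policy)
        info["voice_l2_priority"] = int(m.group(1)) if m else None
        info["voice_dscp"] = int(m.group(2)) if m else None
        info["voice_tagged"] = "tagged" in policy and "untagged" not in policy
    return info

def check_voice_policy(info, expected_priority=6, expected_dscp=46):
    """Return the list of mismatches between what the phone advertises and
    what the switch QoS policy (cos-dscp map, trust cos) assumes."""
    problems = []
    if info.get("voice_l2_priority") != expected_priority:
        problems.append(f"L2 priority {info.get('voice_l2_priority')} != {expected_priority}")
    if info.get("voice_dscp") != expected_dscp:
        problems.append(f"DSCP {info.get('voice_dscp')} != {expected_dscp}")
    if not info.get("voice_tagged"):
        problems.append("voice traffic not tagged")
    return problems

def inventory_row(info):
    """The fields the deck says LLDP is useful for today: vendor, model, serial, HW/FW."""
    return (info.get("Manufacturer"), info.get("Model"), info.get("Serial number"),
            info.get("H/W revision"), info.get("F/W revision"))

if __name__ == "__main__":
    phone = parse_lldp_neighbor_detail(SAMPLE_OUTPUT)
    print(inventory_row(phone))
    print(check_voice_policy(phone) or "voice policy matches switch expectations")
```

Run against the output of every access port, this turns the LLDP data into an inventory of phone firmware versions (useful for the "keep control over firmware versions" recommendation later in the deck) and flags any phone whose marking does not match the switch's cos-dscp map.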
  • 36. 802.1X Port-based Network Access Control
    802.1X requires a device to authenticate before it can receive any network services – security feature.
    Supported in 46xx H.323 firmware R2.6+ and 96xx H.323 firmware R1.1+
    [Diagram: IP phone with attached PC on switch port 1/1, with vlan 20 (voice) and vlan 10 (data).]
  • 37. Three Authentication Methods Single-Supplicant single-host. Single device authenticates and only that device is permitted access on the port. Single-Supplicant multi-host. Single device authenticates, and that opens up the port for multiple devices, without authentication. Single Supplicant could be IP phone or PC, with the other one piggybacking. Multi-Supplicant (most secure). Multiple devices authenticate on a single port. Only authenticated devices are permitted access.
  • 38. Avaya IP Telephone Supplicant Supports the MD5-Challenge EAP method (there are many EAP methods). Upon initial bootup, phone displays prompts for EAP ID and password. Default EAP ID is MAC address, minus separating colons, in upper case. EAP password is 12 numeric characters maximum. After initial provisioning, EAP ID and password are stored in flash (similar to extension and password). ID and password submitted automatically to Authenticator in authentication and re-authentication requests.
  • 39. Avaya 802.1X Interoperability with Cisco Switches
    Avaya document describing 802.1X feature and functionality in Avaya IP Telephones: http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf
    Avaya IP phones are 802.1X supplicants, and support multi-supplicant authentication. They also support passing through 802.1X credentials from the attached computer.
    Multi-supplicant authentication method is the most secure, requiring both the IP phone and the attached PC to authenticate independently.
    Avaya IP Telephones with 802.1X supplicant work well as a single device (no PC attached) with a Cisco switch. A multi-supplicant capability is required to be able to support both the phone and PC as supplicants.
    Cisco 3560 and 3750 switches support multi-supplicant (which Cisco calls Multidomain authentication (MDA)) in IOS 12.2(35)SE and later releases. http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00807743fb.html
    Cisco 4500 switches also support MDA in IOS 12.2(37)SG and later releases http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008082a244.html#wp1244094
    The Catalyst 6500 (using CatOS) supports a multi-supplicant mode but it does not support voice VLANs in that mode.
    Note: Cisco IP phones are not 802.1X Supplicants. They become trusted devices via CDP. http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a008048e0d6.html
  • 40. Cisco CatOS 802.1X – Single-Supplicant
    Switch
      set port host 1/1
      set cdp disable 1/1
      set vlan 10 1/1
      set port auxiliaryvlan 1/1 20
      set port dot1x port-control auto
      set port dot1x multiple-host enable
      set port dot1x re-authentication enable
    “port-control auto” means 802.1x controls the port.
    “multiple-host enable” means a single authenticated Supplicant enables access to multiple hosts.
    “re-authentication enable” means the Supplicant has to re-authenticate periodically.
  • 41. Cisco IOS 802.1X – Single-Supplicant
    Switch
      interface FastEthernet1/1
       switchport host
       switchport nonegotiate
       switchport access vlan 10
       switchport mode access
       switchport voice vlan 20
       no cdp enable
       dot1x port-control auto
       dot1x multi-hosts
       dot1x reauthentication
    Note: These commands are analogous to the CatOS commands in the previous slide.
  • 42. Cisco IOS 802.1X – Multi-Domain Authentication
    interface FastEthernet1/0/1
     switchport mode access
       The port is set to access unconditionally and operates as a non-trunking, single VLAN interface.
     switchport access vlan 89
       Configure the interface as a static access port with the VLAN ID of the access mode VLAN (data VLAN).
     switchport voice vlan 88
       The VLAN to be used for voice traffic.
     dot1x pae authenticator
       (default dot1x value displayed by switch)
     dot1x port-control auto
       Enable IEEE 802.1x authentication on the port and cause the port to change to the authorized or unauthorized state based on the IEEE 802.1x authentication exchange.
     dot1x host-mode multi-domain
       Enable MDA on a switch port.
     dot1x reauthentication
       Enables periodic re-authentication of the client.
     dot1x timeout reauth-period 30
       Set the number of seconds between re-authentication attempts.
    These commands are analogous to the CatOS commands in the previous slide.
    http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/802_1x_ciscomda.pdf
  • 43. Bandwidth Usage
    Station idle BW for an IP Phone = 55bps
    H.248 GW (e.g. G700) idle BW = 55bps
    IPSI GW (e.g. G650) idle BW = 11kbps
    Incremental signaling per call ~ 4000 Octets
    Signaling factors: # of users, Link Type, Call Type, # of call attempts
  • 44. BHCC vs IPSI Bandwidth
    The simulated call scenario is a general business case. BHCC IPSI bandwidth is based on 150 IP endpoints originating and answering 10 second duration ISDN trunk calls.
  • 45. IPSI Bandwidth
    BHCC | Per PN Usage | Per Station Average IPSI Bandwidth (Kbps) full duplex | Average IPSI TCP/IP packets per second
    1K | Light Traffic | 17.3 Kbps | 21
    2.5K | | 30.5 Kbps | 37
    5K | Moderate Traffic | 52.2 Kbps | 61
    7.5K | | 73.8 Kbps | 85
    10K | Heavy Traffic | 83.5 Kbps | 107
  • 46. IPSI Bandwidth Provisioning
    A general rule of thumb for IPSI Control traffic bandwidth allocation is to add an additional 64Kbps of signaling bandwidth to the minimum required bandwidth in order to manage peak (burst) traffic loads and either round up or down to the nearest DS0. For example, for 5K busy hour calls using encrypted PPP links to control remote port networks, as described in the previous example, you would guarantee 128Kbps (69.3Kbps + 64Kbps) for IPSI signaling bandwidth across the WAN link.
    BHCC | Ethernet | PPP | MLPPP | Frame Relay
    1K | 64Kbps | 64Kbps | 64Kbps | 64Kbps
    1K w/ encryption | 64Kbps | 64Kbps | 64Kbps | 64Kbps
    2.5K | 128Kbps | 128Kbps | 128Kbps | 128Kbps
    2.5K w/ encryption | 128Kbps | 128Kbps | 128Kbps | 128Kbps
    5K | 128Kbps | 128Kbps | 128Kbps | 128Kbps
    5K w/ encryption | 128Kbps | 128Kbps | 128Kbps | 128Kbps
    >=7.5K | 192Kbps | 192Kbps | 192Kbps | 192Kbps
    >=7.5K w/ encryption | 192Kbps | 192Kbps | 192Kbps | 192Kbps
  • 47. Voice Bearer Bandwidth
    Codec | Data Rate (kbps) | Packet Size (ms) | Voice Sample (Bytes) | Redncy. | IP (Kbps) | IPsec (Kbps) | Ethernet on the wire: IP (Kbps) | Ethernet: IP + 802.1Q (Kbps) | Ethernet: IPsec + 802.1Q (Kbps) | FR (Kbps) | ATM AAL5 (Kbps) | PPP (Kbps)
    SPEECH
    G.711 | 64 | 20 | 160 | | 80.0 | 102.8 | 87.2 | 88.0 | 110.8 | 82.4 | 106.0 | 83.2
    G.726 | 40 | 20 | 100 | | 56.0 | 78.8 | 63.2 | 64.0 | 86.8 | 58.4 | 84.8 | 59.2
    G.729 | 8 | 20 | 20 | | 24.0 | 46.8 | 31.2 | 32.0 | 54.8 | 26.4 | 42.4 | 27.2
    G.723 | 5.3 | 30 | 20 | | 16.0 | 31.2 | 20.8 | 21.3 | 36.5 | 17.6 | 28.3 | 18.1
    WIDE BAND
    G.722 | 64 | 10 | 80 | | 96.0 | 141.6 | 110.4 | 112.0 | 157.6 | 100.8 | 127.2 | 102.4
    G.722.1 | 24 | 20 | 60 | | 40.0 | 62.8 | 47.2 | 48.0 | 70.8 | 42.4 | 63.6 | 43.2
    Siren14 | 24 | 20 | 60 | | 40.0 | 62.8 | 47.2 | 48.0 | 70.8 | 42.4 | 63.6 | 43.2
    FoIP
    T.38 | 9.6 | 30 | 36 | 0 | 17.6 | 32.8 | 22.4 | 22.9 | 38.1 | 19.2 | 28.3 | 19.7
    Fax Relay | 9.6 | 30 | 36 | 0 | 20.3 | 35.5 | 25.1 | 25.6 | 40.8 | 21.9 | 28.3 | 22.4
    Pass Thru | 64 | 10 | 80 | 0 | 96.0 | 141.6 | 110.4 | 112.0 | 157.6 | 100.8 | 127.2 | 102.4
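The table above and the WAN slide's rules ("keep in mind L2 overhead", voice at most 75% of the link, size the LLQ priority queue) come together in one calculation, so here is an added example (my code, not the deck's or Avaya's) that reproduces the IP, Ethernet, Frame Relay, ATM AAL5 and PPP columns for the speech and wideband codecs from the codec rate and packetization interval, then sizes a priority queue the way the sample LLQ configuration does (priority 768 on a T1). The layer-2 overhead constants are my assumptions chosen to match the table, which does not state them; the IPsec and 802.1Q columns are not reproduced because their overhead in the table is not derivable from the figures shown.

```python
# Added example, not from the original deck: reproduce the per-codec "on the wire"
# bandwidth columns of the Voice Bearer Bandwidth table from first principles and
# size an LLQ priority queue with the deck's 75% rule. The layer-2 overhead
# constants are my assumptions chosen to match the table (the table itself does
# not state them); IPsec is left out because its overhead depends on the cipher.
IP_UDP_RTP = 40            # 20 IP + 8 UDP + 12 RTP header bytes
ETHERNET = 18              # 14 header + 4 FCS; preamble and gap not counted
FRAME_RELAY = 6            # flags, 2-byte address, FCS
PPP = 8                    # HDLC-framed PPP header and FCS
AAL5_TRAILER, ATM_CELL, ATM_PAYLOAD = 8, 53, 48

def payload_bytes(codec_kbps, packet_ms):
    """Voice sample bytes per packet, e.g. G.711 at 20 ms -> 160."""
    return round(codec_kbps * packet_ms / 8)

def _kbps(frame_bytes, packet_ms):
    return round(frame_bytes * 8 / packet_ms, 1)

def bearer_bandwidth(codec_kbps, packet_ms):
    """One-direction bandwidth of a single call on each link type."""
    ip_packet = payload_bytes(codec_kbps, packet_ms) + IP_UDP_RTP
    cells = -(-(ip_packet + AAL5_TRAILER) // ATM_PAYLOAD)   # ceiling division
    return {
        "ip": _kbps(ip_packet, packet_ms),
        "ethernet": _kbps(ip_packet + ETHERNET, packet_ms),
        "frame_relay": _kbps(ip_packet + FRAME_RELAY, packet_ms),
        "ppp": _kbps(ip_packet + PPP, packet_ms),
        "atm_aal5": _kbps(cells * ATM_CELL, packet_ms),
    }

def voice_budget_kbps(link_kbps, max_fraction=0.75):
    """Deck rule: voice should not consume more than 75% of the link."""
    return link_kbps * max_fraction

def calls_in_priority_queue(priority_kbps, per_call_kbps):
    """How many simultaneous calls fit in an LLQ 'priority <kbps>' class."""
    return int(priority_kbps // per_call_kbps)

CODECS = {  # codec -> (data rate kbps, packetization ms), from the table
    "G.711": (64, 20), "G.726": (40, 20), "G.729": (8, 20),
    "G.723": (5.3, 30), "G.722": (64, 10), "G.722.1": (24, 20),
}

if __name__ == "__main__":
    for name, (rate, ms) in CODECS.items():
        print(name, bearer_bandwidth(rate, ms))
    # The deck's sample LLQ config reserves 'priority 768' on a T1 (1536 kbps payload).
    per_call = bearer_bandwidth(8, 20)["ppp"]
    print("G.729 calls in 768 kbps priority queue:", calls_in_priority_queue(768, per_call))
    print("768 kbps within the 75% budget of a T1:", 768 <= voice_budget_kbps(1536))
```

The number of calls that fit in the priority queue is the figure to feed into Call Admission Control: the deck's point is that LLQ protects the calls already admitted, and CAC is what stops the next call from pushing the queue past its limit and degrading all of them.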
  • 48. Video Bearer Bandwidth (Traditional Video) Just as with voice codecs the bandwidth consumed “on the wire” is greater than the bandwidth used by the application because of protocol (IP/UDP) overhead. Calculate 15% to 20% for additional overhead. Also remember that video traffic is bursty and not constant like voice.
  • 49. DSP Resource Capacity
    Board | Code Name | DSP | Channels | Audio: G.711 | G.729 | G.723 | G.726 | FoIP & MoIP: T.38 | Fax Relay | Pass Through
    TN2303AP HW3 | Prowler | 8 DSP, 1 Core ea (8 channels/core) | 64 | 64 | 32 | 32 | N/A | 16 | 16 | 64
    TN2303AP HW11+ | Cruiser | 2 DSP, 4 Cores ea (8 channels/core) | 64 | 64 | 32 | 32 | N/A | 16 | 16 | 64
    MM760 | | 2 DSP, 4 Cores ea (8 channels/core) | 64 | 64 | 32 | 32 | 32 | 16 | 16 | 64
    G700's VoIP | | 2 DSP, 4 Cores ea (8 channels/core) | 64 | 64 | 32 | 32 | 32 | 16 | 16 | 64
    G350's VoIP | | 2 DSP, 2 Cores ea (8 channels/core) | 32 | 32 | 16 | 16 | 16 | 8 | 8 | 32
    G250's VoIP | | 2 DSP, 2 Cores ea (8 channels/core) | 10 | 10 | 10 | 10 | 10 | | |
    TN2602 | Crossfire | 4 DSP, 4 Cores ea (20 channels/core) | 320 | 320 | 320 | N/A | 320 | 320 | 320 | 320
  • 50. Security and Stability Features on the Cisco network
    These are features provided by the Cisco network which you can take advantage of whether using Cisco IP Telephony or Avaya IP Telephony.
    BPDU guard: Protects against Spanning Tree instability caused by unauthorized/rogue devices. When a port with BPDU guard receives a BPDU, it is put into errdisable state.
    Root guard: Prevents other switches, including unauthorized/rogue switches, from becoming root.
    Dynamic ARP Inspection (DAI): Prevents ARP spoofing and man-in-the-middle attacks, for both static and dynamic IP addresses, without requiring any changes on the end hosts. ARP requests are rate-limited and ARPs are checked to ensure legitimacy. Violations can cause ports to shut down temporarily or permanently.
    IP Source Guard: Ensures packets’ IP and MAC addresses are legitimate using the DHCP snooping binding table. This feature dynamically prevents impersonation attacks (IP spoofing).
    DHCP Snooping: Prevents unauthorized/rogue DHCP servers from handing out bogus IP addresses.
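DHCP Snooping, DAI and IP Source Guard are one mechanism seen from three sides: snooping builds the binding table, DAI checks ARP against it, IP Source Guard checks ordinary packets against it. The following is an added example (my code, a model of the behaviour described above, not Cisco's implementation or anything from the deck) that runs those checks over constructed traffic, including the per-port ARP rate limit and the err-disable outcome the slide mentions. The binding rows, the PC's addresses and the 15 pps limit are example values of mine; the phone MAC and IP are the ones shown in the deck's LLDP output. Hosts with static addresses would appear as additional binding rows.

```python
# Added example, not from the original deck: a model of how DHCP snooping,
# Dynamic ARP Inspection and IP Source Guard relate, run over constructed
# traffic. The binding table rows, the PC's addresses and the 15 pps ARP rate
# limit are example values of mine; the phone MAC and IP are the ones in the
# deck's LLDP output. Real switches also accept static bindings for hosts
# without DHCP leases; they would simply be extra Binding rows here.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one row of the DHCP snooping binding table
    vlan: int
    port: str
    mac: str
    ip: str

@dataclass(frozen=True)
class ArpPacket:
    ts: float           # seconds, for the per-port rate limit
    vlan: int
    port: str
    sender_mac: str
    sender_ip: str

class SnoopingTable:
    def __init__(self, bindings):
        self._rows = defaultdict(set)
        for b in bindings:
            self._rows[(b.vlan, b.port)].add((b.mac.lower(), b.ip))

    def is_bound(self, vlan, port, mac, ip):
        return (mac.lower(), ip) in self._rows[(vlan, port)]

def dai_permits(table, pkt):
    """DAI: the ARP sender MAC/IP pair must be in the binding table for the ingress VLAN and port."""
    return table.is_bound(pkt.vlan, pkt.port, pkt.sender_mac, pkt.sender_ip)

def ip_source_guard_permits(table, vlan, port, src_mac, src_ip):
    """IP Source Guard: the same lookup applied to the source of ordinary IP packets."""
    return table.is_bound(vlan, port, src_mac, src_ip)

def inspect_arp_stream(table, packets, rate_limit_pps=15):
    """Apply DAI to a sequence of ARP packets on untrusted ports: per-port rate
    limit (one-second buckets) first, then the binding check. A port that
    exceeds the limit is err-disabled and drops everything after that."""
    counts = defaultdict(int)
    disabled = set()
    verdicts = []
    for pkt in packets:
        if pkt.port in disabled:
            verdicts.append("drop: port err-disabled")
            continue
        bucket = (pkt.port, int(pkt.ts))
        counts[bucket] += 1
        if counts[bucket] > rate_limit_pps:
            disabled.add(pkt.port)
            verdicts.append("err-disable: ARP rate limit exceeded")
        elif dai_permits(table, pkt):
            verdicts.append("permit")
        else:
            verdicts.append("drop: sender not in binding table")
    return verdicts

# Constructed data: a phone on the voice VLAN and a PC on the data VLAN share port Fa0/24.
PHONE = Binding(100, "Fa0/24", "00:04:0d:50:96:f3", "135.20.73.72")
PC = Binding(10, "Fa0/24", "aa:bb:cc:dd:ee:01", "10.10.10.50")
TABLE = SnoopingTable([PHONE, PC])

SAMPLE_ARPS = [
    ArpPacket(0.0, 100, "Fa0/24", "00:04:0d:50:96:f3", "135.20.73.72"),  # phone, legitimate
    ArpPacket(0.1, 10, "Fa0/24", "aa:bb:cc:dd:ee:01", "10.10.10.50"),    # PC, legitimate
    ArpPacket(0.2, 10, "Fa0/24", "aa:bb:cc:dd:ee:01", "10.10.10.1"),     # PC claims the gateway's IP
    ArpPacket(0.3, 100, "Fa0/23", "00:04:0d:eb:bd:65", "135.20.73.73"),  # device with no lease on Fa0/23
] + [  # a burst of 16 ARPs within one second from Fa0/23
    ArpPacket(1.0 + i / 100, 100, "Fa0/23", "00:04:0d:eb:bd:65", "135.20.73.73") for i in range(16)
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_ARPS, inspect_arp_stream(TABLE, SAMPLE_ARPS)):
        print(f"{pkt.ts:5.2f} {pkt.port} {pkt.sender_ip:<14} {verdict}")
    print(ip_source_guard_permits(TABLE, 10, "Fa0/24", "aa:bb:cc:dd:ee:01", "10.10.10.1"))
```

The third sample packet is the case the slide is about: a host on the data VLAN answering ARP for the default gateway's address would sit in the path of every phone's traffic, and the binding check drops it without any configuration on the phones or PCs. The model also shows why the binding table must exist before DAI is turned on: a phone whose lease predates snooping has no row and is dropped exactly like the device on Fa0/23.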
  • 51. Security and Stability Features on the Cisco network (part 2)
    Port Security: Prevents MAC flooding attacks by limiting the number of MAC addresses that can appear on a port. MACs are flushed after 5 minutes when a device is disconnected and re-learned when a device is plugged in. Violations can shut down an offending port, and its phone, for a pre-defined lock-down period, or permanently.
    VLAN Access Control Lists, or VACLs: Same as Access Control Lists (ACL) but within a vlan (within a subnet) instead of between vlans (between subnets, across a L3 boundary). Permits tighter control of traffic within a vlan. Traditionally, traffic had to cross a L3 boundary to get filtered through an ACL.
    Traffic Policing: Limits the amount of traffic allowed. Traffic can be policed at an aggregate level per port, per VLAN, or per flow - a new feature called MicroFlow Policing can police traffic per source and destination IP address. Extremely effective in throttling Denial-Of-Service attacks, where high volumes of traffic are flooded to a target node.
  • 52. Management
    Capabilities built into the system
      SNMP Support on Communication Manager: Versions 1, 2, and 3. Major and minor alarms sent out as SNMP traps (with ability to filter in CM 3.1+). MIB for access to certain operational information and counters.
      SNMP Support for IP sets: Disabled by default. Read only MIB. Ability to designate which SNMP managers can query it.
      Syslog coming in CM 4.0
    Additional tools available
      VoIP Monitoring Manager: Jitter, Delay and Packet Loss collection and thresholds
      Converged Network Analyzer: Active discovery and monitoring using agents built into phones and gateways. Optional capability of re-routing at sub-second speed for multi-path networks.
      Fault and Performance Manager: System status view and reports
  • 53. Best Practices: Recommendations
    Ethernet port setup
      Servers and TN boards: Configure as access ports and trust DSCP. Set speed and duplex to 100/Full (except for a few rare exceptions like TN799C and MapD that only support 10Mb). Set description on port to match device (example: “CLAN 1A12”).
      Gateways (G250, G350, G700): Set speed and duplex to 100/Full. If being used as a voice gateway only, configure the connection as an access port. If being used as an Ethernet switch connecting to a Cisco switch or router, configure the connection as a trunk port (to support multiple VLANs).
      Telephones: Configure using voice VLAN (auxiliary VLAN in CatOS). Set speed and duplex to auto. Trust DSCP or COS.
    Define a standard port range for RTP/RTCP. Use values between 16384 and 32767. Define at least 1280 ports.
    Use Call Admission Control to protect against bandwidth overrun for remote sites (any sites with constrained bandwidth).
    Maintain correlation between a physical site and network region. Exception: regions used for dedicated CLAN connectivity (such as CMS).
  • 54. Best Practices: Recommendations IPSI connected gateways are more sensitive to packet loss compared to H.248 gateways Use CM 3.1.4+ since several enhancements were made with 3.1.3 http://support.avaya.com/japple/css/japple?temp.documentID=308584&temp.productID=136527&temp.releaseID=282185&temp.bucketID=162024&PAGE=Document Diverse network routes are recommended CNA Adaptive Path Control (license included for 1000+ station CM 4.0 systems) ideal Static routes and/or policy routing may be used as well Evaluate connectivity, outages, SLA’s for WAN circuits Consider Converged Network Analyzer for reporting and for path control for sites with multiple circuits. Remember carrier SLA’s are usually averaged to a 5 minute period. Consider a method to keep control over software and firmware versions Maintain all firmware consistent within each system (gateways, circuit packs, phones, etc.) Try to maintain consistency between several systems as much as possible Consider upgrading older systems as new systems are added or changed. Have a lab system where new versions of software/firmware as well as new features can be tested.
  • 55. Recommendations Example of table to track versions…
  • 56. Other Resources Avaya Avaya IP Voice Quality Network Requirements (EF-LB1500-02) http://support.avaya.com/elmodocs2/audio_quality/lb1500-02.pdf Security Documentation http://support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=SecurityDocumentation All Cisco related app notes (can search within results) http://www.avaya.com/gcm/master-usa/en-us/resource/filter.htm&Filter=Type:Application%20Notes;CollectionSearch:cisco Cisco Documentation Enterprise QoS Solution Reference Network Design Guide Version 3.3 http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf
  • 57. Conference Rates
    ● Audio pool: The audio pool contains bandwidth for all audio calls, including the audio component of multimedia calls.
    ● Normal video pool: The normal video pool contains bandwidth for the video portion of a call made by a normal (non-priority) video user. You can set this pool to be shared. When this pool is shared, audio-only calls are allowed to borrow bandwidth from this pool.
    ● Priority video pool: The priority video pool contains bandwidth that is dedicated to priority video users only. Audio calls and normal video users are not allowed to borrow bandwidth from this pool. However, if all of the priority video pool bandwidth is currently in use, priority video users can borrow bandwidth from the normal video pool, if available.
  • 58. Avaya IP Telephony on a Cisco Infrastructure Sung Moon
  • 59. Themes Which features are inherent in the network infrastructure? Features that are present in the network, regardless of the application using the network. Which features are inherent in the application? Features that are present in the application, regardless of the network infrastructure being used. What dependencies exist between the two? Features that require interaction between the application and the network infrastructure. What conflicts exist between the two? Features that should be disabled because they are disruptive or irrelevant to the other device.
  • 60. Baseline This session assumes that, from a fundamental networking standpoint, the enterprise networking staff has followed Cisco’s best practices and guidelines, and has established a sound underlying network. Those of you who have access to Cisco Networkers material, see “RST-2031 Multilayer Campus Architectures and Design Principles.” The topics covered in this session are additional best practice items to integrate the Avaya solution into a sound Cisco network infrastructure. This session does not cover every possible way to implement, or poorly implement, the underlying Cisco network.
  • 61. General References Avaya IP Telephony Implementation Guide – Communication Manager r5.X http://support.avaya.com/elmodocs2/comm_mgr/r5.0/doccd/avayadoc/245600_6.pdf Catalyst 6500 Series Command Reference Release 7.6 Catalyst 6500 Series Switch Cisco IOS Command Reference Release 12.2SX
  • 63. Cisco Network Security Features – Application Agnostic These Network Features Work with both the Cisco and Avaya IP Telephony Solutions
  • 64. BPDU Guard and Root Guard BPDU guard protects against Spanning Tree instability caused by unauthorized/rogue devices. When a port with BPDU guard receives a BPDU, it is put into errdisable state. Root guard prevents other switches, including unauthorized/rogue switches, from becoming root. These network features work whether the IP telephony application is Cisco or Avaya.
  • 65. Port Security Prevents MAC flooding and mitigates unauthorized access on a port by… Limiting the number of MAC addresses that can access the port. Permitting only a specific MAC address or addresses to access the port. This network feature works whether the IP telephony application is Cisco or Avaya.
  • 66. DHCP Snooping Limits DoS attacks on authorized DHCP servers by rate-limiting the number of DHCP requests on a port. Prevents unauthorized/rogue DHCP servers from handing out bogus IP addresses. This network feature works whether the IP telephony application is Cisco or Avaya.
  • 67. Dynamic ARP Inspection Protects against ARP poisoning by dropping bogus gratuitous ARPs. Limits ARP flooding and port scanning by rate-limiting ARP requests from client ports. This network feature works whether the IP telephony application is Cisco or Avaya.
  • 68. IP Source Guard Protects against IP address spoofing on a port, by only permitting traffic sourced from the IP address assigned by the DHCP server. This network feature works whether the IP telephony application is Cisco or Avaya.
  • 69. VLAN Access Control Lists (VACL) Same as Access Control Lists (ACL) but within a vlan (within a subnet) instead of between vlans (between subnets, across a L3 boundary). Permits tighter control of traffic within a vlan. Traditionally, traffic had to cross a L3 boundary to get filtered through an ACL. This network feature works whether the IP telephony application is Cisco or Avaya.
  • 70. Summary These Cisco network security features work whether the IP telephony application is Cisco or Avaya. BPDU guard and root guard. Port security. DHCP snooping. Dynamic ARP inspection. IP source guard. VACL. There are many others, but these are some of the features.
  • 71. Key Points Separate the network features from the IP telephony features. Don’t falsely attribute network benefits to the IP telephony solution. If a Cisco network feature provides value with a Cisco IP telephony solution, it will also provide value with an Avaya IP telephony solution. Also, don’t falsely attribute network faults to the IP telephony solution.
  • 72. Other Cisco Network Features Some That We Don’t Need or Want Some That Interfere with Our Signaling One That We Do Want
  • 73. Cisco Features We Don’t Need or Want on the Ports Connected To Avaya Devices EtherChannel Primarily for switch-to-switch links. Comparable to the 802.3ad link aggregation standard. Cisco CatOS negotiates this by default. Dynamic Inter-Switch Link Protocol (DISL) and Dynamic Trunking Protocol (DTP) Used between Cisco switches (proprietary) to negotiate trunking and trunk encapsulation. Enabled by default when trunking is enabled. Cisco Discovery Protocol (CDP) For information exchange between Cisco devices (proprietary). Enabled by default, but Cisco’s security group considers this a risk since CDP reveals quite a bit of information in clear text.
  • 74. Cisco Inspection Features These features attempt to inspect the H.323 message content to validate the message.
    (no) fixup protocol h323 (PIX)
    (no) ip inspect <name> h323 (IOS global)
    (no) ip inspect <name> {in|out} (IOS interface)
    (no) ip nat service h323 (IOS global)
    (no) ip nat service ras (IOS global)
    In the past, these features have often erroneously misinterpreted valid H.323 messages and message fragments and dropped them. Avaya H.323 messages are valid and should not be dropped. If Avaya IP phones fail to register for no apparent reason, check to see if these features are enabled. If so, disable them.
  • 75. Cisco Feature We DO Want on the Ports Connected To Avaya IP Phones PortFast Bypasses the Listening and Learning states, which take about 50sec with legacy Spanning Tree Protocol. Immediately puts the port into Forwarding state. Hosts, meaning devices that are not L2 switches, do not need to go through the Listening and Learning states. They should immediately start forwarding traffic. Rapid Spanning Tree preferred over legacy Spanning Tree Fast, robust routing protocols (OSPF, EIGRP) preferred over others (RIP, IGRP).
  • 76. Key Points Disable network features that we don’t need and can’t use. Cleaner. Less risk. Easier to troubleshoot in some cases. Inspection features – H.323 and otherwise – often misinterpret valid messages. They appear to be optimized for Cisco messages. Enable network features that help us. PortFast was explicitly covered. Rapid Spanning Tree preferred over legacy Spanning Tree. Fast, robust routing protocols (OSPF, EIGRP) preferred over others (RIP, IGRP).
  • 77. Avaya IP Telephones Dual-VLAN Environment
  • 78. Cisco Auxiliary VLAN and Cisco Voice VLAN Do Avaya IP phones work with these? YES! And they are preferred. Is there an alternative? Yes, use 802.1Q trunking.
  • 79. Dual-VLAN Implementation [Diagram: switch port 1/1 carrying vlan 10 and vlan 20 (v10,v20)]
  • 80. Cisco CatOS Auxiliary VLAN (preferred)
    set port host 1/1
    set cdp disable 1/1
    set vlan 10 1/1
    set port auxiliaryvlan 1/1 20
    “set port host” sets channel mode (EtherChannel) to off, enables spanning tree PortFast, sets trunk mode to off, and disables the dot1q tunnel feature. These must be done separately if “set port host” is not available or not invoked. v10 is native to this port (data); v20 is the auxiliary vlan (voice).
  • 81. Cisco CatOS 802.1Q Trunk (alternative)
    set port channel 1/1 off
    set spantree portfast 1/1 enable trunk
    set cdp disable 1/1
    set vlan 10 1/1
    set trunk 1/1 nonegotiate dot1q
    clear trunk 1/1 1-9,11-19,21-1005
    “nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. v10 is native to this port; v20 is the only other allowed vlan.
  • 82. Cisco IOS Voice VLAN (preferred)
    interface FastEthernet1/1
     switchport host
     switchport nonegotiate
     switchport access vlan 10
     switchport voice vlan 20
     no cdp enable
    “switchport host” sets the switch port mode to access, enables spanning tree PortFast, and disables channel grouping (EtherChannel). These must be done separately if “switchport host” is not available or not invoked. v10 is native to this port (data); v20 is the voice vlan.
  • 83. Cisco IOS 802.1Q Trunk (alternative)
    interface FastEthernet1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     switchport trunk native vlan 10
     switchport trunk allowed vlan 10,20
     no cdp enable
     spanning-tree portfast trunk
    “nonegotiate” prevents DISL/DTP negotiations. v10 is native to this port; v20 is the only other allowed vlan.
  • 84. Automatic Discovery of Voice VLAN Can Avaya IP phones auto-discover the voice vlan? YES! with Link Layer Discovery Protocol (LLDP) and the LLDP Media Endpoint Discovery (LLDP-MED) extension. 46xx H.323 firmware R2.6. 96xx future release – check w/ Product Management. Cisco switch must also support LLDP/LLDP-MED, but Cisco is not there yet (planned for the future). No, with Cisco’s current proprietary Cisco Discovery Protocol (CDP) implementation.
  • 85. In the Absence of LLDP/LLDP-MED Avaya IP phone must pass through data vlan on initial bootup, which is a bootup… Out of the box. After phone has been factory defaulted (Mute C-L-E-A-R-#). After values have been reset (Mute R-E-S-E-T-#-#). IP phone goes directly to voice vlan on subsequent bootups. If you never want the phone to operate on the data vlan, the DHCP option 176/242 string for v10 only needs…
    L2QVLAN=20
    Then the option 176/242 string for v20 needs the full text:
    MCIPADD=addr1,HTTPSRVR=addr1,VLANTEST=0
    46xx H.323 R2.6 and later should use VLANTEST=60.
  • 86. In the Absence of LLDP/LLDP-MED (cont) If the IP phone should operate on the data vlan in case the voice vlan experiences a lengthy outage, or if the phone is mobile and will be moved between locations with different voice VIDs…
    Option 176/242 string for v10: MCIPADD=addr1,HTTPSRVR=addr1,L2QVLAN=20,VLANTEST=XX
    Option 176/242 string for v20: MCIPADD=addr1,HTTPSRVR=addr1,VLANTEST=XX
    In either case, populate the 46xxsettings.txt file with the L2 priorities for signaling and audio.
    SET L2QSIG <value>
    SET L2QAUD <value>
  • 87. Key Points We do work on Cisco’s auxiliary vlan and voice vlan. With LLDP/LLDP-MED, we can auto-discover the voice vlan, not just on a Cisco network but on any network. Although we choose not to interoperate with CDP (proprietary) because of the security risks, we have a very feasible method of learning the voice vlan without CDP.
  • 88. IEEE 802.1X Authentication 46xx H.323 firmware R2.6 96xx H.323 firmware R1.1
  • 89. Port-based Network Access Control 802.1X requires a device to authenticate before it can receive any network services – security feature. Neither the IP phone nor the PC can even get an IP address without first passing 802.1X authentication. [Diagram: switch port 1/1 carrying vlan 10 and vlan 20]
  • 90. 802.1X Terminology Supplicant Device that needs access to the network. Presents credentials to Authenticator. Authenticator Ethernet switch or wireless access point. Intermediary between Supplicant and Authentication Server. RADIUS client. Authentication Server Holds credentials database for all Supplicants. RADIUS server.
  • 91. 802.1X Protocols Extensible Authentication Protocol (EAP) is the authentication framework for 802.1X. EAP over LAN (EAPOL) is the delivery mechanism for EAP between the Supplicant and Authenticator. EAP messages are encapsulated in the RADIUS EAP-Message attribute.
  • 92. Avaya IP Telephone Supplicant Supports only the MD5-Challenge EAP method (there are many EAP methods). Upon initial bootup, phone displays prompts for EAP ID and password. Default EAP ID is MAC address, minus separating colons. EAP password is 12 numeric characters maximum. After initial provisioning, EAP ID and password are stored in flash (similar to extension and password). ID and password submitted automatically to Authenticator in authentication and re-authentication requests.
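The exchange described on slides 90 to 92, as an added example (not Avaya or Cisco code): the phone acts as Supplicant, the switch relays EAPOL to RADIUS, and the Authentication Server holds the credential database. The EAP packet layout and the MD5-Challenge computation (Response = MD5(Identifier || password || Challenge)) follow RFC 3748; the MAC address, password and challenge bytes are constructed sample values. Note that MD5-Challenge authenticates the supplicant only: the server is not authenticated and no keying material is derived, so the port is opened on the strength of a one-way check.

```python
"""EAP-MD5 (MD5-Challenge) exchange between an 802.1X Supplicant (the IP phone),
relayed by the Authenticator (switch), and the Authentication Server (RADIUS).
Added example for slides 90-92; not Avaya or Cisco code. MAC address, password
and challenge bytes used below are constructed sample values."""
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5_CHALLENGE = 1, 3, 4


def eap_packet(code, identifier, data=b""):
    """Code(1) Identifier(1) Length(2) Data; Length covers the whole packet."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, packet[4:]


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 section 5.4: Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class PhoneSupplicant:
    """EAP ID defaults to the MAC without colons; password is up to 12 digits (slide 92)."""

    def __init__(self, mac, password):
        if not (password.isdigit() and 1 <= len(password) <= 12):
            raise ValueError("EAP password must be 1 to 12 numeric characters")
        self.eap_id = mac.replace(":", "").lower().encode()
        self.password = password.encode()

    def handle(self, packet):
        code, identifier, data = parse_eap(packet)
        if code != EAP_REQUEST:
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            return eap_packet(EAP_RESPONSE, identifier, bytes([EAP_TYPE_IDENTITY]) + self.eap_id)
        if data[0] == EAP_TYPE_MD5_CHALLENGE:
            challenge = data[2:2 + data[1]]          # Value-Size(1) followed by Value
            digest = md5_challenge_response(identifier, self.password, challenge)
            return eap_packet(EAP_RESPONSE, identifier,
                              bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + self.eap_id)
        # The phone speaks only MD5-Challenge: answer any other method with a Nak
        return eap_packet(EAP_RESPONSE, identifier, bytes([EAP_TYPE_NAK, EAP_TYPE_MD5_CHALLENGE]))


class AuthServer:
    """Holds the credential database (slide 90). A fixed challenge may be passed
    in for a reproducible run; otherwise a fresh random one is used."""

    def __init__(self, credentials, challenge=None):
        self.credentials = {k.encode(): v.encode() for k, v in credentials.items()}
        self.challenge = challenge or os.urandom(16)
        self.transcript = []          # (direction, raw packet) for inspection

    def _send(self, supplicant, packet):
        self.transcript.append(("server->phone", packet))
        reply = supplicant.handle(packet)
        self.transcript.append(("phone->server", reply))
        return parse_eap(reply)

    def authenticate(self, supplicant):
        """Identity round, then MD5-Challenge round; True only on a correct response."""
        _, _, data = self._send(supplicant, eap_packet(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
        eap_id = data[1:]
        request = eap_packet(EAP_REQUEST, 2,
                             bytes([EAP_TYPE_MD5_CHALLENGE, len(self.challenge)]) + self.challenge)
        code, identifier, data = self._send(supplicant, request)
        password = self.credentials.get(eap_id)
        ok = (code == EAP_RESPONSE and identifier == 2 and data[0] == EAP_TYPE_MD5_CHALLENGE
              and password is not None
              and hmac.compare_digest(data[2:2 + data[1]],
                                      md5_challenge_response(2, password, self.challenge)))
        self.transcript.append(("server->phone", eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, 2)))
        return ok


if __name__ == "__main__":
    server = AuthServer({"00040d123456": "123456"})     # constructed credential
    print("accepted:", server.authenticate(PhoneSupplicant("00:04:0d:12:34:56", "123456")))
    for direction, pkt in server.transcript:
        print(f"{direction:14s} {pkt.hex()}")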
  • 93. Cisco IP Telephone Supplicant Not there yet. Cisco plans on adding it in the future. Cisco phones currently only pass through EAPOL frames. PC authenticates using 802.1X (EAP). Cisco IP phone is trusted based on CDP. CDP is easy to spoof (clear text). If a device sends a CDP packet like the one a Cisco phone would send, that device becomes trusted. See the Cisco security notice. http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a008048e0d6.html
  • 94. IP Telephone DOT1X Parameter Sent via DHCP option 176/242 (DOT1X=<value>). Or sent via 46xxsettings.txt (SET DOT1X <value>). Or entered manually via keypad (Mute 8-0-2-1-9-#). DOT1X=0 (default) – EAPOL multicast frames are passed through between PC and Authenticator. Proxy logoff is disabled. DOT1X=1 – Same as 0, but proxy logoff is enabled; phone logs off for PC when it detects PC has disconnected from phone. DOT1X=2 – EAPOL multicast frames are NOT passed through between PC and Authenticator. EAPOL multicast frames are exchanged between phone and Authenticator. EAPOL unicast frames are always transmitted between devices, regardless of DOT1X value.
  • 95. Three Authentication Methods Single-Supplicant single-host. Single device authenticates and only that device is permitted access on the port. Single-Supplicant multi-host. Single device authenticates, and that opens up the port for multiple devices, without authentication. Single Supplicant could be IP phone or PC, with the other one piggybacking. Multi-Supplicant (most secure). Multiple devices authenticate on a single port. Only authenticated devices are permitted access.
  • 96. Two Types of Ethernet Switch Authenticators Single-Supplicant, or port-based switch. Only one device can be authenticated per port. Port can be limited to just the authenticated device. Or a single authenticated device can open up the port for multiple devices, without authentication. Typically sends EAPOL multicast frames to connected device. Examples: Cisco 4500 or 3750, Avaya C363T. Multi-Supplicant, or MAC-based switch. Multiple devices can be authenticated per port, and only those devices are permitted access. Typically sends EAPOL unicast frames to connected device(s). Eamples: Cisco 6500, Extreme, Avaya G250/G350.
  • 98. Cisco CatOS 802.1X – Single-Supplicant Switch set port host 1/1 set cdp disable 1/1 set vlan 10 1/1 set port auxiliaryvlan 1/1 20 set port dot1x port-control auto set port dot1x multiple-host enable set port dot1x re-authentication enable “ port-control auto” means 802.1x controls the port. “ multiple-host enable” means a single authenticated Supplicant enables access to multiple hosts. “ re-authentication enable” means the Supplicant has to re-authenticate periodically.
  • 99. Cisco IOS 802.1X – Single-Supplicant Switch interface FastEthernet1/1 switchport host switchport nonegotiate switchport access vlan 10 switchport mode access switchport voice vlan 20 no cdp enable dot1x port-control auto dot1x multi-hosts dot1x reauthentication These commands are analogous to the CatOS commands in the previous slide.
  • 100. Multi-Supplicant Switch (not quite there yet) vlan 10 vlan 20
  • 101. Multi-Supplicant Limitations Cisco supports multi-supplicant mode (“multiple-authentication” command) only on the 6500 CatOS platform. Only supported on a single-vlan access port. Not supported on a trunk port or a multi-vlan access port (MVAP). MVAP is a port with a data vlan and a voice vlan. This means that Avaya IP phones must use the single-supplicant multi-host option, even though Cisco does not recommend this (because they don’t want other people’s phones to work on their switch). http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00803f5786.html#wp1060636 “ You cannot enable the multiple-authentication option on an 802.1X-enabled auxiliary VLAN port. We recommend that you do not enable the multiple-host option on an 802.1X-enabled auxiliary port.”
  • 102. Cisco CatOS 802.1X – Multi-Supplicant Switch (if and when it is supported on MVAP) set port host 1/1 set cdp disable 1/1 set vlan 10 1/1 set port auxiliaryvlan 1/1 20 set port dot1x port-control auto set port dot1x multiple-authentication enable set port dot1x re-authentication enable “ port-control auto” means 802.1x controls the port. “ multiple-authentication enable” means that multiple Supplicants can authenticate on this port. “ re-authentication enable” means each Supplicant has to re-authenticate periodically.
  • 103. Key Points 802.1X is the port-based network access control standard. Multi-Supplicant authentication method is the most secure, requiring both the IP phone and the attached PC to authenticate independently. Avaya IP phones are 802.1X Supplicants, and support multi-Supplicant authentication. Cisco switches do not yet support multi-Supplicant mode on MVAP. Cisco IP phones are not 802.1X Supplicants, and become trusted devices via CDP. Avaya IP phones can authenticate on any network that supports 802.1X. Cisco IP phones cannot authenticate on any network, and are trusted devices only on a Cisco network.
  • 104. Reference Avaya document describing 802.1X feature and functionality in Avaya IP Telephones. http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf LLDP and LLDP-MED (see appendix) are also discussed in this document.
  • 105. Power over Ethernet Pretty Stable Now
  • 106. 802.3af Power Requirements Class Usage Minimum Power Levels Output at the PSE Maximum Power Levels at the PD 0 Default 15.4W 0.44 to 12.95W 1 Optional 4.0W 0.44 to 3.84W 2 Optional 7.0W 3.84 to 6.49W 3 Optional 15.4W 6.49 to 12.95W
  • 107. Key Points We had some initial growing pains with 802.3af PoE during the proprietary to standard transition period. Be SURE that Cisco switches or switch blades are 802.3af devices, not the old switches and blades. Determine power budget based on 802.3af power requirements. Most Avaya 46xx sets are class 2 devices (4602, 4610, and 4621). Avaya 96xx sets are class 2 devices, except for the GigE sets and GigE adapters, which are class 3. Be careful w/ Cisco 48-port switches. They are not provisioned with enough power for all 48 ports.
  • 108. Reference “ A Practical Guide to Power Over Ethernet (PoE) by Avaya” This document will be posted externally on http://www.avaya.com . Currently on http://enterpriseportal.avaya.com  Support  Anatomy of a Successful Cut page, which is accessible to Avaya employees and Business Partners.
  • 109. Avaya Servers and IP Boards Server-Class Devices
  • 110. Server-Class Devices IP telephones are user devices – serves a single user at a time. Avaya media servers, media gateways, and IP boards are servers or server-class devices – serves many users at a time. Recommendation : Lock down the speed and duplex settings of server-class devices and their connected Ethernet switch ports. User devices can be left at auto-negotiate.
  • 111. Single-VLAN Ports Unlike IP phones that are themselves on a voice vlan with an attached PC on a data vlan, Avaya media servers and IP boards are single-vlan devices. Recommendation : Whatever the voice vlan is, make that the only vlan on the Ethernet switch port connected to an Avaya media server or IP board.
  • 112. What About 802.1Q Tagging? An IP phone must tag to get on the voice vlan of the dual-vlan port. A media server or IP board has only one vlan on its port, so there is no need to tag to get on the proper vlan. As for L2 priority (802.1p), with Cisco’s “trust dscp” option (discussed in the following QoS section), there really is no need for L2 priority tagging for media servers and IP boards on a Cisco network. Properly configuring 802.1Q tagging for a single-vlan port on various Cisco switch platforms and OS versions is more trouble than it’s worth. Trusting the DSCP is cleaner and simpler.
  • 113. Cisco CatOS Configuration set port host <mod/port> set cdp disable <mod/port> set vlan 20 <mod/port> set port speed <mod/port> 100 set port duplex <mod/port> full
  • 114. Cisco IOS Configuration interface FastEthernetX/X switchport host switchport nonegotiate switchport access vlan 20 speed 100 duplex full no cdp enable
  • 115. Avaya L1 and L2 Configurations Use the integrated Maintenance Web Interface to configure the media server’s speed and duplex (and L2 tagging). Use the SAT ip-interface form to configure the CLAN’s and media board’s speed and duplex (and L2 tagging). SSH to the IPSI board to configure its speed and duplex (and L2 tagging).
  • 116. Key Points User devices (IP phones)… Can be left to auto-negotiate speed and duplex. Are dual-vlan devices that must apply 802.1Q tagging on a dual-vlan Ethernet switch port. Server-class devices (media servers and IP boards)… Should have speed and duplex fixed to 100/full. Are single-vlan devices that should be attached to single-vlan Ethernet switch ports. Do not require 802.1p/Q tagging.
  • 117. Avaya Media Gateways L2/L3 Switches
  • 118. Avaya Media Gateways Avaya media gateways (MG) have integrated L2/L3 switches, so they should be treated as network devices, and not as hosts. Lock down both ends of the uplink to 100/full(G700) or 1000/full(G350). Match the MG VIDs to the Cisco switch VIDs. MG user VIDs range from 1-3071. Establish 802.1Q trunking between the MG and Cisco switch if multiple vlans are used. Appropriately enable Rapid Spanning Tree, or legacy Spanning Tree if for some reason Rapid is not available. MG port should be non-edge port (default). Disable PortFast on Cisco switch (MG is a L2/L3 switch). Appropriately set the MG’s bridge priority so that it does NOT become root (lowest number = highest priority = root).
  • 119. Switch to Switch Connectivity – Multiple VLANs
  • 120. Cisco CatOS 802.1Q Trunk Uplink set port channel <mod/port> off set spantree portfast disable set cdp disable <mod/port> set vlan 10 <mod/port> set trunk <mod/port> nonegotiate dot1q clear trunk <mod/port> 1-9,11-19,21-1005 set port speed <mod/port> 100 (or 1000 for G350) set port duplex <mod/port> full PortFast is disabled because the connected device is another L2/L3 switch. We want Spanning Tree to operate fully. “ nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. v10 is native to this port; v20 is the only other allowed vlan.
  • 121. Cisco IOS 802.1Q Trunk Uplink interface FastEthernetX/X switchport trunk encapsulation dot1q switchport mode trunk switchport nonegotiate switchport trunk native vlan 10 switchport trunk allowed vlan 10,20 speed 100 (or 1000 for G350) duplex full no cdp enable spanning-tree portfast disable PortFast is disabled. “ nonegotiate” prevents DISL/DTP negotiations. v10 is native to this port; v20 is the only other allowed vlan.
  • 122. G700 802.1Q Trunk Uplink set interface inband 20 <ip_addr> <mask> set interface mgp 20 <ip_addr> <mask> (from MGP CLI configure mode) set spantree enable set spantree version rapid-spanning-tree set spantree priority <number> set port vlan 10 <mod/port> set port vlan-binding-mode <mod/port> static set port static-vlan <mod/port> 20 set port speed <mod/port> 100MB set port duplex <mod/port> full All commands are from the MG switch CLI, except for the one noted.
  • 123. G350 802.1Q Trunk Uplink interface Vlan 20 ip address <ip_addr> <mask> icc-vlan pmi set spantree enable set spantree version rapid-spanning-tree set spantree priority <number> set port vlan 10 <mod/port> set port vlan-binding-mode <mod/port> static set port static-vlan <mod/port> 20 set port speed <mod/port> 1GB set port duplex <mod/port> full
  • 124. Switch to Switch Connectivity – Single VLAN Similar configurations as before, but… v20 is the only vlan on the ports. 802.1Q trunking is not necessary.
  • 125. Cisco CatOS Single-VLAN Uplink set port channel <mod/port> off set spantree portfast disable set cdp disable <mod/port> set vlan 20 <mod/port> set port speed <mod/port> 100 (could be 1000 for G350) set port duplex <mod/port> full PortFast is disabled because the connected device is another L2/L3 switch. We want Spanning Tree to operate fully. “ nonegotiate” mode forces the port to become a trunk port but prevents it from sending DTP frames to its neighbor. v20 is the only vlan on this port.
  • 126. Cisco IOS Single-VLAN Uplink interface FastEthernetX/X switchport mode access switchport nonegotiate switchport access vlan 20 speed 100 (could be 1000 for G350) duplex full no cdp enable spanning-tree portfast disable PortFast is disabled. “ nonegotiate” prevents DISL/DTP negotiations. v10 is native to this port; v20 is the only other allowed vlan.
  • 127. G700 Single-VLAN Uplink set interface inband 20 <ip_addr> <mask> set interface mgp 20 <ip_addr> <mask> (from MGP CLI configure mode) set spantree enable set spantree version rapid-spanning-tree set spantree priority <number> set port vlan 20 <mod/port> set port speed <mod/port> 100MB set port duplex <mod/port> full All commands are from the MG switch CLI, except for the one noted.
  • 128. G350 Single-VLAN Uplink interface Vlan 20 ip address <ip_addr> <mask> icc-vlan pmi set spantree enable set spantree version rapid-spanning-tree set spantree priority <number> set port vlan 20 <mod/port> set port speed <mod/port> 100MB (or 1GB) set port duplex <mod/port> full
  • 129. Key Points Avaya media gateways are L2/L3 switches and should be configured and treated as network devices, not as hosts. We often see the MG vlan left as 1 (default) and connected to the Cisco switch as a host. You can get away with this if the MG really is a standalone host (server class) operating with a single vlan, but you should still match the VIDs. If the Cisco switch uses a VID beyond 3071, you have no choice. Do NOT enable 802.1Q trunking if the VIDs don’t match. We often see a complete disregard for Spanning Tree between the enterprise Ethernet switch and the MG. Ranges from Spanning Tree not being enabled at all, to the MG having become root. Not good.
  • 130. End to End QoS Host Tags (802.1p) and Marks (DSCP) Network Classifies and Prioritizes
  • 131. Can the Avaya IP Telephony Solution Work with Cisco AutoQoS? YES! because AutoQoS is mostly a network feature, independent of the IP telephony solution. That being said, AutoQoS has mixed reviews. It is not as automatic and simple as the name implies. The default queue sizes likely need to be tuned to match the bandwidth required for audio, signaling, and port network control. Know what commands are automatically being inserted. Apply AutoQoS as a starting point, then carefully examine the commands. AutoQoS cannot be covered in detail in this session. Consult Cisco’s documentation: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf Avaya application note: http://www.avaya.com/master-usa/en-us/resource/assets/applicationnotes/autoqos.pdf .
  • 132. Tag and Mark at the Source The key is to tag (L2 priority – 802.1p) and mark (L3 priority – DSCP) according to what the network is expecting. Previously Cisco classified using these values. Now Cisco uses these values (IOS 12.2 accepts both). CoS DSCP Signaling 3 26 (AF31) Audio 5 46 (EF) CoS DSCP Signaling 3 24 (CS3) Audio 5 46 (EF)
  • 133. Configure Priority Values for Servers and Gateways Servers Use the integrated Maintenance Web Interface to enable 802.1Q tagging on specific interfaces. Use the SAT ipserver-interface form to set the 802.1p and DSCP values. Media Gateways Use the MG switch CLI to enable 802.1Q tagging (dot1q trunk). Use the SAT ip-network-region form to set the 802.1p and DSCP values. Issue set qos control remote from the MGP CLI (configure mode) to apply the ip-network-region values.
  • 134. Configure Priority Values for IP Boards CLAN and media boards Use the SAT ip-interface form to enable 802.1Q tagging on each board. Use the SAT ip-network-region form to set the 802.1p and DSCP values. SSH to the IPSI board to… Enable 802.1Q tagging. Set the 802.1p and DSCP values.
  • 135. Configure Priority Values for IP Phones Enable 802.1Q tagging via LLDP or DHCP option 176/242 L2QVLAN parameter. Set the L2 values via the 46xxsettings.txt file. SET L2QSIG <value> SET L2QAUD <value> Use the SAT ip-network-region form to set the DSCP values. These values are automatically sent to the phones.
  • 136. Trust Preference Cisco switches can classify based on the L2 802.1p value (trust cos) or the L3 DSCP value (trust dscp). Whenever possible, classify based on DSCP, because it survives end to end. mls qos trust dscp (IOS interface command) set port qos <mod/port> trust trust-dscp (CatOS command)
  • 137. Trust Preference Exception If the PC attached to the IP phone sends tagged Ethernet frames and cannot be trusted… Apply the following to the 46xxsettings.txt file. SET VLANSEP 1 SET PHY2VLAN <value> (typically 0) SET PHY2PRIO <value> (typically 0) All tagged frames coming from the PC are re-written with the two values specified. As of 46xx H.323 firmware R2.4, and 96xx H.323 firmware R1.1. Then classify based on 802.1p. mls qos trust cos (IOS interface command) set port qos <mod/port> trust trust-cos (CatOS command)
  • 138. Queues. With respect to Cisco’s Low-Latency Queuing (LLQ) mechanism: Cisco puts audio (CoS 5, DSCP 46) in the priority queue and call signaling (CoS 3, DSCP 24) in a custom queue. For a Call Manager cluster with geographically separated servers, Cisco recommends putting the intra-cluster control traffic in the same queue as call signaling. Best practice is to apply the same queuing to the Avaya solution, using the same CoS/DSCP values when interoperating with Cisco AutoQoS: audio (CoS 5, DSCP 46) in the priority queue; call signaling (CoS 3, DSCP 24) in a custom queue; port network control (IPSI signaling) (CoS 3, DSCP 24) in the same custom queue as call signaling.
  • 139. QoS is a Complex Topic. Not enough time to cover it thoroughly in this session; see the aforementioned Implementation Guide. Section 2.2 covers audio bandwidth. Section 2.3 covers QoS. Appendix F has sample Cisco QoS configurations and a short discussion on queuing. Appendix H covers IPSI signaling bandwidth requirements, which are necessary to size the custom queue properly. Call signaling (IP phone to CLAN) is very hard to quantify: it varies with call load and feature activation, and a large user sample is needed to quantify it. It is best to measure the actual bandwidth consumption in production; it is very low relative to audio.
  • 140. Key Points. Avaya IP telephony works with Cisco AutoQoS. Tag or mark at the source. Classify based on L3 if possible, L2 if necessary. Calculate or measure the audio and the various signaling bandwidth requirements. Size the priority and custom queues properly. Note: a Cisco feature that remarks the DSCP of IP packets has a known bug: it periodically drops a TCP segment and every retransmission of that segment.
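Slides 138 to 140 say to calculate the audio bandwidth, measure the signaling bandwidth, and size the priority and custom queues from those numbers. The following is an added example, not from the Implementation Guide the slides cite: it computes per-stream audio bandwidth from the standard header sizes (IPv4 20 + UDP 8 + RTP 12 bytes; Ethernet 18 bytes with FCS, 4 more for an 802.1Q tag, and optionally 20 bytes of preamble and inter-frame gap) and the nominal codec rates (G.711 64 kbps, G.729 8 kbps), then renders the LLQ policy the slides describe (EF in the priority queue, CS3 in a bandwidth class). The class and policy names, and the signaling figure passed in, are assumptions; the signaling number must come from Appendix H or from measurement, as slide 139 says.

```python
import math
from dataclasses import dataclass

CODEC_KBPS = {"G.711": 64, "G.729": 8}     # nominal codec bit rates
L3_OVERHEAD = 20 + 8 + 12                  # IPv4 + UDP + RTP headers, bytes
ETH_OVERHEAD = 14 + 4                      # Ethernet header + FCS, bytes
ETH_8021Q_TAG = 4                          # extra bytes on a VLAN-tagged frame
ETH_WIRE_GAP = 8 + 12                      # preamble/SFD + inter-frame gap, bytes


@dataclass
class CallBandwidth:
    payload_bytes: int
    packets_per_sec: float
    l3_kbps: float      # what a router-based LLQ 'priority' statement meters
    eth_kbps: float     # what the access LAN link actually carries


def audio_bandwidth(codec, ptime_ms=20, tagged=True, include_wire_gap=False):
    """Bandwidth of one RTP audio stream (one direction) for a codec and packetization interval."""
    payload = CODEC_KBPS[codec] * ptime_ms // 8         # kbit/s * ms / 8 = bytes per packet
    pps = 1000 / ptime_ms
    l3_bytes = payload + L3_OVERHEAD
    eth_bytes = (l3_bytes + ETH_OVERHEAD
                 + (ETH_8021Q_TAG if tagged else 0)
                 + (ETH_WIRE_GAP if include_wire_gap else 0))
    return CallBandwidth(payload, pps, l3_bytes * 8 * pps / 1000, eth_bytes * 8 * pps / 1000)


def priority_queue_kbps(streams, codec, ptime_ms=20):
    """L3 rate to reserve in the priority queue for 'streams' concurrent audio streams leaving
    the interface (one per active call in the output direction); rounded up to whole kbps."""
    return math.ceil(streams * audio_bandwidth(codec, ptime_ms).l3_kbps)


def llq_policy_map(streams, codec, signaling_kbps, ptime_ms=20, name="WAN-EDGE"):
    """Render an IOS LLQ policy in the shape the slides describe. Names are assumptions;
    signaling_kbps is the measured/Appendix H figure for call signaling plus IPSI traffic."""
    lines = [
        "class-map match-any VOICE-AUDIO",
        " match dscp ef",                      # DSCP 46 / CoS 5
        "class-map match-any VOICE-SIGNALING",
        " match dscp cs3",                     # DSCP 24 / CoS 3: call signaling and IPSI
        f"policy-map {name}",
        " class VOICE-AUDIO",
        f"  priority {priority_queue_kbps(streams, codec, ptime_ms)}",
        " class VOICE-SIGNALING",
        f"  bandwidth {math.ceil(signaling_kbps)}",
        " class class-default",
        "  fair-queue",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        bw = audio_bandwidth(codec, 20, tagged=True)
        print(f"{codec} 20 ms: {bw.packets_per_sec:.0f} pps, "
              f"{bw.l3_kbps:.1f} kbps at L3, {bw.eth_kbps:.1f} kbps on tagged Ethernet")
    # constructed sizing input: 10 concurrent G.711 calls and a measured 64 kbps of CS3 traffic
    print(llq_policy_map(10, "G.711", signaling_kbps=64))
```

The L3 figure (80 kbps for G.711 at 20 ms, 24 kbps for G.729) is what the `priority` statement polices on a router; the Ethernet figure is what to use when sizing access-layer uplinks. Note that the priority queue is policed, so undersizing it drops audio rather than delaying it.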
  • 141. Avaya IP Support Services
  • 142. Supporting IP Telephony: Why Maintenance Is Not Enough. The quality of IP Telephony is dependent on devices other than the voice media servers and gateways. The performance of your data network is critical to success. Voice is the most demanding application running on the data network. The data network has to be monitored in conjunction with the voice media servers and gateways. There is a high probability that your current data network management tools are not equipped to manage the performance of your IP Telephony applications!
  • 143. Maintenance Agreement and Proactive IP Support/RMS IPT. Proactive real-time monitoring of the communications environment: Media Servers, Gateways and Data Infrastructure (everything in the blue squares is monitored by Avaya). [Diagram: Customer Main Location and Customer Branch Location, each with a Media Server, LAN switches, a router, servers, workstations, an IP or DCP Media Gateway and an INADS modem, connected across the network]
  • 144. Real Life Scenario: IPT Monitoring Across the Network The Scenario: Cisco switch affecting remote Gateway location (G700). The Success Factors: ESP Surveillance Received alarms from both G700 and Cisco switch. ESP Correlation ESP was able to correlate two alarms to determine root cause of network outage. IPSS NOC Communication with Customer Engineer requested customer reset the Cisco switch to clear the issue (recent IOS upgrade had resulted in rolling reboots). The Result: We vastly reduced the network outage time by being able to determine the root cause of the incident.
  • 145. Appendix: LLDP / LLDP-MED (46xx H.323 firmware R2.6)
  • 146. Overview Link Layer Discovery Protocol (LLDP) (IEEE 802.1AB) is a standard replacement for CDP and other proprietary discovery protocols. Adjacent devices exchange information at the link layer (L2). More information content than CDP, and thus more possible features. LLDP-MED (Media Endpoint Discovery) (ANSI/TIA-1057) is an extension to LLDP specifically for VoIP applications.
  • 148. LLDP/LLDP-MED to Avaya Parameters Mapping
         This TLV                                                     Changes this IP Telephone parameter
         IEEE 802.1 Organization Specific: Port VLAN ID               PHY2VLAN
         IEEE 802.1 Organization Specific: VLAN Name                  L2Q=1, L2QVLAN
         Avaya/Extreme Proprietary: Call Server IP Address            MCIPADD
         Avaya/Extreme Proprietary: File Server                       TLSSRVR, HTTPSRVR, TFTPSRVR
         Avaya/Extreme Proprietary: 802.1Q Framing                    L2Q
         Avaya/Extreme Proprietary: PoE Conservation Level Request    Power conservation mode enabled/disabled
  • 149. Key Points. LLDP and LLDP-MED put Avaya and all other IP telephony and network vendors on equal ground. LLDP and LLDP-MED have more information content than CDP, allowing for advanced features (see reference). Cisco does not support LLDP yet and continues to rely on its proprietary CDP, although it has stated its intent to support LLDP in the future.
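The mapping table above is easiest to understand against the bytes a switch actually sends. The following is an added example, not Avaya phone firmware: it decodes an LLDPDU using the IEEE 802.1AB TLV framing (2-byte header with a 7-bit type and 9-bit length; type 127 is organizationally specific and carries a 3-byte OUI plus a 1-byte subtype) and applies the two IEEE 802.1 rows of the table, Port VLAN ID (OUI 00-80-C2, subtype 1) to PHY2VLAN and VLAN Name (subtype 3) to L2Q=1 and L2QVLAN. The Avaya/Extreme proprietary TLVs are left out because their encoding is not on the page, and the phone's rules for choosing among several VLAN Name TLVs are not modelled; the LLDPDU is constructed sample data.

```python
import struct

OUI_IEEE_8021 = b"\x00\x80\xc2"
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
SUBTYPE_PORT_VLAN_ID, SUBTYPE_VLAN_NAME = 1, 3      # IEEE 802.1 organizationally specific subtypes


def iter_tlvs(pdu):
    """Yield (type, value) for each TLV; stop at End of LLDPDU; reject truncated TLVs."""
    off = 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack_from("!H", pdu, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("truncated TLV")
        yield tlv_type, pdu[off:off + length]
        off += length
        if tlv_type == TLV_END:
            return


def phone_params_from_lldp(pdu):
    """Apply the page's IEEE 802.1 rows: Port VLAN ID -> PHY2VLAN, VLAN Name -> L2Q=1, L2QVLAN."""
    params = {}
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type != TLV_ORG or len(value) < 4:
            continue
        oui, subtype, info = value[:3], value[3], value[4:]
        if oui != OUI_IEEE_8021:
            continue                                   # LLDP-MED and vendor TLVs are not handled here
        if subtype == SUBTYPE_PORT_VLAN_ID and len(info) == 2:
            params["PHY2VLAN"] = struct.unpack("!H", info)[0]
        elif subtype == SUBTYPE_VLAN_NAME and len(info) >= 3:
            vid, name_len = struct.unpack_from("!HB", info)
            if len(info) == 3 + name_len:              # malformed name length: ignore the TLV
                params["L2Q"] = 1
                params["L2QVLAN"] = vid
    return params


def tlv(tlv_type, value):
    """Encode one TLV (7-bit type, 9-bit length, value)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def org_tlv(oui, subtype, info):
    return tlv(TLV_ORG, oui + bytes([subtype]) + info)


def build_sample_lldpdu(pvid=10, voice_vid=200, name=b"VOICE"):
    """Constructed LLDPDU as a switch might send it (sample data, not a capture)."""
    return (tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0011223344aa"))   # subtype 4 = MAC address
            + tlv(TLV_PORT_ID, b"\x05" + b"Gi1/0/1")                        # subtype 5 = interface name
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + org_tlv(OUI_IEEE_8021, SUBTYPE_PORT_VLAN_ID, struct.pack("!H", pvid))
            + org_tlv(OUI_IEEE_8021, SUBTYPE_VLAN_NAME, struct.pack("!HB", voice_vid, len(name)) + name)
            + tlv(TLV_END, b""))


if __name__ == "__main__":
    pdu = build_sample_lldpdu()
    print("TLV types:", [t for t, _ in iter_tlvs(pdu)])
    print("phone parameters:", phone_params_from_lldp(pdu))
```

With the sample PDU the phone would end up with PHY2VLAN=10 (the data VLAN for the PC port) and L2Q=1, L2QVLAN=200 (tagged voice traffic), which is exactly the single-cable, separate-voice-VLAN arrangement the editor's notes at the end describe.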
  • 150. Reference Avaya document describing LLDP/LLDP-MED feature and functionality in Avaya IP Telephones. http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf

Editor's Notes

  1. The recommended configuration for IP sets is that they use a separate VLAN for voice traffic. This segments broadcasts/multicasts and allows for a certain level of security through ACLs. The telephone uses a single cable to the Ethernet switch and takes advantage of 802.1Q to send data traffic untagged on the native VLAN and voice traffic tagged.
  2. Linear
  3. Monitoring performance of endpoints, data network and applications:
     - Performance monitoring of voice call quality, i.e. latency, jitter, and delay
     - Identification of the cause of low voice quality
     - Identification of, and notification about, applications on the network that are degrading voice quality
     - Automatic correlation of voice and data alarms to quickly identify the root cause and remediate the problem
     - Security monitoring of alarms on IPT Media Servers
     - Fault management and performance reports available via Web Portal
     - Software release management to keep IPT platforms at current updates