Smart Business Communications System 1.1 Design Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
Cisco Validated Design
The Cisco Validated Design Program consists of systems and solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit www.cisco.com/go/validateddesigns
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc and/or its affiliates in the United States and certain other countries
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)
© 2008 Cisco Systems, Inc. All rights reserved.
Contents
Overview 3
Solution Components 5
Secure Network Foundation 6
Local Area Network Design 6
Virtual Local Area Networks 7
Trivial File Transfer Protocol 12
Domain Name System 13
Network Address Translation 13
Call Processing Capabilities 21
Call Coverage Features 22
Call Handling Features 22
IP Phone Features 22
Remote IP Phones 23
Ephones and Ephone-DNs 24
Mailboxes, Users, and Groups 30
Auto Attendant (AA) 31
Wireless LAN—The Cisco Mobility Express 32
Wireless LAN Overview 32
Cisco Mobility Express Solution 32
Autonomous Wireless Networks 33
Controller-based Wireless Networks 34
Selecting the Optimal WLAN Solution 35
Key Design Recommendations for Cisco Mobility Express Solution 36
System Management 36
Cisco Configuration Assistant 37
Network Monitoring 37
Cisco Monitor Manager 37
Cisco Monitor Director 37
External Application Integration 37
References 38
Product References 38
Technology References 38
Bill of Materials 40
Overview
The Cisco Smart Business Communications System is designed for small- and medium-sized businesses (SMB) to provide voice, data, video, security, and wireless capabilities—while integrating with existing applications, such as calendar, E-mail, and customer relationship management (CRM). The Cisco Smart Business Communications System provides a complete portfolio of Cisco Unified Communications products, as well as wired and wireless networking solutions. It provides access to the right mix of key communications, productivity, and business applications.
This document provides practical design guidance for a secure business networking solution in which everyday communications are made more efficient. Cisco partners and resellers can help small-to-medium businesses (SMBs) leverage the full value of their voice and data networks by deploying reliable and secure Cisco Unified Communications 500 Series devices (UC520), Cisco Catalyst Express 520 Series switches (CE520), Cisco 500 Series Wireless Express Mobility Controllers (WLC526), autonomous or controller-based access points (AP521 or LAP521), and IP end points from Cisco Systems. The Cisco Smart Business Communications System is provisioned using Cisco Configuration Assistant (CCA)—an easy-to-use Graphical User Interface (GUI)-based tool. The design guidance provided in this document and the implementation guidance covered in the Smart Business Communications System 1.1 Implementation Guide combine to provide a verified reference that ensures that each individual system component, and those configurable using Cisco Configuration Assistant, work well together.
This design guide explains how to implement a secure voice and data network that supports up to 48 voice users and up to 250 data users with centralized, controller-based WLAN capability. The core of this design is the Cisco Unified Communications 500 Series device, which provides data networking, integrated security, local call processing, integrated messaging, and voice gateway services. A Cisco 871w router at a home office or mobile worker location provides data networking as well as integrated security services, but relies on the main office for call processing, messaging, and voice gateway services.
To summarize this solution, the Cisco Smart Business Communications System provides the following capabilities:
• Wide Area Network (WAN) access
• Local Area Network (LAN) switching
• Controller-based Wireless LAN roaming connectivity
• Integrated security
• Call processing
• Integrated messaging
• GUI-based provisioning using Cisco Configuration Assistant
• GUI-based network management using Cisco Monitor Director Agent and Cisco Monitor Director
This design provides enhanced functionality; however, it is implemented with the objective of reducing overall system complexity. This enables partners and customers with varying levels of technical knowledge to deploy the Cisco Smart Business Communications System solution.
Figure 1 shows a typical network topology of Smart Business Communication System:
Figure 1 Smart Business Communications System 1.1 Topology
WAN connectivity on the UC520 device is provided through a FastEthernet port by connecting the UC520 LAN port to the LAN port of the device provided by the Internet service provider—such as a cable or DSL modem. PSTN trunks can be analog FXO, ISDN BRI, T1/E1 PRI, or a mix of two such connections. Data connectivity over the BRI or PRI of a UC520 device is not supported—only voice can be used.
[Figure 1 labels: Home Office (optional), Mobile Worker at any public place (optional), Cisco Configuration Assistant and Cisco Monitor Director Agent, Cable/DSL Modem, Cisco Monitor Director]
Solution Components
Two general network schemes are addressed in this publication: fully wired networks, and networks supporting wireless clients. Table 1 lists the hardware platforms used to build the system without wireless. Table 2 lists the hardware and capacity needed to add the wireless solution to the Smart Business Communications System; PSTN voice call and analog station capacity are the same as shown in Table 1.
Note: Even though one AP can support seven 802.11b or 12 802.11g wireless IP phones, very large numbers of wireless data users on a single AP might impact wireless voice quality.
Table 3 lists the software applications required to provision and manage all of the products in the design summarized in this publication. Download the latest version of each to a common directory on your laptop PC.
Table 1 Hardware Platforms for SBCS Wired-only Solution—Sample Configuration
Columns: Number of Voice-Users | Wired Data-Users | PSTN Voice Calls (1) | Analog Stations (1) | UC Device | Access Switch
(1) The VIC slot in all models can be used to increase the number of supported PSTN calls or analog stations by four.
Additional columns for the wireless solution: Wireless (2) | LAP521
(2) Up to three autonomous Cisco IOS-based AP-521s (including a UC520W's integrated AP) can be used to increase coverage when there are fewer users but those users are spread across a large area. Only controller-based WLANs should be used for more than 16 voice-users in the Smart Business Communications System solution.
Only one row of the table survived extraction: 33-48 | 56 | Up to 240 | UC520-48U | WS-CE520-24PC (2) | WLC526 (1-2), LAP521s (4-12)
The Bill of Materials for the design described in this document is provided in the "Bill of Materials" section on page 40.
Secure Network Foundation
The Secure Network Foundation (SNF) addresses small business requirements for a secure network infrastructure. The SNF design implements the LAN, WAN, and integrated security services and thus builds the foundation for the Cisco Smart Business Communications System. The SNF design is flexible, modular, and scalable, and allows the future introduction of enhanced capabilities into the network. It is a design fully adapted to the unified communications needs of a small business with up to 48 voice-users and up to 250 data-users.
Local Area Network Design
For larger deployments, LAN designs consist of core, distribution, and access layers. The core and distribution layers are often collapsed into one layer for smaller deployments. LAN designs are typically deployed in one of three ways, each of which provides certain benefits. These three types of LAN designs are:
• Layer-2 switching between all layers
• Layer-3 routing between the core and distribution layers, with Layer-2 switching between the distribution and access layers
• Layer-3 routing between all layers
The LAN design used in this system consists only of Layer-2 switching, mainly because of its simplicity. The design, regardless of the number of users supported, contains only an access layer, no redundant components, and a loop-free, Layer-2 topology.
Table 3 Software Applications Required
Cisco Configuration Assistant: Version 1.5 from http://www.cisco.com/go/configassist (click Download Software)
Upgrading UC520 device: Version 4.2.6 of UC520-Complete ZIP/TAR with all components from http://www.cisco.com/cgi-bin/tablebuild.pl/UC520
Upgrading CE520 switch: http://www.cisco.com/kobayashi/sw-center/index.shtml; click Switches Software, then on the next web page click LAN Switches and navigate to the Cisco IOS software download for the applicable Catalyst Express 520 switch
Upgrading WLC-526 Controller: http://www.cisco.com/cgi-bin/tablebuild.pl/520_series_Wireless_
Virtual Local Area Networks
Virtual LANs (VLANs) are logical connections that enable groups of devices, such as PCs, desktops, and IP phones, to communicate as if they were connected to the same physical wire even though they might be connected to completely different LAN switches.
In this design, VLANs are used to group voice devices on the Cisco Voice VLAN (assigned the value 100) and data devices on the Cisco Data VLAN (assigned the value 1). In contrast to large unified network designs, this design uses only two VLANs, even after adding a centralized, controller-based WLAN. When AP-521s are used to expand the WLAN, VLANs are assigned in the same manner as with the integrated AP. In this design, the WLC-526 and LAP-521 are used to build a centralized, controller-based WLAN. The design continues to use only two VLANs by manually synchronizing VLANs between the WLC-526 and the UC520. Using only two VLANs makes it very simple to separate the two types of devices and eases other tasks, such as Dynamic Host Configuration Protocol (DHCP) server administration and IP addressing.
Figure 2 illustrates the Layer-2 characteristics of the LAN design
Figure 2 Layer-2 LAN in Smart Business Communications System 1.1 Design
Note: One benefit of using IEEE 802.1q trunking on Cisco IP Phones is that it permits PC access via an IP phone port. Most Cisco IP Phones have a built-in three-port switch: one port is invisible and is used internally for IP phones using the Voice VLAN; one port is used to connect a PC using the Data VLAN; and one port is used to connect the IP phone to a switch using an IEEE 802.1q trunk. With this setup, when an IP phone is added to a switch there is no loss of ports. The PC that is to be connected to the switch can be connected to the network via the access port of the IP phone.
[Figure 2 labels: Cisco-Data VLAN, Cisco-Voice VLAN, VLAN 1 (Native VLAN for 802.1Q), VLAN 100, 802.1Q Trunk over the physical connection between switchports, UC520, IP phone]
IEEE 802.1Q Trunking
Trunking enables the physical connections between devices to carry traffic from multiple VLANs configured on these devices. It is pre-configured on the UC520 and CE520; WLC-526s and LAP-521s (or AP-521s) are configured to match this factory default trunking configuration. A native VLAN (such as VLAN 1 in this solution) is required to configure the IEEE 802.1Q trunk. When deployed in this manner, security risks—such as VLAN hopping and double IEEE 802.1Q tagging attacks—are mitigated.
Spanning Tree
The Spanning Tree Protocol (STP) is used by Layer-2 devices to dynamically discover loops in the network and to block them. STP is not an issue in this design because no physical loops exist. However, STP is enabled as a precautionary measure to prevent problems in the event that two switches are connected together with two separate cables. STP provides the following capabilities:
• Fast convergence using IEEE 802.1w; enabled by default
• PortFast or fast-start feature: Supported for Desktop, IP phone + Desktop, Printer, and Server SmartPort roles
The IEEE 802.1d-based STP dictates that a port starts out blocking and then immediately moves through the listening and learning phases before going to the forwarding or disabled state. Cisco switches use the IEEE 802.1w standard, where the disabled, blocking, and listening states are merged into the discarding state, which enables fast convergence.
The PortFast, or fast-start, feature of STP assumes that the port is not part of a loop, moves it immediately to the forwarding state, and does not go through the blocking, listening, or learning states. It does not disable STP, but makes STP skip the initial steps (unnecessary in this circumstance) on the selected port.
SmartPort Roles
The SmartPort roles are Cisco-verified feature templates based on the type of devices (such as desktops, IP phones, servers, and switches) that are connected to the switch ports. These templates consistently and reliably configure essential Layer-2 switching, security, Power-over-Ethernet (PoE) for IP phones and wireless APs, and Quality of Service (QoS) features with minimal effort and expertise. The templates also streamline the configuration process by reducing redundant command entries and preventing problems caused by switch port misconfiguration. The SmartPort role for a switchport is selected from a drop-down menu in the GUI-based provisioning application. A SmartPort role reflects the type of device to be connected.
Table 4 shows the recommended SmartPort roles for this design.
Cisco Smart Assist
Cisco Smart Assist is a collection of features that provide auto-configuration and service activation between Cisco products and applications. This technology enables plug-and-play functionality to reduce setup time and optimize network settings. It is embedded in Cisco Configuration Assistant. Cisco Smart Assist features are supported on all products in the Smart Business Communications System. These features facilitate:
• Improved ease-of-set up and deployment of Cisco products
• Optimized network performance and security
• Simplified ongoing operation of growing Cisco networks
Cisco Smart Assist features take effect as devices and applications are discovered within the Cisco network. These features implement pre-defined network settings or behaviors in areas such as network security, QoS, and software activation.
Power-over-Ethernet
Power-over-Ethernet (PoE) is a 48-volt DC power supply capability provided over standard Ethernet unshielded twisted-pair (UTP) cable. PoE enables IP phones, AP-521s, LAP-521s, and other inline powered devices (PDs) to obtain power via an Ethernet connection. The switches providing PoE must be inline power-capable. Deploying inline power-capable switches that are themselves powered by uninterruptible power supplies (UPS) ensures that all devices remain operational during power failures and that IP phones can still make and receive calls. The CE520 switches used in this design provide inline power by default. The CE520 used in this design supports both Cisco PoE inline power and the IEEE 802.3af PoE standard. All 24 PoE ports on the CE520-24PC can supply up to 15.4W (the IEEE 802.3af standard maximum) of PoE, for a total of 370W of inline power.
Table 4 Recommended SmartPort Roles
Port | Recommended Port Role | Recommended Device Connection
UC520 8-port internal switch: FastEthernet 1/0 to 1/7 | IP Phone+Desktop | IP Phone/Desktop
UC520 8-port internal switch: FastEthernet 1/0 to 1/7 | Access Point | AP-521/LAP-521
UC520 8-port internal switch: FastEthernet 1/0 to 1/7 | Access Point | WLC-526
UC520 WAN port: FastEthernet 0/0 | Cannot be changed | LAN port of DSL/Cable Modem
WS-CE520 switch ports | Access Point | AP-521/LAP-521
WS-CE520 switch ports | Access Point | WLC-526
WS-CE520 expansion slots: GigabitEthernet 1 to 2 | Switch | UC520 or another WS-CE520 switch
Wide Area Network Design
Wide Area Networks (WANs) are built with many technologies and are delivered by different types of service providers. Some WAN access methods provide guaranteed levels of service for bandwidth and quality based on a Service Level Agreement (SLA); others provide best-effort service. Table 5 lists both guaranteed and best-effort WAN services.
The WAN access method used for this design is based on a DSL or cable connection. This is a best-effort type of service. However, this option is growing in popularity due to its lower monthly price, ease of installation, and the higher bandwidth available with the service.
The UC520 in the main office and the Cisco 871w in the home office are each connected, via the designated WAN port (a FastEthernet port on either device), to a modem device provided by the service provider.
Layer-3 Design
Layer-3 functionality provides the capabilities necessary to forward traffic between Layer-2 switching segments, or VLANs. Layer-3 designs consist of several components, including IP addressing, Network Address Translation (NAT), and IP routing. This section covers each of these components and describes how they are deployed within the design presented.
IP addressing can be assigned by either a static or a dynamic method. If a static method is used, specific addresses are assigned to devices by a network administrator or service provider. This method is recommended for a device that must maintain a consistent address because it offers services to other devices. An example of this type of device is an E-mail server.
If a dynamic method is used, the Dynamic Host Configuration Protocol (DHCP) assigns IP addresses to devices as they are needed. This eases the administration of IP addresses because they need not be statically assigned to end points. For example, DHCP enables users to move their devices, such as laptops, to different locations without having to manually change the IP address of the device. DHCP also helps conserve IP addresses because they can be reallocated if an end point no longer needs one. In addition to IP addresses, DHCP can deliver other network information, such as a default gateway, subnet mask, and server addresses, to reduce configuration effort and time.
Figure 3 shows the DHCP server running on the UC520
Table 5 WAN Services
Figure 3 DHCP Server Running on the UC520
This design deploys a combination of static and dynamic IP addressing. It is important to note that the IP addresses are separated into two distinct domains. One domain is managed by the service provider and the other is managed by the customer (or partner). The UC520 WAN interface resides in the service provider domain and is assigned an IP address, either statically or via DHCP, by the service provider. The UC520 LAN interfaces, switchports, and servers reside in the customer domain and are assigned static IP addresses because other devices rely on them for services such as E-mail, Internet access, and default gateway routing. The remaining end points, including the PCs, desktops, and IP phones, reside in the customer domain and are assigned dynamic IP addresses from the DHCP pools.
The DHCP service is provided by the UC520 in this design. The DHCP server running on the UC520 is configured with the address ranges for the Cisco Data and Cisco Voice VLANs. The DHCP server also provides a default gateway IP address to the end points. For the Cisco Voice VLAN, the DHCP server is configured with option 150 in order to provide the TFTP server address to the IP phones. Finally, the DHCP server is configured with specific addresses that are excluded from the dynamic address range because they are assigned to the UC520 itself, additional switches, WLC-526s, and servers, and must not be assigned to other devices.
The UC520 is configured with an additional DHCP scope that serves remote locations. This DHCP address pool is allocated for the Virtual Private Network (VPN) tunnel endpoint at each remote location. The VPN tunnel endpoint is located either on the WAN interface of a Cisco 871w or on a mobile worker's laptop with a software VPN client.
IP phones, desktops, and laptops at the home office also require dynamic IP address assignment. The Cisco 871w router at the home office is configured with a DHCP address scope. These IP addresses are for the devices connected to the LAN and WLAN of the home office.
Table 6 shows the IP addressing scheme used in this design. The IP addresses under data VLAN 1 and voice VLAN 100 are pre-configured on the UC520.
Table 6 IP Addressing Scheme
Scope | Address Range | Assignment
WAN interface of the main office UC520 | assigned by the service provider | Static or dynamic (from the service provider)
VPN tunnel endpoints at remote locations (optional) | 10.20.10.2/24 - 10.20.10.20/24 | Dynamic (from main office UC520)
Main office Cisco Data VLAN (1) | 192.168.10.0/24 | Static for the UC520, switches, and servers; dynamic for data end points (ranges in the continued table)
Trivial File Transfer Protocol
Trivial File Transfer Protocol (TFTP) is a simplified version of File Transfer Protocol (FTP) that allows files to be transferred from one computer to another over a network, usually without client authentication (for example, a username and password).
In a Unified Communications system, IP phones rely on a TFTP server to acquire configuration information. This information is contained in a configuration file that is unique to each IP phone. The file is assigned a name based on the MAC address of the IP phone. For example, an IP phone with the MAC address ABCDEF123456 would be associated with a file named SEPABCDEF123456.cnf.xml.
In addition to configuration information, such as the Cisco Unified Communications Manager Express source address on the UC520 (in this case, 10.1.1.1), the file also contains the software version for the IP phone. If the IP phone does not have the version of software specified in the configuration file, it downloads the correct version.
This design guide recommends configuring the UC520 as the TFTP server. This is accomplished by using the IP address of the UC520 in Option 150 of the DHCP scope that is used for voice devices, which is part of the factory default configuration. The configuration files and IP phone software are stored
Table 6 IP Addressing Scheme (continued)
Scope | Address Range | Assignment
Main office Cisco Data VLAN (1): UC520, switches, and servers | 192.168.10.1/24 - 192.168.10.10/24 | Static
Main office data end points | 192.168.10.11/24 - 192.168.10.254/24 | Dynamic
Main office voice end points | 10.1.1.11/24 - 10.1.1.254/24 | Dynamic
Home office end points (connected to Cisco 871w), optional | 192.168.20.1/24 - 192.168.20.10/24 | Dynamic
Figure 4 DHCP and TFTP Servers Running on the UC520
If the design includes the optional teleworker/home offices that are connected to the main office via the Internet, the IP phones at these locations must also be configured to use the UC520's Cisco Unified Communications Manager Express source address (10.1.1.1 in this case) at the main office as the TFTP server.
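The option 150 hand-off and the SEP<MAC>.cnf.xml naming described above, as an added example in Python that is not from the design guide: it builds and parses the DHCP option 150 payload (option code 150, then one 4-byte IPv4 address per TFTP server) and derives a phone's configuration file name from its MAC address. The 10.1.1.1 server address is the guide's; the DHCP option bytes are constructed here.

```python
"""Added example (not from the design guide): SEP<MAC>.cnf.xml naming and
DHCP option 150 (TFTP server address) encoding/decoding."""
import ipaddress
import re
import struct

OPTION_TFTP_SERVER_ADDRESS = 150  # Cisco DHCP option carrying TFTP server IPs


def phone_config_filename(mac: str) -> str:
    """Return the SEP<MAC>.cnf.xml name the phone requests from TFTP.

    Accepts 'AB:CD:EF:12:34:56', 'ab-cd-ef-12-34-56', 'abcd.ef12.3456' or
    'ABCDEF123456'; the file name always uses twelve upper-case hex digits.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"SEP{digits.upper()}.cnf.xml"


def build_option150(servers: list) -> bytes:
    """Encode option 150 as code, length, then one 4-byte IPv4 address per server."""
    if not servers:
        raise ValueError("option 150 needs at least one TFTP server")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return struct.pack("!BB", OPTION_TFTP_SERVER_ADDRESS, len(payload)) + payload


def parse_dhcp_options(options: bytes) -> dict:
    """Walk a DHCP options field (after the magic cookie) into {code: value}.

    Handles the single-byte pad (0) and end (255) options, and rejects a
    length byte that runs past the buffer instead of silently truncating.
    """
    parsed = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(options):
            raise ValueError("option code without length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} exceeds buffer")
        parsed[code] = value
        i += 2 + length
    return parsed


def tftp_servers(options: bytes) -> list:
    """Return the TFTP server addresses carried in option 150, in order."""
    value = parse_dhcp_options(options).get(OPTION_TFTP_SERVER_ADDRESS, b"")
    if len(value) % 4 != 0:
        raise ValueError("option 150 value is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


if __name__ == "__main__":
    # Constructed sample options: option 3 (default gateway) and option 150
    # both pointing at the UC520 at 10.1.1.1, as in the guide's voice scope.
    opts = (bytes([3, 4]) + ipaddress.IPv4Address("10.1.1.1").packed
            + build_option150(["10.1.1.1"]) + b"\xff")
    print(tftp_servers(opts))                          # ['10.1.1.1']
    print(phone_config_filename("AB:CD:EF:12:34:56"))  # SEPABCDEF123456.cnf.xml
```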
Domain Name System
A Domain Name System (DNS) is a system used on the Internet and in intranets for translating host names of network devices into IP addresses. Host names, such as www.cisco.com, are typically easier to remember than IP addresses.
Network Address Translation
Network Address Translation (NAT) translates a private IP address (defined by RFC-1918) to a public IP address, which is recognized and routable in the public Internet. It enables devices connected to private (inside) IP networks to communicate with the public (outside) Internet.
There are three types of NAT:
• Static NAT—Static one-to-one mapping
• Dynamic NAT—Dynamic one-to-one mapping using address pools
• Overload NAT (often referred to as Port Address Translation or PAT)—Dynamic one-to-many mapping of multiple private IP addresses to one public IP address
NAT is used on a UC520 that connects two networks in order to translate the private address space into the public address space. For example, if a customer uses the IP address range 192.168.10.0/24 for the devices on its private network, the customer must use NAT to translate those addresses into an IP address or range of IP addresses that are registered for use on the public Internet. This allows for external communication. NAT simplifies and conserves IP address usage by reducing the customer's need for a large number of publicly registered IP addresses. See Figure 5.
[Figure 4 labels: UC520 running the TFTP Server, Phone Configuration and Software, Voice VLAN Scope, Data VLAN Scope]
Figure 5 Network Address Translation on UC520
In this design, overload NAT, or PAT, is configured by default on the UC520 because the number of IP addresses (provided or purchased from the DSL or cable provider) is insufficient to support one-to-one mapping of inside-to-outside addresses. Typically, the customer is given only one public IP address, which is assigned to the WAN interface of the UC520 and is unique on the Internet. When devices on the private network must access the Internet, the UC520 translates the IP address of the internal device into this external IP address and assigns a specific port number to the translation. The port number lets the UC520 identify which translation is mapped to which internal device.
Note: If a customer has a Demilitarized Zone (DMZ) in which it provides host servers for external users, then Static NAT is required. A DMZ is not common for SMBs and is not discussed in the Smart Business Communications System network design.
If the design includes teleworkers or home offices connected to the main office via the Internet, NAT is not explicitly configured on the Cisco 871w router at the home office. The EasyVPN client on the Cisco 871w router transparently configures overload NAT so that LAN devices at the home office map to a single IP address assigned by the UC520 at the main office. There is no split tunnel at the home office router; both internal and external traffic travel through the VPN connection established with the UC520 at the main office.
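The port-based translation described above, as an added model in Python that is not from the design guide or from Cisco IOS: one public address is shared by all inside hosts, each outbound flow is given its own translation port, and an inbound packet that matches no entry (or arrives from a host the inside device never contacted) is returned as None, which is the case a PAT device drops. The public address 203.0.113.10 and the inside hosts 10.1.1.11 and 10.1.1.12 (Device A and B in Figure 5) are constructed sample values.

```python
"""Added example (not from the design guide): a minimal model of the overload
NAT (PAT) translation table, to show how one public address plus a
translation port distinguishes many inside hosts."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """An IP address and port pair; frozen so it can be a dictionary key."""
    ip: str
    port: int


class PatTable:
    """One public (outside) address shared by every inside host."""

    def __init__(self, outside_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.outside_ip = outside_ip
        self._next_port = first_port
        self._last_port = last_port
        # (inside source, outside destination) -> translation port
        self._outbound = {}
        # translation port -> (inside source, outside destination)
        self._inbound = {}

    def translate_outbound(self, inside: Flow, dest: Flow) -> Flow:
        """Return the (outside_ip, port) the packet leaves with, creating an entry if needed."""
        key = (inside, dest)
        if key not in self._outbound:
            if self._next_port > self._last_port:
                raise RuntimeError("translation port pool exhausted")
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        return Flow(self.outside_ip, self._outbound[key])

    def translate_inbound(self, src: Flow, dst: Flow) -> Optional[Flow]:
        """Map a reply back to the inside host; None when nothing matches (packet dropped)."""
        if dst.ip != self.outside_ip:
            return None
        entry = self._inbound.get(dst.port)
        if entry is None:
            return None            # no translation: unsolicited inbound traffic
        inside, dest = entry
        if src != dest:
            return None            # this model only accepts replies from the host contacted
        return inside

    def entries(self) -> list:
        """Return the table rows as (inside, outside, destination) for display."""
        return [(inside, Flow(self.outside_ip, port), dest)
                for (inside, dest), port in self._outbound.items()]


if __name__ == "__main__":
    table = PatTable("203.0.113.10")
    web = Flow("198.51.100.5", 80)
    table.translate_outbound(Flow("10.1.1.11", 5060), web)
    table.translate_outbound(Flow("10.1.1.12", 5060), web)
    for row in table.entries():
        print(row)
    print(table.translate_inbound(web, Flow("203.0.113.10", 1025)))  # Device B
    print(table.translate_inbound(web, Flow("203.0.113.10", 4000)))  # None
```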
IP Routing
IP routing protocols, such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (Enhanced IGRP), are used in large designs that contain many different networks and multiple entry and exit points to the network from the service providers. These protocols are essential for providing optimal and redundant forwarding paths for IP traffic.
[Figure 5 labels: Device A 10.1.1.11 and Device B 10.1.1.12 (inside, private IP address space), WS-CE520, UC520 with NAT translation table, Cable/DSL Modem]
However, in smaller deployments, such as the design described in this document, routing protocols are not necessary because they add a layer of provisioning and overhead that is not needed. This design is for such small deployments, without redundant paths to the Internet. There is only one entry and exit point to the service provider, via the designated WAN interface of the UC520. In light of these factors, only a simple static default route is required on the UC520 to forward traffic to the Internet. For internal traffic, routing protocols are not necessary because the UC520 is directly connected to every Layer-2 VLAN within the design and serves as the default gateway for each VLAN.
Network Time Protocol
The Network Time Protocol (NTP) is a standard protocol built on top of TCP/IP that ensures accurate local time synchronization within a network that consists of routers, switches, and other devices. The time is maintained by a master source, which is typically a radio or atomic clock located on the Internet. This protocol is capable of synchronizing distributed clocks within milliseconds over long periods of time.
NTP is critical in any network because it ensures that all devices carry accurate and synchronized time stamps. This is especially important if the network contains IP communications components, such as the UC520 and IP phones, all of which require time synchronization to function properly. NTP also ensures that network events and messages, which are captured in error and security logs, traces, and system reports, contain accurate time information that helps when troubleshooting and managing any network. Additionally, NTP is important for collecting call detail records and generating billing reports.
We recommend, if possible, referencing one of the master clocks located on the Internet as the NTP server within a network. If this is not an option, the UC520 at the main office can be used as the NTP master, as configured by default, and the other network devices can reference this UC520 as their NTP server. It is important to note that the UC520 is not the best option for the NTP master because the clock time is not maintained during UC520 reboots and power outages.
Quality of Service
Quality of Service (QoS) relates to the ability of a network to provide differentiated service to selected types of network traffic over various underlying technologies such as DSL, cable, Frame Relay, ATM, and Ethernet. QoS delivers improved and more predictable network service by providing the following:
• Dedicated bandwidth support for specific types of traffic
• Improved traffic loss characteristics
• Network congestion avoidance and management techniques
• Traffic shaping to smooth intermittent bursts
• Traffic prioritization across a network
QoS can be used in both the LAN and WAN. If voice traffic is sent and received via the WAN connection, then QoS must be configured in order to provide a certain amount of dedicated bandwidth and to prioritize voice over other types of network traffic.
Basic Concepts of QoS
This section introduces some fundamental QoS concepts. Traffic is classified as it enters the network, where it is marked for appropriate treatment. Common methods to differentiate traffic are Layer-2 CoS or IEEE 802.1p, Layer-3 Type of Service (ToS), or Layer-3 Differentiated Services Code Point (DSCP).
Each port on a network device has a series of input and output queues: input queues for ingress (inbound) traffic and output queues for egress (outbound) traffic. Queues are temporary storage areas for data. The amount of storage assigned to a queue is known as its buffer.
Data waits in input queues before it can be taken in for switching, or waits in output queues before it can be transmitted. When a frame arrives at a port at a time of congestion, it is placed into an RX (input) queue. The decision as to which queue the frame is placed in is based on the CoS (Class of Service) value in the Ethernet header of the incoming frame.
On egress, a scheduling algorithm is employed to empty the TX (output) queue For each queue, a weighting is used to dictate how much data will be emptied from the queue before moving onto the next queue The weighting assigned by a number from 1 to 255 assigned to each TX queue
At times of congestion, packets may get dropped. This results in TCP retransmissions, making the congestion even worse and leading to buffer overflow. To avoid this situation, threshold values are assigned to each queue. Thresholds are imaginary levels that define utilization points at which the congestion management algorithm can start dropping data from the queue.
In the context of QoS, frames are assigned different priorities based on CoS and mapped to these thresholds. As the buffer begins to fill and thresholds are breached, the frames identified by the CoS-to-threshold mapping are dropped. This mapping can be used in QoS decisions as follows:
• At what thresholds frames with specific CoS values are eligible to be dropped (default)
• Which queue a frame is placed into, based on its CoS value (default)
A QoS policy (mapping) can override the default policies shown above:
• CoS values on an incoming frame to a DSCP value
• IP precedence values on an incoming frame to a DSCP value
• DSCP values to a CoS value for an outgoing frame
• CoS values to drop thresholds on receive queues
• CoS values to drop thresholds on transmit queues
• DSCP markdown values for frames that exceed policing statements
• CoS values to a frame with a specific destination MAC address
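The CoS-to-threshold drop behaviour described above, modelled as an added example (not code from the design guide): a single RX queue whose thresholds, CoS mapping, buffer size and arrival sequence are all constructed assumptions, so that low-CoS data frames are the first to be discarded as the buffer fills while voice frames are still accepted.

```python
from dataclasses import dataclass, field

# Constructed threshold table (assumption): threshold number -> queue fill level
# in percent at or above which frames mapped to that threshold may be dropped.
THRESHOLDS = {1: 40, 2: 60, 3: 80, 4: 100}
# Constructed CoS -> threshold mapping (assumption): higher CoS tolerates a fuller queue.
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 4, 6: 4, 7: 4}

@dataclass
class RxQueue:
    buffer_size: int                       # frames the queue buffer can hold
    frames: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def fill_percent(self) -> float:
        return 100.0 * len(self.frames) / self.buffer_size

    def enqueue(self, cos: int, label: str) -> bool:
        """Accept the frame unless the fill level has reached its CoS threshold."""
        limit = THRESHOLDS[COS_TO_THRESHOLD[cos]]
        # Drop once the buffer is at the frame's threshold, or when it is simply full.
        if self.fill_percent() >= limit or len(self.frames) >= self.buffer_size:
            self.dropped.append((cos, label))
            return False
        self.frames.append((cos, label))
        return True

# Constructed arrival sequence (assumption): data frames marked CoS 0,
# voice frames CoS 5, voice signaling CoS 3.
SAMPLE_ARRIVALS = [(0, "d1"), (0, "d2"), (0, "d3"), (0, "d4"), (0, "d5"),
                   (5, "v1"), (3, "s1"), (0, "d6"), (5, "v2")]

def simulate(buffer_size: int, arrivals) -> RxQueue:
    """Feed frames into a queue of the given size and return its final state."""
    q = RxQueue(buffer_size)
    for cos, label in arrivals:
        q.enqueue(cos, label)
    return q

if __name__ == "__main__":
    q = simulate(10, SAMPLE_ARRIVALS)
    print("queued:", [lbl for _, lbl in q.frames])
    print("dropped:", q.dropped)
```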
Figure 6 describes IP Precedence, DSCP, and ToS. DSCP (Differentiated Services Code Point) is a five-bit value in the one-byte ToS (Type of Service) field in the IPv4 header.
Figure 6 QoS as Element of IPV4 ToS Field
LAN QoS
For this design, QoS in the LAN is dynamically configured via SmartPort roles when the templates are assigned to the switch ports. The templates automatically map the CoS and DSCP values to specific queues and set the round robin queuing allocations for the switch ports.
For example, if the IP phone+Desktop SmartPort role is assigned to a switch port, voice traffic from the IP phone is always prioritized over the data traffic from the connected desktop device. The voice traffic is then sent to one of four available queues within the switch port of the device. This queue is provisioned with a specific amount of dedicated bandwidth that is only available to voice traffic. The other three queues share the remaining bandwidth in a round robin fashion for other data traffic.
WAN QoS
In most networks, the connection between the integrated switchports in the LAN is typically 10 or 100 Mbps, while the WAN connection ranges from only 1.5 Mbps to 10 Mbps. This often creates a situation where the UC520 must process more traffic from the LAN than it can send on the WAN. As a result, the WAN interface becomes congested because it cannot handle all of the traffic coming upstream from the LAN. In the absence of QoS on the WAN interface of the UC520, critical outgoing traffic, such as routing, VoIP signaling, and real-time voice traffic, will suffer. Please note that congestion is not an issue with downstream traffic received from the WAN because the LAN has more than enough bandwidth to handle the incoming traffic.
To prevent congestion in outgoing traffic on the WAN interface, specific traffic classes must be designed and an adequate amount of bandwidth must be assigned to each class to ensure that all traffic is provided with the necessary QoS. When VoIP is present in the network, a special Low Latency Queue (LLQ) must be provisioned. The LLQ is designed not only to provide a certain amount of bandwidth to voice bearer traffic, but also to prioritize voice bearer traffic over other types of traffic using expedited forwarding (EF) to help prevent delay, jitter, and packet retransmissions. Voice signaling traffic requires special treatment as well, but is not as delay-sensitive as the voice bearer traffic. Therefore, voice signaling is allocated to a Class-Based Weighted Fair Queue (CBWFQ) with assured forwarding (AF). Finally, all other data traffic is assigned to the remaining CBWFQ, but is only provided with best effort service.
Table 7 lists the traffic classes and bandwidth allocations used in this design. If the design includes the optional teleworker/home office, the same parameters are used on the Cisco 871w.
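The three-class WAN egress policy described above (LLQ for EF voice bearer, a guaranteed CBWFQ class for AF signaling, best effort for the rest), modelled as an added example that is not Cisco's code or configuration. The bandwidth percentages and the per-interval link capacity are assumptions, since the design's actual Table 7 values are not reproduced here.

```python
from collections import deque

LLQ_PERCENT = 33        # assumption: voice bearer (EF) share in the strict-priority LLQ
SIGNALING_PERCENT = 5   # assumption: voice signaling (AF) share in its CBWFQ class

def classify(phb: str) -> str:
    """Map a packet's Per Hop Behavior marking to the WAN traffic class of this design."""
    if phb == "EF":
        return "voice"
    if phb.startswith("AF"):
        return "signaling"
    return "best_effort"     # everything else: best effort CBWFQ

class WanScheduler:
    def __init__(self, link_bytes_per_tick: int):
        self.capacity = link_bytes_per_tick
        self.queues = {c: deque() for c in ("voice", "signaling", "best_effort")}
        self.policed = []    # voice packets dropped by the LLQ policer under congestion

    def enqueue(self, phb: str, size: int, label: str) -> None:
        self.queues[classify(phb)].append((size, label))

    def _drain(self, cls: str, allowance: int, sent: list) -> int:
        """Send packets of one class while they fit the allowance; return bytes used."""
        q, used = self.queues[cls], 0
        while q and q[0][0] <= allowance - used:
            size, label = q.popleft()
            used += size
            sent.append(label)
        return used

    def tick(self) -> list:
        """Transmit one interval of link capacity and return the labels sent, in order."""
        sent, budget = [], self.capacity
        # 1. LLQ first (strict priority), capped at its guarantee so voice cannot starve the rest.
        budget -= self._drain("voice", min(self.capacity * LLQ_PERCENT // 100, budget), sent)
        # 2. CBWFQ: signaling receives its guaranteed share next.
        budget -= self._drain("signaling", min(self.capacity * SIGNALING_PERCENT // 100, budget), sent)
        # 3. Best effort gets whatever "remains after PQ".
        budget -= self._drain("best_effort", budget, sent)
        # 4. Bandwidth still unused goes to backlogged guaranteed classes.
        for cls in ("signaling", "voice"):
            budget -= self._drain(cls, budget, sent)
        # 5. Under congestion the LLQ is policed: voice above its rate is dropped, not queued.
        self.policed.extend(label for _, label in self.queues["voice"])
        self.queues["voice"].clear()
        return sent
```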
Integrated Security Design
Network security, including wireless security, is critical to protect a business and its resources from various threats, such as viruses, worms, and denial-of-service (DoS) attacks. When a comprehensive security strategy is implemented, protective measures can be put in place to identify, prevent, and mitigate security threats effectively. Integrating these security measures into the network infrastructure components not only helps protect the network, but also eliminates the need for autonomous security devices; the same functionality can be delivered and managed from existing devices.
This section describes several areas of network security, including infrastructure protection, policy enforcement, and secure connectivity, all of which have been deployed within this design. Each security function is integrated into the appropriate device within the network. All of the network devices, including the UC520, CE520, WLC-526, LAP-521, and Cisco 871w, provide infrastructure protection services. The UC520 also provides policy enforcement and secure connectivity services.
Figure 7 shows where the areas of security are deployed in the design.
Table 7 Traffic Classes and Bandwidth Provisioning for the WAN
Traffic Class | Description | IP Precedence (1) | Per Hop Behavior (PHB) | Queuing Type | Bandwidth (BW) Guarantee (percent)
Signaling | Voice Signaling | | | |
Best Effort | Data Traffic | 0, 1, 4 | Best Effort | CBWFQ | Remains after PQ
(1) Refer to Figure 6
Figure 7 Areas of Integrated Security Design
Infrastructure Protection
The network infrastructure is the foundation on which critical business applications, such as sales tools, voice services, and E-mail access, are deployed. As a result, the components of the network infrastructure are often targets of attacks that can directly or indirectly disrupt business operations. In order to ensure the availability of the network, it is critical to implement the security tools and the security best practices that help protect each network component and the infrastructure as a whole.
In this design, the UC520 is configured with infrastructure protection services using the Security Audit feature of the Cisco Configuration Assistant (CCA). The security audit is performed on the UC520 during the initial configuration to ensure that:
• Unused services, such as IP source routing and IP BOOTP server, are disabled
• Necessary services, such as password encryption and logging, are enabled
• Secure device access for console, Telnet, SSH, and HTTP connections is enabled
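An offline check of the first two audit items above, written as an added example (this is not the CCA Security Audit itself): it scans an IOS-style running-config for the services the audit disables and enables. The sample configuration is constructed; the commands it contains are standard IOS commands, not values taken from the guide.

```python
import re

# Constructed sample running-config (assumption: not from any real UC520).
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname UC520
no ip bootp server
logging buffered 16384
ip source-route
line vty 0 4
 transport input ssh
"""

# IOS omits default settings from the running-config. Services that are ON by
# default (IP source routing, the BOOTP server) therefore only appear once they
# have been disabled with a "no ..." line, which is what the audit looks for;
# services that are OFF by default appear once they have been enabled.
CHECKS = {
    "IP source routing disabled": r"^no ip source-route$",
    "IP BOOTP server disabled": r"^no ip bootp server$",
    "password encryption enabled": r"^service password-encryption$",
    "logging enabled": r"^logging (buffered|host|\d{1,3}(\.\d{1,3}){3})\b",
}

def audit_config(config: str) -> dict:
    """Return {audit item: True if the configuration satisfies it}."""
    lines = [line.strip() for line in config.splitlines()]
    return {name: any(re.match(pattern, line) for line in lines)
            for name, pattern in CHECKS.items()}

def failed_checks(config: str) -> list:
    """List the audit items the configuration does not satisfy."""
    return [name for name, ok in audit_config(config).items() if not ok]

if __name__ == "__main__":
    for name in failed_checks(SAMPLE_CONFIG):
        print("FAIL:", name)
```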
The integrated switchports are configured with infrastructure protection services using the SmartPort feature. Each SmartPort role configures specific security features based on the connected device. These security features include items such as BPDU guard and filtering, broadcast storm control, and port security.
Policy Enforcement
Policy enforcement defines the acceptable and unacceptable use of the network resources and other devices attached to the network. For this design, a basic integrated firewall is deployed within the UC520 to uphold policy enforcement. The firewall is configured with access and inspection rules on the WAN interface and does not permit any external traffic into the network unless the traffic arrives via the VPN (optional) or is a reply to a session that was originally sourced from the internal network.
Note There is no DMZ in this design, so an advanced firewall configuration is not required.
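The WAN-interface policy described above (inbound traffic permitted only as a reply to an inside-originated session or when it arrives over the optional VPN), modelled as an added example rather than the UC520's firewall implementation. Interface names, the idle timeout and the addresses used are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "lan", "wan" or "vpn" (assumed names)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulWanFirewall:
    def __init__(self, idle_timeout: float = 300.0):
        self.idle_timeout = idle_timeout   # assumption: seconds before an idle session is forgotten
        # Session table: 5-tuple of the inside-to-outside flow -> time it was last seen.
        self.sessions = {}

    @staticmethod
    def _forward_key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet):
        # A reply matches the original session with source and destination swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.sessions.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def decide(self, p: Packet, now: float) -> str:
        """Return "permit" or "deny" for one packet and update the session table."""
        self._expire(now)
        if p.iface == "lan":
            # Inspection: outbound traffic opens (or refreshes) a session so its replies can return.
            self.sessions[self._forward_key(p)] = now
            return "permit"
        if p.iface == "vpn":
            return "permit"             # traffic arriving over the VPN is allowed by this design
        key = self._reply_key(p)
        if key in self.sessions:        # reply to a session sourced from the inside
            self.sessions[key] = now
            return "permit"
        return "deny"                   # any other traffic from the WAN is blocked
```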
Secure Connectivity
Secure connectivity provides measures to protect against the interception and alteration of information being transported within untrusted environments. The objective is to ensure the confidentiality of the information. VPNs can be used to provide secure connectivity because they help extend the network from a main office to branch offices, home offices, and mobile workers.
VPNs enable IP traffic to travel securely over a public IP network, such as the Internet, by encrypting all of the traffic from one network to another or from one device to another. To encrypt the information, protocols such as the Digital Encryption Standard (DES) or Advanced Encryption Standard (AES) are employed. In addition to encryption, other security features are used to build VPNs. Authentication mechanisms, such as pre-shared keys or RSA signatures, are used to authenticate each side of the VPN tunnel; hash algorithms, such as Message Digest 5 (MD5) and Secure Hash Algorithm (SHA), are used to authenticate the data sent within the tunnel. Together, these security features form secure tunnels that help ensure voice and data privacy and authenticity. In addition to the protocols that a VPN is comprised of, there are several different types of VPNs, including site-to-site IPSec VPNs, Dynamic Multipoint IPSec VPNs, Easy VPNs, and Secure Socket Layer (SSL) VPNs. Each option provides its own set of benefits for the appropriate deployment.
For this design, EasyVPN is used for the optional teleworker/home office and mobile worker because it simplifies the deployment by centralizing the management of all devices, ensuring that consistent policies are used and easing the administration of remote devices. EasyVPN has two components: a centralized server and the remote VPN devices/clients. The server runs on the UC520 at the main office and delivers the VPN policies to the remote devices. The remote VPN component runs on either the Cisco 871w router at the home office or a software-based VPN client on the laptop of a mobile worker. The remote device receives the VPN policies from the server, which minimizes the configuration requirements in remote home offices and mobile locations. This design does not support split-tunneling; therefore all traffic from the home office, including Internet traffic, travels through the VPN connection established with the UC520 at the main office. Both the EasyVPN server and remote clients are easily configured using CCA. See Figure 8.
Figure 8 VPN Deployment
The recommendations listed in this section provide an ideal scenario. It is important that any partner or customer compare these recommendations to an existing company security policy before implementing them. Additionally, it is important to determine whether software clients, such as the Cisco EasyVPN client, support the recommendations and specific customer security policies.