S8700 Multi-Connect
Issue 3.4.1 June 2005
When tying the control network into the corporate network, strong access lists or firewalls
should be used to prevent Denial of Service (DoS) attacks and broadcast storms from
interfering with control network traffic. Appendix B identifies the ports that must be opened for
IPSI-controlled port networks.
A low latency queuing mechanism should be implemented on network elements in the control
network path. Control traffic should be tagged with DSCP 46 and 802.1p COS 6. Section 3
provides guidelines on setting up an LLQ or other suitable QoS design.
Security Concerns
The private control LAN has historically been a feature of the Multi-Connect configuration that
has added significant security and protection against network flooding attacks, viruses, and
unauthorized access. Naturally, with the control network and public network combined, this
protection is no longer inherently provided. Avaya recommends isolating the control network
from the enterprise network as much as possible.
Should an enterprise decide to combine the control and public networks, Avaya recommends
implementing firewalls or access control lists in order to protect the system from attacks and
unwanted traffic.
● Firewalls should be placed between the enterprise network and control network segments
to protect the server against network attacks.
● Firewalls should be implemented to prevent unauthorized access to the server from the
enterprise network in the case of a compromise of the enterprise network.
● Firewalls should be implemented to prevent unauthorized access to the enterprise network
from the server in the case of a server compromise.
● Firewalls should enforce protection rules that prevent the propagation of ANY traffic that is
not needed for VoIP communications. For a list of recommended settings in this area,
consult Appendix B: Access list.
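The sketch below is an added example, not part of the Avaya guide. It audits a firewall rule list against the recommendations above: every permit crossing the enterprise/control boundary, in either direction, must be on an allowlist, and the list must end in an explicit deny-all. The subnets, the ports, and the names `Rule`, `REQUIRED` and `audit` are constructed placeholders; the real port list comes from Appendix B.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed addressing (assumption, not from the guide).
ZONES = {"enterprise": ip_network("10.0.0.0/8"),
         "control": ip_network("192.0.2.0/28")}
# Placeholder flows (assumption): replace with the ports listed in Appendix B.
REQUIRED = {("enterprise", "control", "tcp", 50001),
            ("control", "enterprise", "udp", 50002)}

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port

def zones(cidr):
    """Names of every zone the CIDR overlaps (0.0.0.0/0 overlaps both)."""
    net = ip_network(cidr)
    return {name for name, z in ZONES.items() if net.overlaps(z)}

def audit(rules):
    """Return (rule_index, message) findings. Conservative: every permit is
    checked on its own, without modelling shadowing by earlier rules."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        for s in sorted(zones(r.src)):
            for d in sorted(zones(r.dst)):
                if s != d and (s, d, r.proto, r.port) not in REQUIRED:
                    what = f"{r.proto}/{r.port or 'any'}"
                    findings.append((i, f"{s}->{d} permits {what}, not on allowlist"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.proto == "any"
            and zones(last.src) == zones(last.dst) == set(ZONES)):
        findings.append((len(rules), "no explicit final deny-all"))
    return findings

# Constructed rule sets: weak (broad server egress, stray port, no default deny)
# beside the corrected version.
WEAK = [Rule("permit", "10.0.0.0/8", "192.0.2.0/28", "tcp", 50001),
        Rule("permit", "192.0.2.0/28", "10.0.0.0/8", "any", None),
        Rule("permit", "10.20.0.0/16", "192.0.2.0/28", "tcp", 50099)]
HARDENED = [Rule("permit", "10.0.0.0/8", "192.0.2.0/28", "tcp", 50001),
            Rule("permit", "192.0.2.0/28", "10.0.0.0/8", "udp", 50002),
            Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)]

if __name__ == "__main__":
    for idx, msg in audit(WEAK):
        print(f"rule {idx}: {msg}")
```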
Other IP interfaces
The C-LAN and Media Processor connect directly to the customer’s data network (that is, not
the control network). They must be reachable by IP Telephones on the network, so they should
be placed in the voice VLAN, should one exist, or should at least be reachable by all subnets
containing voice endpoints. The architecture of the system is such that traffic entering either the
C-LAN or MedPro cannot cross into the control network.
The IPSI connects to the control network and provides an interface between the S8700 servers
and the port network. It does not need to be reachable from the enterprise network.
Source: Avaya Application Solutions IP Telephony Deployment Guide, 555-245-600, Issue 3.4.1, June 2005