manualshive.com logo in svg

Avaya IP Office (R3.0), Руководство пользователя

Пользовательский мануал для Avaya IP Office (R3.0) доступен для скачивания бесплатно на нашем сайте. Получите инструкцию по установке и настройке продукта, чтобы использовать его с максимальной эффективностью. Посетите manualshive.com, чтобы загрузить руководство пользователя прямо сейчас.

Поделиться
Скачать
background image

 

Overview of Secure VPN Implementation - Page 19 

VPN and VoIP 

Telephony 

IP Office incorporates many advance telephony features which can be used in 
conjunction with VPN networking to provide secure speech over the Internet. Using 
such features as Small Community Networking, it is possible to create a virtual PABX 
that is transparent to the physical location. 

VoIP 

IP Office marks VPN packets with the DSCP value of the encapsulated VoIP packet. 
Under normal condition this allows IPSec or L2TP encapsulated packets to be 
distinguished and prioritized over non-voice traffic. Necessarily on slow speed links, 
packets may be re-ordered or dropped in support of voice quality when running QoS 
mechanisms. However, IPSec and LT2P packets cannot be excessively re-ordered 
which is an issue when mixing IPSec with VoIP and non-VoIP traffic over a heavily 
congested link. 
IPSec is the primary VPN security protocol and is a licensable IP Office feature. To 
support IPSec with VoIP and non-VoIP traffic IP Office running version 3.0+ software 
employs a pre-emptive IPSec QoS mechanism that ensures that QoS is applied to 
packets before the IPSec process. This way, IPSec packet loss and packet re-ordering 
is significantly reduced. 
The IPSec QoS feature is only available to IPSec. If it is a requirement to run L2TP with 
a mix VoIP and non-VoIP traffic then L2TP must be encapsulated in IPSec. 
Under link congestion the IPSec QoS works on a pre-emptive basis by controlling the 
amount of packets that are sent to the IPSec engine and prioritizes VoIP traffic over 
non-VoIP traffic. In this way packet discard, when it occurs, will be on the inbound 
router interface. The provisions of the IPSec QoS mechanism allow for QoS support on 
slow speed xDSL links for example. 
For voice traffic, IP Office performs concurrent call load restrictions on a per call basis 
and does not assume the bandwidth requirement. The IP line is used to configure 
concurrent call restrictions and works on the basis of an “allowed number of calls” 
irrespective of bandwidth. Hence, whilst IP Office is configured in terms of “an allowed 
number of calls” and not bandwidth requirements, it is important to understand the 
bandwidth requirement and calculations for any VoIP link. The bandwidth used by a 
given compression type for a single VoIP stream over a given VPN technology can be 
calculated using the formula shown below. 
 

RTP Bandwidth:  

(L2_  Tunneling _ VoIP_ Payload) X Payload_per_sec X Bit__conversion

 

 

For Fax traffic, the bandwidth used can be calculated using the formula shown below. 

  

(L2_  Fax_ Payload) X Payload_per_sec 

 

Notes

1.  These calculations are strictly to estimate the "media" transport portion of the 

bandwidth. Even for the Media transport, an implementation dependent additional 
factor (e.g., 10%) should be considered to cover RTCP traffic, transitory effects, 
etc.  For example, even when header compression is used, it it not effective on 
100% of the packets. 

2.  Separate bandwidth must be allocated for signaling, including call setup and small 

community network signaling between systems. This traffic should be given a 
separate "assured forwarding" queue treatment, rather than the expedited 
forwarding required for RTP, but still must be given bandwidth needed. 
 

 

An example of the Bandwidth Requirement Calculation is shown on page 21 and a 
table of the Bandwidth Calculation Variables used in the formula is shown on page 20. 

IP Office (R3.0) Virtual Private Networking 

Overview of Secure VPN Implementation - Page 19 

40DHB0002UKER Issue 3 (4th February 2005) 

Typical VPN Deployment 

Содержание IP Office (R3.0)

Страница 1: ...IP Office R3 0 Virtual Private Networking 40DHB0002UKER Issue 3 4th February 2005...

Страница 2: ...ient VPN 18 Guidelines 18 VPN and VoIP 19 Bandwidth Calculation Variables 20 Bandwidth Requirement Calculation 21 Example 1 21 Example 2 22 Guidelines 22 Maximum Load 23 Configuration 24 IPSec Configu...

Страница 3: ...ec Framework 6 Figure 3 LT2P Tunneling Modes 7 Figure 4 Inbound Unprotected Packet 9 Figure 5 Inbound Unprotected Packet Type Detection 10 Figure 6 L2TP Implementation 12 Figure 7 Logical LAN Implemen...

Страница 4: ...s Telecommuter Telecommuter Home Home Offices Offices Internet Internet Remote Remote Offices Offices Branch Branch Offices Offices Business Business Partners Partners Mobile Mobile Access Access Main...

Страница 5: ...nitor 3 0 Manager 3 0 Cisco IOS using pre shred mode only 12 2 NetScreen Remote VPN Client 10 0 General For secure VPNs the technologies that IP Office supports are IPSec L2TP Compulsory Voluntary opt...

Страница 6: ...approach It is important to understand that each of these groups serve a specific purpose and work together to provide a modular solution to Internet security problems By breaking IPSec into these se...

Страница 7: ...ol TCP IP L2TP tunneling encapsulates IP data packets in PPP for transmission through an IP network Upon receipt the IP and PPP headers are stripped away exposing the original IP data packet In this w...

Страница 8: ...lish the control connection Each L2TP tunnel requires a control connection to be established before any other L2TP messages can be issued It includes an Assigned Tunnel ID that is used to identify the...

Страница 9: ...f the inbound unprotected packet matches the condition on any configured IPSec form then a Security Association SA is formed with the specified Secure Gateway Once the SA is established the inbound pa...

Страница 10: ...establish the tunnel and thereby form the SA 2 ESP used to carry the encrypted data If the received IPSec packet is an ESP addressed to the IP Office then IP Office will check for a valid SA If a vali...

Страница 11: ...antages of IPSec L2TP and the symmetrical relationship between the two IPSec L2TP IPSec in L2TP L2TP Inside IPSec Advantages Encrypts data Disadvantages Packets must not be excessively re ordered in t...

Страница 12: ...an L2TP destination Any packet Check Routing Table Forward outside L2TP tunnel Queue Packet or Use Remote Gateway address to establish tunnel Forward inside L2TP tunnel Is the L2TP tunnel established...

Страница 13: ...on domain as the System LAN but uses a different MAC address and operates on a different subnet The Logical interface can be regarded as a secondary or a sub interface to the primary System LAN LAN1 i...

Страница 14: ...e feature allows single LAN systems to operate external and internal IP subnets in support of VPN networking NAT functionality is applied to traffic from LAN1 using the IP address assigned to the Logi...

Страница 15: ...re detailed in the diagram will be discussed with respect to the IP Office 3 0 VPN implementation The following elements will be discussed Public Access Public Interface IP Office VPN solutions Intern...

Страница 16: ...sed in conjunction an xDSL or Internet Router Both the Logical or the Physical LAN2 interface dual LAN systems can be used to provide Public Interface functionality as described in the following secti...

Страница 17: ...e physical LAN1 interface LAN2 X X The LAN2 is a second physical Ethernet interface NAT NAT allows multiple devices to communicate using a single IP address NAT Reverse Translation x x The function th...

Страница 18: ...transparently Using MS Windows once the IPSec connection has been established an L2TP connection can then be established over the IPSec VPN The IP Office Phone Manger Pro application can be used in co...

Страница 19: ...mechanism allow for QoS support on slow speed xDSL links for example For voice traffic IP Office performs concurrent call load restrictions on a per call basis and does not assume the bandwidth requir...

Страница 20: ...HC 46 Payload Payload The number of bytes per sample Type Value VOIP G711 G723 G729 Net 8K 160 24 20 20 Fax 14400 12000 9600 7200 72 60 48 36 Sample Rate Payload_per_sec The number of samples per seco...

Страница 21: ...t to the VoIP compression type that is to be used for G729 this value is 52 For L2TP the value is fixed for all compression types For the case where IPSec and L2TP are used in conjunction e g L2TP pro...

Страница 22: ...s 1 IP Office running 3 0 has been limited to 1Mbps of throughput for all traffic types 2 IP Office running 3 0 does not support IPHC for VPN networking 3 IPSec performs IP fragmentation in order to a...

Страница 23: ...ftware is because the IPsec encryption and decryption processing is now performed in hardware The encryption and decryption hardware for IPSec removes this processing overhead from the CPU In this way...

Страница 24: ...tions to trigger a Security Association SA The IP Security Menu Access to this menu is 1 With the Manager application open click on Tunnel 2 Click the IPSec radio button and then click OK 3 The follow...

Страница 25: ...dresses else the packet is discarded Local IP Address Mask defines the source IP address Remote IP Address defines destination IP address For any IP packet that is to be forwarded IP Office determines...

Страница 26: ...s 192 168 42 1 Mask 255 255 255 255 b IP Address 192 168 42 0 Mask 255 255 255 0 4 A single condition in terms of addressing can be specified for a given SA The SA condition can be applied between two...

Страница 27: ...rtant to understand the requirements in the detail of these tabs but it is however important that they are matched between two IPSec peers seeking to establish an SA During Phase 1 of negotiations IKE...

Страница 28: ...hide the IDs of the communicating device ID is slower but does hide the IDs of the communicating device Encryption DES or 3DES Set the encryption method Authentication MD5 128 bit default SHA 160 bit...

Страница 29: ...header Also authenticates the packet payload on a packet by packet basis AH No encryption encapsulation or confidentiality Only authentication and integrity Also authenticates portions of the IP head...

Страница 30: ...Remote Configuration Account Name and Password Used to set the PPP authentication parameters The Local name is the username that is used in outgoing authentication The Remote name is the username that...

Страница 31: ...Retransmission Interval Default 0 The time delay before retransmission Receive Window Size Default 4 The number of unacknowledged packest allowed Sequence numbers on Data Channel Default On When on ad...

Страница 32: ...o wait for response to a PPP keep alive message The connection is terminated if the peer fails to respond to 3 LCP Echo Requests Increasing this value will increases the time IP Office takes to determ...

Страница 33: ...Address of the next hop router see Guidelines below Gateway MAC Address The Ethernet MAC address of the next hop router see Guidelines below Firewall A Firewall Profile that is associated to this int...

Страница 34: ...ows and Unix systems Ethereal provides real time analysis of network traffic and capture to disk The application is available for download at http www ethereal com Some of the examples include packet...

Страница 35: ...N interface address Step 3 Within Manager right click the IP Route entity and create a new IP Route Add a default route for Internet access pointing to the Logical LAN interface IP Address un configur...

Страница 36: ...16 IP Mask 255 255 255 248 DHCP Disabled Enable NAT selected Firewall Profile un configured Firewall is optional in this configuration This configuration uses the NAT functionality on LAN2 Without thi...

Страница 37: ...ng for shared resources Internet access for corporate users Secure IP telephony between corporate sites Figure 19 IP Office to IP Office via Logical LAN The following step by step instructions describ...

Страница 38: ...required for each IP Office system in an SA Make sure the IPSec licences are valid on both systems Licence name IPSec Tunneling Step 4 For IP Office A create an IPSec tunnel Main tab Name IPSec_Tunne...

Страница 39: ...nnel The Gateway is the IPSec tunnel endpoint address Step 8 For IP Office B use the parameters shown in Steps 5 and 6 to complete the IKE and IPSec form configurations In order for an IPSec SA to be...

Страница 40: ...rporate office IP412 IPO_CO is the central VPN terminator and the PABX data router for several remote branch offices equipped with IP Office Small Office Editions Figure 20 L2TP IPSec IP Office to IP...

Страница 41: ...ion Step 2 For Branch No 1 create an L2TP tunnel and apply the same parameter values as in the previous step except for the parameter shown below Remote IP Address 217 37 65 126 The Remote IP Address...

Страница 42: ...3 0 IP Mask 255 255 255 0 Gateway un configured Destination L2TP 2 IP Address un configured IP Mask un configured Gateway 217 37 69 118 Destination LAN2 These routing entries will allow the tunnel to...

Страница 43: ...th tunnel endpoints must have the same shared secret Encryption set to DES Authentication set to MD5 Diffie Hellman Group Group 2 This is the time period before a new key is generated 86400 represents...

Страница 44: ...ssages appear This Signifies that the IPSec Tunnel is up When passing data through the tunnel you should see ESP packets on the protocol analyser Use SysMonitor to view PPP packet exchanges PPP echo R...

Страница 45: ...hed IPsec tunnel and is not be secured One of the key aspect to this application is that IP Office support Dynamic tunnels IP Office is able to create a Dynamic tunnel in the case were the IP address...

Страница 46: ...l ID Type IP address 217 37 69 116 My Identity Pre shared Key password Select Certificate None ID Type IP Address Port All Virtual Adapter Disable Internet Interface Local _NIC_Card_Name IP Address 21...

Страница 47: ...ocal IP Mask 255 255 255 0 Tunnel Endpoint IP Address LocalInterface Remote IP Address unconfigured Remote IP Mask unconfigured Tunnel Endpoint IP Address unconfigured A discrete name for the IPSec tu...

Страница 48: ...o MD5 This is the time period before a new key is generated 86400 represents one day in seconds Step 7 Check connection Activate the Security Policy on the Windows PC by right clicking the SoftRemote...

Страница 49: ...er Compression Mode unselected Multilink QoS unselected In support of numbered PPP interface mode add the following to IP tab of the WAN Service form Location A IP Address 10 10 20 1 IP Mask 255 255 2...

Страница 50: ...0 10 20 2 Remote Configuration IP Address 192 168 42 0 IP Mask 255 255 255 0 Tunnel Endpoint IP Address 10 10 20 1 See notes in step 3 above The Local Tunnel Endpoint IP Address is the near end tunnel...

Страница 51: ...ation A create an IPSec tunnel see The IP Security Menu on page 24 Main tab Local Configuration Name IPSec_Tunnel IP Address 192 168 42 0 IP Mask 255 255 255 0 Tunnel Endpoint IP Address 192 168 42 1...

Страница 52: ...e LAN1 IP address of Location A Step 5 For both IP Office Location A and Location B perform the following IKE Polices tab Shared Secret password Exchange Type ID port Encryption DES Authentication MD5...

Страница 53: ...Step 2 Within Manager for Office A create an IP Line and apply the following parameters Using the Line tab of the IP Line form Line Number 2 OutGoing Group ID 2 The IP Line is used to configure the V...

Страница 54: ...or IP Office B set the destination VoIP Gateway to the IP address of the Internal interface address of IP Office B Use VoIP tab of the IP Line to set the following parameters Gateway IP Address 192 16...

Страница 55: ...s Ensue the following parameters are configured Gatekeeper tab on the system form Auto Create Extension selected Gatekeeper Enable selected LAN1 tab on the System form DHCP Mode Server Ensure that the...

Страница 56: ...hange Carrier and local telephone companies to their local subscribers ESP Encapsulating Security Payload Within the IPSec architecture the packet format for algorithms and general issues associated w...

Страница 57: ...ame of the company which controls the US patent on the algorithm SA Security Association A relationship established between two or more entities to enable them to protect data they exchange The relati...

Страница 58: ...es has been transferred or licensed to Avaya All trademarks identified by or TM are registered marks or trademarks respectively of Avaya Inc All other trademarks are the property of their respective o...

Отзывы:

Нет отзывов

Похожие инструкции для IP Office (R3.0)

Canon PowerShot A530 Software User'S Manual preview
PowerShot A530
Бренд: Canon Страницы: 153
Canon PowerShot A420 Software User'S Manual preview
PowerShot A420
Бренд: Canon Страницы: 132
Canon PowerShot A460 Using Manual preview
PowerShot A460
Бренд: Canon Страницы: 135
Canon MultiPASS C50 Software User'S Manual preview
MultiPASS C50
Бренд: Canon Страницы: 198
Canon PowerShot A530 Software Starter Manual preview
PowerShot A530
Бренд: Canon Страницы: 98
KAPERSKY ADMINISTRATION KIT 6.0 Administrator'S Manual preview
ADMINISTRATION KIT 6.0
Бренд: KAPERSKY Страницы: 115
Xerox Phaser 6115 Getting Started preview
Phaser 6115
Бренд: Xerox Страницы: 28
TC Electronic RESTORATION SUITE User Manual preview
RESTORATION SUITE
Бренд: TC Electronic Страницы: 31
Juniper JUNOS PUS MOBILE SECURITY SUITE Datasheet preview
JUNOS PUS MOBILE SECURITY SUITE
Бренд: Juniper Страницы: 6
Xerox 701P40211 System Manual preview
701P40211
Бренд: Xerox Страницы: 110
Avaya IP Office CTI Link Programmer'S Manual preview
IP Office CTI Link
Бренд: Avaya Страницы: 28
Savin RW-470 Clients Installation Manual preview
RW-470 Clients
Бренд: Savin Страницы: 71
Minolta Fiery Z4 Operator'S Manual preview
Fiery Z4
Бренд: Minolta Страницы: 26
PNY S-Cure User Manual preview
S-Cure
Бренд: PNY Страницы: 15
Intrinsyc Telephony Modem Simulator Brochure preview
Telephony Modem Simulator
Бренд: Intrinsyc Страницы: 2
Nikon DI series Manual (Install To Pc) preview
DI series
Бренд: Nikon Страницы: 12
GRASS VALLEY K2 SUMMIT Datasheet preview
K2 SUMMIT
Бренд: GRASS VALLEY Страницы: 4
Nikon 25338 User Manual preview
25338
Бренд: Nikon Страницы: 240

Бренды по названию

Популярные бренды

Загрузить еще бренды