Lucent Technologies DEFINITY Enterprise Communications Server Release 8.2 Administration For Network Connectivity Instructions Manual

							Japan TTC Q931-a Private Networking Protocols 
401
Administration for Network Connectivity
555-233-504— Issue 1 — April 2000 CID: 77730
B  Private Networking
TTC Q931-a Protocols
The TTC defined private networking ISDN protocol is largely based upon ITU-T 
Q.931 protocol.  DEFINITY ECS supports the following TTC defined protocols:
Basic Call support as defined in JT-Q931-a “Digital Interface between PBXs 
(Common Channel Signaling) — Layer 3”
Number Identification Services as defined in JT-Q951-a “Digital Interface between 
PBXs (Supplementary Services) — Number Identification Services”
Differences from ITU-T Q.931 include:
•symmetrical operation as Peers similar to QSIG protocol, i.e. No Network/User 
definition
•different protocol discriminator
•Progress Indicator IE not supported in DISCONNECT messages
•Timers T310 and T313 are disabled
•Sending Complete IE not supported
•NOTIFY messages are not supported. 
						

							Japan TTC Q931-a Private Networking Protocols B  Private Networking
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
402
Setting Up TTC Q931-a
Complete the following steps to set up TTC connections.
Begin
Steps
1  
Verify that you have the appropriate DEFINITY circuit pack for integration 
2  Enter “change system-parameters customer-options” on the command line of 
your system administration screen.
3  On page 1, verify that the G3 Version field is V8 or later
4  On page 2, verify that ISDN-PRI field is y.
5  Administer the TTC DS-1 circuit pack. 
Check for the following field entries:
~Connect field — pbx
~Interface — peer-master or peer-slave
~Peer Protocol — TTC
~D-channel: (This item must match between the local and receiving switches)
~Channel Numbering — sequential or timeslot  (This item must match between 
the local and receiving switches)
6  Administer or check the TTC ISDN trunk group(s) associated with the DS1 
circuit pack.
Check for the following field entries on page 1 of the Trunk Group screen:
~Group type: isdn
~Supplementary Service protocol — a
~Outgoing Display? y
Check for the following field entries On page 2
~Disconnect Supervision — y
~Numbering format — public, private, unknown, unk-pvt
~Send Called/Busy/Connected Number — y
~Sending Calling Number — y
~Send Name — n
End 
						

							403Administration for Network Connectivity555-233-504 — Issue 1 — April 2000  CID: 77730
C    Security Issues
This Appendix briefly discusses issues related to system security for DEFINITY ECS in a TCP/IP 
network environment.
Network Security Issues
This section describes a strategy to ensure the security of an intranet that is connected to DEFINITY 
ECS R7 or later systems. 
Overview
The TCP/IP connectivity available with Release 7 and later of DEFINITY 
ECS makes it possible to connect one or more DEFINITY ECS systems in a 
network that includes connections to a company’s existing data network 
(LAN or intranet). This integration of networks introduces the possibility of 
unauthorized access  — to the DEFINITY network through the LAN/intranet 
and to the LAN/intranet through the DEFINITY network.
Security concerns
Security can mean many different things. The strategy described here focuses 
on three key concerns from a customer perspective:
1  How can a customer network be protected from unauthorized outside access 
through a DEFINITY ECS? That is, how can a hacker be prevented from dialing 
into a DEFINITY ECS and getting on the customer LAN?
2  How can a customer network be protected from unauthorized access by Lucent 
services personnel?
3  How can a DEFINITY ECS be protected from unauthorized access through the 
customer LAN?
Security solutions
The first and most important line of defense in any security strategy is access 
control. Damage to the network or theft of proprietary information by hackers 
can be prevented by completely denying access to unauthorized users.
Access control can be provided by three means:
•network topology
•network administration
•authentication  
						

							Network Security Issues C  Security Issues
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
404
A second line of defense can be thought of as damage control — how to limit the 
amount of damage that can be done if someone does gain unauthorized access to the 
system? Damage control can be provided by application restrictions.
Each of these control methods is described below.
Access control — 
network topologyNetwork topology refers to how the DEFINITY ECS network is connected to the 
customers network.
Private network
One option to restrict access is to make sure that the DEFINITY ECS network is not 
connected to any other network; that is, the DEFINITY ECS network is private. This 
topology clearly solves all three access security concerns mentioned above. However, 
a private network is not an option for all customers.
Private segment
Another topology is to put the DEFINITY ECS network on a private segment, behind 
a router or a firewall. This approach can also solve all three concerns above by 
implementing packet filtering in the router/firewall such that only legitimate traffic 
can pass through.
Open network
One other topology that may be chosen is a completely open network, where 
DEFINITY ECS nodes are placed on the customer network just like any other piece 
of data networking equipment. An open network topology addresses none of the three 
security concerns above, and other methods of access control must be used for these 
installations.
Access control — 
network administrationNetwork administration refers to how a DEFINITY ECS (specifically, the C-LAN 
circuit pack) is administered in terms of dial-up PPP ports and routing information. A 
carefully administered system has only dialup ports in service for DCS and adjunct 
sessions that will be established at boot time. This means that normally there will not 
be any ports available for a hacker to dial into. Additionally, the C-LAN circuit pack 
should be administered only with routes specific to the DCS and adjunct nodes. This 
ensures that anyone getting into a DEFINITY ECS can only get to other DCS or 
adjunct nodes, not anywhere else on the customer network. Careful administration 
will address concerns #1 and #2 above.
Note that no new access to the system access terminal (SAT), such as network-based 
SAT, is introduced in Release 7. As in earlier releases of DEFINITY ECS, all port 
and route administration can be done only via the SAT, and all changes are logged.
Access control — 
authenticationAuthentication also plays a role in providing access control to dial-up PPP ports. All 
of these ports can be protected by Challenge Handshake Authentication Protocol 
(CHAP). This provides an extra level of assurance that no unauthorized user will be 
able to connect to a PPP port on C-LAN. 
						

							Network Security Issues 
405
Administration for Network Connectivity
555-233-504— Issue 1 — April 2000 CID: 77730
C  Security Issues
Damage control — 
application restrictionsRelease 7 provides damage control by what can be termed application restrictions. 
This simply means that DEFINITY ECS R7 has been designed to support only 
specific applications; that is, DCS and adjuncts. Other applications that could present 
security risks have been deliberately disabled. Specifically, there is no support for 
telnet or rlogin into or out of a DEFINITY ECS, making it difficult for anyone to 
maneuver between the DEFINITY ECS network and the customer network. 
Additionally, because of the application restrictions, little damage can be done by 
someone attempting to hack into a DEFINITY ECS from the customer network 
(concern #3). It would be very difficult, via the network, to modify administration or 
perpetrate toll fraud. At worst, a hacker could cause a temporary interruption of DCS, 
CMS, or Intuity connections.
In SummaryAll three security concerns presented above can be addressed by a combination of one 
or more of the security methods described here. Probably the two most important 
methods to prevent unauthorized access to a network are:
1  Choose a network topology for the DEFINITY ECS network that satisfies 
security needs. 
2  Carefully administer the DEFINITY ECS network to minimize the possibility of 
the LAN or intranet being accessed by unauthorized personnel. 
						

							Network Security Issues C  Security Issues
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
406 
						

							407Administration for Network Connectivity555-233-504 — Issue 1 — April 2000  CID: 77730
D  Capacities and Performance
This Appendix discusses issues related system capacities and performance for DEFINITY ECS in 
an IP network environment. It provides a method of estimating the number of C_LAN and 
MedPro circuit packs that are needed to support various levels of traffic.
This appendix provides performance and traffic configuration guidelines for the C-LAN (TN799B) and the 
MedPro (TN802B) circuit packs. It assumes DEFINITY switch connections in which both signaling and voice 
data are carried over a LAN or WAN using TCP/IP.
Capacities and Resource Requirements
The following table gives capacity limits for IP connections for DEFINITY ECS and 
the IP Interface circuit packs. 
For DEFINITY Capacity Limits
Number of network regions
£10
Number of C-LAN circuit packs
£10
Number of MedPro circuit packs
£46 for the r 
13 for the si and csi
Number of simultaneous 
TCP/UDP connections per C-LAN
£508 
Number of audio streams per 
TN802B
£22 using G.723.1 or G.729A codecs
31 using G.711 codec 
						

							 D  Capacities and Performance
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
408
The following table gives the number of sockets (connections) needed for IP 
softphones and H.323 trunks.
As a worst-case example of these limits, assume 1000 active H.323 endpoints, each 
requiring 3 C-LAN connections and G.723 codec processing. This configuration 
would require 3x1000/508 = 6 C-LANS and 1000/22 = 46 MedPros.
For C-LANNumber of Sockets Required
Number of sockets per 
road-warrior application
(The H.323 sockets are held up 
while registered if the endpoint is 
administered as a Permanent user or 
while the call is active if administered 
as an As Needed user
)
=3 (1 DCP + 2 H.323)
2 (1 DCP + 1 H.323 with tunneling)
Number of sockets per 
telecommuter application
=1 (while registered)
Number of sockets per Native 
Mode station
=1 per call with tunneling
2 per call without tunneling
Number of sockets per H.323 Tie 
trunk 
(the numbers depend on whether 
signaling groups are shared by trunks 
and whether tunneling is used
)
=sharing & tunneling: 1 /sig grp (default)
sharing, no tunneling: 1 /sig grp + 1/call
no sharing, tunneling: 1 /call
no sharing, no tunneling: 2 /call
Number of sockets per H.323 
DID trunk
=2 (while on call) 
						

							 
409
Administration for Network Connectivity
555-233-504— Issue 1 — April 2000 CID: 77730
D  Capacities and Performance
Performance
OverviewThis section presents methods for estimating:
•the impact on the processor
•the impact on the TDM bus
•the number of C-LAN boards
•the number of MedPro boards
Given assumptions about:
•the number of H.323 endpoints:
~# of road-warrior applications
~# of telecommuter applications
~# of native H.323 phones
~# of H.323 Tie trunks
~# of H.323 DID trunks
•average number of C-LAN connections per H.323 endpoint
•number of audio streams per DSP
•grade of service (GOS)
•average call holding times
Definitions Offered Load.  The telephone traffic arriving at a system for processing. The offered 
load is equal to or greater than the carried load.
Carried Load .  The telephone traffic actually processed by a system. The carried 
load is equal to or less than the offered load.
Endpoint Carried Load.  The average number of IP Softphones + H.323 trunks on 
active calls to the DEFINITY system.
Socket Carried Load.  The average number of active C-LAN connections between 
the local DEFINITY system and the IP Softphones + H.323 trunk-connected remote 
DEFINITY systems.
Socket.  A software data structure associated with a connection between the C-LAN 
board and an endpoint.
Grade of Service (GOS).  If the call load offered to a system can exceed its 
maximum capacity, there is a probability that some calls will be blocked. The GOS is 
a specification of the probability that one or more calls will be blocked. The 
probability is expressed in the form, P0...0X. For example, a GOS of P01 specifies 
that, in the long run, calls will be block 1% of the time; P0001 specifies that calls will 
be blocked 1/100th of 1% of the time.
Full Availability.  The capacity is sized to the carried load. 
						

							 D  Capacities and Performance
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
410
Erlang.  The Erlang is a unit of measure of the intensity of telephone traffic. It 
measures the average utilization of a set of system resources during a given time 
period. For example, if a server (trunk) is busy for 30 seconds over a measurement 
period of 2 minutes, the traffic intensity for that measurement period is 0.25 
(30sec/120sec) Erlangs. An intensity of one Erlang represents the full utilization of 
one call server, or an average of 1/n
th utilization of n servers, over the measurement 
time period. Since the Erlang is time divided by time, it is a dimensionless unit.
The maximum capacity of one trunk is one Erlang and the maximum capacity of a 
group of trunks is equal to the number of trunks in Erlangs. For example, the 
maximum capacity of a group of 30 trunks is 30 Erlangs. If, during a given hour the 
utilization of the trunk group was 10 Erlangs, on average 10 trunks were busy. This 
could have happened for 10 one-hour calls (unlikely) or 600 one-minute calls, or any 
combination of calls and durations that result in 36,000 call-seconds.
Another measure of traffic intensity is the CCS, or hundred (century) call-seconds per 
hour. Since one Erlang is equal to 3600 call-seconds per hour, one Erlang is equal to 
36 CCS per hour. 
Erlang B.  The probability distribution used to estimate the number of trunks needed 
to carry a given amount of traffic for a “loss system.” It assumes that when a call 
arriving at random finds all trunks busy, it vanishes and doesn’t return (“lost calls 
cleared”). 
Erlang C.  The probability distribution used to estimate the number of trunks needed 
to carry a given amount of traffic for a “delay system.” It assumes that all calls will 
wait indefinitely to get through.
Processor performanceThe number of thousands busy-hour calls (KBHC) can be estimated as a function of 
the processor occupancy estimate (POE) and the time per call (T), in milliseconds, as 
follows:
KBHC 
£ 36*POE / T
The following table gives the estimated BHC capacity for the G3r and G3si models 
given various values of POE and T. 
TDM bus performanceThe impact of H.323 voice-only calls on the TDM bus is the same as for circuit 
switch voice calls.G3r G3si
T(ms)POE = 
57%POE = 
65%T(ms)POE = 
52%POE = 
60%
100 20,500 23,400 200 9,400 10,800
150 13,700 15,600 300 6,200 7,200
200 10,300 11,700 400 4,700 5,400