Lucent Technologies DEFINITY Enterprise Communications Server Release 8.2 Administration For Network Connectivity Manual
Administration for Network Connectivity 555-233-504 — Issue 1 — April 2000 CID: 77730

B Private Networking

Japan TTC Q931-a Private Networking Protocols

TTC Q931-a Protocols

The TTC defined private networking ISDN protocol is largely based upon ITU-T Q.931 protocol. DEFINITY ECS supports the following TTC defined protocols:
• Basic Call support as defined in JT-Q931-a “Digital Interface between PBXs (Common Channel Signaling) — Layer 3”
• Number Identification Services as defined in JT-Q951-a “Digital Interface between PBXs (Supplementary Services) — Number Identification Services”

Differences from ITU-T Q.931 include:
• symmetrical operation as Peers similar to QSIG protocol, i.e. No Network/User definition
• different protocol discriminator
• Progress Indicator IE not supported in DISCONNECT messages
• Timers T310 and T313 are disabled
• Sending Complete IE not supported
• NOTIFY messages are not supported.

Setting Up TTC Q931-a

Complete the following steps to set up TTC connections.

Begin Steps
1 Verify that you have the appropriate DEFINITY circuit pack for integration.
2 Enter “change system-parameters customer-options” on the command line of your system administration screen.
3 On page 1, verify that the G3 Version field is V8 or later.
4 On page 2, verify that ISDN-PRI field is y.
5 Administer the TTC DS-1 circuit pack. Check for the following field entries:
  ~ Connect field — pbx
  ~ Interface — peer-master or peer-slave
  ~ Peer Protocol — TTC
  ~ D-channel: (This item must match between the local and receiving switches)
  ~ Channel Numbering — sequential or timeslot (This item must match between the local and receiving switches)
6 Administer or check the TTC ISDN trunk group(s) associated with the DS1 circuit pack.
  Check for the following field entries on page 1 of the Trunk Group screen:
  ~ Group type: isdn
  ~ Supplementary Service protocol — a
  ~ Outgoing Display? y
  Check for the following field entries on page 2:
  ~ Disconnect Supervision — y
  ~ Numbering format — public, private, unknown, unk-pvt
  ~ Send Called/Busy/Connected Number — y
  ~ Sending Calling Number — y
  ~ Send Name — n
End

C Security Issues

This Appendix briefly discusses issues related to system security for DEFINITY ECS in a TCP/IP network environment.

Network Security Issues

This section describes a strategy to ensure the security of an intranet that is connected to DEFINITY ECS R7 or later systems.

Overview

The TCP/IP connectivity available with Release 7 and later of DEFINITY ECS makes it possible to connect one or more DEFINITY ECS systems in a network that includes connections to a company’s existing data network (LAN or intranet). This integration of networks introduces the possibility of unauthorized access — to the DEFINITY network through the LAN/intranet and to the LAN/intranet through the DEFINITY network.

Security concerns

Security can mean many different things. The strategy described here focuses on three key concerns from a customer perspective:
1 How can a customer network be protected from unauthorized outside access through a DEFINITY ECS? That is, how can a hacker be prevented from dialing into a DEFINITY ECS and getting on the customer LAN?
2 How can a customer network be protected from unauthorized access by Lucent services personnel?
3 How can a DEFINITY ECS be protected from unauthorized access through the customer LAN?

Security solutions

The first and most important line of defense in any security strategy is access control. Damage to the network or theft of proprietary information by hackers can be prevented by completely denying access to unauthorized users. Access control can be provided by three means:
• network topology
• network administration
• authentication

A second line of defense can be thought of as damage control — how to limit the amount of damage that can be done if someone does gain unauthorized access to the system? Damage control can be provided by application restrictions. Each of these control methods is described below.

Access control — network topology

Network topology refers to how the DEFINITY ECS network is connected to the customer's network.

Private network
One option to restrict access is to make sure that the DEFINITY ECS network is not connected to any other network; that is, the DEFINITY ECS network is private. This topology clearly solves all three access security concerns mentioned above. However, a private network is not an option for all customers.

Private segment
Another topology is to put the DEFINITY ECS network on a private segment, behind a router or a firewall. This approach can also solve all three concerns above by implementing packet filtering in the router/firewall such that only legitimate traffic can pass through.

Open network
One other topology that may be chosen is a completely open network, where DEFINITY ECS nodes are placed on the customer network just like any other piece of data networking equipment. An open network topology addresses none of the three security concerns above, and other methods of access control must be used for these installations.

Access control — network administration

Network administration refers to how a DEFINITY ECS (specifically, the C-LAN circuit pack) is administered in terms of dial-up PPP ports and routing information. A carefully administered system has only dialup ports in service for DCS and adjunct sessions that will be established at boot time. This means that normally there will not be any ports available for a hacker to dial into.
Additionally, the C-LAN circuit pack should be administered only with routes specific to the DCS and adjunct nodes. This ensures that anyone getting into a DEFINITY ECS can only get to other DCS or adjunct nodes, not anywhere else on the customer network. Careful administration will address concerns #1 and #2 above.

Note that no new access to the system access terminal (SAT), such as network-based SAT, is introduced in Release 7. As in earlier releases of DEFINITY ECS, all port and route administration can be done only via the SAT, and all changes are logged.

Access control — authentication

Authentication also plays a role in providing access control to dial-up PPP ports. All of these ports can be protected by Challenge Handshake Authentication Protocol (CHAP). This provides an extra level of assurance that no unauthorized user will be able to connect to a PPP port on C-LAN.
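
The administration and authentication rules above can be checked mechanically against an export of the C-LAN administration. The following is an added example, not part of the Lucent manual: the port names, addresses and record layout are constructed, and it assumes that only host routes to approved DCS/adjunct nodes are acceptable.

```python
import ipaddress

# Constructed sample data (not DEFINITY SAT output). Names and addresses are
# hypothetical: the approved DCS/adjunct nodes and one C-LAN's administration.
APPROVED_NODES = {
    "10.20.1.10": "DCS node B",
    "10.20.1.20": "CMS adjunct",
    "10.20.1.30": "Intuity adjunct",
}
PPP_PORTS = [
    {"port": "ppp-1", "in_service": True, "session": "DCS node B", "chap": True},
    {"port": "ppp-2", "in_service": True, "session": None, "chap": True},
    {"port": "ppp-3", "in_service": True, "session": "CMS adjunct", "chap": False},
    {"port": "ppp-4", "in_service": False, "session": None, "chap": False},
]
ROUTES = ["10.20.1.10/32", "10.20.1.20/32", "0.0.0.0/0", "10.30.0.0/16", "10.20.1.99/32"]


def audit_ppp_ports(ports, approved):
    """Flag in-service dial-up ports with no DCS/adjunct session or without CHAP."""
    findings = []
    for p in ports:
        if not p["in_service"]:
            continue  # out-of-service ports are not exposed to dial-in
        if p["session"] not in approved.values():
            findings.append((p["port"], "in service without a DCS/adjunct session"))
        if not p["chap"]:
            findings.append((p["port"], "CHAP not enabled"))
    return findings


def audit_routes(routes, approved):
    """Flag routes that reach beyond the approved DCS/adjunct nodes.

    Assumption: only host routes to approved nodes are acceptable.
    """
    nodes = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        if net.prefixlen == 0:
            findings.append((r, "default route exposes the whole customer network"))
        elif net.num_addresses > 1:
            findings.append((r, "network route, not a route to a single node"))
        elif net.network_address not in nodes:
            findings.append((r, "host route to an unapproved node"))
    return findings
```

With the constructed data, ppp-2 and ppp-3 are flagged along with the default route, the /16 route and the host route to 10.20.1.99.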

Damage control — application restrictions

Release 7 provides damage control by what can be termed application restrictions. This simply means that DEFINITY ECS R7 has been designed to support only specific applications; that is, DCS and adjuncts. Other applications that could present security risks have been deliberately disabled. Specifically, there is no support for telnet or rlogin into or out of a DEFINITY ECS, making it difficult for anyone to maneuver between the DEFINITY ECS network and the customer network.

Additionally, because of the application restrictions, little damage can be done by someone attempting to hack into a DEFINITY ECS from the customer network (concern #3). It would be very difficult, via the network, to modify administration or perpetrate toll fraud. At worst, a hacker could cause a temporary interruption of DCS, CMS, or Intuity connections.

In Summary

All three security concerns presented above can be addressed by a combination of one or more of the security methods described here. Probably the two most important methods to prevent unauthorized access to a network are:
1 Choose a network topology for the DEFINITY ECS network that satisfies security needs.
2 Carefully administer the DEFINITY ECS network to minimize the possibility of the LAN or intranet being accessed by unauthorized personnel.

D Capacities and Performance

This Appendix discusses issues related to system capacities and performance for DEFINITY ECS in an IP network environment. It provides a method of estimating the number of C-LAN and MedPro circuit packs that are needed to support various levels of traffic.

This appendix provides performance and traffic configuration guidelines for the C-LAN (TN799B) and the MedPro (TN802B) circuit packs. It assumes DEFINITY switch connections in which both signaling and voice data are carried over a LAN or WAN using TCP/IP.

Capacities and Resource Requirements

The following table gives capacity limits for IP connections for DEFINITY ECS and the IP Interface circuit packs.

| For DEFINITY | Capacity Limits |
|---|---|
| Number of network regions | ≤ 10 |
| Number of C-LAN circuit packs | ≤ 10 |
| Number of MedPro circuit packs | ≤ 46 for the r; 13 for the si and csi |
| Number of simultaneous TCP/UDP connections per C-LAN | ≤ 508 |
| Number of audio streams per TN802B | ≤ 22 using G.723.1 or G.729A codecs; 31 using G.711 codec |

As a worst-case example of these limits, assume 1000 active H.323 endpoints, each requiring 3 C-LAN connections and G.723 codec processing. This configuration would require 3 × 1000/508 = 6 C-LANs and 1000/22 = 46 MedPros.

The following table gives the number of sockets (connections) needed for IP softphones and H.323 trunks.

| For C-LAN | Number of Sockets Required |
|---|---|
| Number of sockets per road-warrior application (The H.323 sockets are held up while registered if the endpoint is administered as a Permanent user or while the call is active if administered as an As Needed user) | = 3 (1 DCP + 2 H.323); 2 (1 DCP + 1 H.323 with tunneling) |
| Number of sockets per telecommuter application | = 1 (while registered) |
| Number of sockets per Native Mode station | = 1 per call with tunneling; 2 per call without tunneling |
| Number of sockets per H.323 Tie trunk (the numbers depend on whether signaling groups are shared by trunks and whether tunneling is used) | = sharing & tunneling: 1/sig grp (default); sharing, no tunneling: 1/sig grp + 1/call; no sharing, tunneling: 1/call; no sharing, no tunneling: 2/call |
| Number of sockets per H.323 DID trunk | = 2 (while on call) |

Performance

Overview

This section presents methods for estimating:
• the impact on the processor
• the impact on the TDM bus
• the number of C-LAN boards
• the number of MedPro boards

Given assumptions about:
• the number of H.323 endpoints:
  ~ # of road-warrior applications
  ~ # of telecommuter applications
  ~ # of native H.323 phones
  ~ # of H.323 Tie trunks
  ~ # of H.323 DID trunks
• average number of C-LAN connections per H.323 endpoint
• number of audio streams per DSP
• grade of service (GOS)
• average call holding times

Definitions

Offered Load. The telephone traffic arriving at a system for processing. The offered load is equal to or greater than the carried load.

Carried Load. The telephone traffic actually processed by a system. The carried load is equal to or less than the offered load.

Endpoint Carried Load. The average number of IP Softphones + H.323 trunks on active calls to the DEFINITY system.

Socket Carried Load. The average number of active C-LAN connections between the local DEFINITY system and the IP Softphones + H.323 trunk-connected remote DEFINITY systems.

Socket. A software data structure associated with a connection between the C-LAN board and an endpoint.

Grade of Service (GOS). If the call load offered to a system can exceed its maximum capacity, there is a probability that some calls will be blocked. The GOS is a specification of the probability that one or more calls will be blocked. The probability is expressed in the form, P0...0X. For example, a GOS of P01 specifies that, in the long run, calls will be blocked 1% of the time; P0001 specifies that calls will be blocked 1/100th of 1% of the time.

Full Availability. The capacity is sized to the carried load.

Erlang. The Erlang is a unit of measure of the intensity of telephone traffic. It measures the average utilization of a set of system resources during a given time period. For example, if a server (trunk) is busy for 30 seconds over a measurement period of 2 minutes, the traffic intensity for that measurement period is 0.25 (30 sec/120 sec) Erlangs. An intensity of one Erlang represents the full utilization of one call server, or an average of 1/n-th utilization of n servers, over the measurement time period. Since the Erlang is time divided by time, it is a dimensionless unit.

The maximum capacity of one trunk is one Erlang and the maximum capacity of a group of trunks is equal to the number of trunks in Erlangs. For example, the maximum capacity of a group of 30 trunks is 30 Erlangs. If, during a given hour the utilization of the trunk group was 10 Erlangs, on average 10 trunks were busy. This could have happened for 10 one-hour calls (unlikely) or 600 one-minute calls, or any combination of calls and durations that result in 36,000 call-seconds.

Another measure of traffic intensity is the CCS, or hundred (century) call-seconds per hour. Since one Erlang is equal to 3600 call-seconds per hour, one Erlang is equal to 36 CCS per hour.

Erlang B. The probability distribution used to estimate the number of trunks needed to carry a given amount of traffic for a “loss system.” It assumes that when a call arriving at random finds all trunks busy, it vanishes and doesn’t return (“lost calls cleared”).

Erlang C. The probability distribution used to estimate the number of trunks needed to carry a given amount of traffic for a “delay system.” It assumes that all calls will wait indefinitely to get through.
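
To make the Erlang B and Full Availability definitions concrete, the following added example (not code from the Lucent manual) reproduces the worst-case board count given earlier and then sizes audio streams to a grade of service with the standard Erlang B recursion. It goes beyond the page's worked case; treating audio streams as the servers of a loss system and the per-endpoint traffic figure are assumptions.

```python
import math

SOCKETS_PER_CLAN = 508    # from the capacity table: TCP/UDP connections per C-LAN
STREAMS_PER_MEDPRO = 22   # from the capacity table: G.723.1 or G.729A streams per TN802B


def erlang_b(offered_erlangs, servers):
    """Blocking probability of a loss system ("lost calls cleared")."""
    b = 1.0  # with zero servers every call is blocked
    for n in range(1, servers + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def servers_for_gos(offered_erlangs, gos):
    """Smallest number of servers whose Erlang B blocking does not exceed gos."""
    if not 0 < gos < 1:
        raise ValueError("gos must be a probability between 0 and 1")
    n = 0
    while erlang_b(offered_erlangs, n) > gos:
        n += 1
    return n


def boards_full_availability(endpoints, sockets_per_endpoint):
    """Boards needed when every endpoint is active at once (no blocking)."""
    clans = math.ceil(endpoints * sockets_per_endpoint / SOCKETS_PER_CLAN)
    medpros = math.ceil(endpoints / STREAMS_PER_MEDPRO)
    return clans, medpros


def medpros_for_gos(endpoints, erlangs_per_endpoint, gos):
    """Audio streams and MedPro boards for a target GOS.

    erlangs_per_endpoint is an assumed traffic figure, not a value from the page.
    """
    streams = servers_for_gos(endpoints * erlangs_per_endpoint, gos)
    return streams, math.ceil(streams / STREAMS_PER_MEDPRO)


if __name__ == "__main__":
    print(boards_full_availability(1000, 3))   # the page's worst-case example
    print(servers_for_gos(10.0, 0.01))         # trunks for 10 Erlangs at P01
    print(medpros_for_gos(1000, 0.1, 0.01))    # assumed 0.1 Erlang per endpoint
```

Sizing to a GOS rather than to full availability needs fewer boards whenever endpoints are idle most of the time, at the cost of the stated blocking probability.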

Processor performance

The number of thousands of busy-hour calls (KBHC) can be estimated as a function of the processor occupancy estimate (POE) and the time per call (T), in milliseconds, as follows:

KBHC ≤ 36 × POE / T

The following table gives the estimated BHC capacity for the G3r and G3si models given various values of POE and T.

| G3r T (ms) | G3r POE = 57% | G3r POE = 65% | G3si T (ms) | G3si POE = 52% | G3si POE = 60% |
|---|---|---|---|---|---|
| 100 | 20,500 | 23,400 | 200 | 9,400 | 10,800 |
| 150 | 13,700 | 15,600 | 300 | 6,200 | 7,200 |
| 200 | 10,300 | 11,700 | 400 | 4,700 | 5,400 |

TDM bus performance

The impact of H.323 voice-only calls on the TDM bus is the same as for circuit-switched voice calls.