
Cisco VOIP Deployment Guide PbxLAN


Configuration Note for ASVALAN Certification of Cisco LAN Products

APL Date: August, 2007 (ASVALAN Version 4)

This document is intended to provide guidance to both Cisco and Customer personnel in the deployment of Cisco’s Assured Services Voice Application Local Area Network (ASVALAN) certified solution. It is intended to supplement the information available in product documentation regarding specific configuration items and guidelines required for ASVALAN certification.

Contents

These release notes contain the following sections:

• Introduction to the ASVALAN Certification, page 1

• Certified Cisco Products, page 6

• Configuration Guidelines for DoD LAN Features, page 12

• Certified Network Topologies, page 20

• Related Documentation, page 30

• Obtaining Documentation, Obtaining Support, and Security Guidelines, page 31

Introduction to the ASVALAN Certification

Cisco Systems has completed ASVALAN certification of Cisco’s LAN products in conjunction with PBX1 and PBX2 certification of Cisco’s Unified Communications solutions to provide one of the few end-to-end Voice over Internet Protocol (VoIP) product lines that have been fully tested and certified. You can deploy a Cisco Unified Communications solution into your network confident that it will measure up to the strict Defense Information Systems Agency (DISA) standards.

Americas Headquarters:

©2007 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA


All equipment connected to the Defense Information Systems Network (DISN) must be certified for interoperability (IO) and information assurance (IA). Section 353 of Public Law 107-314 establishes statutory requirements for installation and connection policy and procedures regarding the Defense Switch Network (DSN). The Department of Defense (DoD) documents that provide policy guidance for DoD voice networks include:

• CJCSI 6211.02B "DISN Connection Policy, Responsibilities, and Processes" — establishes policy, responsibilities, and connection approval process requirements for subnetworks of DISN.

• CJCSI 6215.01B "Policy for DoD Voice Networks"— establishes policy and prescribes responsibilities for use and operation of the DoD voice networks (specifically DSN and the Defense RED Switch Network (DRSN)).

• DoDI 8100.3 "DoD Voice Networks"— directs Joint Interoperability and Information Assurance testing of all components connected, or planned for connection, to the DSN, DRSN, or PSTN.

• DoDD 8500.1 "Information Assurance"— directs all Information Technology to be IA tested and certified before connection to the DISN.

The Generic Switching Center Requirements (GSCR) document specifies technical requirements for telecommunications equipment to be used in the DoD network in support of voice, video, and data services. The DoD voice network consists of three major networks: the DSN, DRSN, and tactical networks. The GSCR includes requirements for the following different switch types:

• Tandem Switch

• End Office Switch (EO)

• Multi-Function Switch (MFS)

• Small End Office Switch (SMEO)

• Remote Switching Unit (RSU)

• Private Branch eXchange 1 (PBX1)

• Private Branch eXchange 2 (PBX2)

• Digital Voice eXchange (DVX) or tactical switch

The GSCR also includes requirements for other equipment that connects to a voice network:

• ASVALAN

• Conference Bridge

• Customer Premise Equipment (CPE)

• Network Element

• Video TeleConference (VTC)

• Network Manager

• Signaling Transfer Point (STP)

Though heavily focused on Time Division Multiplexing (TDM) technology, the GSCR was updated in 2003 to include requirements for VoIP. These requirements are included in Appendix 3 of the GSCR. VoIP implementation within the DSN will take place in two major phases:

1. Phase 1 involves IP islands interconnected via the traditional DSN, which consists of circuit-switched systems and TDM transmission facilities. As such, the existing non-IP systems provide for the standardized interoperability between various IP-based systems.

2. Phase 2 involves full network-wide IP interoperability and replaces the traditional circuit-switch and TDM technology.

The current version of Appendix 3 only addresses Phase 1.


The certification process is the responsibility of the DISA Voice Connection Approval Office (VCAO). Certification consists of two different activities:

• Interoperability testing — This testing ensures end-to-end interoperability of voice switching systems by verifying that all Telecom equipment connected to the DSN meets applicable GSCR. The focus of testing is to ensure that Military Unique Features (MUF), such as Multilevel Precedence and Preemption, are met.

• Information Assurance, or security, testing — This testing is composed of three (3) phases:

– Phase I: Security Technical Implementation Guide (STIG) compliance, Functional Security Tests with emphasis on GR-815

– Phase II: IP Penetration Testing

– Phase III: Air Force Information Operations Center (AFIOC) Testing

The testing validates product compliance with Federal and DoD IA requirements.

Vendors must have a sponsor for certification testing.

Figure 1 outlines the certification process:

Figure 1 DISA Certification Process

The Joint Interoperability Test Command (JITC) at Ft. Huachuca in Sierra Vista, AZ, performs the certification testing. Upon successful completion of both test activities, JITC places the certified product/system on DISA's Approved Products List (APL). DoD customers may only purchase and deploy equipment listed on the APL.

Recently, the certification process was updated to shorten the time required for certification. Historically, certification testing typically took 14-18 months from the time the request was submitted until the product/system was placed on the APL. The new process targets six months. A certification is valid for three years.

[Figure 1 diagram labels. Interoperability Certification track: Vendor/Sponsor Submits; Interop Product Testing; Joint Staff Validation; Product Receives Interop Cert to Connect to DISN. Information Assurance (IA) Certification track: Vendor/Sponsor Submits; IA Product Testing; DISN DAA Validation; Product Receives IA Cert to Connect to DISN. Both Certifications Required For Placement On Approved Products List (APL). DISN = Defense Information Systems Network; DAA = Designated Approval Authority.]


Customers can deploy equipment and configurations that are not certified under special circumstances. This requires a waiver or an Interim Certificate to Operate (ICTO).

• Waivers:

– Urgent operations need, validated by operational chain of command and the Chairman of the Joint Chiefs of Staff

– To accommodate new or emerging technology pilot programs previously coordinated with and recommended by the DSN and validated by the Chairman of the Joint Chiefs of Staff.

• ICTO:

– Shall not be granted for more than 12 months

– The equipment to be purchased must be in the process of certification and the vendors must have the ability to pass certification within 12 months.

– Must be signed by the ASD and cannot be delegated

Both of these processes require approval by the entire chain of command at the purchasing military installation and approval by the Office of the Secretary of Defense (OSD). No ICTOs have been granted since Public Law 107-314 was passed. Since this process goes through the entire chain of command, we cannot expect any ICTOs to be granted. The certificate is viewed as unobtainable.

Equipment purchased prior to the passage of public law has been grandfathered and is not required to go through certification unless some aspect of the configuration or architecture changes. For example, if a customer with a non-certified system wants to change/add hardware or software, or even add phones, they must either 1) sponsor the vendor for additional testing at JITC which can add months to the purchase cycle, or 2) upgrade their equipment, often at considerable cost, to a configuration that is already on the APL.

From a VoIP perspective, there are two different system configurations:

• IP Centric— IP centric architectures are designed around an IP core packet switching system. These solutions have distributed IP devices that function together to perform the functions of a circuit switch. The connectivity to the rest of the DSN architecture is via T1 PRI, T1 CAS or SS7 interfaces.

• IP Enabled— The IP enabled approach utilizes traditional TDM circuit switches that offer VoIP as a line instrument. This solution has a TDM circuit switch as the core device with VoIP provided as a line function similar to other analog or digital telephony instruments. The DSN interface requirements are provided via the circuit switch and the connectivity to the IP LAN is via Ethernet.

From a LAN perspective, there are two different system configurations:

• Converged— An IP network used to transmit a combination of voice, video, and/or data services. The converged definition applies to a singular camp, post, base, or station IP network that will be used to provide IP services along with the addition of DSN VoIP services.

• Non-converged— A network that is used solely to provide DSN VoIP services. A separate IP network will be used to provide IP data services.

The key ASVALAN requirements include:

• ASVALAN networks shall be designed to support a full duplex switched topology

• The ASVALAN shall have a hardware availability of 0.99999 (non-availability of no more than five minutes per year (min/yr))

• ASVALAN shall have no single point of failure that can cause an outage of more than 64 telephony subscribers

The LAN architecture consists of three layers:

• Access or edge layer— End user connections


• Distribution or building layer (optional)— Demarcation point between the access and core layers

• Core layer— High-speed switching backbone to switch packets as fast as possible

Cisco's ASVALAN certified solution is a converged system and was one of the first LAN systems to achieve ASVALAN certification. Figure 2 depicts the ASVALAN architecture:

Figure 2 ASVALAN Architecture

Currently, PBX1 equipment is certified separately from the LAN equipment. Any certified VoIP system can be deployed with any certified ASVALAN system with the exception of any VOIP system certified with a C2VGLAN (most initial JITC certified VOIP systems were tested this way). These initial certifications are only for joint use in the DSN in conjunction with the C2VGLAN.

The remainder of this document describes various typical LAN configurations that are approved as part of this certification. In support of these descriptions, this document uses the following terms:

• Single switch, internally redundant— Single switch chassis with redundant Supervisor modules, redundant power supplies, and redundant uplinks from separate modules (if applicable)

• Redundant switches, no internal redundancy— Two switch chassis with single Supervisor, redundant power supplies optional in each chassis, redundant uplinks (one from each chassis, if applicable)

[Figure 2 diagram labels: DSN; DSN Switch/Gateways (MFS, EO, SMEO, PBX); Core Router/Switch; Distribution Router/Switch (two); Access Router/Switch (two); IP telephony subscribers; ASVALAN (SUT). Legend: ASVALAN = Assured Services Voice Application Local Area Network; DSN = Defence Switched Network; EO = End Office; IP = Internet Protocol; MFS = Multifunction Switch; PBX = Private Branch Exchange; SMEO = Small End Office; SUT = System Under Test; VoIP = Voice over Internet Protocol.]


• Collapsed core/access layer switch—Mostly used in small networks; single internally redundant switch serves as core switch, and also includes access layer ports for user connectivity

All Cisco products that have been placed on DISA’s APL can be found at the link below. The certification letters included here contain detailed information about the testing and related results.

http://jitc.fhu.disa.mil/apl/dsn/apl_cisco.html

Certified Cisco Products

The following sections detail the products and software releases that have been submitted for certification and approved by DISA. To deploy an ASVALAN certified network, you must follow these guidelines:

• You must use only certified hardware

• You must use only the certified software releases

• You must use only a certified ASVALAN topology

Certified Hardware and Software

Catalyst 6500 Series Switches

Table 1 outlines the modules that have been certified for the Catalyst 6500 and 6500E series chassis. It also shows under which ASVALAN certification each module was tested and with which IOS version it is certified.

Table 1 Catalyst 6500 Series Switches ASVALAN Certification Details

Columns: Module | ASVALAN 4 (12.2(18)SXF7, expires 8/28/10) | ASVALAN 3 (12.2(18)SXF3, expires 10/5/09) | PBX1 Certification w/LAN (12.2(18)SXD3, expires 5/6/08). An X marks a certification the module was tested under.

WS-C6148A-RJ-45 X
WS-SUP32-GE-3B X
WS-SUP720 X X
WS-SUP720-3B X X
WS-SUP720-3BXL X X
WS-X6148-21AF X X
WS-X6148-45AF X X
WS-X6148A-45AF X X
WS-X6148A-GE-45AF X X
WS-X6148A-GE-TX X X
WS-X6148-GE-45AF X X
WS-X6148-GE-TX X X
WS-X6148-RJ-21 X X X
WS-X6148-RJ21V X X X
WS-X6148-RJ-45 X X X
WS-X6148-RJ45V X X X
WS-X6148V-GE-TX X X
WS-X6348-RJ21V X
WS-X6348-RJ-45 X
WS-X6348-RJ45V X
WS-X6416-GE-MT X
WS-X6516A-GBIC X X
WS-X6516-GBIC X X X
WS-X6516-GE-TX X X
WS-X6548-GE-45AF X X
WS-X6548-GE-TX X X
WS-X6548-RJ-21 X X
WS-X6548-RJ-45 X X
WS-X6548V-GE-TX X X
WS-X6704-10GE X X
WS-X6708-10G03C X
WS-X6708-10G-3CXL X
WS-X6724-SFP X X
WS-X6748-GE-TX X X
WS-X6748-SFP X X
WS-X6816-GBIC X X
WS-X6K-S2-MSFC2 X X
WS-X6K-S2U-MSFC2 X
WS-X6K-SUP2-2GE X X

Catalyst 4500 Series Switches

Table 2 outlines the modules that have been certified for the Catalyst 4500 series chassis. It also shows under which ASVALAN certification each module was tested and with which IOS version it is certified.

Table 2 Catalyst 4500 Series Switches ASVALAN Certification Details

Columns: Module | ASVALAN 4 (12.2(31)SGA1, expires 8/28/10) | ASVALAN 3 (12.2(31)SG, expires 10/5/09) | PBX1 Certification w/LAN (12.2(20)EWA, expires 5/6/08). An X marks a certification the module was tested under.

WS-X4013+ X
WS-X4013+10GE X
WS-X4124-RJ45 X X X
WS-X4148-RJ21 X X X
WS-X4148-RJ45 X X X
WS-X4148-RJ45V X X X
WS-X4224-RJ45V X
WS-X4232-GB-RJ X
WS-X4232-RJ-XX X
WS-X4248-RJ21V X X
WS-X4248-RJ45V X X
WS-X4302-GB X X X
WS-X4306-GB X X X
WS-X4515 Sup IV X X X
WS-X4516 X X
WS-X4516-10GE X X
WS-X4524-GB-RJ45V X X
WS-X4548-GB-RJ45 X X
WS-X4548-GB-RJ45V X X

Cisco ONS 15454

Table 3 outlines the modules that have been certified for the ONS 15454. The ONS 15454 was tested as a network element and not as a component of the ASVALAN.

Table 3 Cisco ONS 15454 ASVALAN Certification Details

Columns: Module | Network Element 7.0 (expires 10/5/09)

15454-TCC2P-K9 X
15454-ML1000-2 X
15454-XC-VXC-10G X
15454-10G-S1 X
15454-ML100T-12 X
15454-MRC-I-12 with ONS-SI-2G-S1 X
ONS-SI-622-I1 X

Other Switches

Table 4 outlines additional switches and corresponding IOS versions that have been certified by JITC.

Table 4 Other Switches ASVALAN Certification Details

Model           ASVALAN 4 (IOS code, expires 8/28/10)   ASVALAN 3 (IOS code, expires 10/5/09)   PBX1 Certification w/LAN (IOS code, expires 5/6/08)
Catalyst 3750   12.2(35)SE2                             12.2(25)SEE                             N/A
Catalyst 3560   N/A                                     12.2(25)SE "E" Family                   12.1(19)EA1d
Catalyst 3550   12.2(35)SE                              N/A                                     12.1(22)EA1a
Catalyst 2940   N/A                                     12.1(22)EA7                             N/A
Catalyst 2950   N/A                                     12.1(22)EA7                             N/A
Catalyst 2960   N/A                                     12.2(25)SEE                             N/A

The switches in the tables above have been certified for use in specific areas of the network: Core, Distribution, or Access. Table 5 specifies in which area of the network those switches are certified.

Table 5 Summary of Switches Certified by JITC for ASVALAN

Part 1 columns: Cat 6500 w/Sup720, Sup II | Cat 6500 w/Sup32 | Cat 4500 w/Sup V, Sup IV | Cat 4500 w/Sup II+. An X marks a platform certified for that layer and configuration.

Core
• L2: X X X
• L3: X X X
• Single Chassis, Internally Redundant: X X
• Dual Chassis, No Internal Redundancy: X X X
• Dual Chassis, Internally Redundant: X X

Distribution
• L2: X X X
• L3: X X X
• Single Chassis, Internally Redundant: X X
• Dual Chassis, No Internal Redundancy: X X X
• Dual Chassis, Internally Redundant: X X
• Multiple Chassis, Multiple Processor: none

Access
• L2: X X X X
• L3: X X X
• Stand-alone Chassis, < 64 Users: none
• Single Chassis, Internally Redundant: X X X
• Dual Chassis, No Internal Redundancy: X X X
• Dual Chassis, Internally Redundant: X X
• Multiple Chassis, Multiple Processor: none
• Shared Access: X X X X

Part 2 columns: Cat 3750 | Cat 3560 | Cat 3550 | Cat 2960, 50, 40 | Cisco ONS 15454

Distribution
• L2: X
• L3: X
• Single Chassis, Internally Redundant: none
• Dual Chassis, No Internal Redundancy: none
• Dual Chassis, Internally Redundant: none
• Multiple Chassis, Multiple Processor: X

Access
• L2: X X X X
• L3: X X X
• Stand-alone Chassis, < 64 Users: X X X
• Single Chassis, Internally Redundant: none
• Dual Chassis, No Internal Redundancy: none
• Dual Chassis, Internally Redundant: none
• Multiple Chassis, Multiple Processor: X
• Shared Access: X X X

Network Element
• Transport: X

Keep in mind the following when using the certified switches in your network:

• Internally redundant means that the switch utilizes dual supervisors and dual power supplies

• Dual core architecture provides redundancy utilizing HSRP and OSPF

– OSPF timers must be modified to meet failover requirements

– Reference bandwidth configuration must be modified on all switches in the OSPF network to support 10 Gig links

    router ospf 1607
     log-adjacency-changes
     ! reference bandwidth is in Mbps; 100000 lets 10 Gig links cost less than 1 Gig links
     auto-cost reference-bandwidth 100000
     nsf
     ! MD5 authentication on every area 0 adjacency
     area 0.0.0.0 authentication message-digest
     ! SPF and LSA throttle timers (milliseconds) tuned for fast failover
     timers throttle spf 10 100 5000
     timers throttle lsa all 10 100 5000
     timers lsa arrival 80
     redistribute connected subnets
     redistribute static subnets
     ! no adjacencies except on the listed VLAN interfaces
     passive-interface default
     no passive-interface Vlan210
     no passive-interface Vlan226
     no passive-interface Vlan320
     no passive-interface Vlan321
     no passive-interface Vlan322
     network 100.0.0.0 0.3.255.255 area 0.0.0.0

• Reliability and availability are a function of configuration

• Any link which supports more than 64 phones must be redundant


Configuration Guidelines for DoD LAN Features

This section discusses the following LAN features:

• Quality of Service (QoS), page 12

• Security, page 17

Quality of Service (QoS)

The following sections discuss the QoS features applicable to the ASVALAN certification:

• QoS Requirements, page 12

• Special Consideration for Cisco Unified Communications Manager, page 14

• Cisco Distribution and Access Layer QoS Configurations, page 14

QoS Requirements

Per GSCR Appendix 3 Section A3.3.2.2 (C2VGLAN Traffic Prioritization):

Within the converged LAN, different types of traffic are expected. The following is a listing of traffic streams prioritized from highest to lowest.

1. Voice and Video Signaling and LAN Network Management (highest)

2. Voice and Video Media Stream

3. Data Traffic (lowest)

Voice (Bearer Traffic)

A summary of the key QoS requirements and recommendations for Voice (bearer traffic) are:

• Voice traffic should be marked to DSCP EF (46) or COS 5 per the QoS Baseline and RFC 3246.

• LAN shall be engineered for a theoretical packet loss of zero for voice packets; actual or measured voice packet loss within the LAN shall not exceed 0.05% averaged over any 5-minute period.

• Per GSCR Appendix 3 Section A3.2.7 Latency: Packet delay (latency) is the length of time it takes a packet to traverse the LAN. Each element of the network adds to packet delay, including Ethernet switches, routers, distance traveled through the network, firewalls, and jitter buffers. The one-way packet delay for packets of an established call (signaling and media) within the LAN for a DSN VoIP system shall be 5 milliseconds (msec) or less as averaged over any five minute period.

• Per GSCR Appendix 3 Section A3.3.1.2 Jitter: Jitter is defined as the statistical average variance in delivery time between packets or datagrams. Jitter is introduced by the variable transmission delay over the network. Removing jitter requires collecting packets and holding them long enough to allow the slowest packets to arrive in time to be played in the correct sequence, which causes additional delay. For voice media packets, jitter shall be 5 msec or less as averaged over any five minute period. (Jitter is not a problem for signaling packets, since they do not occur in streams.)

• Per GSCR Appendix 3 Section A3.3.4.4.1 Bandwidth: Bandwidth required per subscriber is 178.4 kbps (89.2 kbps each direction) for each IP call. This is based on G.711 with IP overhead (87.2 kbps) with VoIP signaling (2 kbps) included. Bandwidth available for Ethernet full duplex LANs is 20 Mbps (10 Mbps upstream and 10 Mbps downstream) and 200 Mbps (100 Mbps upstream and 100 Mbps downstream) for 10Base-T and 100Base-T, respectively. (For the purposes of this document, bandwidth is defined in the sense used in TDM telephony systems, i.e., the bandwidth of a T1 trunk is 1.544 Mbps for each direction, for a total full duplex bandwidth of 3.088 Mbps.) In order to provide non-blocking bandwidth for trunk traffic, 4.185 Megabits per second (Mbps) shall be reserved in the LAN for each T1 trunk between the Gateway and DSN. This bandwidth requirement is based on 24 simultaneous two-way non-compressed G.711 conversations (24 x 174.4 kbps). Bandwidth shall be guaranteed through the use of CoS/QoS as described in this appendix. (Based on overhead bits included in the bps calculations, vendor implementations may use different bps calculations and hence arrive at slightly different bps numbers. This is acceptable to the government, but does not negate the number of IP telephone subscribers that are allowed per 10, 100, 1000 Mbps link as specified in GSCR Sections A3.3.4.4.2 through A3.3.4.5.1.1.)

Voice quality is directly affected by all three QoS quality factors: loss, latency and jitter. Packet loss causes voice clipping and skips. The packetization interval determines the size of samples contained within a single packet. Assuming a 20 ms (default) packetization interval, the loss of two or more consecutive packets results in a noticeable degradation of voice quality. Network congestion can lead to both packet drops and variable packet delays. Voice packet drops from network congestion are usually caused by full transmit buffers on the egress interfaces somewhere in the network. As links or connections approach 100% utilization, the queues servicing those connections become full. When a queue is full, new packets attempting to enter the queue are discarded. Because network congestion can be encountered at any time within a network, buffers can fill instantaneously. This instantaneous buffer utilization can lead to a difference in delay times between packets in the same voice stream. This difference, called jitter, is the variation between when a packet is expected to arrive and when it actually is received. To compensate for these delay variations between voice packets in a conversation, VoIP endpoints use jitter buffers to turn the delay variations into a constant value so that voice can be played out smoothly. VoIP networks are typically designed for very close to zero percent VoIP packet loss, with the only actual packet loss being due to L2 bit errors or network failures.

Packet delay can cause either voice quality degradation due to the end-to-end voice latency or packet loss if the delay is variable. If the end-to-end voice latency becomes too long (250 ms, for example), the conversation begins to sound like two parties talking on a CB radio. If the delay is variable, there is a risk of jitter buffer overruns at the receiving end. Eliminating drops and delays is even more imperative when including fax and modem traffic over IP networks. If packets are lost during fax or modem transmissions, the modems are forced to "retrain" to synchronize again. Because of its strict service-level requirements, VoIP is well suited to the Expedited Forwarding Per-Hop Behavior, as defined in RFC 3246 (formerly RFC 2598). It should therefore be marked to DSCP EF (46) and assigned strict priority servicing at each node, regardless of whether such servicing is done in hardware (as in Catalyst switches via hardware priority queuing) or in software (as in Cisco IOS routers via LLQ).
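The loss, latency and jitter limits quoted above (0.05% loss, 5 msec one-way delay, 5 msec jitter, each averaged over a 5-minute period) applied to probe samples, as an added Python example that is not Cisco or GSCR code; the three sample streams are constructed, and taking jitter as the mean absolute change in transit time between consecutive packets (the RFC 3550 D(i,j) term) is an assumption about how the GSCR's "average variance" is measured:

```python
"""Evaluate constructed RTP probe samples against the GSCR LAN limits above.

Added example, not Cisco or GSCR code. A sample is (RTP sequence number,
send time, receive time) in milliseconds, as a LAN probe with synchronised
clocks might record. Jitter is computed as the mean absolute change in
transit time between consecutive packets (RFC 3550's D(i,j)); that this is
what the GSCR means by "average variance" is an assumption.
"""
from dataclasses import dataclass
from statistics import mean

LOSS_LIMIT_PCT = 0.05      # measured voice packet loss over any 5-minute period
LATENCY_LIMIT_MS = 5.0     # one-way LAN delay for an established call
JITTER_LIMIT_MS = 5.0      # voice media jitter
WINDOW_MS = 5 * 60 * 1000  # the 5-minute averaging period


@dataclass(frozen=True)
class Sample:
    seq: int        # RTP sequence number
    sent_ms: float  # transmit timestamp
    recv_ms: float  # arrival timestamp at the probe


def window_stats(samples):
    """Return (loss %, mean one-way delay ms, mean jitter ms) for one window.

    Loss is inferred from sequence-number gaps, so packets lost before the
    first or after the last observed sequence number are not counted.
    """
    s = sorted(samples, key=lambda x: x.seq)
    expected = s[-1].seq - s[0].seq + 1
    loss_pct = 100.0 * (expected - len(s)) / expected
    transit = [x.recv_ms - x.sent_ms for x in s]
    delay_ms = mean(transit)
    jitter_ms = mean(abs(b - a) for a, b in zip(transit, transit[1:])) if len(s) > 1 else 0.0
    return loss_pct, delay_ms, jitter_ms


def evaluate(samples, window_ms=WINDOW_MS):
    """Group samples into fixed windows by send time and judge each window."""
    start = min(x.sent_ms for x in samples)
    windows = {}
    for x in samples:
        windows.setdefault(int((x.sent_ms - start) // window_ms), []).append(x)
    verdicts = []
    for idx in sorted(windows):
        loss, delay, jitter = window_stats(windows[idx])
        verdicts.append({
            "window": idx,
            "loss_pct": round(loss, 3),
            "delay_ms": round(delay, 2),
            "jitter_ms": round(jitter, 2),
            "ok": loss <= LOSS_LIMIT_PCT and delay <= LATENCY_LIMIT_MS and jitter <= JITTER_LIMIT_MS,
        })
    return verdicts


def make_stream(n, start_ms, delay_ms, jitter_ms, drop_every=0, seq0=0):
    """Constructed G.711 stream: one packet per 20 ms, transit alternating
    delay_ms +/- jitter_ms/2; every drop_every-th packet is omitted to simulate loss."""
    out = []
    for i in range(n):
        if drop_every and i % drop_every == drop_every - 1:
            continue
        sent = start_ms + 20 * i
        recv = sent + delay_ms + (jitter_ms / 2 if i % 2 else -jitter_ms / 2)
        out.append(Sample(seq0 + i, sent, recv))
    return out


# Three constructed 5-minute windows (15000 packets each at 20 ms):
# clean; loss plus heavy jitter; excessive one-way delay.
DEMO_SAMPLES = (
    make_stream(15000, 0, 2.0, 1.0)
    + make_stream(15000, WINDOW_MS, 2.0, 8.0, drop_every=1000, seq0=20000)
    + make_stream(15000, 2 * WINDOW_MS, 12.0, 1.0, seq0=40000)
)

if __name__ == "__main__":
    for v in evaluate(DEMO_SAMPLES):
        print(v)
```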

Note A tool for quickly and accurately calculating VoIP bandwidth requirements (factoring in the codec, the use of cRTP and L2 overhead) can be found at: http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp
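The per-call and per-T1 figures quoted in the Bandwidth requirement above carried through in code, as an added Python example (not Cisco's codec calculator or GSCR text); the assumptions that reproduce the 87.2 kbps per-direction figure are G.711 at 64 kbps with the 20 ms default packetization, 40 bytes of RTP/UDP/IPv4 headers and 18 bytes of Ethernet framing (header plus FCS):

```python
"""Reproduce the GSCR Appendix 3 per-call and per-T1 bandwidth figures.

Added example, not Cisco's codec calculator or GSCR text. Assumptions that
reproduce the quoted 87.2 kbps per direction: G.711 at 64 kbps with the
20 ms default packetization (160 payload bytes), 40 bytes of RTP/UDP/IPv4
headers and 18 bytes of Ethernet framing (14-byte header + 4-byte FCS,
preamble and inter-frame gap excluded).
"""
from dataclasses import dataclass

RTP_UDP_IPV4_BYTES = 40             # 12 RTP + 8 UDP + 20 IPv4
ETHERNET_BYTES = 18                 # 14-byte header + 4-byte FCS
SIGNALING_KBPS_PER_DIRECTION = 2.0  # VoIP signaling allowance in the GSCR figure
G711_CALLS_PER_T1 = 24              # one DS0 per uncompressed conversation


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate_kbps: float   # raw codec rate
    packetization_ms: int  # audio carried per packet


G711_20MS = Codec("G.711", 64.0, 20)


def payload_bytes(codec: Codec) -> int:
    """Codec payload per packet: rate (kbit/s) * interval (ms) / 8 bits per byte."""
    return int(codec.bit_rate_kbps * codec.packetization_ms / 8)


def packet_bytes(codec: Codec, l2_bytes: int = ETHERNET_BYTES) -> int:
    """Bytes on the wire for one voice packet including IP and L2 overhead."""
    return payload_bytes(codec) + RTP_UDP_IPV4_BYTES + l2_bytes


def bearer_kbps_per_direction(codec: Codec, l2_bytes: int = ETHERNET_BYTES) -> float:
    """One-way media bandwidth (the GSCR quotes 87.2 kbps for G.711 with IP overhead)."""
    packets_per_second = 1000 / codec.packetization_ms
    return packet_bytes(codec, l2_bytes) * 8 * packets_per_second / 1000


def subscriber_kbps(codec: Codec = G711_20MS) -> float:
    """Full-duplex bandwidth per IP call, signaling included (GSCR: 178.4 kbps)."""
    return 2 * (bearer_kbps_per_direction(codec) + SIGNALING_KBPS_PER_DIRECTION)


def t1_trunk_reservation_kbps(codec: Codec = G711_20MS) -> float:
    """LAN bandwidth reserved per T1 trunk to the DSN: 24 two-way G.711 calls,
    media only (GSCR: 24 x 174.4 kbps, about 4.185 Mbps)."""
    return G711_CALLS_PER_T1 * 2 * bearer_kbps_per_direction(codec)


def nonblocking_calls(link_mbps_per_direction: float, codec: Codec = G711_20MS) -> int:
    """Theoretical call count a full-duplex link carries without oversubscription.
    This is not the GSCR's allowed-subscriber figure for 10/100/1000 Mbps links,
    which the GSCR specifies separately and which this document does not quote."""
    per_direction = bearer_kbps_per_direction(codec) + SIGNALING_KBPS_PER_DIRECTION
    return int(link_mbps_per_direction * 1000 // per_direction)


def matches_gscr_figures() -> bool:
    """True when the assumptions above reproduce the numbers quoted in this section."""
    return (round(bearer_kbps_per_direction(G711_20MS), 1) == 87.2
            and round(subscriber_kbps(), 1) == 178.4
            and round(t1_trunk_reservation_kbps(), 1) == 4185.6)


if __name__ == "__main__":
    print("per direction:", bearer_kbps_per_direction(G711_20MS), "kbps")
    print("per subscriber:", subscriber_kbps(), "kbps")
    print("per T1 trunk:", t1_trunk_reservation_kbps() / 1000, "Mbps")
    print("10 Mbps link, non-blocking calls:", nonblocking_calls(10))
```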

Call Signaling Traffic

The following are key QoS requirements and recommendations for Call-Signaling traffic:

• Call-Signaling traffic should be marked as DSCP CS6 (48) per the JITC Requirements.

• Per previous section and GSCR Appendix 3: 4 kbps per phone of guaranteed bandwidth is required for voice control traffic; more may be required, depending on the call signaling protocol(s) in use.

Cisco Unified Communications products generally mark signaling traffic at either AF31 or CS3. These values must be modified to meet the certification requirements defined above.


Call signaling protocols include (but are not limited to) H.323, H.225, Session Initiation Protocol (SIP) and Media Gateway Control Protocol (MGCP). Each call signaling protocol has unique TCP/UDP ports and traffic patterns that should be taken into account when provisioning QoS policies for them.

Special Consideration for Cisco Unified Communications Manager

Cisco Unified Communications Manager has configurable parameters that define the DSCP markings of various packet flows including voice and video streams, signaling streams, and data streams. These parameters must be set as required by the GSCR and are configurable in both the Service Parameters and Enterprise Parameters configuration pages on the Cisco Unified Communications Manager.

Cisco Distribution and Access Layer QoS Configurations

Access layer switches approved by JITC include the Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2960, Catalyst 2950, and the Catalyst 2940 switches. QoS configurations vary by platform and the following sections provide examples for each. Much like the QoS configurations for IOS gateways, the primary focus of the Access Layer switch QoS configuration is to prioritize voice signaling traffic over that of voice media and standard data packets.

Catalyst 6500

By default, voice bearer traffic marked CoS 5 is mapped to DSCP 46 and voice signaling traffic marked CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Ports that are connected to IP Phones are configured to trust CoS. When you use a Catalyst 6500 series switch to provide connectivity to Unified Communications Manager servers, or to other hosts in the distribution layer, the ports are configured to trust DSCP. The certified configurations are shown below:

    no mls flow ip
    no mls flow ipv6
    ! CoS 3 (signaling) mapped to DSCP 48 (CS6), CoS 5 (voice bearer) to DSCP 46 (EF)
    mls qos map cos-dscp 0 8 16 48 34 46 48 56
    mls qos map ip-prec-dscp 0 8 16 48 34 46 48 56
    mls qos
    redundancy
     mode sso
    spanning-tree mode rapid-pvst
    !
    ! IP Phone access port: trusts the CoS set by the phone
    interface FastEthernet3/1
     switchport
     switchport access vlan 21
     switchport mode access
     switchport voice vlan 22
     no ip address
     load-interval 30
     mls qos trust cos
     spanning-tree portfast
    !
    ! uplink to the distribution layer / Unified Communications Manager servers: trusts DSCP
    interface Port-channel31
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 12,22,32,42,331
     switchport mode trunk
     no ip address
     load-interval 30
     mls qos trust dscp
     no mls qos channel-consistency
     storm-control broadcast level 5.00
    !

Catalyst 4500

By default, voice bearer traffic marked CoS 5 is mapped to DSCP 46 and voice signaling traffic marked CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Transmit queue 3 is configured as the high priority queue. Auto QoS is used to configure QoS parameters for ports that are connected to Cisco IP Phones. When you use a Catalyst 4500 series switch to provide connectivity to Unified Communications Manager servers, or to other hosts in the distribution layer, the ports are configured to trust DSCP. The certified configurations are shown below:

qos dbl
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 2
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map cos 5 to dscp 46
qos map cos 3 to dscp 48
redundancy
 mode sso
qos
spanning-tree mode rapid-pvst
!
interface GigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 323
 switchport mode trunk
 load-interval 30
 qos trust dscp
 flowcontrol receive off
 storm-control broadcast level 5.00
 tx-queue 3
   priority high
 channel-group 23 mode on
!
interface FastEthernet3/35
 switchport access vlan 263
 switchport mode access
 switchport voice vlan 262
 load-interval 30
 speed 100
 duplex full
 qos trust cos
 auto qos voip trust
 storm-control broadcast level 5.00
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 service-policy output autoqos-voip-policy

Catalyst 3750, 3560, and 2960

By default, voice bearer traffic (CoS 5) is mapped to DSCP 46 and voice signaling traffic (CoS 3) is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. The priority queue is enabled. Auto QoS is used to configure switch-wide ingress and egress queue usage as well as trust parameters for ports that are connected to Cisco IP Phones. When you use a Catalyst 3750 switch to provide connectivity to Unified CallManager servers, or other hosts in the distribution layer, the ports are configured to trust DSCP.


When auto QoS is enabled, all of the following mls qos commands, with the exception of the mls qos map command, are entered automatically. The certified configurations are shown below:

mls qos map cos-dscp 0 8 16 48 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
interface FastEthernet1/0/24
 switchport access vlan 261
 switchport mode access
 switchport voice vlan 260
 load-interval 30
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust cos
 auto qos voip trust
 storm-control broadcast level 5.00
 spanning-tree portfast
!
interface FastEthernet0/36


 switchport access vlan 17
 switchport mode access
 switchport voice vlan 18
 load-interval 30
 duplex full
 mls qos trust dscp
 storm-control broadcast level 5.00
 spanning-tree portfast

Catalyst 2950 and 2940

By default, voice bearer traffic (CoS 5) is mapped to DSCP 46 and voice signaling traffic (CoS 3) is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Auto QoS is used to configure switch-wide egress queue usage and trust parameters for ports that are connected to Cisco IP Phones.

wrr-queue bandwidth 10 20 70 1
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 6 7
wrr-queue cos-map 4 3 5
mls qos map cos-dscp 0 8 16 48 32 46 48 56
!
interface FastEthernet0/2
 switchport access vlan 27
 switchport trunk native vlan 27
 switchport mode access
 switchport voice vlan 28
 load-interval 30
 speed 100
 duplex full
 mls qos trust device cisco-phone
 mls qos trust cos
 storm-control broadcast level 5.00
 storm-control multicast level 70.00
 auto qos voip trust
 spanning-tree portfast
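The CoS 3 and CoS 5 remap that each platform section above calls for can be verified from a saved configuration. The following Python checker is an added example, not part of this note or of any Cisco tool; it parses both map syntaxes shown above (the eight-value mls qos map cos-dscp form and the per-CoS qos map cos form of the Catalyst 4500) and reports whether the required DSCP values are present. The sample fragments are constructed.

```python
import re
from typing import Dict

# Markings this note requires for the GSCR: signaling CoS 3 -> DSCP 48
# (remapped from the platform default of 24) and bearer CoS 5 -> DSCP 46.
REQUIRED_COS_DSCP = {3: 48, 5: 46}

# Eight-value form used by the Catalyst 6500/3750/3560/2960/2950/2940 examples.
MLS_MAP_RE = re.compile(r"^\s*mls qos map cos-dscp((?:\s+\d+){8})\s*$")
# Per-CoS form used by the Catalyst 4500 example.
CAT4500_MAP_RE = re.compile(r"^\s*qos map cos (\d) to dscp (\d+)\s*$")


def parse_cos_dscp(config: str) -> Dict[int, int]:
    """Return every explicit CoS->DSCP mapping found in an IOS config text."""
    mapping: Dict[int, int] = {}
    for line in config.splitlines():
        m = MLS_MAP_RE.match(line)
        if m:
            values = [int(v) for v in m.group(1).split()]
            if any(v > 63 for v in values):
                raise ValueError(f"DSCP out of range in: {line.strip()}")
            mapping.update(enumerate(values))  # positions are CoS 0..7
            continue
        m = CAT4500_MAP_RE.match(line)
        if m:
            cos, dscp = int(m.group(1)), int(m.group(2))
            if cos > 7 or dscp > 63:
                raise ValueError(f"CoS/DSCP out of range in: {line.strip()}")
            mapping[cos] = dscp
    return mapping


def check_gscr_markings(config: str) -> Dict[int, str]:
    """Report, per required CoS value, whether the config maps it as required.

    Values are 'ok', 'missing' (no explicit map line, so the platform default
    applies) or 'mismatch: DSCP <n>'."""
    found = parse_cos_dscp(config)
    report: Dict[int, str] = {}
    for cos, want in REQUIRED_COS_DSCP.items():
        got = found.get(cos)
        if got is None:
            report[cos] = "missing"
        elif got == want:
            report[cos] = "ok"
        else:
            report[cos] = f"mismatch: DSCP {got}"
    return report


# Constructed sample fragments (not complete switch configurations) using the
# syntax of the platform examples above.
SAMPLES = {
    "cat6500": "mls qos map cos-dscp 0 8 16 48 34 46 48 56",
    "cat3750": "mls qos map cos-dscp 0 8 16 48 32 46 48 56",
    "cat4500": "qos map cos 5 to dscp 46\nqos map cos 3 to dscp 48",
    # Constructed non-compliant fragment: CoS 3 left at its default DSCP 24.
    "unremapped": "mls qos map cos-dscp 0 8 16 24 32 46 48 56",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, check_gscr_markings(cfg))
```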

Security

This section discusses the following security features applicable to the ASVALAN certification:

• Port Security

• Administration of Passwords

• Network Configuration

Port Security

Port security is used to block input to Ethernet ports when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are expected for that port. Any unused ports should be shut down.

Port security is enabled on all Ethernet ports with the following commands:

switchport mode access


switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security mac-address sticky

For more information on Port Security, refer to the following URL: http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801a5b31.html#wp1019841

ACLs

For routers within the enclave, apply site-specific policies (ACLs). Information Assurance (IA) STIGs require that voice and data traffic are completely isolated. ACLs are used to prevent non-voice traffic from reaching voice devices.

For more information on applying ACLs to edge routers that communicate between enclaves, refer to the Router Configuration Security Guide, produced by the NSA, at the following URL: http://www.nsa.gov/snac/routers/C4-040R-02.pdf.

Administration of Passwords

United States DoD customers are required to create and maintain passwords in accordance with the rules outlined in Appendix C of the Chairman Joint Chiefs of Staff Manual (CJCSM). Password complexity (9 characters, upper/lower case, numeric, special characters) and password expiration are managed by the administrator of the system. If the TACACS+ server used for authentication cannot use the Microsoft Windows complex password DLL, you must make sure that all users are aware of and adhere to the password policy.

Network Configuration

United States DoD customer network deployments must have a Syslog server. The system administrator will configure all routers to log severity levels 0 through 6 events and send log data to a syslog server.

logging on
logging buffered
logging host <ip address of syslog server>
logging console critical
logging trap informational
logging facility local7

Telnet must be disabled and SSH enabled on all VTY ports.

crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

line vty 0 15
 exec-timeout 10 0
 transport input ssh
 transport output ssh
 access-class 3 in
 password <complex password>

HTTP must be disabled on all ASVALAN components.


no ip http server
no ip http secure-server

TACACS+ must be configured and enabled as the authentication method; the local database and enable password serve only as the fallback methods.

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host <ip address>
tacacs-server directed-request
tacacs-server key <key>

All of the following configuration commands must be entered from global configuration to meet IA requirements. Some commands are default and will not appear in the running configuration.

no service pad
no service config
no boot network
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip domain-lookup
ip domain-name <domain>
no ip source-route
no ip gratuitous-arps
ip tcp synwait-time 10
ip cef
logging on
logging buffered
logging host 100.3.60.16
logging console critical
logging trap informational
logging facility local7
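An audit of the IA configuration items above, as an added example that is not part of this note: the Python checker below parses an IOS running configuration, flags services that must be disabled, verifies that the required global commands and SSH-only VTY settings are present, and allows for commands that IOS omits from the running configuration when they are at their default. The sample configurations and the on-by-default classification of each service are assumptions.

```python
# Global services this note says must be disabled, as (command, on_by_default).
# IOS omits a service that is on by default from the running configuration, so
# for those the explicit "no <command>" line must be present; for services off
# by default only the positive form is a finding. The default classification is
# an assumption for IOS 12.x; verify it against the deployed release.
DISABLE_RULES = [
    ("ip http server", True), ("ip http secure-server", False),
    ("ip source-route", True), ("ip bootp server", True),
    ("ip domain-lookup", True), ("ip gratuitous-arps", True),
    ("service pad", True), ("service dhcp", True),
    ("service config", False), ("boot network", False),
    ("service tcp-small-servers", False), ("service udp-small-servers", False),
    ("ip finger", False),
]
# Global lines that must be present (prefix match).
REQUIRED_GLOBALS = [
    "service password-encryption", "service tcp-keepalives-in",
    "service timestamps log datetime msec localtime show-timezone",
    "logging host ", "logging trap informational", "aaa new-model",
    "aaa authentication login default group tacacs+", "ip ssh version 2",
    "banner login ",
]


def split_config(config):
    """Split a running configuration into global lines and 'line vty' sections."""
    global_lines, vty_sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separates configuration sections
        elif line.startswith(" "):
            if current is not None:
                vty_sections[current].append(line.strip())
        elif line.startswith("line vty"):
            current = line
            vty_sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty_sections


def audit_ia_config(config):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    global_lines, vty_sections = split_config(config)
    for cmd, on_by_default in DISABLE_RULES:
        if any(g == cmd or g.startswith(cmd + " ") for g in global_lines):
            findings.append(f"{cmd} is enabled")
        elif on_by_default and not any(g.startswith("no " + cmd) for g in global_lines):
            findings.append(f"'no {cmd}' missing ({cmd} is on by default)")
    for req in REQUIRED_GLOBALS:
        if not any(g.startswith(req) for g in global_lines):
            findings.append(f"missing: {req.strip()}")
    if not vty_sections:
        findings.append("no 'line vty' section found")
    for name, lines in vty_sections.items():
        if "transport input ssh" not in lines:
            findings.append(f"{name}: transport input must be ssh only")
        if not any(l.startswith("exec-timeout") for l in lines):
            findings.append(f"{name}: exec-timeout missing")
        if not any(l.startswith("access-class") and l.endswith(" in") for l in lines):
            findings.append(f"{name}: inbound access-class missing")
    return findings


# Constructed sample built from the commands in this section (placeholder values).
COMPLIANT_SAMPLE = """\
no service pad
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
no service dhcp
no ip bootp server
no ip domain-lookup
no ip source-route
no ip gratuitous-arps
aaa new-model
aaa authentication login default group tacacs+ local enable
logging host 192.0.2.10
logging trap informational
no ip http server
ip ssh version 2
banner login ^C <placeholder for the DoD login banner> ^C
!
line vty 0 15
 exec-timeout 10 0
 transport input ssh
 access-class 3 in
"""
# Constructed sample that still allows Telnet and HTTP and leaves defaults in place.
NONCOMPLIANT_SAMPLE = """\
service tcp-small-servers
ip http server
logging host 192.0.2.10
!
line vty 0 4
 transport input telnet ssh
"""
```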

All IOS-based network devices must display a banner upon login that prohibits unauthorized use. A sample configuration is given below.

banner login $
**********************************************************************
This is a Department of Defense computer system. This computer system,
including all related equipment, networks, and network devices (specifically
including internet access), are provided only for authorized U.S. Government
use. DOD computer systems may be monitored for all lawful purposes,
including to ensure their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability, and operational security. Monitoring includes active
attacks by authorized DOD entities to test or verify the security of this system.

During monitoring, information may be examined, recorded, copied, and used
for authorized purposes. All information, including personal information, placed
on or sent over this system, may be monitored.

Use of this DOD computer system, authorized or unauthorized, constitutes
consent to monitoring of this system. Unauthorized use may subject you to
criminal prosecution. Evidence of unauthorized use collected during monitoring
may be used for administrative, criminal, or other adverse action. Use of this
system constitutes consent to monitoring for these purposes.
**********************************************************************
$

banner motd $
**********************************************************************
This is a Department of Defense computer system. This computer system,
including all related equipment, networks, and network devices (specifically
including internet access), are provided only for authorized U.S. Government
use. DOD computer systems may be monitored for all lawful purposes,
including to ensure their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability, and operational security. Monitoring includes active
attacks by authorized DOD entities to test or verify the security of this system.

During monitoring, information may be examined, recorded, copied, and used
for authorized purposes. All information, including personal information, placed
on or sent over this system, may be monitored.

Use of this DOD computer system, authorized or unauthorized, constitutes
consent to monitoring of this system. Unauthorized use may subject you to
criminal prosecution. Evidence of unauthorized use collected during monitoring
may be used for administrative, criminal, or other adverse action. Use of this
system constitutes consent to monitoring for these purposes.
**********************************************************************
$

Certified Network Topologies

This section outlines the network topologies tested and certified by JITC. You can use any of these network configurations to design your network.

Core Layer Only—Single Switch, Internally Redundant

Figure 3 shows the network configuration using a single switch that is internally redundant.


Figure 3 Network Configuration for Core Layer Only—Single Switch, Internally Redundant

Applicability

This configuration is applicable to user communities of up to approximately 500 users, depending on the switch type and associated Ethernet Switch Cards. With this type of ASVALAN, the equipment will typically be located in a single communications closet.

This configuration consists of a single, internally redundant switch. This switch serves as both the core and access switch. The switches certified for this configuration are the Catalyst 6500 and Catalyst 4500 series switches.

Special Considerations

For small locations with less than 64 users, no switch redundancy is required, so you can use the Catalyst 2940, Catalyst 2950, Catalyst 2960, Catalyst 3560, or Catalyst 3750 series switches.

Core Layer Only—Redundant Switches, Internally RedundantFigure 4 shows the network configuration using redundant switches that are internally redundant.

[Figure 3 labels: Catalyst 6500 or Catalyst 4500; IP phones]


Figure 4 Network Configuration for Core Layer Only—Redundant Switches, Internally Redundant

Applicability

This configuration is applicable to user communities of up to approximately 1000 users, depending on switch type. The LAN equipment can be located in a single communications closet or distributed among different closets, as long as the ASVALAN latency requirements are met (5 ms).

This configuration consists of redundant core switches that are internally redundant. These switches serve as both core and access switches. The switches certified for this configuration are the Catalyst 6500 and Catalyst 4500 series switches.

Special Considerations

Redundant links to different modules are required between the two switches.

Core and Access Layers—Single Core Switch, Internally Redundant

Figure 5 shows the network configuration using a single core switch that is internally redundant.

[Figure 4 labels: Catalyst 6500 or Catalyst 4500; IP phones]


Figure 5 Network Configuration for Core and Access Layers—Single Core Switch, Internally Redundant

Applicability

This configuration is applicable to a distributed user community (i.e., multiple communications closets). Uplink connections can be copper or fiber depending on network geography.

This configuration consists of a single, internally redundant switch in the core and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations

You may use single uplinks to the core as long as the module in the core switch does not support more than 64 users total in the access layer switches. For example, if a single module in the core switch supports the uplink connection from two fully populated 24 port switches in the access layer (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches.

Link capacity required is a function of the number of subscribers and is defined in Table 6. Redundant uplinks to separate modules in the core switch are required if the access switch has more than 64 users or if the module in the core switch is supporting more than 64 users.

[Figure 5 labels: core Catalyst 6500 or Catalyst 4500; access Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940; IP phones; redundant uplinks to separate line cards in the core switch, see Special Considerations]


Core and Access Layers—Dual Core Switches, Not Internally Redundant

Figure 6 shows the network configuration using dual core switches that are not internally redundant.

Table 6 Link Capacity Requirements

Note numbers (superscripts in the original) are shown in parentheses after each user count.

Link Type       LAN BW        Users
Non-Converged   10 Mbps       64 (1)
                100 Mbps      64 (1)
                1 Gbps        64 (1)
                10 Gbps       64 (1)
                10 Mbps LP    100 (2)
                100 Mbps LP   1000 (2)
                1 Gbps LP     10000 (2)
                10 Gbps LP    100000 (2)
Converged       10 Mbps       25 (3)
                100 Mbps      64 (1)
                1 Gbps        64 (1)
                10 Gbps       64 (1)
                10 Mbps LP    25 (3)
                100 Mbps LP   250 (4)
                1 Gbps LP     2500 (4)
                10 Gbps LP    25000 (4)

LEGEND:
ASVALAN - Assured Services Voice Application LAN
BW - Bandwidth
Gbps - Gigabits per second
IP - Internet Protocol
kbps - kilobits per second
LAN - Local Area Network
LP - Link Pair
Mbps - Megabits per second

NOTES:
1. For single links, the number of telephony subscribers is limited to a maximum of 64 because of the single point of failure. This limit applies specifically to ASVALANs.
2. The number of users is calculated as bandwidth (BW) divided by 100 kbps per user.
3. The number of users was limited to 64 telephony subscribers per note 1 or 25% of total users per note 4, whichever was less.
4. For the converged network, voice traffic was engineered not to exceed 25% of total utilization using an estimated 100 kbps per voice call.
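The rules in Notes 1 through 4, together with the 64-user uplink rule from the Special Considerations sections, can be applied programmatically. The following Python code is an added example and not part of this note; it recomputes every row of Table 6 from those rules and decides which access switches need redundant uplinks for a constructed layout that mirrors the worked examples in the text.

```python
from math import floor
from typing import Dict, List, Tuple

KBPS_PER_USER = 100           # notes 2 and 4: 100 kbps per voice user
SINGLE_LINK_MAX_USERS = 64    # note 1: a single link is a single point of failure
CONVERGED_VOICE_SHARE = 0.25  # note 4: voice may use at most 25% of a converged link


def users_for_link(bandwidth_mbps: float, link_pair: bool, converged: bool) -> int:
    """Maximum telephony subscribers a link may serve under the Table 6 rules."""
    users = floor(bandwidth_mbps * 1000 / KBPS_PER_USER)   # note 2
    if converged:
        users = floor(users * CONVERGED_VOICE_SHARE)       # note 4
    if not link_pair:
        users = min(users, SINGLE_LINK_MAX_USERS)          # notes 1 and 3
    return users


def table6() -> List[Tuple[str, str, int]]:
    """Recompute every row of Table 6 as (link type, LAN BW, users)."""
    rows = []
    for link_type, converged in (("Non-Converged", False), ("Converged", True)):
        for link_pair in (False, True):
            for label, mbps in (("10 Mbps", 10), ("100 Mbps", 100),
                                ("1 Gbps", 1000), ("10 Gbps", 10000)):
                name = label + (" LP" if link_pair else "")
                rows.append((link_type, name, users_for_link(mbps, link_pair, converged)))
    return rows


def redundant_uplinks_required(core_modules: Dict[str, Dict[str, int]]) -> Dict[str, bool]:
    """Apply the Special Considerations rule: an access switch needs redundant
    uplinks (to a separate core module or core switch) if it serves more than 64
    users, or if the core module it uplinks to serves more than 64 users in
    total across all of its access switches.

    core_modules maps a core module name to {access switch name: user count}."""
    result: Dict[str, bool] = {}
    for switches in core_modules.values():
        module_total = sum(switches.values())
        for switch, users in switches.items():
            result[switch] = (users > SINGLE_LINK_MAX_USERS
                              or module_total > SINGLE_LINK_MAX_USERS)
    return result


# Constructed layout (hypothetical names): two fully populated 24-port switches on
# one core module, five on a second module, and one 48-port switch on a third.
SAMPLE_LAYOUT = {
    "core-mod-1": {"acc-a": 24, "acc-b": 24},
    "core-mod-2": {"acc-c": 24, "acc-d": 24, "acc-e": 24, "acc-f": 24, "acc-g": 24},
    "core-mod-3": {"acc-h": 48},
}

if __name__ == "__main__":
    for row in table6():
        print("%-14s %-12s %6d" % row)
    print(redundant_uplinks_required(SAMPLE_LAYOUT))
```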


Figure 6 Network Configuration for Core and Access Layers—Dual Core Switches, Not Internally Redundant

Applicability

This configuration is applicable to a distributed user community (i.e., multiple communication closets). Uplink connections can be copper or fiber depending on network geography.

This configuration consists of redundant core switches that are not internally redundant and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations

You may use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports the uplink connection from a fully populated 48 port switch, as shown in the access layer in Figure 6 (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches.

Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Core and Access Layers—Dual Core Switches, Internally Redundant

Figure 7 shows the network configuration using dual core switches that are internally redundant.

[Figure 6 labels: core Catalyst 6500 or Catalyst 4500; access Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940 (64 users); IP phones; redundant uplinks to separate core switches, see Special Considerations]


Figure 7 Network Configuration for Core and Access Layers—Dual Core Switches, Internally Redundant

Applicability

This configuration is applicable to a distributed user community (i.e., multiple communication closets). Uplink connections can be copper or fiber depending on network geography.

This configuration consists of redundant core switches that are internally redundant and a separate switch (or switches) at the access layer. The links between the core switches must use separate modules. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations

You can use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports only the uplink connection from two fully populated 24 port switches in the access layer (less than 64 users connected through a single module in the core), no redundant uplinks are required for those two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Because the core switches have internal redundancy, the redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch.

Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

[Figure 7 labels: Catalyst 6500, Catalyst 4500 or Catalyst 3750; IP phones; redundant uplinks to separate core switches or the same core switch, see Special Considerations]


Core, Distribution, and Access Layers—Dual Core Switches, Internally Redundant; Single Distribution Switch, Internally Redundant

Figure 8 shows the network configuration using dual core switches that are not internally redundant and dual distribution switches that are internally redundant.

Figure 8 Network Configuration for Core, Distribution, and Access Layers—Dual Core Switches, Internally Redundant; Single Distribution Switch, Internally Redundant

Applicability

This is typical of a large network. Uplink connections can be copper or fiber depending on network geography.

This configuration consists of redundant switches in the core that are internally redundant, redundant switches in the distribution layer that are internally redundant, and a separate switch (or switches) at the access layer. The switches certified for the core and distribution layers are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations

You may use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports the uplink connection from a fully populated 48 port switch, as shown in the access layer on the right in Figure 8 (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. No single module can support more than 64 users in total without redundancy. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Because the core switches have internal redundancy, the redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch.

[Figure 8 labels: core Catalyst 6500 or Catalyst 4500; distribution Catalyst 6500, Catalyst 4500 or Catalyst 3750; access Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940; IP phones; access switches marked ">64 users"; redundant uplinks to separate distribution switches, see Special Considerations]

Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Redundant uplinks to separate core switches are required if the access switch has more than 64 users or if the module in the core switch is supporting more than 64 users.

Core, Distribution, and Access Layers—Dual Core Switches, Internally Redundant; Dual Distribution Switches, Not Internally Redundant

Figure 9 shows the network configuration using dual core switches that are internally redundant and dual distribution switches that are not internally redundant.

Figure 9 Network Configuration for Core, Distribution, and Access Layers—Dual Core Switches, Internally Redundant; Dual Distribution Switches, Not Internally Redundant

Applicability

This configuration is typical of a larger network. Uplink connections can be copper or fiber depending on network geography.

This configuration consists of internally redundant switches in the core, redundant switches in the distribution layer that are not internally redundant, and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The switches certified at the distribution layer are the Catalyst 6500 series, Catalyst 4500 series, and Catalyst 3750 series switches. In this scenario, redundant Catalyst 3750 series switches are in the distribution layer. Because the Catalyst 3750 series switch is a non-redundant switch, two switches are utilized to achieve redundancy. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Uplink connections can be copper or fiber depending on network geography. Fiber transport using the ONS 15454 is also certified.

[Figure 9 labels: core Catalyst 6500 or Catalyst 4500; distribution Catalyst 6500, Catalyst 4500 or Catalyst 3750; access Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940; IP phones; redundant uplinks to separate distribution switches, see Special Considerations]

Special Considerations

The redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch because the core switches have internal redundancy.

Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Acronyms and Abbreviations

Table 7 defines the acronyms and abbreviations used in this publication.

Table 7 Acronyms

Acronym   Expansion
ACL       Access Control List
AFIOC     Air Force Information Operations Center
APL       Approved Products List
ASVALAN   Assured Services Voice Application Local Area Network
CAS       Channel Associated Signaling
CPE       Customer Premise Equipment
CJCSI     Chairman of the Joint Chief of Staff Instruction
CJCSM     Chairman Joint Chiefs of Staff Manual
CoS       Class of Service
DAA       Designated Approving Authority
DDT       delay-to-dial-tone
DISA      Defense Information Systems Agency
DISN      Defense Information Systems Network
DoD       Department of Defense
DoDD      Department of Defense Directive
DoDI      Department of Defense Instruction
DRSN      Defense RED Switch Network
DSCP      Differentiated Services Code Point
DSN       Defense Switch Network
DVX       Digital Voice eXchange
EO        End Office Switch
GSCR      Generic Switching Center Requirements

IA        information assurance
IAW       in accordance with
ICTO      Interim Certificate to Operate
IO        interoperability
IP        Internet Protocol
JITC      Joint Interoperability Test Command
LAN       Local Area Network
MFS       Multi-Function Switch
MGCP      Media Gateway Control Protocol
MUF       Military Unique Features
NSA       National Security Agency
OSD       Office of the Secretary of Defense
PBX1      Private Branch eXchange 1
PBX2      Private Branch eXchange 2
PRI       Primary rate interface
PSTN      Public Switched Telephone Network
QoS       Quality of Service
RSU       Remote Switching Unit
SIP       Session Initiation Protocol
SMEO      Small End Office Switch
STIG      Security Technical Implementation Guide
STP       Signaling Transfer Point
SUT       system under test
TACACS    Terminal Access Controller Access Control System
TDM       Time Division Multiplexing
VCAO      Voice Connection Approval Office
VoIP      Voice over Internet Protocol
VTC       Video TeleConference

Related Documentation

You can view the documentation for the products and software releases discussed in this document at the following URLs:

• DISA Approved Products List for Cisco

http://jitc.fhu.disa.mil/apl/dsn/apl_cisco.html

• Catalyst 6500 Series Switches, Software Release 12.2.(18)SXF3

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/index.htm

• Catalyst 4500 Series Switches, Software Release 12.2.(31)SG

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/index.htm

• Catalyst 3750, Catalyst 3560-PoE 24, Catalyst 2960, Software Release 12.2(25)SEE

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/index.htm

• Catalyst 2940, Catalyst 2950, Software Release 12.1(22)EA7

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/index.htm

• ONS-15454 SDH, Release 7.0

http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r70docs/index.htm

• ONS-15454 SDH, Release 7.0

http://www.cisco.com/univercd/cc/td/doc/product/ong/15454sdh/454sdh70/index.htm

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

This document is to be used in conjunction with the documents listed in the Certified Network Topologies section.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007 Cisco Systems, Inc. All rights reserved.
