Security Concerns; Other IP Interfaces - Avaya Application Solutions Deployment Manual


When tying the control network into the corporate network, strong access lists or firewalls should be used to prevent Denial of Service (DoS) attacks and broadcast storms from interfering with control network traffic. Appendix B identifies the ports that must be opened for IPSI-controlled port networks.
A low latency queuing (LLQ) mechanism should be implemented on network elements in the control network path. Control traffic should be tagged with DSCP 46 and 802.1p CoS 6. Section 3 provides guidelines on setting up an LLQ or other suitable QoS design.
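As an added example (not code from the Avaya manual), the following Python shows what the two markings above look like on the wire and what a classifier on the control path would check: DSCP 46 occupies the upper six bits of the IPv4 TOS byte (0xB8), CoS 6 occupies the three PCP bits of the 802.1Q tag, and re-marking an IPv4 header also requires recomputing the header checksum. The sample addresses and VLAN ID are assumptions.

```python
import struct
from ipaddress import IPv4Address

DSCP_EF = 46        # DSCP 46 (Expedited Forwarding): the marking specified for control traffic
COS_CONTROL = 6     # 802.1p class of service 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with DSCP 0 and a valid checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5
        0x00,                 # DSCP 0 / ECN 0 (unmarked)
        20 + payload_len,     # total length
        0x1234, 0x4000,       # identification, flags=DF, fragment offset 0
        64, proto, 0,         # TTL, protocol, checksum placeholder
        IPv4Address(src).packed, IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def get_dscp(header: bytes) -> int:
    return header[1] >> 2


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the 6-bit DSCP field (ECN bits preserved) and recompute the header checksum.
    Skipping the checksum step is the classic bug: a marked packet every router then drops."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    hdr = bytearray(header)
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def vlan_tci(cos: int, vlan_id: int, dei: int = 0) -> int:
    """802.1Q Tag Control Information: 3-bit PCP (the 802.1p CoS), 1-bit DEI, 12-bit VID."""
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and dei in (0, 1)):
        raise ValueError("field out of range")
    return (cos << 13) | (dei << 12) | vlan_id


def cos_from_tci(tci: int) -> int:
    return (tci >> 13) & 0x7


def is_control_marked(header: bytes, tci: int) -> bool:
    """What an LLQ classifier on the control path would check: both markings present."""
    return get_dscp(header) == DSCP_EF and cos_from_tci(tci) == COS_CONTROL


if __name__ == "__main__":
    # Constructed sample: a server-to-IPSI control packet on an assumed control VLAN 100.
    raw = build_ipv4_header("10.10.0.10", "10.10.0.20")
    marked = set_dscp(raw, DSCP_EF)
    tci = vlan_tci(COS_CONTROL, 100)
    print("TOS byte 0x%02x, DSCP %d, TCI 0x%04x, checksum valid: %s, classified as control: %s" % (
        marked[1], get_dscp(marked), tci, ipv4_checksum(marked) == 0, is_control_marked(marked, tci)))
```

The same two checks (DSCP in the TOS byte, PCP in the tag) are what to look for in a packet capture on the control path when verifying that intermediate switches have not re-marked or stripped the markings.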

Security Concerns

The private control LAN has historically been a feature of the Multi-Connect configuration that
has added significant security and protection against network flooding attacks, viruses, and
unauthorized access. Naturally, with the control network and public network combined, this
protection is no longer inherently provided. Avaya recommends isolating the control network
from the enterprise network as much as possible.
Should an enterprise decide to combine the control and public networks, Avaya recommends implementing firewalls or access control lists in order to protect the system from attacks and unwanted traffic:
- Firewalls should be placed between the enterprise network and control network segments to protect the server against network attacks.
- Firewalls should be implemented to prevent unauthorized access to the server from the enterprise network in the case of a compromise of the enterprise network.
- Firewalls should be implemented to prevent unauthorized access to the enterprise network from the server in the case of a server compromise.
- Firewalls should enforce protection rules that prevent the propagation of ANY traffic that is not needed for VoIP communications. For a list of recommended settings in this area, consult Appendix B: Access list.

Other IP interfaces

The C-LAN and Media Processor connect directly to the customer's data network (that is, not the control network). They must be reachable by IP Telephones on the network, so they should be placed in the voice VLAN, should one exist, or should at least be reachable by all subnets containing voice endpoints. The architecture of the system is such that traffic entering either the C-LAN or MedPro cannot cross into the control network.
The IPSI connects to the control network and provides an interface between the S8700 servers and the port network. It does not need to be reachable from the enterprise network.
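An added example, not part of the manual, that models the firewall policy from the bullets above and the boundary note in this section: permit only the flows the deployment needs between the enterprise and control segments, deny everything else explicitly in both directions (covering both a compromised enterprise network and a compromised server), and confirm that phone-to-C-LAN or phone-to-MedPro traffic never reaches that boundary. All addresses and the port number are assumptions (the real port list is in Appendix B); the rendering uses Cisco extended-ACL syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Addresses and the port below are assumptions for this example, not Avaya values.
CONTROL_NET = ip_network("10.10.0.0/24")   # assumed private control network segment
SERVER = ip_network("10.10.0.10/32")       # assumed S8700 server address
ADMIN_HOST = ip_network("10.0.5.5/32")     # assumed management station on the enterprise side
ANY = ip_network("0.0.0.0/0")
EXAMPLE_ADMIN_PORT = 5000                  # placeholder only; use the ports listed in Appendix B


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" for any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# Policy on the firewall between the enterprise and control segments: permit only the
# required flows, then deny everything else. The final "deny ip any any" matches in both
# directions, which is what protects the server from the enterprise and the enterprise
# from a compromised server.
CONTROL_BOUNDARY_ACL: List[Rule] = [
    Rule("permit", "tcp", ADMIN_HOST, SERVER, EXAMPLE_ADMIN_PORT),
    Rule("deny", "ip", ANY, ANY),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation; a packet matching no rule is denied (implicit deny)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def crosses_control_boundary(pkt: Packet) -> bool:
    """True when exactly one end of the flow is inside the control network, i.e. the packet
    traverses the enterprise/control firewall. Phone-to-C-LAN or phone-to-MedPro traffic
    stays on the data network and never reaches this boundary."""
    return (ip_address(pkt.src) in CONTROL_NET) != (ip_address(pkt.dst) in CONTROL_NET)


def _acl_addr(net: IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # Cisco-style wildcard mask


def to_cisco_acl(acl: List[Rule]) -> List[str]:
    """Render the policy as extended-ACL lines for a router or switch between the segments."""
    lines = []
    for r in acl:
        line = f"{r.action} {r.proto} {_acl_addr(r.src)} {_acl_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


# Constructed sample traffic, one packet per case discussed in the text.
SAMPLE_PACKETS = {
    "admin to server":        Packet("tcp", "10.0.5.5", "10.10.0.10", EXAMPLE_ADMIN_PORT),
    "other host to server":   Packet("tcp", "10.0.7.7", "10.10.0.10", EXAMPLE_ADMIN_PORT),
    "server to enterprise":   Packet("tcp", "10.10.0.10", "10.0.7.7", 445),
    "broadcast into control": Packet("udp", "10.0.7.7", "10.10.0.255", 137),
    "phone to C-LAN":         Packet("udp", "10.20.1.15", "10.20.0.5"),
}


def audit(acl: List[Rule]) -> dict:
    """Decision per sample flow; flows that never cross the boundary are reported as such."""
    return {name: (evaluate(acl, p) if crosses_control_boundary(p) else "not at boundary")
            for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for line in to_cisco_acl(CONTROL_BOUNDARY_ACL):
        print(line)
    for name, decision in audit(CONTROL_BOUNDARY_ACL).items():
        print(f"{name:24s} -> {decision}")
```

When extending the permit list from Appendix B, keep each permit as narrow as the source and destination allow (host entries rather than subnets where possible) and leave the explicit deny as the last line; a permit appended after it would never be reached under first-match evaluation.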
S8700 Multi-Connect
Issue 3.4.1 June 2005
339
