Fabien MEDAT Consultant CISCO - CRU · IP Network Infrastructure (IEEE 802 LAN) IP Network...

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Page 1

Fabien MEDAT, Consultant CISCO

Page 2

• Introduction

• LLDP-MED

• VLAN & 802.1X

• Voice & video communications

  – Signalling: SIP

  – Codecs, RTP

  – Admission control

  – Security

• Presence management, instant messaging

  – SIP/SIMPLE

  – XMPP

• Other standards

• Questions & answers

Page 3

[Diagram: IP telephony architecture. Components: applications; call agent (SIP / H.323); IP softphone; audio conference station; Wi-Fi phone; IP phone; analog phone; IP video softphone; video terminal; gateway (Q.931, Q.SIG) to analog and H.323 phones; H.323 gatekeeper; OpenLDAP directory; messaging.]

Page 4

[Diagram: IP Network Infrastructure (IEEE 802 LAN) connecting LLDP-MED endpoints and network connectivity devices]

LLDP-MED Communication Device Endpoints (Class III)

• Supports IP communication end user

• E.g. IP Telephone, Softphone, etc.

LLDP-MED Network Connectivity Devices

• Provide IEEE 802 network access to LLDP-MED Endpoints

• E.g. L2 / L3 switch, bridge, etc.

MED – Media Endpoint Discovery: primarily for telephony needs

• Interoperability between vendors

• Inventory management: location, version, etc.

• E-911, emergency service aided by location management

• Troubleshooting: duplex, speed, network policy

• Fast start, automatic network policy convergence: L2, L3, VLAN

• LLDP has to be enabled for LLDP-MED

• Selective MED TLVs can be enabled/disabled at interface level
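As an added example (not part of the deck), the Python below encodes and decodes the LLDP-MED Network Policy TLV that carries the L2/L3/VLAN policy the slide refers to, and checks that an advertised voice policy matches the VLAN and DSCP a switch port is supposed to announce. The TLV layout follows ANSI/TIA-1057; the sample values (VLAN 110, CoS 5, DSCP 46) are constructed.

```python
TIA_OUI = b"\x00\x12\xbb"   # ANSI/TIA-1057 organizationally unique identifier (LLDP-MED)
NETWORK_POLICY = 2          # LLDP-MED subtype of the Network Policy TLV
ORG_SPECIFIC = 127          # IEEE 802.1AB TLV type for organizationally specific TLVs
APP_TYPES = {1: "Voice", 2: "Voice Signaling", 3: "Guest Voice", 4: "Guest Voice Signaling",
             5: "Softphone Voice", 6: "Video Conferencing", 7: "Streaming Video",
             8: "Video Signaling"}

def build_network_policy_tlv(app_type, vlan_id, l2_priority, dscp, tagged=True, unknown=False):
    """Encode a Network Policy TLV: OUI | subtype | app type | U T X VLAN(12) L2(3) DSCP(6)."""
    if not (1 <= app_type <= 255 and 0 <= vlan_id < 4096 and 0 <= l2_priority < 8 and 0 <= dscp < 64):
        raise ValueError("field out of range")
    policy = (int(unknown) << 23) | (int(tagged) << 22) | (vlan_id << 9) | (l2_priority << 6) | dscp
    body = TIA_OUI + bytes([NETWORK_POLICY, app_type]) + policy.to_bytes(3, "big")
    header = (ORG_SPECIFIC << 9) | len(body)      # 7-bit TLV type, 9-bit length
    return header.to_bytes(2, "big") + body

def parse_network_policy_tlv(data):
    """Decode one Network Policy TLV from the start of `data`; reject anything malformed."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    header = int.from_bytes(data[:2], "big")
    tlv_type, length = header >> 9, header & 0x1FF
    body = data[2:2 + length]
    if tlv_type != ORG_SPECIFIC or len(body) != length:
        raise ValueError("not an organizationally specific TLV, or body truncated")
    if length != 8 or body[:3] != TIA_OUI or body[3] != NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(body[5:8], "big")
    return {"application": APP_TYPES.get(body[4], "reserved(%d)" % body[4]),
            "unknown_policy": bool((policy >> 23) & 1),
            "tagged": bool((policy >> 22) & 1),
            "vlan_id": (policy >> 9) & 0xFFF,
            "l2_priority": (policy >> 6) & 0x7,
            "dscp": policy & 0x3F}

def check_voice_policy(tlv, expected_vlan, expected_dscp=46):
    """Defender-side check: does the advertised voice policy match what this port should send?"""
    p = parse_network_policy_tlv(tlv)
    return (p["application"] == "Voice" and p["tagged"] and not p["unknown_policy"]
            and p["vlan_id"] == expected_vlan and p["dscp"] == expected_dscp)

# Constructed sample: voice VLAN 110, CoS 5, DSCP 46 (EF), tagged
SAMPLE_TLV = build_network_policy_tlv(app_type=1, vlan_id=110, l2_priority=5, dscp=46)
```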

Page 5

EAP-MD5 & EAP-TLS support

EAP-TLS process:

1. The certificate presented by the phone is validated (expiry and root CA trust)

2. The CRL is checked (has the certificate been revoked?)

3. The Common Name (CN) is checked against the database and the RADIUS parameters are returned to the switch

4. The phone is allowed onto the network

[Diagram: phone (MIC/LSC certificate) – 802.1X / EAP-TLS – switch – RADIUS AAA server (AAA certificate), with the Cisco CA and the CRL behind the AAA server.]

Page 6

• Support for "voice domain" and "data domain" authentication on the same port

• The "data domain" part stays the same

• The "voice domain" part:

  – No dynamic VLAN assignment

  – 802.1X or MAC Authentication Bypass supported

  – Only one MAC address is allowed

[Diagram: a desktop PC and an IP phone, each authenticating with 802.1X on the same switch port.]

Page 7

Page 8

SIP VoIP Network

[Diagram: calling party (PSTN) – SIP gateway/proxy – SIP gateway/proxy – called party (PSTN)]

Call setup and teardown:

  INVITE → 100 Trying; INVITE forwarded → 100 Trying

  180 Ringing (relayed back to the caller)

  200 OK (relayed back to the caller)

  ACK (forwarded to the callee)

  RTP stream (end to end between the parties)

  BYE (forwarded) → 200 OK

Page 9

SDP Offer/Answer Model for SIP (caller ↔ callee)

Delayed Offer: INVITE (no SDP) → 200 OK (Offer SDP) → ACK (Answer SDP)

Early Offer: INVITE (Offer SDP) → 200 OK (Answer SDP) → ACK
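The offer/answer exchange above, worked through in Python as an added example (not code from the presentation): the callee parses the SDP offer carried in an early-offer INVITE, keeps only the codecs both sides support in the offer's relative order (RFC 3264), and returns None where the UA should answer 488 Not Acceptable Here, including when local policy requires SRTP (RTP/SAVP) and the offer is plain RTP/AVP. The offer, codec list and addresses are constructed values.

```python
import re

LOCAL_CODECS = ("G722/8000", "PCMU/8000", "PCMA/8000", "G729/8000")   # what this side can decode
STATIC_PT = {0: "PCMU/8000", 8: "PCMA/8000", 9: "G722/8000", 18: "G729/8000"}  # RFC 3551 static types
LOCAL_IP, LOCAL_PORT = "192.0.2.10", 20000   # constructed (documentation address range)

# Constructed early-offer SDP as carried in the INVITE; PT 96 is dynamic and needs its a=rtpmap
OFFER = ("v=0\r\n"
         "o=alice 2890844526 2890844526 IN IP4 192.0.2.1\r\n"
         "s=-\r\n"
         "c=IN IP4 192.0.2.1\r\n"
         "t=0 0\r\n"
         "m=audio 49170 RTP/AVP 18 96 0\r\n"
         "a=rtpmap:96 iLBC/8000\r\n")

def parse_offer(sdp):
    """Return (transport, ordered {payload type: 'name/clock'}) for the first audio m= line."""
    lines = sdp.splitlines()
    media = next((l for l in lines if l.startswith("m=audio ")), None)
    if media is None:
        raise ValueError("offer has no audio media description")
    _port, transport, *pts = media[len("m=audio "):].split()
    rtpmap = {}
    for line in lines:
        m = re.match(r"a=rtpmap:(\d+) (\S+)", line)
        if m:
            rtpmap[int(m.group(1))] = m.group(2)
    offered = {}
    for pt in map(int, pts):
        offered[pt] = rtpmap.get(pt) or STATIC_PT.get(pt) or "unknown"
    return transport, offered

def build_answer(sdp, require_srtp=False):
    """RFC 3264 answer: keep the codecs both sides support, in the offer's relative order.
    Returns None when the UA should reject the INVITE with 488 Not Acceptable Here."""
    transport, offered = parse_offer(sdp)
    if require_srtp and transport != "RTP/SAVP":   # local policy: media must be SRTP
        return None
    common = [pt for pt, name in offered.items() if name in LOCAL_CODECS]
    if not common:
        return None
    answer = ["v=0", f"o=bob 1 1 IN IP4 {LOCAL_IP}", "s=-", f"c=IN IP4 {LOCAL_IP}", "t=0 0",
              f"m=audio {LOCAL_PORT} {transport} " + " ".join(map(str, common))]
    answer += [f"a=rtpmap:{pt} {offered[pt]}" for pt in common]
    return "\r\n".join(answer) + "\r\n"
```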

Page 10

H.323 VoIP Network

[Diagram: two endpoints and a gatekeeper; signalling and media paths]

• H.225 call signalling (TCP port 1720): Setup → Call Proceeding → Alerting → Connect

• H.245 (dynamic TCP ports): Capabilities Exchange → Open Logical Channel → Open Logical Channel Acknowledge

• Media (UDP): RTP / RTCP streams

Page 11

[Diagram: digital gateways (T1 CAS, T1 PRI / E1 PRI, BRI) between the PSTN and a PBX; analog gateways connecting phone, fax, modem and PBX to the PSTN.]

Page 12

• All PSTN signaling terminates on the gateway

• H.225 communication between the gateway and CallManager

• H.323 is a “peer-to-peer” protocol

[Diagram: PSTN – gateway – Cisco CallManager. TDM side: framing, layer 2 and PRI layer 3 all terminate on the gateway; IP side: H.225 to CallManager.]

Page 13

• Framing and layer 2 signaling terminate at the gateway

• Layer 3 signaling is backhauled to the CallManager

• MGCP is a “client-server” protocol

• MGCP 0.1 with CallManager only

[Diagram: PSTN – gateway – Cisco CallManager. TDM side: framing and layer 2 terminate on the gateway; PRI layer 3 (Q.931) is backhauled over TCP to CallManager; call signaling between gateway and CallManager is MGCP over UDP.]

Page 14

Protocol comparison: H.323 / SIP / MGCP

Interoperability

  – H.323: Breadth of products and interfaces

  – SIP: Breadth of products and interfaces

  – MGCP: Less than H.323/SIP, e.g. no FXO caller-ID on MGCP

Dialplan configuration

  – H.323: Distributed dialplan configuration / potentially higher administration (6)

  – SIP: Distributed dialplan configuration / potentially higher administration (6)

  – MGCP: Centralized dialplan configuration / low administration (1)

Power of IOS dial peers

  – H.323: Utilizes features configured with IOS dial peers / Intelligent

  – SIP: Utilizes features configured with IOS dial peers / Intelligent

  – MGCP: Can’t utilize features configured with IOS dial peers

Audio preservation (failover between CCMs)

  – H.323: Audio is preserved (2)

  – SIP: Audio is preserved (3)

  – MGCP: Audio is preserved

Audio preservation (CCM SRST failover)

  – H.323: Audio is preserved (4)

  – SIP: Audio is preserved (3)

  – MGCP: Audio is preserved (5)

(1) Dial-peer configurations are still needed when MGCP falls back to local control (H.323, SIP, POTS dial peers).

(2) Requires IOS 12.4.4XC/12.4.9T and CCM 4.1.3-SR2.

(3) Configure the SIP minimum-session-expiration header under global SIP configuration mode.

(4) Requires disabling the TCP timer.

(5) ISDN calls are not preserved.

(6) If used without a call agent with a centralized dial plan.

Page 15

Audio codecs, sorted by audio quality (best first), with sampling band and bitrate:

Codec | Band (sampling rate) | Bitrate
AAC-LD (Low Delay), Cisco TelePresence | Super-wideband (48 kHz) | 64 kbps (per channel)
L16 (Linear PCM 16-bit) | Wideband (16 kHz) | 256 kbps
G.722 | Wideband (16 kHz) | 64 kbps
iSAC | Wideband (16 kHz) | 10 - 32 kbps
G.722.1 | Wideband (16 kHz) | 32 kbps
G.711 (μ-law/A-law) | Narrowband (8 kHz) | 64 kbps
iLBC | Narrowband (8 kHz) | 16 kbps
G.728 | Narrowband (8 kHz) | 16 kbps
GSM Enhanced Full Rate | Narrowband (8 kHz) | 13 kbps
GSM Full Rate | Narrowband (8 kHz) | 13 kbps
G.729 (Annex A, Annex B) | Narrowband (8 kHz) | 8 kbps
GSM Half Rate | Narrowband (8 kHz) | 7 kbps
G.723.1 | Narrowband (8 kHz) | 7 kbps

Page 16

[Diagram: call admission control options. Locations CAC and gatekeeper CAC (gatekeepers, GK) between a central site and branches 1 and 2; RSVP reservations made by Cisco RSVP Agents at each site on behalf of the CUCM cluster.]

Page 17

[Diagram: Unified CM cluster at HQ and a branch over the IP WAN, with RSVP agents and RSVP reservations; CME at the branch; CUBE to the PSTN via a SIP gateway / CVP, and a CUBE SIP trunk to an IP PSTN.]

Page 18

Certificates:

• Call Manager: self-signed

• Phones: MIC or LSC

  – Manufacturing Installed Certificate (MIC): installed in the phone's permanent memory; signed by the Cisco CA

  – Locally Significant Certificate (LSC): installed by the local certificate authority; takes precedence over the MIC; can be erased by a factory reset

Page 19

[Diagram: protocol stack IP / TCP / TLS / HTTP, SCCP, SIP, LDAP]

TLS supports a wide range of applications

• Needs a secure method to exchange a shared secret

  – Bidirectional PKI for mutual authentication

  – RSA exchange of the shared secret

• Computes a Hashed Message Authentication Code (HMAC)

  – MD5 or SHA-1 hash

• Conventional cryptography using the shared secret

  – DES, 3DES, AES

  – RC2, RC4

  – IDEA

(List as of 2010; RC4, DES and MD5-based MACs have since been deprecated for TLS.)

• Bidirectional PKI for authentication

• HMAC for integrity

• Encryption for confidentiality

Page 20

[Diagram: SRTP packet layout]

Authenticated part:

  V P X CC M PT | sequence number

  timestamp

  synchronization source (SSRC) identifier

  contributing sources (CSRC) identifiers

  RTP extension (optional)

Encrypted part (also covered by the authentication tag):

  RTP payload

SRTP MKI – 0 bytes for voice

Authentication tag – 4 bytes for voice

• RFC 3711 for secure transport

• Uses AES-128 for authentication and encryption (in the default AES_CM_128_HMAC_SHA1 suites, the integrity tag itself is an HMAC-SHA1 keyed from the AES master key)

• Efficient, low overhead
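As an added example (not from the deck), the Python below shows which bytes of an SRTP packet are covered by the authentication tag and how a receiver verifies the 4-byte tag before accepting a packet, for the voice profile the slide describes (AES_CM_128_HMAC_SHA1_32: no MKI, 32-bit tag, tag computed over header, encrypted payload and ROC per RFC 3711). The session authentication key, RTP header and ciphertext are constructed values; AES-CM payload encryption and the SRTP key derivation are not shown.

```python
import hmac, hashlib, struct

TAG_LEN = 4                   # 32-bit truncated HMAC-SHA1 tag (AES_CM_128_HMAC_SHA1_32), no MKI
AUTH_KEY = bytes(range(20))   # constructed 160-bit session auth key; a real one comes from the SRTP KDF

def rtp_header_len(pkt):
    """Cleartext RTP header: 12 bytes + 4 per CSRC + the header extension when X=1."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    cc, x = pkt[0] & 0x0F, (pkt[0] >> 4) & 1
    n = 12 + 4 * cc
    if x:
        if len(pkt) < n + 4:
            raise ValueError("truncated header extension")
        n += 4 + 4 * struct.unpack("!H", pkt[n + 2:n + 4])[0]
    if len(pkt) < n:
        raise ValueError("truncated header")
    return n

def srtp_tag(auth_key, authenticated, roc):
    """RFC 3711 section 4.2: MAC over (header || encrypted payload || ROC), ROC as 32-bit big-endian."""
    mac = hmac.new(auth_key, authenticated + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:TAG_LEN]

def srtp_protect(auth_key, rtp_header, encrypted_payload, roc):
    """Sender: header stays in clear, payload is already AES-CM encrypted, tag goes last."""
    authenticated = rtp_header + encrypted_payload
    return authenticated + srtp_tag(auth_key, authenticated, roc)

def srtp_verify(auth_key, srtp_pkt, roc):
    """Receiver: check the tag first; only then split off the header. Raises on failure."""
    if len(srtp_pkt) < 12 + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = srtp_pkt[:-TAG_LEN], srtp_pkt[-TAG_LEN:]
    if not hmac.compare_digest(tag, srtp_tag(auth_key, body, roc)):
        raise ValueError("SRTP authentication failed, packet discarded")
    hlen = rtp_header_len(body)
    return body[:hlen], body[hlen:]

def srtp_is_authentic(auth_key, srtp_pkt, roc):
    """Boolean form of srtp_verify, e.g. for counting dropped packets in a monitor."""
    try:
        srtp_verify(auth_key, srtp_pkt, roc)
        return True
    except ValueError:
        return False

# Constructed sample: V=2, PT=0 (G.711 mu-law), seq=1, timestamp=160, SSRC=0x12345678
RTP_HEADER = bytes.fromhex("80000001000000a012345678")
CIPHERTEXT = bytes(range(0x10, 0x30))   # 32 bytes standing in for the encrypted payload
SAMPLE_SRTP = srtp_protect(AUTH_KEY, RTP_HEADER, CIPHERTEXT, roc=0)
```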

Page 21

[Diagram: security mechanisms by link. IPsec and SRTP toward the MGCP and H.323 gateways; TLS on SIP trunks; TLS and SRTP for applications. Legend: TLS, IPsec, SRTP.]

Page 22

Page 23

• Presence turns real-time communications into “right-time” communications, allowing people to reach the right person, at the right time, in the right place, using the right device

• XMPP (eXtensible Messaging and Presence Protocol)

  – Google Talk

  – Facebook

  – Jabber/Cisco (WebEx Connect / CU Presence Server)

• SIMPLE (Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions)

  – Cisco Unified Communication Systems

  – Microsoft Live Communication Server

  – Yahoo Messenger (with some SIP extensions)

Page 24

Session Initiation Protocol (SIP) is an application-layer control protocol that can establish, modify, and terminate multimedia sessions.

SIP requests:

• INVITE

• REGISTER

• SUBSCRIBE

• NOTIFY

• PUBLISH

• MESSAGE

• INFO

• REFER

• OPTIONS

SIP responses:

• 1xx

• 2xx

• 3xx

• 4xx

• 5xx

• 6xx

SIMPLE

Page 25

Page 26

Page 27

• Established industry standard

  – Developed by the Jabber open-source community (1999)

  – Formalised as a standard by the IETF (2002-2004)

  – Continuously extended by the XMPP Standards Foundation

• Very active developer community

  – 60+ XMPP clients developed and supported across seven different desktop, mobile and web platforms

  – 20+ XMPP servers developed for XMPP operators

  – XMPP software libraries for XMPP application developers in 17 different programming languages

• Growing number of XMPP services: Cisco Unified Presence, Cisco WebEx Connect, Google Talk, Live Journal Talk, Nimbuzz, Ovi, …

Page 28

[Diagram: XMPP address (JID) example, [email protected]/123, i.e. node@domain/resource, for the domain cisco.com.]

Page 29

- DHCP

- IPv6

- 802.1Q for voice VLAN isolation

- Standardised video codecs (H.263, H.264, …)

- LDAP directory integration (OpenLDAP, …)

- Enterprise PKI integration (external CA support with X.509 certificates)

Page 30

Thank you.