VoIP and LAN Design



Group 4, UMUC CMIT 495

Scope:

This document covers World Wide Trading Company (WWTC) requirements for both an upgraded Voice over Internet Protocol (VoIP) system and a new network backbone. The goal of the upgrades is to create a fast and modular network that can be scaled as the business grows. The network will be secure without prohibiting outside connections. Each major failure point within the network will have redundancies that permit failover if a device fails. At the network edge, two separate Internet Service Providers (ISPs) will be used to connect to the internet, and thus to other sites across a corporate WAN.

Equipment:

WWTC will require a network capable of very high speeds, redundancy, VoIP capabilities, and effective but non-intrusive security. The Enterprise Edge will have two ISP connections, one to Google Fiber and one to Verizon FiOS Business. The Edge Routers will be Cisco 12006 series with 30 Gbps throughput for future expansion. The Virtual Private Network (VPN) concentrator will be a Cisco VPN 3060, allowing 100 Mbps of encrypted traffic to pass through the network. Security will be provided by the built-in firewalls in the Edge Routers, as well as three Cisco 5585 series firewalls. These firewalls come with an expanded capacity to filter malware and report analytical data to a network security management server. The network core will use two Catalyst 6503-E switches in a dual-redundant setup. Each of these switches will be capable of pushing over 10 Gbps on each port. Distribution level switching will be handled by four Catalyst 4503 series switches, with two in the server farm and two connecting to the office area. All access level connections will be made by Catalyst 2960 series switches. Power over Ethernet (PoE) versions of the 2960s will be used in the office space to power phones and wireless access points.
The office switches will have 48 ports each, providing over 100% growth capacity. The wireless network will consist of a 5508 series wireless controller and eight 1142 series access points. Each access point will be capable of handling several hundred connections at once, but optimally will handle 30 at a time. Normal user telephones will be 7965G VoIP phones, while receptionists and the executive assistant will receive the same phones with the 7916 expansion module to allow for more hotkey buttons. The conference room will have an 8831 conference phone installed to allow maximum area coverage during teleconferences. The central hub for the phones, as well as any video conferencing systems, will be a Cisco Unified Communications Manager running version 10.5. The tables below list in detail the devices that will be used on the Local Area Network (LAN).

Access Switches

| Model | Count | Ethernet Ports | Fiber Ports | Features | Location |
| Catalyst 2960S-48FPD-L | 7 | 48 | 2 | PoE on all ports | User Access Level |
| Catalyst 2960S-24TD-L | 4 | 24 | 2 | ? | Net Mgt + DMZ |
| Catalyst 2960S-48TD-L | 6 | 48 | 2 | ? | Server Farm |

Distribution Switches

| Model | Count | Ethernet Ports | Card Slots | Location |
| Catalyst WS-C4503-E | 4 | 2 | 2 | Distribution Level + Server Farm |

Distribution Line Cards

| Model | Count | Fiber Ports | Speed | Connection Type |
| WS-X4712-SFP+E | 8 | 12 | 10 Gbps/port | SFP+ |

Distribution Supervisory Engines

| Model | Count | Speed |
| Catalyst 4500 Engine 7L-E | 4 | 48 Gbps/card |

Core Switches

| Model | Count | Ethernet Ports | Card Slots |
| Catalyst 6503-E | 2 | 2 | 3 |

Core Line Cards

| Model | Count | Fiber Ports | Speed | Connection Type |
| 6904-40G | 6 | 16 | 10 Gbps/port | SFP+ |

Core Supervisory Engines

| Model | Count | Speed | Features |
| Catalyst 6500 Engine 720 | 2 | 80 Gbps/card | Hardware IPv6 Support |

Wireless Access Points

| Model | Count | Bands | Standards | Speed | Features |
| AIR-LAP1142N-x-K9 | 8 | 2 | a/g/n | 300 Mb/s | PoE, built-in antenna |

Wireless Controller

| Model | Count | Supported APs | Fiber Ports | Speed | Features |
| AIR-CT5508-25-K9 | 1 | 25 | 8 | 1 Gbps/port | Direct Connect AP |

VoIP Phones

| Model | Count | Features |
| 7965G | 150 | Bridges Ethernet, PoE |
| 7965G + 7916 Expansion Module | 4 | Expanded button capacity |
| 8831 Conference Phone | 1 | Conference capabilities |

Call Manager

| Model | Count | Devices Supported | Features |
| 10.5 on Dedicated Server | 1 | 40,000 | IPv6, IPsec, QoS, Videoconference |

Firewalls

| Model | Count | Speed | Sessions | Features |
| 5585-X40 ASA/FirePOWER | 3 | 10 Gbps | 1,800,000 | Firewall, Malware, Reporting |

Routers

| Model | Count | Speed | Slots | Features | Location |
| Cisco 12006 Edge Router | 2 | 30 Gbps | 6 | IPv6 Capable | Enterprise Edge |

Router Slot Cards

| Model | Count | Speed | Fiber Ports | Features |
| 12000-OC-12c/STM-4c ISE | 4 | 30 Gbps | 4 | Error reporting, QoS |
| 12000-4-P-GE-ISE | 4 | 1 Gbps | 0 | Ethernet Ports |
| 12000 Processor 1 | 2 | N/A | N/A | Primary Processor |
| 12000 Processor 2 | 2 | N/A | N/A | Increases routing speed |

VPN Concentrator

| Model | Count | Speed | Conc. Users | Security Features |
| Cisco VPN 3060 | 1 | 100 Mbps | 5,000 | Hardware IPSec Encryption |

IP Scheme, VLANs, & Routing Protocol:

The internal IP scheme for WWTC will use the 10.100.0.0 – 10.100.4.119 range. The IP addresses will be divided across the VLANs on the network, with summarization occurring at the distribution and core switches. EIGRP will be used as the primary routing protocol on the network, with VLANs being routed to each other only at the core switches. EIGRP provides auto-summarization, which reduces the administrative overhead of designing the network hierarchy (Benjamin, 2002). As the layout of the offices appears to allow multiple users access to a single location, ports and switches will not be devoted to a single VLAN. Rather, user ports for all regional directorates, operations, and the president's office will have identical VLAN access lists (1001, 1004, 1005, 1006, 1007, 1008, 1009, and 1017). The Wireless VLAN (1002) will be enabled only on the ports going to the wireless access points, while the wireless controller will bridge those connections to the rest of the network via VLAN 1014. The internet gateway and VPN gateway VLANs (1015 and 1016) will be reachable via EIGRP routing in the core switches.
Network monitoring and management will be kept separate from the rest of the network, as all devices used for high level administrative functions will run on VLAN 1010. This management subnet will contain the devices that control access to and configuration of the rest of the network. Within the management network will be two servers devoted to Dynamic Host Configuration Protocol (DHCP), Active Directory (AD), Domain Name System (DNS), and Windows Server Update Services (WSUS). Each server will duplicate the capabilities for these services, but only one will be the network's primary source while the other will be configured as a backup. The primary network management servers will be routed to the rest of the network at the core switches. This VLAN will be enabled at all locations to allow administrator access for troubleshooting. Security devices will have a specific VLAN (1011) for filtering and monitoring. The server farm will be on VLAN 1003, and the DMZ servers will be on VLAN 1013. All network switches and routers are inherently capable of providing IPv6 via multiple transition methods, allowing for the possibility of a conversion from IPv4.

| Network | Mask | Net ID | First Usable | Last Usable | Broadcast | Avail. IPs | Used IPs | VLAN ID |
| VoIP | /24 | 10.100.0.0 | 10.100.0.1 | 10.100.0.254 | 10.100.0.255 | 254 | 155 | 1001 |
| Wireless | /24 | 10.100.1.0 | 10.100.1.1 | 10.100.1.254 | 10.100.1.255 | 254 | 254 | 1002 |
| Server Farm | /24 | 10.100.2.0 | 10.100.2.1 | 10.100.2.254 | 10.100.2.255 | 254 | 240 | 1003 |
| Operations | /26 | 10.100.3.0 | 10.100.3.1 | 10.100.3.62 | 10.100.3.63 | 62 | 55 | 1004 |
| NorthWest | /27 | 10.100.3.64 | 10.100.3.65 | 10.100.3.94 | 10.100.3.95 | 30 | 16 | 1005 |
| SouthWest | /27 | 10.100.3.96 | 10.100.3.97 | 10.100.3.126 | 10.100.3.127 | 30 | 16 | 1006 |
| NorthEast | /27 | 10.100.3.128 | 10.100.3.129 | 10.100.3.158 | 10.100.3.159 | 30 | 16 | 1007 |
| SouthEast | /27 | 10.100.3.160 | 10.100.3.161 | 10.100.3.190 | 10.100.3.191 | 30 | 16 | 1008 |
| Middle | /27 | 10.100.3.192 | 10.100.3.193 | 10.100.3.222 | 10.100.3.223 | 30 | 16 | 1009 |
| Net Mgt/Mon | /27 | 10.100.3.224 | 10.100.3.225 | 10.100.3.254 | 10.100.3.255 | 30 | ~20 | 1010 |
| Security | /27 | 10.100.4.0 | 10.100.4.1 | 10.100.4.30 | 10.100.4.31 | 30 | ~16 | 1011 |
| Switches | /27 | 10.100.4.32 | 10.100.4.33 | 10.100.4.62 | 10.100.4.63 | 30 | 23 | 1012 |
| DMZ Servers | /28 | 10.100.4.64 | 10.100.4.65 | 10.100.4.78 | 10.100.4.79 | 14 | ~12 | 1013 |
| Wireless Mgt | /28 | 10.100.4.80 | 10.100.4.81 | 10.100.4.94 | 10.100.4.95 | 15 | 9 | 1014 |
| VPN Gate | /29 | 10.100.4.96 | 10.100.4.97 | 10.100.4.102 | 10.100.4.103 | 6 | 3 | 1015 |
| Internet Gate | /29 | 10.100.4.104 | 10.100.4.105 | 10.100.4.110 | 10.100.4.111 | 6 | 6 | 1016 |
| President | /29 | 10.100.4.112 | 10.100.4.113 | 10.100.4.118 | 10.100.4.119 | 6 | 4 | 1017 |

Link IPs:

Two ISPs will be used to reach the internet and distant enterprise WAN locations. Fiber connections will be required for the high speed network traffic necessary in the financial services industry. Google Fiber and Verizon FiOS are the two largest competitors in the business fiber optic marketplace, so they will be used. Google Fiber currently offers business speeds of up to 10 Gbps, and Verizon FiOS has business plans reaching 5 Gbps (Verizon Inc, 2014) (Slinger, 2013). As the IP addresses assigned will be decided by the ISPs once an agreement has been reached, the IPs listed below are example connections based upon the static IPs they have available for sale. Each ISP will connect to only one of our edge routers, providing separate redundant connections.

| Network | Mask | Net ID | First Usable | Last Usable | Broadcast | Avail. IPs | Used IPs |
| Verizon ISP 1 | /30 | 108.0.0.64 | 108.0.0.65 | 108.0.0.66 | 108.0.0.67 | 2 | 2 |
| Google ISP 2 | /30 | 192.119.16.16 | 192.119.16.17 | 192.119.16.18 | 192.119.16.19 | 2 | 2 |

High Level Diagram:

Traffic enters the network on one of two edge routers, depending on the ISP delivering the data. From there the traffic either passes through the VPN concentrator (for VPN traffic) or through the DMZ. If the traffic is destined for the DMZ, it interacts with the web servers there and then returns to the cloud (Danen, 2001). If, instead, the traffic is destined for the internal network, it passes through a firewall and reaches the core switches. There the external VLAN tagging will be stripped and the data will be passed to the VLAN appropriate to its destination. Not all VLANs will be routed to each other, as some management, security, or confidential traffic must remain invisible to the rest of the network. The core switches also perform some light security and QoS work. The distribution layer and the server farm distribution layer will act as the high speed primary points of cross-communication within the network when data does not need to leave a VLAN. They will also perform some QoS functions. The user access switches will connect all VoIP phones, workstations, and wireless access points back to the distribution layer. Access level switches in the DMZ and server farm will provide the last-leg connections to the servers. All connections within the Local Area Network (LAN) above the access level will run over fiber optic cables. These cables will be connected to switches using 10 gigabit Small Form-Factor Pluggable (SFP+) transceivers, which can be swiftly replaced if damaged. The maximum network capacity between all devices outside of the user level will be a 1.25 GB/s transfer rate. Access level connections will use short-run Cat5e Ethernet cables, capable of gigabit speeds but without fiber's high cost of installation and repair.
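An addressing table like the IP scheme table above is the source for VLAN ACLs, DHCP scopes and firewall objects, so it pays to verify it mechanically before anything is built from it. The script below is an added example, not part of the original design document: it carries the VLAN table as a Python list (transcribed from this document, with the "~" approximations stored as plain integers), derives first usable, last usable, broadcast and usable-host count for every prefix with the standard library's ipaddress module, compares them with the stated values, and also flags overlapping prefixes, duplicate VLAN IDs, used counts that exceed capacity, and prefixes outside the 10.100.0.0 to 10.100.4.119 allocation. The function and variable names are this example's own.

```python
import ipaddress
from typing import Dict, List

# VLAN plan transcribed from the design table (constructed here as a Python
# structure). Columns: name, prefix, stated first usable, stated last usable,
# stated broadcast, stated available IPs, used IPs, VLAN ID.
PLAN = [
    ("VoIP",          "10.100.0.0/24",   "10.100.0.1",   "10.100.0.254", "10.100.0.255", 254, 155, 1001),
    ("Wireless",      "10.100.1.0/24",   "10.100.1.1",   "10.100.1.254", "10.100.1.255", 254, 254, 1002),
    ("Server Farm",   "10.100.2.0/24",   "10.100.2.1",   "10.100.2.254", "10.100.2.255", 254, 240, 1003),
    ("Operations",    "10.100.3.0/26",   "10.100.3.1",   "10.100.3.62",  "10.100.3.63",   62,  55, 1004),
    ("NorthWest",     "10.100.3.64/27",  "10.100.3.65",  "10.100.3.94",  "10.100.3.95",   30,  16, 1005),
    ("SouthWest",     "10.100.3.96/27",  "10.100.3.97",  "10.100.3.126", "10.100.3.127",  30,  16, 1006),
    ("NorthEast",     "10.100.3.128/27", "10.100.3.129", "10.100.3.158", "10.100.3.159",  30,  16, 1007),
    ("SouthEast",     "10.100.3.160/27", "10.100.3.161", "10.100.3.190", "10.100.3.191",  30,  16, 1008),
    ("Middle",        "10.100.3.192/27", "10.100.3.193", "10.100.3.222", "10.100.3.223",  30,  16, 1009),
    ("Net Mgt/Mon",   "10.100.3.224/27", "10.100.3.225", "10.100.3.254", "10.100.3.255",  30,  20, 1010),
    ("Security",      "10.100.4.0/27",   "10.100.4.1",   "10.100.4.30",  "10.100.4.31",   30,  16, 1011),
    ("Switches",      "10.100.4.32/27",  "10.100.4.33",  "10.100.4.62",  "10.100.4.63",   30,  23, 1012),
    ("DMZ Servers",   "10.100.4.64/28",  "10.100.4.65",  "10.100.4.78",  "10.100.4.79",   14,  12, 1013),
    ("Wireless Mgt",  "10.100.4.80/28",  "10.100.4.81",  "10.100.4.94",  "10.100.4.95",   15,   9, 1014),
    ("VPN Gate",      "10.100.4.96/29",  "10.100.4.97",  "10.100.4.102", "10.100.4.103",   6,   3, 1015),
    ("Internet Gate", "10.100.4.104/29", "10.100.4.105", "10.100.4.110", "10.100.4.111",   6,   6, 1016),
    ("President",     "10.100.4.112/29", "10.100.4.113", "10.100.4.118", "10.100.4.119",   6,   4, 1017),
]

# Internal range the document allocates to the LAN.
ALLOCATED_RANGE = (ipaddress.ip_address("10.100.0.0"), ipaddress.ip_address("10.100.4.119"))


def derive(network: str) -> Dict[str, object]:
    """Compute first/last usable host, broadcast and usable-host count for a prefix."""
    net = ipaddress.ip_network(network, strict=True)  # strict: host bits must be zero
    return {
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "avail": net.num_addresses - 2,  # network and broadcast are not assignable
    }


def check_plan(plan=PLAN) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    seen_nets = []
    seen_vlans = set()
    for name, prefix, first, last, bcast, avail, used, vlan in plan:
        d = derive(prefix)
        # Stated address columns must agree with what the prefix actually yields.
        for field, stated in (("first", first), ("last", last), ("broadcast", bcast), ("avail", avail)):
            if d[field] != stated:
                findings.append(f"{name}: table says {field}={stated}, {prefix} gives {d[field]}")
        if used > d["avail"]:
            findings.append(f"{name}: {used} used IPs exceed {d['avail']} usable in {prefix}")
        net = ipaddress.ip_network(prefix)
        # No two VLANs may share address space, and no VLAN ID may be reused.
        for other_name, other in seen_nets:
            if net.overlaps(other):
                findings.append(f"{name} {prefix} overlaps {other_name} {other}")
        seen_nets.append((name, net))
        if vlan in seen_vlans:
            findings.append(f"VLAN {vlan} assigned twice")
        seen_vlans.add(vlan)
        if not (ALLOCATED_RANGE[0] <= net.network_address and net.broadcast_address <= ALLOCATED_RANGE[1]):
            findings.append(f"{name} {prefix} falls outside the allocated range")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["plan is internally consistent"]:
        print(line)
```

Run as written, the check reports a single finding: the Wireless Mgt /28 provides 14 usable addresses, not the 15 shown in the table; every other stated address and count agrees with its prefix. A check of this kind kept next to the plan catches transcription slips before ACLs and DHCP scopes inherit them.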
Internet and External Telephone Traffic:

The Cisco Unified Communications Manager (CUCM) version 10.5 will be the primary method of outside communication for all VoIP, videoconferencing, and other communications devices. The CUCM needs to be connected via trunks to both ISPs' Private Branch Exchanges (PBXs) to permit outside dialing and long distance calls. This allows all phone traffic to be carried over the IP network without requiring secondary lines dedicated to phones. Internal phone calls will use the G.711 codec at a 64 Kbps bit rate for best sound quality. Each phone call, with QoS overhead and error correction, will consume 87.2 Kbps of bandwidth (Cisco Press, 2006). As there are 155 phones on the network, the absolute maximum load on the network from voice traffic would be approximately 13.5 Mbps. This barely scratches the internal capacity of 10 Gbps. As our external connections will be in the multiple Gbps range as well, G.711 at a 64 Kbps bit rate will be used externally too. This must be agreed upon with the ISPs, as some require a downgrade to G.729 for trunked external lines.

Wireless:

The wireless requirements for WWTC include three lobby/receptionist areas and one conference room. Each of these spaces will be covered by two 1142 series wireless access points. These access points have built-in antennas, reducing installation costs. The access points also run on PoE, requiring only a single cable run to an access PoE switch to function. All eight access points will connect back to a 5508 series wireless controller. The controller will bridge the wireless network to the rest of the network as well as provide management and security functionality. The diagram below demonstrates the wireless layout, with the LAN connectivity transparent to the wireless devices.

References

Benjamin, H. (2002). CCNP Practical Studies: Routing. Indianapolis, IN: Cisco Press.
Cisco Inc. (2012). Cisco Unified Communications Manager Version 10.5. Retrieved from Cisco.
Cisco Inc. (2013). Cisco VPN 3060 Concentrator. Retrieved from Cisco.
Cisco Inc. (2012). Cisco Unified IP Conference Phone 8831. Retrieved from Cisco.
Cisco Inc. (2013). Cisco 12006 Router. Retrieved from Cisco.
Cisco Inc. (2013). Cisco 5508 Wireless Controller. Retrieved from Cisco.
Cisco Inc. (2013). Cisco Aironet 1140 Series. Retrieved from Cisco.
Cisco Inc. (2014). Cisco ASA 5585 Adaptive Security Appliance. Retrieved from Cisco.
Cisco Inc. (2014). Cisco Catalyst 2960 Series Switches. Retrieved from Cisco.
Cisco Inc. (2014). Cisco Catalyst 4503-E Switch. Retrieved from Cisco.
Cisco Inc. (2014). Cisco Catalyst 6503-E Switch. Retrieved from Cisco.
Cisco Inc. (2014). Cisco Unified IP Phone 7965G. Retrieved from Cisco.
Cisco Press. (2006, February 7). Voice Over IP - Per Call Bandwidth Consumption. Retrieved from Cisco Press.
Danen, V. (2001, March 29). Lock IT Down: Implementing a DMZ. Retrieved from TechRepublic.
Slinger, M. (2013, October 9). Clarification for Small Businesses about Google Fiber. Retrieved from Google Fiber Blog.
Verizon Inc. (2014). Business Fiber Optic Options. Retrieved from Verizon.