Assess the Current Data Infrastructure
The most important aspect of a successful implementation is ensuring that your data infrastructure is stable before you attempt to deploy voice applications. There are many factors to consider. QoS, availability, and security are the top three. The following sections help you determine whether the network can support the level of service to which telephony users are accustomed.
Implement Quality of Service
Voice is a delay-sensitive application. You have to ensure that the network components can support consistent delay characteristics to keep voice sounding natural and smooth. You have to configure the network devices to provide a priority queue for voice packets in case network congestion occurs. For a complete guide to implementing QoS, read "Cisco AVVID Network Infrastructure Enterprise Quality of Service Design," available at the following link or search Cisco.com for "Quality of Service Solutions Reference Network Design" or "Cisco AVVID Network Infrastructure."
Maintain the Highest Availability Possible
Network availability has many facets. To maintain the highest level of availability, focus on power and network design, as discussed in the following sections.
Make Sure You Have an Uninterruptible Power Supply
To maintain service in the event of a power failure, you should provide uninterruptible power for all network devices, such as servers, switches, and routers. Whether you rack-mount uninterruptible power supplies (UPS) in each closet or provide a centralized UPS for the entire building, redundant power is crucial. When putting UPSs in your closets, the most important decisions are how long the battery backup must last and what receptacles your switches should use. In addition, it's important to use a UPS that conditions power so that you can protect your switching equipment from power spikes.
Ensure an Optimum Operational Environment
All network devices should be placed in locations with stable environmental characteristics such as adequate heat dissipation, ventilation, and air conditioning. Excessive heat has a large impact on mean time between failures (MTBF). Although it is surprising, some deployments actually store servers and switches in broom closets and under desks. Improper care of your equipment contributes to environmental and security hazards that can disable or degrade your voice deployment. Security is discussed in detail in Chapter 6, "Securing the Environment."
For exact specifications on operating temperatures, see the data sheets posted on Cisco.com at the following link. You also can search Cisco.com for the phrase "data sheet" coupled with the product name (for example, "CallManager Attendant Console data sheet" or "Cisco CallManager version data sheet").
Build Redundancy into Your Network Design
Your network design should have a redundant core (central site) and distribution layer switching. Network designs that employ a single switch in the distribution layer with two supervisor modules do not provide the desired level of redundancy. Should you incur a software bug that causes the switch to reset spontaneously, an entire building could be adversely affected. For more information on network designs, see the "Cisco IP Telephony Solution Reference Network Design" document at the following link, or search Cisco.com for "CallManager SRND."
In traditional PBX deployments, one best practice is the wiring of user ports in a given area to different line cards on the PBX. In this case, a line card outage would not result in an entire area or department being without phone service. This technique can be replicated on the data network, but if you have an existing network, it takes a significant amount of labor to recable each wiring closet. You must weigh the cost versus the benefit in your environment.
A separate server farm layer in your network, connected in a redundant fashion to the core, is highly recommended. This lets you keep servers off the core and distribution switches, which is critical to running a network that can be upgraded and maintained without service interruption. When servers are attached to core and distribution layer switches, performing upgrades and maintenance is more difficult, because rebooting a switch after an upgrade causes a server outage. If you are a voice support person, be sure to work with your data networking team to follow the network design recommendations outlined in the SRND.
It's critical to ensure that the data network is as secure as possible before adding voice. When planning for IP telephony, you should take many security facets into account:
Physical security: First and foremost, physical security is important. At a bare minimum, do not leave any network devices, including servers, routers, and switches, in open areas that do not have locked doors. Keep access limited to key individuals, and, if possible, use electronic door locks that provide an access log.
Virus/worm mitigation: Mitigating the effect of viruses and worms is important at both the network and server level. At the network level, viruses and worms consume bandwidth resources that can adversely affect communications between the various devices. At the server level, they can attack the various IP telephony servers and render them unusable.
At a bare minimum, you should run Cisco Security Agent (CSA) on all IP telephony servers. CSA is provided in a headless version free of charge from Cisco. To download it, go to the following link or search Cisco.com for "Cisco Security Agent":
Layer 2 security: Unprotected IP networks are vulnerable to various man-in-the-middle attacks, Dynamic Host Configuration Protocol (DHCP) rogue server attacks, DHCP starvation, and Address Resolution Protocol (ARP) spoofing/poisoning attacks. Cisco has enabled IOS and CatOS software to defeat these attacks. Features such as port security, DHCP snooping, dynamic ARP inspection, and IP SourceGuard mitigate these attacks and keep the network available for IP telephony use. See Chapter 6 for more information.
Routing protocol security: Use neighbor authentication when configuring your routing protocols. Without it, hackers can form neighbor adjacencies with your routers and inject invalid routes into the network. Cisco's RIPv2, EIGRP, OSPF, and BGP implementations all support authenticated neighbors.
Firewall policy: If you have a firewall between the IP voice network subnets and the traditional data subnets, be sure your firewall policy allows the passing of all necessary protocols to ensure functionality. Be ready to approach your network security group to make changes to the firewalls if applicable. For more information about security, see Chapter 6.
The key message is this: plan for security to ensure availability. Making sure your network is protected is critical to ongoing success and uptime.
For more in-depth information on security, see Chapter 6. Also refer to the white paper "SAFE: IP Telephony Security in Depth," located at the following link or search Cisco.com for "SAFE IP telephony security."
Document the Current Data Infrastructure
The importance of up-to-date documentation cannot be overstated. Be sure to have both physical and logical representations of the network to assist in troubleshooting. It's also essential to have copies of the topological diagrams saved in a portable format such as PNG, JPG, or GIF to give technical support personnel easy access to data. Not everyone will have identical network diagramming packages, so having documentation in a usable format speeds up the troubleshooting process.