© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Fabien MEDAT, Consultant CISCO
• Introduction
• LLDP-MED
• VLAN & 802.1X
• Voice & video communications
  Signalling: SIP
  Codecs, RTP
  Admission control
  Security
• Presence management, instant messaging
  SIP/SIMPLE
  XMPP
• Other standards
• Questions & answers
[Architecture diagram: a Call Agent at the centre serving SIP and H.323 applications: IP softphone, audio-conference station, Wi-Fi handset, IP phone, analog phone, video IP softphone, Q.931/Q.SIG terminal, video terminal, H.323 gateway (analog and H.323 phones), H.323 gatekeeper, OpenLDAP directory and messaging.]
[Diagram: LLDP-MED endpoints attached to the IP network infrastructure (IEEE 802 LAN).]
LLDP-MED Communication Device Endpoints (Class III)
• Supports IP communication end user
• E.g. IP Telephone, Softphone, etc.
LLDP-MED Network Connectivity Devices
• Provide IEEE 802 network access to LLDP-MED Endpoints
• E.g. L2 / L3 switch, bridge, etc.
MED – Media Endpoint Discovery
Primarily for telephony needs
• Interoperability between vendors
• Inventory management: location, version, etc.
• E-911: emergency service aided by location management
• Troubleshooting: duplex, speed, network policy
• Fast start, automatic network policy convergence: L2, L3, VLAN
• LLDP has to be enabled for LLDP-MED
• Selective MED TLVs can be enabled/disabled at interface level
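As an added example (not code from the slides or from Cisco), the following Python builds and decodes the LLDP-MED Network Policy TLV that carries the voice VLAN, L2 priority and DSCP mentioned under "automatic network policy convergence". The LLDPDU contents are constructed, and the field layout (TIA OUI 00-12-BB, subtype 2, 24-bit flag word) is taken from the TIA-1057 specification as I know it, not from the slides.

```python
"""Added example: encode/decode the LLDP-MED Network Policy TLV (constructed data)."""
import struct

TIA_OUI = bytes.fromhex("0012bb")    # TIA OUI used by LLDP-MED organizationally specific TLVs
MED_NETWORK_POLICY = 2               # LLDP-MED subtype: Network Policy
ORG_SPECIFIC = 127                   # IEEE 802.1AB TLV type for organizationally specific TLVs
APP_TYPES = {1: "Voice", 2: "Voice Signaling", 3: "Guest Voice",
             4: "Guest Voice Signaling", 5: "Softphone Voice",
             6: "Video Conferencing", 7: "Streaming Video", 8: "Video Signaling"}


def _tlv(tlv_type, value):
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def encode_network_policy(app_type, vlan_id, l2_priority, dscp, unknown=False, tagged=True):
    """Build one Network Policy TLV: U | T | X | VLAN ID (12) | L2 priority (3) | DSCP (6)."""
    flags = (int(unknown) << 23) | (int(tagged) << 22) | (vlan_id << 9) | (l2_priority << 6) | dscp
    value = TIA_OUI + bytes([MED_NETWORK_POLICY, app_type]) + flags.to_bytes(3, "big")
    return _tlv(ORG_SPECIFIC, value)


def iter_tlvs(lldpdu):
    """Walk an LLDPDU; stop at the End-of-LLDPDU TLV, reject a TLV that overruns the frame."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr, = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("TLV length exceeds frame")
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == 0:
            break


def decode_network_policies(lldpdu):
    """Return every LLDP-MED Network Policy advertised in the frame as a dict."""
    policies = []
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type != ORG_SPECIFIC or value[:3] != TIA_OUI or value[3:4] != bytes([MED_NETWORK_POLICY]):
            continue
        if len(value) != 8:
            raise ValueError("malformed Network Policy TLV")
        app_type = value[4]
        flags = int.from_bytes(value[5:8], "big")
        policies.append({
            "application": APP_TYPES.get(app_type, "reserved(%d)" % app_type),
            "unknown_policy": bool(flags >> 23 & 1),   # U: switch has no policy for this app
            "tagged": bool(flags >> 22 & 1),           # T: use the 802.1Q VLAN below
            "vlan_id": flags >> 9 & 0xFFF,
            "l2_priority": flags >> 6 & 0x7,
            "dscp": flags & 0x3F,
        })
    return policies


# Constructed sample LLDPDU (not a capture): Chassis ID, Port ID, TTL, one voice policy, End.
SAMPLE_LLDPDU = (
    _tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # Chassis ID, subtype 4 = MAC address
    + _tlv(2, b"\x05Gi1/0/1")                           # Port ID, subtype 5 = interface name
    + _tlv(3, struct.pack("!H", 120))                   # TTL in seconds
    + encode_network_policy(app_type=1, vlan_id=100, l2_priority=5, dscp=46)
    + _tlv(0, b"")                                      # End of LLDPDU
)

if __name__ == "__main__":
    for policy in decode_network_policies(SAMPLE_LLDPDU):
        print(policy)
```

The decoder is also where an endpoint's check belongs: a phone should apply a policy only from the directly attached connectivity device, and a set unknown-policy flag (U) means the switch has no policy for that application, so the phone should fall back to its local configuration instead of joining whatever VLAN the rest of the word happens to encode.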
EAP-MD5 & EAP-TLS support
EAP-TLS process
1. The certificate presented by the phone is validated (expiry and CA root trust)
2. CRL verified (has the certificate been revoked?)
3. Common Name (CN) is checked against the DB and RADIUS parameters are returned to the switch
4. Phone is allowed onto the network
[Diagram: phone with MIC/LSC, 802.1X EAP-TLS to the switch, RADIUS AAA server with its AAA certificate, Cisco CA and CRL.]
• Support for "voice domain" and "data domain" authentication on the same port
• The "data domain" part stays the same
• The "voice domain" part:
  No dynamic VLAN assignment
  802.1X or MAC Authentication Bypass supported
  Only one MAC address allowed
[Diagram: desktop PC behind the phone, each performing its own 802.1X authentication on the same switch port.]
SIP VoIP Network: basic call flow between a calling party (PSTN) and a called party (PSTN)
Calling party → SIP network: INVITE
SIP network → Calling party: 100 Trying
SIP network → Called party: INVITE
Called party → SIP network: 100 Trying
Called party → SIP network: 180 Ringing
SIP network → Calling party: 180 Ringing
Called party → SIP network: 200 OK
SIP network → Calling party: 200 OK
Calling party → SIP network → Called party: ACK
RTP stream between calling and called party
BYE, relayed through the SIP network
200 OK, relayed back through the SIP network
SDP Offer/Answer Model for SIP
Delayed Offer (caller and callee):
  Caller → Callee: INVITE (no SDP)
  Callee → Caller: 200 OK (Offer SDP)
  Caller → Callee: ACK (Answer SDP)
Early Offer (caller and callee):
  Caller → Callee: INVITE (Offer SDP)
  Callee → Caller: 200 OK (Answer SDP)
  Caller → Callee: ACK
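As an added example (not from the slides), here is a Python replay of the basic call above in both Early Offer and Delayed Offer form. The addresses, tags, Call-ID and SDP bodies are constructed and the helper names are my own; it shows which message carries the offer and which the answer in each mode, and it refuses to report negotiated codecs when the exchange is incomplete, which is what a Delayed Offer ACK without SDP amounts to.

```python
"""Added example: Early Offer vs Delayed Offer on the basic SIP call (constructed messages)."""

CRLF = "\r\n"


def sdp(addr, port, payload_types):
    """Minimal SDP body: an audio m= line with the given RTP/AVP payload types."""
    pts = " ".join(str(p) for p in payload_types)
    return CRLF.join(["v=0", "o=- 1 1 IN IP4 " + addr, "s=-", "c=IN IP4 " + addr,
                      "t=0 0", "m=audio %d RTP/AVP %s" % (port, pts)]) + CRLF


def build(start_line, headers, body=""):
    """Serialize a SIP message; Content-Length is always set (mandatory over TCP/TLS)."""
    hdrs = dict(headers)
    if body:
        hdrs["Content-Type"] = "application/sdp"
    hdrs["Content-Length"] = str(len(body.encode()))
    return start_line + CRLF + CRLF.join("%s: %s" % kv for kv in hdrs.items()) + CRLF + CRLF + body


def parse(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body[:int(headers.get("content-length", "0"))]


def run_call(early_offer):
    """Replay INVITE/100/180/200/ACK then BYE/200 and tag each SDP body as offer or answer."""
    caller, callee = "192.0.2.10", "192.0.2.20"            # constructed TEST-NET addresses
    dialog = {"Via": "SIP/2.0/TLS %s;branch=z9hG4bK776asdhds" % caller,
              "From": "<sip:alice@example.com>;tag=1928301774",
              "To": "<sip:bob@example.com>",
              "Call-ID": "a84b4c76e66710@example.com"}
    offer = sdp(caller if early_offer else callee, 20000, [0, 18])   # offerer lists PCMU and G.729
    answer = sdp(callee if early_offer else caller, 30000, [18])     # answerer selects G.729
    transcript = []

    def exchange(sender, raw, role=None):
        start, hdrs, body = parse(raw)
        has_sdp = hdrs.get("content-type") == "application/sdp" and body.startswith("v=0")
        transcript.append((sender, start, body, role if has_sdp else None))

    invite = dict(dialog, CSeq="1 INVITE")
    exchange("caller", build("INVITE sip:bob@example.com SIP/2.0", invite,
                             offer if early_offer else ""), "offer")
    exchange("callee", build("SIP/2.0 100 Trying", invite))
    exchange("callee", build("SIP/2.0 180 Ringing", invite))
    # Early Offer: 200 OK carries the answer. Delayed Offer: 200 OK carries the callee's offer.
    exchange("callee", build("SIP/2.0 200 OK", invite, answer if early_offer else offer),
             "answer" if early_offer else "offer")
    # Delayed Offer: the answer must ride in the ACK; an ACK without SDP leaves no media negotiated.
    exchange("caller", build("ACK sip:bob@example.com SIP/2.0", dict(dialog, CSeq="1 ACK"),
                             "" if early_offer else answer), None if early_offer else "answer")
    bye = dict(dialog, CSeq="2 BYE")
    exchange("caller", build("BYE sip:bob@example.com SIP/2.0", bye))
    exchange("callee", build("SIP/2.0 200 OK", bye))
    return transcript


def sdp_placement(transcript):
    """Map 'offer' and 'answer' to the start line of the message that carried each."""
    return {role: start for _, start, _, role in transcript if role}


def negotiated_payloads(transcript):
    """Payload types on the answer's m=audio line, i.e. the codecs the call will actually use."""
    if set(sdp_placement(transcript)) != {"offer", "answer"}:
        raise ValueError("incomplete offer/answer exchange: no media can be set up")
    body = next(b for _, _, b, role in transcript if role == "answer")
    m_line = next(l for l in body.split(CRLF) if l.startswith("m=audio "))
    return [int(p) for p in m_line.split()[3:]]


if __name__ == "__main__":
    for mode in (True, False):
        t = run_call(early_offer=mode)
        print("Early Offer" if mode else "Delayed Offer", sdp_placement(t), negotiated_payloads(t))
```

The practical difference for a border element such as a SIP trunk is visible in the transcript: with Early Offer the far end knows the caller's media capabilities from the first message, while with Delayed Offer the caller's media description is only committed in the ACK, so a trunk that transcodes or inspects SDP has to hold state across the whole INVITE transaction.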
H.323 VoIP Network: call flow (signalling, via the Gatekeeper when present, then media)
H.225 (TCP port 1720): Setup, Call Proceeding, Alerting, Connect
H.245 (dynamic TCP ports): Capabilities Exchange, Open Logical Channel, Open Logical Channel Acknowledge
Media (UDP): RTP / RTCP streams
[Diagram: Digital gateways (T1 CAS, T1 PRI/E1 PRI, BRI) connecting the PSTN and a PBX; Analog gateways connecting the PSTN, a PBX, phones, fax and modem.]
• All PSTN signaling terminates on the gateway
• H.225 communication between gateway and CallManager
• H.323 is a "peer-to-peer" protocol
[Diagram: PSTN (TDM) to the gateway, which terminates framing, PRI layer 2 and layer 3; H.225 over IP to Cisco CallManager.]
• Framing and layer 2 signaling terminate at the gateway
• Layer 3 signaling is backhauled to the CallManager
• MGCP is a "client-server" protocol
• MGCP 0.1 with CallManager only
[Diagram: PSTN (TDM) to the gateway, which terminates framing and PRI layer 2; PRI layer 3 (Q.931) is backhauled over TCP and call signaling runs as MGCP over UDP to Cisco CallManager over IP.]
| Feature | H.323 | SIP | MGCP |
| --- | --- | --- | --- |
| Interoperability | Breadth of products and interfaces | Breadth of products and interfaces | Less than H.323/SIP, e.g. no FXO caller-ID on MGCP |
| Dialplan configuration | Distributed dialplan configuration / potentially higher administration (6) | Distributed dialplan configuration / potentially higher administration (6) | Centralized dialplan configuration / low administration (1) |
| Power of IOS dial peer | Utilizes features configured with IOS dial peers / intelligent | Utilizes features configured with IOS dial peers / intelligent | Cannot utilize features configured with IOS dial peers |
| Audio preservation (failover between CCMs) | Audio is preserved (2) | Audio is preserved (3) | Audio is preserved |
| Audio preservation (CCM SRST failover) | Audio is preserved (4) | Audio is preserved (3) | Audio is preserved (5) |

(1) Dial peer configurations are still needed when MGCP falls back to local control (H.323, SIP, POTS dial peers).
(2) Requires 12.4.4XC/12.4.9T and CCM 4.1.3-SR2 release.
(3) Configure the SIP minimum-session-expiration header under global SIP configuration mode.
(4) Requires disabling the TCP timer.
(5) ISDN calls are not preserved.
(6) If used without a call agent with a centralized dial plan.
Codecs sorted by audio quality (highest first):

| Codec | Band | Bitrate |
| --- | --- | --- |
| AAC-LD (Low Delay), Cisco TelePresence | Super-wideband (48 kHz sampling rate) | 64 kbps (per channel) |
| L16 (Linear PCM 16-bit) | Wideband (16 kHz sampling rate) | 256 kbps |
| G.722 | Wideband (16 kHz sampling rate) | 64 kbps |
| iSAC | Wideband (16 kHz sampling rate) | 10 - 32 kbps |
| G.722.1 | Wideband (16 kHz sampling rate) | 32 kbps |
| G.711 (μ-law/A-law) | Narrowband (8 kHz sampling rate) | 64 kbps |
| iLBC | Narrowband (8 kHz sampling rate) | 16 kbps |
| G.728 | Narrowband (8 kHz sampling rate) | 16 kbps |
| GSM Enhanced Full Rate | Narrowband (8 kHz sampling rate) | 13 kbps |
| GSM Full Rate | Narrowband (8 kHz sampling rate) | 13 kbps |
| G.729 (Annex A, Annex B) | Narrowband (8 kHz sampling rate) | 8 kbps |
| GSM Half Rate | Narrowband (8 kHz sampling rate) | 7 kbps |
| G.723.1 | Narrowband (8 kHz sampling rate) | 7 kbps |
[Diagram: call admission control options: Locations CAC in the CUCM cluster at the central site, Gatekeeper CAC between gatekeepers (GK), and RSVP reservations made by Cisco RSVP Agents at the central site, Branch 1 and Branch 2.]
[Diagram: Unified CM cluster at HQ with an RSVP Agent and RSVP reservations over the IP WAN to a branch (RSVP Agent, CME); CUBE toward the PSTN via SIP GW / CVP, and CUBE toward an IP PSTN over a SIP trunk.]
Certificates:
• Call Manager: self-signed
• Phones: MIC or LSC
Manufacturing Installed Certificate (MIC)
  Installed in the phone's permanent memory
  Signed by the Cisco CA
Locally Significant Certificate (LSC)
  Installed by the local certification authority
  Takes priority over the MIC
  Can be erased by a factory reset
Protocol stack: IP / TCP / TLS / HTTP, SCCP, SIP, LDAP
Supports a multitude of applications
Authentication
• Need a secure method to exchange a shared secret
• Bi-directional PKI for mutual authentication
• RSA shared-secret exchange
Integrity
• Computes a Hashed Message Authentication Code (HMAC)
• MD5 or SHA1 hash
Confidentiality
• Conventional cryptography using a shared secret
• DES, 3DES, AES
• RC2, RC4
• IDEA
In short:
• Bi-directional PKI for authentication
• HMAC for integrity
• Encryption for confidentiality
[SRTP packet layout]
Authenticated portion:
  V P X CC M PT | sequence number
  timestamp
  synchronization source (SSRC) identifier
  contributing sources (CSRC) identifiers …
  RTP extension (optional)
  RTP payload (the encrypted portion)
  SRTP MKI: 0 bytes for voice
Authentication tag: 4 bytes for voice
• RFC 3711 for secure transport
• Uses AES-128 for authentication and encryption
• Efficient, low overhead
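As an added example (not code from the slides), the Python below does the receiver-side part of the layout above: it carves a packet into RTP header, encrypted portion, MKI (0 bytes) and tag (4 bytes), then verifies the tag before anything is passed to a decryptor. The key, header and "ciphertext" bytes are constructed, and the tag is HMAC-SHA1 truncated to 32 bits with the rollover counter (ROC) appended to the authenticated input, as RFC 3711 specifies for the AES_CM_128_HMAC_SHA1_32 profile; AES-CM decryption itself is outside this example, so the payload is treated as opaque ciphertext.

```python
"""Added example: locate the authenticated and encrypted portions of an SRTP packet and
verify the authentication tag before decryption (constructed data, no real traffic)."""
import hashlib
import hmac
import struct

TAG_LEN = 4   # AES_CM_128_HMAC_SHA1_32: 32-bit tag ("4 bytes for voice" on the slide)
MKI_LEN = 0   # no Master Key Identifier on voice ("0 bytes for voice")


def parse_rtp_header(pkt):
    """Decode the RTP fixed header (RFC 3550), CSRC list and optional extension.
    Returns (fields, header_length)."""
    if len(pkt) < 12:
        raise ValueError("short RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", pkt, 0)
    fields = {"version": b0 >> 6, "padding": b0 >> 5 & 1, "extension": b0 >> 4 & 1,
              "cc": b0 & 0xF, "marker": b1 >> 7, "payload_type": b1 & 0x7F,
              "seq": seq, "timestamp": ts, "ssrc": ssrc}
    if fields["version"] != 2:
        raise ValueError("not RTP version 2")
    length = 12 + 4 * fields["cc"]
    if len(pkt) < length:
        raise ValueError("truncated CSRC list")
    fields["csrc"] = list(struct.unpack_from("!%dI" % fields["cc"], pkt, 12))
    if fields["extension"]:
        if len(pkt) < length + 4:
            raise ValueError("truncated header extension")
        _profile, ext_words = struct.unpack_from("!HH", pkt, length)
        length += 4 + 4 * ext_words
        if len(pkt) < length:
            raise ValueError("truncated header extension")
    return fields, length


def srtp_auth_tag(auth_key, authenticated_portion, roc):
    """HMAC-SHA1 over header || encrypted payload || ROC (RFC 3711 section 4.2), truncated."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:TAG_LEN]


def protect(auth_key, header_and_ciphertext, roc):
    """Sender side: append MKI (absent here) and tag; the payload is assumed already encrypted."""
    return header_and_ciphertext + srtp_auth_tag(auth_key, header_and_ciphertext, roc)


def split_srtp(pkt):
    """Carve an SRTP packet into (header fields, header bytes, encrypted portion, MKI, tag)."""
    fields, hlen = parse_rtp_header(pkt)
    if len(pkt) < hlen + MKI_LEN + TAG_LEN:
        raise ValueError("packet too short for MKI and tag")
    tag_start = len(pkt) - TAG_LEN
    mki_start = tag_start - MKI_LEN
    return fields, pkt[:hlen], pkt[hlen:mki_start], pkt[mki_start:tag_start], pkt[tag_start:]


def verify_srtp(auth_key, pkt, roc):
    """Receiver side: recompute the tag and compare in constant time.
    Returns (header fields, ciphertext) on success, None on any failure."""
    try:
        fields, header, encrypted, _mki, tag = split_srtp(pkt)
    except ValueError:
        return None
    expected = srtp_auth_tag(auth_key, header + encrypted, roc)
    if not hmac.compare_digest(tag, expected):
        return None          # drop: nothing reaches the decryptor
    return fields, encrypted


# Constructed sample: 20 ms G.711 frame, one CSRC, payload stands in for AES-CM ciphertext.
AUTH_KEY = bytes(range(20))                       # 160-bit session auth key (constructed)
ROC = 0                                           # rollover counter at the start of a call
SAMPLE_RTP = (struct.pack("!BBHII", 0x81, 0x00, 0x1234, 0x1000, 0xDEADBEEF)  # V=2, CC=1, PT=0
              + struct.pack("!I", 0x11223344)                                  # one CSRC
              + bytes(range(160)))                                             # "ciphertext"
SAMPLE_SRTP = protect(AUTH_KEY, SAMPLE_RTP, ROC)

if __name__ == "__main__":
    fields, ciphertext = verify_srtp(AUTH_KEY, SAMPLE_SRTP, ROC)
    print("seq %d ssrc %08x, %d ciphertext bytes, %d bytes overhead"
          % (fields["seq"], fields["ssrc"], len(ciphertext), len(SAMPLE_SRTP) - len(SAMPLE_RTP)))
```

Two points worth noticing: the header stays in clear (the tag covers it, encryption does not), so SSRC and sequence numbers remain visible to anyone on the path, and the ROC is part of the MAC input without being transmitted, which is why a receiver whose rollover estimate drifts from the sender's rejects otherwise valid packets.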
IPsec and SRTP to MGCP and H.323 gateways
TLS on SIP trunks
TLS and SRTP for applications
[Diagram labels: TLS, IPsec, SRTP.]
• Presence turns real-time communications into "right-time" communications that allow people to reach the right person, at the right time, in the right place, using the right device
• XMPP (eXtensible Messaging and Presence Protocol)
  – GoogleTalk
  – Jabber/Cisco (Webex Connect / CU Presence Server)
• SIMPLE (Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions)
  – Cisco Unified Communication Systems
  – Microsoft Live Communication Server
  – Yahoo Messenger (with some SIP extensions)
Session Initiation Protocol (SIP) is an application-layer control protocol that can establish, modify, and terminate multimedia sessions.
SIP Requests
• INVITE
• REGISTER
• SUBSCRIBE
• NOTIFY
• PUBLISH
• MESSAGE
• INFO
• REFER
• OPTIONS
SIP Responses
• 1xx
• 2xx
• 3xx
• 4xx
• 5xx
• 6xx
SIMPLE
• Established industry standard: developed by the Jabber open-source community (1999)
  - Formalised as a standard by the IETF (2002-2004)
  - Continuously enriched by the XMPP Standards Foundation
• Very active developer community: 60+ XMPP clients developed & supported across seven different kinds of desktop, mobile & web platforms
  - 20+ XMPP servers developed for XMPP operators
  - XMPP software libraries for XMPP application developers in 17 different programming languages
• Growing number of XMPP services: Cisco Unified Presence, Cisco WebEx Connect, Google Talk, Live Journal Talk, Nimbuzz, Ovi, …
Other standards:
- DHCP
- IPv6
- 802.1Q for voice VLAN isolation
- Standardised video codecs (H.263, H.264, …)
- LDAP directory integration (OpenLDAP, …)
- Enterprise PKI integration (external CA support with X.509 certificates)
Thank you.