
Configuration Note for ASVALAN Certification of Cisco LAN Products

APL Date: August 2007 (ASVALAN Version 4)

This document is intended to provide guidance to both Cisco and customer personnel in the deployment of Cisco's Assured Services Voice Application Local Area Network (ASVALAN) certified solution. It is intended to supplement the information available in product documentation regarding the specific configuration items and guidelines required for ASVALAN certification.

Contents
These release notes contain the following sections:

Introduction to the ASVALAN Certification, page 1
Certified Cisco Products, page 6
Configuration Guidelines for DoD LAN Features, page 12
Certified Network Topologies, page 20
Related Documentation, page 30
Obtaining Documentation, Obtaining Support, and Security Guidelines, page 31

Introduction to the ASVALAN Certification


Cisco Systems has completed ASVALAN certification of Cisco's LAN products in conjunction with PBX1 and PBX2 certification of Cisco's Unified Communications solutions, providing one of the few end-to-end Voice over Internet Protocol (VoIP) product lines that have been fully tested and certified. You can deploy a Cisco Unified Communications solution into your network confident that it will measure up to the strict Defense Information Systems Agency (DISA) standards.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

2007 Cisco Systems, Inc. All rights reserved.


All equipment connected to the Defense Information Systems Network (DISN) must be certified for interoperability (IO) and information assurance (IA). Section 353 of Public Law 107-314 establishes statutory requirements for installation and connection policy and procedures regarding the Defense Switch Network (DSN). The Department of Defense (DoD) documents that provide policy guidance for DoD voice networks include:

- CJCSI 6211.02B "DISN Connection Policy, Responsibilities, and Processes" establishes policy, responsibilities, and connection approval process requirements for subnetworks of the DISN.
- CJCSI 6215.01B "Policy for DoD Voice Networks" establishes policy and prescribes responsibilities for use and operation of the DoD voice networks (specifically the DSN and the Defense RED Switch Network (DRSN)).
- DoDI 8100.3 "DoD Voice Networks" directs Joint Interoperability and Information Assurance testing of all components connected, or planned for connection, to the DSN, DRSN, or PSTN.
- DoDD 8500.1 "Information Assurance" directs all Information Technology to be IA tested and certified before connection to the DISN.

The Generic Switching Center Requirements (GSCR) document specifies technical requirements for telecommunications equipment to be used in the DoD network in support of voice, video, and data services. The DoD voice network consists of three major networks: the DSN, DRSN, and tactical networks. The GSCR includes requirements for the following switch types:

- Tandem Switch
- End Office Switch (EO)
- Multi-Function Switch (MFS)
- Small End Office Switch (SMEO)
- Remote Switching Unit (RSU)
- Private Branch eXchange 1 (PBX1)
- Private Branch eXchange 2 (PBX2)
- Digital Voice eXchange (DVX) or tactical switch

The GSCR also includes requirements for other equipment that connects to a voice network:

- ASVALAN
- Conference Bridge
- Customer Premise Equipment (CPE)
- Network Element
- Video TeleConference (VTC)
- Network Manager
- Signaling Transfer Point (STP)

Though heavily focused on Time Division Multiplexing (TDM) technology, the GSCR was updated in 2003 to include requirements for VoIP. These requirements are included in Appendix 3 of the GSCR. VoIP implementation within the DSN will take place in two major phases:

1. Phase 1 involves IP islands interconnected via the traditional DSN, which consists of circuit-switched systems and TDM transmission facilities. As such, the existing non-IP systems provide for the standardized interoperability between the various IP-based systems.

2. Phase 2 involves full network-wide IP interoperability and replaces the traditional circuit-switch and TDM technology.

The current version of Appendix 3 only addresses Phase 1.

OL-11204-01

The certification process is the responsibility of the DISA Voice Connection Approval Office (VCAO). Certification consists of two different activities:

- Interoperability testing. This testing ensures end-to-end interoperability of voice switching systems by verifying that all telecom equipment connected to the DSN meets the applicable GSCR. The focus of testing is to ensure that Military Unique Features (MUF), such as Multilevel Precedence and Preemption, are met.
- Information Assurance, or security, testing. This testing is composed of three phases:
  - Phase I: Security Technical Implementation Guide (STIG) compliance, and functional security tests with emphasis on Telcordia GR-815
  - Phase II: IP penetration testing
  - Phase III: Air Force Information Operations Center (AFIOC) testing

The testing validates product compliance with Federal and DoD IA requirements. Vendors must have a sponsor for certification testing. Figure 1 outlines the certification process:
Figure 1 DISA Certification Process

[Figure: two parallel tracks. Interoperability Certification: the Vendor/Sponsor submits to the Voice Connection Approval Office (VCAO), followed by Interop Product Testing and Joint Staff Validation; the product then receives an Interop Cert to connect to the DISN. Information Assurance (IA) Certification: the Vendor/Sponsor submits, followed by IA Product Testing and DISN DAA Validation; the product then receives an IA Cert to connect to the DISN. Both certifications are required for placement on the Approved Products List (APL). DISN = Defense Information Systems Network; DAA = Designated Approval Authority.]

The Joint Interoperability Test Command (JITC) at Ft. Huachuca in Sierra Vista, AZ, performs the certification testing. Upon successful completion of both test activities, JITC places the certified product/system on DISA's Approved Products List (APL). DoD customers may only purchase and deploy equipment listed on the APL. Recently, the certification process was updated to shorten the time required for certification. Historically, certification testing typically took 14-18 months from the time the request was submitted until the product/system was placed on the APL. The new process targets six months. A certification is valid for three years.


Customers can deploy equipment and configurations that are not certified under special circumstances. This requires a waiver or an Interim Certificate to Operate (ICTO).

Waivers:

- Urgent operational need, validated by the operational chain of command and the Chairman of the Joint Chiefs of Staff
- To accommodate new or emerging technology pilot programs previously coordinated with and recommended by the DSN and validated by the Chairman of the Joint Chiefs of Staff

ICTO:

- Shall not be granted for more than 12 months
- The equipment to be purchased must be in the process of certification, and the vendor must have the ability to pass certification within 12 months
- Must be signed by the ASD and cannot be delegated

Both of these processes require approval by the entire chain of command at the purchasing military installation and approval by the Office of the Secretary of Defense (OSD). No ICTOs have been granted since Public Law 107-314 was passed. Since this process goes through the entire chain of command, we cannot expect any ICTOs to be granted; the certificate is viewed as unobtainable. Equipment purchased prior to the passage of the public law has been grandfathered and is not required to go through certification unless some aspect of the configuration or architecture changes. For example, if a customer with a non-certified system wants to change or add hardware or software, or even add phones, they must either 1) sponsor the vendor for additional testing at JITC, which can add months to the purchase cycle, or 2) upgrade their equipment, often at considerable cost, to a configuration that is already on the APL.

From a VoIP perspective, there are two different system configurations:

- IP Centric: IP centric architectures are designed around an IP core packet switching system. These solutions have distributed IP devices that function together to perform the functions of a circuit switch. The connectivity to the rest of the DSN architecture is via T1 PRI, T1 CAS or SS7 interfaces.
- IP Enabled: The IP enabled approach utilizes traditional TDM circuit switches that offer VoIP as a line instrument. This solution has a TDM circuit switch as the core device with VoIP provided as a line function similar to other analog or digital telephony instruments. The DSN interface requirements are provided via the circuit switch and the connectivity to the IP LAN is via Ethernet.

From a LAN perspective, there are two different system configurations:

- Converged: An IP network used to transmit a combination of voice, video, and/or data services. The converged definition applies to a singular camp, post, base, or station IP network that will be used to provide IP services along with the addition of DSN VoIP services.
- Non-converged: A network that is used solely to provide DSN VoIP services. A separate IP network will be used to provide IP data services.

The key ASVALAN requirements include:

- ASVALAN networks shall be designed to support a full duplex switched topology
- The ASVALAN shall have a hardware availability of .99999 (non-availability of no more than five minutes per year (min/yr))
- The ASVALAN shall have no single point of failure that can cause an outage of more than 64 telephony subscribers

The LAN architecture consists of three layers:

- Access or edge layer: End user connections
- Distribution or building layer (optional): Demarcation point between the access and core layers
- Core layer: High-speed switching backbone to switch packets as fast as possible

Cisco's ASVALAN certified solution is a converged system and was one of the first LAN systems to achieve ASVALAN certification. Figure 2 depicts the ASVALAN architecture:
Figure 2 ASVALAN Architecture

[Figure: the DSN connects through DSN switches/gateways (MFS, EO, SMEO, PBX) to the ASVALAN system under test (SUT), which consists of a core router/switch, two distribution router/switches, two access router/switches, and the IP telephony subscribers (IP phones) attached at the access layer. ASVALAN = Assured Services Voice Application Local Area Network; DSN = Defense Switched Network; EO = End Office; IP = Internet Protocol; MFS = Multifunction Switch; PBX = Private Branch Exchange; SMEO = Small End Office; SUT = System Under Test; VoIP = Voice over Internet Protocol.]

Currently, PBX1 equipment is certified separately from the LAN equipment. Any certified VoIP system can be deployed with any certified ASVALAN system, with the exception of any VoIP system certified with a C2VGLAN (most initial JITC-certified VoIP systems were tested this way). Those initial certifications are only for joint use in the DSN in conjunction with the C2VGLAN. The remainder of this document describes various typical LAN configurations that are approved as part of this certification. In support of these descriptions, this document uses the following terms:

- Single switch, internally redundant: Single switch chassis with redundant Supervisor modules, redundant power supplies, and redundant uplinks from separate modules (if applicable)
- Redundant switches, no internal redundancy: Two switch chassis with a single Supervisor each, redundant power supplies optional in each chassis, and redundant uplinks (one from each chassis, if applicable)
- Collapsed core/access layer switch: Mostly used in small networks; a single internally redundant switch serves as the core switch and also includes access layer ports for user connectivity

All Cisco products that have been placed on DISA's APL can be found at the link below. The certification letters available there contain detailed information about the testing and related results. http://jitc.fhu.disa.mil/apl/dsn/apl_cisco.html

Certified Cisco Products


The following sections detail the products and software releases that have been submitted for certification and approved by DISA. To deploy an ASVALAN certified network, you must follow these guidelines:

- You must use only certified hardware
- You must use only the certified software releases
- You must use only a certified ASVALAN topology

Certified Hardware and Software


Catalyst 6500 Series Switches

Table 1 outlines the modules that have been certified for the Catalyst 6500 and 6500E series chassis. It also details in which ASVALAN certification they were tested and with which IOS version they are certified.

Table 1 Catalyst 6500 Series Switches ASVALAN Certification Details

Certification              IOS release     Certification expires
ASVALAN 4                  12.2(18)SXF7    8/28/10
ASVALAN 3                  12.2(18)SXF3    10/5/09
PBX1 Certification w/LAN   12.2(18)SXD3    5/6/08

Modules (each certified under one or more of the certifications above):
WS-C6148A-RJ-45
WS-SUP32-GE-3B
WS-SUP720
WS-SUP720-3B
WS-SUP720-3BXL
WS-X6148-21AF
WS-X6148-45AF
WS-X6148A-45AF
WS-X6148A-GE-45AF
WS-X6148A-GE-TX
WS-X6148-GE-45AF
WS-X6148-GE-TX
WS-X6148-RJ-21
WS-X6148-RJ21V
WS-X6148-RJ-45
WS-X6148-RJ45V
WS-X6148V-GE-TX
WS-X6348-RJ21V
WS-X6348-RJ-45
WS-X6348-RJ45V
WS-X6416-GE-MT
WS-X6516A-GBIC
WS-X6516-GBIC
WS-X6516-GE-TX
WS-X6548-GE-45AF
WS-X6548-GE-TX
WS-X6548-RJ-21
WS-X6548-RJ-45
WS-X6548V-GE-TX
WS-X6704-10GE
WS-X6708-10G-3C
WS-X6708-10G-3CXL
WS-X6724-SFP
WS-X6748-GE-TX
WS-X6748-SFP
WS-X6816-GBIC
WS-X6K-S2-MSFC2
WS-X6K-S2U-MSFC2
WS-X6K-SUP2-2GE

Catalyst 4500 Series Switches

Table 2 outlines the modules that have been certified for the Catalyst 4500 series chassis. It also details in which ASVALAN certification they were tested and with which IOS version they are certified.

Table 2 Catalyst 4500 Series Switches ASVALAN Certification Details

Certification              IOS release     Certification expires
ASVALAN 4                  12.2(31)SGA1    8/28/10
ASVALAN 3                  12.2(31)SG      10/5/09
PBX1 Certification w/LAN   12.2(20)EWA     5/6/08

Modules (each certified under one or more of the certifications above):
WS-X4013+
WS-X4013+10GE
WS-X4124-RJ45
WS-X4148-RJ21
WS-X4148-RJ45
WS-X4148-RJ45V
WS-X4224-RJ45V
WS-X4232-GB-RJ
WS-X4232-RJ-XX
WS-X4248-RJ21V
WS-X4248-RJ45V
WS-X4302-GB
WS-X4306-GB
WS-X4515 (Sup IV)
WS-X4516
WS-X4516-10GE
WS-X4524-GB-RJ45V
WS-X4548-GB-RJ45
WS-X4548-GB-RJ45V

Cisco ONS 15454

Table 3 outlines the modules that have been certified for the ONS 15454. The ONS 15454 was tested as a network element and not as a component of the ASVALAN.

Table 3 Cisco ONS 15454 ASVALAN Certification Details

Certification              Software release   Certification expires
Network Element            7.0                10/5/09

Modules (all certified as Network Element 7.0):
15454-TCC2P-K9
15454-ML1000-2
15454-XC-VXC-10G
15454-10G-S1
15454-ML100T-12
15454-MRC-I-12 with ONS-SI-2G-S1
ONS-SI-622-I1


Other Switches

Table 4 outlines additional switches and the corresponding IOS versions that have been certified by JITC.

Table 4 Other Switches ASVALAN Certification Details

Certification              Certification expires
ASVALAN 4 (IOS code)       8/28/10
ASVALAN 3 (IOS code)       10/5/09
PBX1 Certification w/LAN   5/6/08

Models: Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2940, Catalyst 2950, Catalyst 2960

IOS releases certified across these models (N/A where a model was not tested under a given certification): 12.2(35)SE2, 12.2(35)SE, 12.2(25)SEE, 12.2(25)SEE family, 12.1(22)EA7, 12.1(19)EA1d, 12.1(22)EA1a

The switches in the tables above have been certified for use in specific areas of the network: Core, Distribution, or Access. Table 5 specifies in which area of the network those switches are certified.
Table 5 Summary of Switches Certified by JITC for ASVALAN

[Table 5 (certification marks not reproduced): for each platform, the table marks whether it is certified at the Core, Distribution, and Access layers, for L2 and for L3 operation, in each configuration. Platforms (columns): Cat 6500 w/Sup720 or Sup II; Cat 6500 w/Sup32; Cat 4500 w/Sup V or Sup IV; Cat 4500 w/Sup II+; Cat 3750; Cat 3560; Cat 3550; Cat 2960, 2950, 2940; Cisco ONS 15454. Configurations (rows, per layer): Single Chassis, Internally Redundant; Dual Chassis, No Internal Redundancy; Dual Chassis, Internally Redundant; Multiple Chassis, Multiple Processor; and, at the Access layer only, Stand-alone Chassis, < 64 Users; Shared Access; and Network Element Transport (the Cisco ONS 15454, which was tested as a network element rather than as a switch).]

Keep in mind the following when using the certified switches in your network:

- Internally redundant means that the switch utilizes dual supervisors and dual power supplies.
- A dual-core architecture provides redundancy utilizing HSRP and OSPF:
  - OSPF timers must be modified to meet the failover requirements.
  - The reference bandwidth must be modified on all switches in the OSPF network so that 10 Gigabit links are costed correctly (with the IOS default reference bandwidth of 100 Mbps, every link of 100 Mbps or faster gets the same cost of 1).

  The certified OSPF configuration is:

    router ospf 1607
     log-adjacency-changes
     auto-cost reference-bandwidth 100000
     nsf
     area 0.0.0.0 authentication message-digest
     timers throttle spf 10 100 5000
     timers throttle lsa all 10 100 5000
     timers lsa arrival 80
     redistribute connected subnets
     redistribute static subnets
     passive-interface default
     no passive-interface Vlan210
     no passive-interface Vlan226
     no passive-interface Vlan320
     no passive-interface Vlan321
     no passive-interface Vlan322
     network 100.0.0.0 0.3.255.255 area 0.0.0.0

  Note that "area 0.0.0.0 authentication message-digest" only enables MD5 authentication for the area. Each interface on which an adjacency is expected (the VLAN interfaces removed from passive-interface above) also needs an "ip ospf message-digest-key <key-id> md5 <key>" with the same key ID and key on both neighbors, or the adjacency will not form. "passive-interface default" keeps OSPF from sending hellos, and therefore from accepting neighbors, on every other interface.

- Reliability and availability are a function of configuration.
- Any link which supports more than 64 phones must be redundant.


Configuration Guidelines for DoD LAN Features


This section discusses the following LAN features:

Quality of Service (QoS), page 12
Security, page 17

Quality of Service (QoS)


The following sections discuss the QoS features applicable to the ASVALAN certification:

QoS Requirements, page 12
Special Consideration for Cisco Unified Communications Manager, page 14
Cisco Distribution and Access Layer QoS Configurations, page 14

QoS Requirements
Per GSCR Appendix 3 Section A3.3.2.2, Traffic C2VGLAN Traffic Prioritization: Within the converged LAN, different types of traffic are expected. The following is a listing of traffic streams prioritized from highest to lowest.

1. Voice and Video Signaling and LAN Network Management (highest)
2. Voice and Video Media Stream
3. Data Traffic (lowest)

Voice (Bearer Traffic)

A summary of the key QoS requirements and recommendations for voice (bearer traffic):

- Voice traffic should be marked DSCP EF (46) or CoS 5 per the QoS Baseline and RFC 3246.
- The LAN shall be engineered for a theoretical packet loss of zero for voice packets; actual or measured voice packet loss within the LAN shall not exceed 0.05% averaged over any 5-minute period.
- Latency, per GSCR Appendix 3 Section A3.2.7: Packet delay (latency) is the length of time it takes a packet to traverse the LAN. Each element of the network adds to packet delay, including Ethernet switches, routers, distance traveled through the network, firewalls, and jitter buffers. The one-way packet delay for packets of an established call (signaling and media) within the LAN for a DSN VoIP system shall be 5 milliseconds (msec) or less as averaged over any five-minute period.
- Jitter, per GSCR Appendix 3 Section A3.3.1.2: Jitter is defined as the statistical average variance in delivery time between packets or datagrams. Jitter is introduced by the variable transmission delay over the network. Removing jitter requires collecting packets and holding them long enough to allow the slowest packets to arrive in time to be played in the correct sequence, which causes additional delay. For voice media packets, jitter shall be 5 msec or less as averaged over any five-minute period. (Jitter is not a problem for signaling packets, since they do not occur in streams.)
- Bandwidth, per GSCR Appendix 3 Section A3.3.4.4.1: Bandwidth required per subscriber is 178.4 kbps (89.2 kbps each direction) for each IP call. This is based on G.711 with IP overhead (87.2 kbps) with VoIP signaling (2 kbps) included. Bandwidth available for Ethernet full duplex LANs is 20 Mbps (10 Mbps upstream and 10 Mbps downstream) and 200 Mbps (100 Mbps upstream and 100 Mbps downstream) for 10Base-T and 100Base-T, respectively. (For the purposes of this document, bandwidth is defined in the sense used in TDM telephony systems, i.e., the bandwidth of a T1 trunk is 1.544 Mbps for each direction, for a total full duplex bandwidth of 3.088 Mbps.) In order to provide non-blocking bandwidth for trunk traffic, 4.185 Megabits per second (Mbps) shall be reserved in the LAN for each T1 trunk between the Gateway and the DSN. This bandwidth requirement is based on 24 simultaneous two-way non-compressed G.711 conversations (24 x 174.4 kbps; 174.4 kbps is twice the 87.2 kbps media figure, without the signaling allowance). Bandwidth shall be guaranteed through the use of CoS/QoS as described in this appendix. (Based on the overhead bits included in the bps calculations, vendor implementations may use different bps calculations and hence arrive at slightly different bps numbers. This is acceptable to the government, but does not negate the number of IP telephone subscribers that are allowed per 10, 100, 1000 Mbps link as specified in GSCR Sections A3.3.4.4.2 through A3.3.4.5.1.1.)

Voice quality is directly affected by all three QoS quality factors: loss, latency, and jitter.

Packet loss causes voice clipping and skips. The packetization interval determines the size of the sample contained within a single packet. Assuming a 20 ms (default) packetization interval, the loss of two or more consecutive packets results in a noticeable degradation of voice quality. Network congestion can lead to both packet drops and variable packet delays. Voice packet drops from network congestion are usually caused by full transmit buffers on the egress interfaces somewhere in the network. As links or connections approach 100% utilization, the queues servicing those connections become full. When a queue is full, new packets attempting to enter the queue are discarded. Because network congestion can be encountered at any time within a network, buffers can fill instantaneously. This instantaneous buffer utilization can lead to a difference in delay times between packets in the same voice stream. This difference, called jitter, is the variation between when a packet is expected to arrive and when it actually is received. To compensate for these delay variations between voice packets in a conversation, VoIP endpoints use jitter buffers to turn the delay variations into a constant value so that voice can be played out smoothly. VoIP networks are typically designed for very close to zero percent VoIP packet loss, with the only actual packet loss being due to L2 bit errors or network failures.

Packet delay can cause either voice quality degradation due to the end-to-end voice latency, or packet loss if the delay is variable. If the end-to-end voice latency becomes too long (250 ms, for example), the conversation begins to sound like two parties talking on a CB radio. If the delay is variable, there is a risk of jitter buffer overruns at the receiving end.

Eliminating drops and delays is even more imperative when including fax and modem traffic over IP networks. If packets are lost during fax or modem transmissions, the modems are forced to "retrain" to synchronize again.

Because of its strict service-level requirements, VoIP is well suited to the Expedited Forwarding Per-Hop Behavior, as defined in RFC 3246 (formerly RFC 2598). It should therefore be marked DSCP EF (46) and assigned strict priority servicing at each node, regardless of whether such servicing is done in hardware (as in Catalyst switches via hardware priority queuing) or in software (as in Cisco IOS routers via LLQ).

Note: A tool for quickly and accurately calculating VoIP bandwidth requirements (factoring in the codec, the use of cRTP, and L2 overhead) can be found at: http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp
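As an added worked example (not part of the Cisco configuration note), the following Python calculator derives the GSCR bandwidth figures quoted above from the packet layout instead of restating them: 160 bytes of G.711 audio per 20 ms packet plus 40 bytes of RTP/UDP/IP headers and 18 bytes of Ethernet header and FCS gives 87.2 kbps per direction, 178.4 kbps per full-duplex call once the 2 kbps signaling allowance is added, and 4.185 Mbps per T1 trunk. The header sizes and the G.729 rate are standard protocol values; the function names are this example's own, and it generalizes to other codecs, packetization intervals and link speeds.

```python
"""VoIP bandwidth calculator reproducing the GSCR Appendix 3 figures.

Added example; not Cisco's codec calculator. Constants are standard
protocol header sizes; the functions are this example's own names.
"""

# Per-packet header overhead in bytes.
IP_HDR = 20        # IPv4 without options
UDP_HDR = 8
RTP_HDR = 12
ETH_HDR_FCS = 18   # 14-byte Ethernet II header + 4-byte FCS; preamble and
                   # inter-frame gap are excluded, which is how 87.2 kbps arises

# Codec audio bit rates in bps (payload only).
CODEC_BPS = {"G.711": 64_000, "G.729": 8_000}

SIGNALING_BPS = 2_000   # GSCR per-direction call-signaling allowance


def payload_bytes(codec, interval_ms):
    """Bytes of audio carried in one packet at the given packetization interval."""
    return CODEC_BPS[codec] * interval_ms // 8 // 1000


def media_bps_per_direction(codec="G.711", interval_ms=20, l2_overhead=ETH_HDR_FCS):
    """One media stream, one direction: payload + RTP/UDP/IP + L2 framing, in bps."""
    packets_per_second = 1000 // interval_ms
    packet_bytes = payload_bytes(codec, interval_ms) + RTP_HDR + UDP_HDR + IP_HDR + l2_overhead
    return packet_bytes * 8 * packets_per_second


def call_bps_full_duplex(codec="G.711", interval_ms=20):
    """Bandwidth to engineer per IP call: both directions, media plus signaling."""
    one_way = media_bps_per_direction(codec, interval_ms) + SIGNALING_BPS
    return 2 * one_way


def t1_trunk_reservation_bps(codec="G.711", interval_ms=20, channels=24):
    """LAN reservation for one T1 between the Gateway and the DSN.

    All channels busy, both directions, media only (the GSCR figure of
    24 x 174.4 kbps does not include the signaling allowance).
    """
    return channels * 2 * media_bps_per_direction(codec, interval_ms)


def max_calls(link_bps_per_direction, codec="G.711", interval_ms=20, reserve_fraction=1.0):
    """Simultaneous calls that fit in one direction of a link.

    reserve_fraction lets you cap the share of the link given to the voice
    priority queue, e.g. 0.33 to match the 33 percent used on the 4500 port.
    """
    per_call = media_bps_per_direction(codec, interval_ms) + SIGNALING_BPS
    return int(link_bps_per_direction * reserve_fraction) // per_call


if __name__ == "__main__":
    print("G.711/20ms per direction  :", media_bps_per_direction(), "bps")
    print("per call, full duplex     :", call_bps_full_duplex(), "bps")
    print("per T1 trunk reservation  :", t1_trunk_reservation_bps(), "bps")
    print("G.729/20ms per direction  :", media_bps_per_direction("G.729"), "bps")
    print("calls on 10 Mbps, 100%    :", max_calls(10_000_000))
    print("calls on 100 Mbps, 33%    :", max_calls(100_000_000, reserve_fraction=0.33))
```

Changing the packetization interval shows why 20 ms is the usual default: at 10 ms the per-packet overhead doubles relative to the payload, while at 30 ms each lost packet removes more audio and the jitter budget above gets tighter.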
Call Signaling Traffic

The following are key QoS requirements and recommendations for call-signaling traffic:

- Call-signaling traffic should be marked DSCP CS6 (48) per the JITC requirements.
- Per the previous section and GSCR Appendix 3, 4 kbps per phone of guaranteed bandwidth is required for voice control traffic; more may be required, depending on the call signaling protocol(s) in use.

Cisco Unified Communications products generally mark signaling traffic at either AF31 or CS3. These values must be modified to meet the certification requirements defined above.


Call signaling protocols include (but are not limited to) H.323, H.225, Session Initiation Protocol (SIP) and Media Gateway Control Protocol (MGCP). Each call signaling protocol has unique TCP/UDP ports and traffic patterns that should be taken into account when provisioning QoS policies for them.

Special Consideration for Cisco Unified Communications Manager


Cisco Unified Communications Manager has configurable parameters that define the DSCP markings of various packet flows, including voice and video streams, signaling streams, and data streams. These parameters must be set as required by the GSCR and are configurable in both the Service Parameters and Enterprise Parameters configuration pages on Cisco Unified Communications Manager.

Cisco Distribution and Access Layer QoS Configurations


Access layer switches approved by JITC include the Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2960, Catalyst 2950, and the Catalyst 2940 switches. QoS configurations vary by platform and the following sections provide examples for each. Much like the QoS configurations for IOS gateways, the primary focus of the Access Layer switch QoS configuration is to prioritize voice signaling traffic over that of voice media and standard data packets.

Catalyst 6500
By default, voice bearer traffic of CoS 5 is mapped to DSCP 46 and voice signaling traffic of CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Ports that are connected to IP Phones are configured to trust CoS. When you use a Catalyst 6500 series switch to provide connectivity to Unified Communications Manager servers, or to other hosts in the distribution layer, the ports are configured to trust DSCP. The certified configurations are shown below (the global cos-dscp map is what moves CoS 3 to DSCP 48):

no mls flow ip
no mls flow ipv6
mls qos map cos-dscp 0 8 16 48 34 46 48 56
mls qos map ip-prec-dscp 0 8 16 48 34 46 48 56
mls qos
redundancy
 mode sso
spanning-tree mode rapid-pvst
!
interface FastEthernet3/1
 switchport
 switchport access vlan 21
 switchport mode access
 switchport voice vlan 22
 no ip address
 load-interval 30
 mls qos trust cos
 spanning-tree portfast
!
interface Port-channel31
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,22,32,42,331
 switchport mode trunk
 no ip address
 load-interval 30
 mls qos trust dscp
 no mls qos channel-consistency
 storm-control broadcast level 5.00

Catalyst 4500
By default, voice bearer traffic of CoS 5 is mapped to DSCP 46 and voice signaling traffic of CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Transmit queue 3 is configured as the high priority queue. Auto QoS is used to configure the QoS parameters for ports that are connected to Cisco IP Phones. When you use a Catalyst 4500 series switch to provide connectivity to Unified Communications Manager servers, or to other hosts in the distribution layer, the ports are configured to trust DSCP. The certified configurations are shown below (note that the Catalyst 4500 uses the "qos map cos N to dscp M" syntax rather than a cos-dscp table):

qos dbl
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 2
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map cos 5 to dscp 46
qos map cos 3 to dscp 48
redundancy
 mode sso
qos
spanning-tree mode rapid-pvst
!
interface GigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 323
 switchport mode trunk
 load-interval 30
 qos trust dscp
 flowcontrol receive off
 storm-control broadcast level 5.00
 tx-queue 3
   priority high
 channel-group 23 mode on
!
interface FastEthernet3/35
 switchport access vlan 263
 switchport mode access
 switchport voice vlan 262
 load-interval 30
 speed 100
 duplex full
 qos trust cos
 auto qos voip trust
 storm-control broadcast level 5.00
 tx-queue 3
   bandwidth percent 33
   priority high
   shape percent 33
 spanning-tree portfast
 service-policy output autoqos-voip-policy

Catalyst 3750, 3560, and 2960


By default, voice bearer traffic of CoS 5 is mapped to DSCP 46 and voice signaling traffic of CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. The priority queue is enabled. Auto QoS is used to configure switch-wide ingress and egress queue usage as well as the trust parameters for ports that are connected to Cisco IP Phones. When you use a Catalyst 3750 switch to provide connectivity to Unified Communications Manager servers, or to other hosts in the distribution layer, the ports are configured to trust DSCP.

When auto QoS is enabled, all of the following mls qos commands, with the exception of the mls qos map command, are entered automatically. The certified configurations are shown below:

mls qos map cos-dscp 0 8 16 48 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
interface FastEthernet1/0/24
 switchport access vlan 261
 switchport mode access
 switchport voice vlan 260
 load-interval 30
 speed 100
 duplex full
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 mls qos trust cos
 auto qos voip trust
 storm-control broadcast level 5.00
 spanning-tree portfast
!
interface FastEthernet0/36
 switchport access vlan 17
 switchport mode access
 switchport voice vlan 18
 load-interval 30
 duplex full
 mls qos trust dscp
 storm-control broadcast level 5.00
 spanning-tree portfast

Catalyst 2950 and 2940


By default, voice bearer traffic of CoS 5 is mapped to DSCP 46 and voice signaling traffic of CoS 3 is mapped to DSCP 24. It may be necessary to remap the CoS 3 signaling traffic to DSCP 48 to meet the GSCR requirements. Auto QoS is used to configure switch-wide egress queue usage and trust parameters for ports that are connected to Cisco IP Phones.
wrr-queue bandwidth 10 20 70 1
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 6 7
wrr-queue cos-map 4 3 5
mls qos map cos-dscp 0 8 16 48 32 46 48 56
!
interface FastEthernet0/2
 switchport access vlan 27
 switchport trunk native vlan 27
 switchport mode access
 switchport voice vlan 28
 load-interval 30
 speed 100
 duplex full
 mls qos trust device cisco-phone
 mls qos trust cos
 storm-control broadcast level 5.00
 storm-control multicast level 70.00
 auto qos voip trust
 spanning-tree portfast
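To see where the maps above place voice traffic, here is an added example (not code from the Cisco note): a small Python parser for the mls qos map cos-dscp line and for both egress cos-map forms on this page (the Catalyst 2950/2940 wrr-queue cos-map form and the Catalyst 3750 mls qos srr-queue output cos-map form), which then checks the marking this note calls for, CoS 5 to DSCP 46 and CoS 3 to DSCP 48. The sample configuration strings, the function names and the check list are constructed for the example.

```python
"""Added example: resolve CoS -> DSCP and CoS -> egress queue from the IOS
QoS lines in this note and check the voice marking it requires."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Catalyst 2950/2940 global QoS lines from this section.
SAMPLE_2950 = """\
wrr-queue bandwidth 10 20 70 1
wrr-queue cos-map 1 0 1
wrr-queue cos-map 2 2 4
wrr-queue cos-map 3 6 7
wrr-queue cos-map 4 3 5
mls qos map cos-dscp 0 8 16 48 32 46 48 56
"""

# Constructed sample: the Catalyst 3750 egress cos-map lines from this section.
SAMPLE_3750 = """\
mls qos map cos-dscp 0 8 16 48 32 46 48 56
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
"""

# Constructed sample: the starting point the text describes (CoS 5 -> 46 but
# CoS 3 still -> 24) before the GSCR remap of CoS 3 to DSCP 48 is applied.
SAMPLE_UNREMAPPED = "mls qos map cos-dscp 0 8 16 24 32 46 48 56\n"

COS_DSCP_RE = re.compile(r"mls qos map cos-dscp((?: \d+){8})")
WRR_RE = re.compile(r"wrr-queue cos-map (\d+)((?: \d+)+)")
SRR_RE = re.compile(
    r"mls qos srr-queue output cos-map queue (\d+) threshold (\d+)((?: \d+)+)")


@dataclass
class QosMap:
    cos_to_dscp: Optional[List[int]] = None  # index = CoS value, value = DSCP
    # CoS -> (egress queue, threshold); threshold is None on 2950/2940
    cos_to_queue: Dict[int, Tuple[int, Optional[int]]] = field(default_factory=dict)


def parse_qos(config: str) -> QosMap:
    """Collect the CoS->DSCP map and CoS->egress queue map from config text."""
    qmap = QosMap()
    for raw in config.splitlines():
        line = raw.strip()
        if m := COS_DSCP_RE.fullmatch(line):
            qmap.cos_to_dscp = [int(v) for v in m.group(1).split()]
        elif m := WRR_RE.fullmatch(line):  # 2950/2940 form, queue only
            for cos in m.group(2).split():
                qmap.cos_to_queue[int(cos)] = (int(m.group(1)), None)
        elif m := SRR_RE.fullmatch(line):  # 3750/3560/2960 form
            for cos in m.group(3).split():
                qmap.cos_to_queue[int(cos)] = (int(m.group(1)), int(m.group(2)))
    return qmap


def gscr_findings(qmap: QosMap) -> List[str]:
    """Deviations from the voice marking this note calls for: CoS 5 -> DSCP 46,
    CoS 3 -> DSCP 48, and neither sharing an egress queue with best effort."""
    if qmap.cos_to_dscp is None:
        return ["no 'mls qos map cos-dscp' line found"]
    findings = []
    if qmap.cos_to_dscp[5] != 46:
        findings.append(f"CoS 5 (bearer) maps to DSCP {qmap.cos_to_dscp[5]}, expected 46")
    if qmap.cos_to_dscp[3] != 48:
        findings.append(f"CoS 3 (signaling) maps to DSCP {qmap.cos_to_dscp[3]}, expected 48")
    q = qmap.cos_to_queue
    for cos in (5, 3):
        if cos in q and 0 in q and q[cos][0] == q[0][0]:
            findings.append(f"CoS {cos} shares egress queue {q[0][0]} with best-effort CoS 0")
    return findings


if __name__ == "__main__":
    for name, cfg in (("2950", SAMPLE_2950), ("3750", SAMPLE_3750),
                      ("unremapped", SAMPLE_UNREMAPPED)):
        print(name, gscr_findings(parse_qos(cfg)) or "OK")
```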

Security
This section discusses the following security features applicable to the ASVALAN certification:

Port Security
Administration of Passwords
Network Configuration

Port Security
Port security is used to block input to an Ethernet port when the MAC address of the station attempting to access the port is not one of the MAC addresses expected for that port. Any unused ports should be shut down. Port security is enabled on all Ethernet ports with the following commands:
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security mac-address sticky

For more information on Port Security, refer to the following URL: http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801a5b31.html#wp1019841

ACLs
For routers within the enclave, apply site-specific policies (ACLs). Information Assurance (IA) STIGs require that voice and data traffic be completely isolated; ACLs are used to prevent non-voice traffic from reaching voice devices. For more information on applying ACLs to edge routers that communicate between enclaves, refer to the Router Configuration Security Guide, produced by the NSA, at the following URL: http://www.nsa.gov/snac/routers/C4-040R-02.pdf.

Administration of Passwords
United States DoD customers are required to create and maintain passwords in accordance with the rules outlined in Appendix C of the Chairman Joint Chiefs of Staff Manual (CJCSM). Password complexity (9 characters, with upper- and lower-case letters, numerals, and special characters) and password expiration are managed by the administrator of the system. If the TACACS+ server used for authentication is not able to use the Microsoft Windows complex password DLL, you must make sure that all users are aware of and adhere to the password policy.

Network Configuration
United States DoD customer network deployments must have a Syslog server. The system administrator will configure all routers to log severity levels 0 through 6 events and send log data to a syslog server.
logging on
logging buffered
logging host <ip address of syslog server>
logging console critical
logging trap informational
logging facility local7

Telnet must be disabled and SSH enabled on all VTY ports.


crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

line vty 0 15
 exec-timeout 10 0
 transport input ssh
 transport output ssh
 access-class 3 in
 password <complex password>

HTTP must be disabled on all ASVALAN components.


no ip http server
no ip http secure-server

TACACS+ must be configured and enabled for authentication; the local user database and the enable password are configured as fallback methods, as the aaa authentication line below shows.


aaa new-model
aaa authentication login default group tacacs+ local enable
aaa accounting exec default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host <ip address>
tacacs-server directed-request
tacacs-server key <key>

All of the following configuration commands must be entered from global configuration to meet IA requirements. Some commands are default and will not appear in the running configuration.
no service pad
no service config
no boot network
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service dhcp
no service config
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip domain-lookup
ip domain-name <domain>
no ip source-route
no ip gratuitous-arps
ip tcp synwait-time 10
ip cef
logging on
logging buffered
logging host 100.3.60.16
logging console critical
logging trap informational
logging facility local7

All IOS-based network devices must display a banner upon login that prohibits unauthorized use. A sample configuration is given below.
banner login $
**********************************************************************
This is a Department of Defense computer system. This computer system,
including all related equipment, networks, and network devices
(specifically including internet access), are provided only for
authorized U.S. Government use. DOD computer systems may be monitored
for all lawful purposes, including to ensure their use is authorized,
for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability,
and operational security. Monitoring includes active attacks by
authorized DOD entities to test or verify the security of this system.
During monitoring, information may be examined, recorded, copied, and
used for authorized purposes. All information, including personal
information, placed on or sent over this system, may be monitored. Use
of this DOD computer system, authorized or unauthorized, constitutes
consent to monitoring of this system. Unauthorized use may subject you
to criminal prosecution. Evidence of unauthorized use collected during
monitoring may be used for administrative, criminal, or other adverse
action. Use of this system constitutes consent to monitoring for these
purposes.
**********************************************************************
$
banner motd $
**********************************************************************
This is a Department of Defense computer system. This computer system,
including all related equipment, networks, and network devices
(specifically including internet access), are provided only for
authorized U.S. Government use. DOD computer systems may be monitored
for all lawful purposes, including to ensure their use is authorized,
for management of the system, to facilitate protection against
unauthorized access, and to verify security procedures, survivability,
and operational security. Monitoring includes active attacks by
authorized DOD entities to test or verify the security of this system.
During monitoring, information may be examined, recorded, copied, and
used for authorized purposes. All information, including personal
information, placed on or sent over this system, may be monitored. Use
of this DOD computer system, authorized or unauthorized, constitutes
consent to monitoring of this system. Unauthorized use may subject you
to criminal prosecution. Evidence of unauthorized use collected during
monitoring may be used for administrative, criminal, or other adverse
action. Use of this system constitutes consent to monitoring for these
purposes.
**********************************************************************
$
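The IA settings in this Security section, as an added audit script that is not part of the Cisco note: it splits a constructed IOS running-config into global lines and interface/line sections, then reports deviations from the requirements above (HTTP disabled, SSH-only VTYs with an exec-timeout and access-class, port security on access ports, a syslog host, a login banner). Because the note says some "no ..." commands are defaults that do not appear in the running configuration, those are flagged only when the positive form is explicitly present. The sample configuration, the check list and the function names are constructed for the example.

```python
# Added example: audit an IOS running-config against the IA settings in this
# note. The sample configuration below is constructed and deliberately
# non-compliant in a few places; 100.3.60.16 is the syslog host used in the note.
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
no ip source-route
aaa new-model
logging trap informational
logging facility local7
logging host 100.3.60.16
ip http server
ip finger
banner login $ This is a Department of Defense computer system. $
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
line vty 0 15
 exec-timeout 10 0
 transport input telnet ssh
"""

# Global commands this note requires. The note says some "no ..." forms are
# defaults that do not show in the running config, so those are only flagged
# when the positive form is explicitly present.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "service timestamps log datetime msec localtime show-timezone",
    "aaa new-model",
    "ip ssh version 2",
    "logging trap informational",
    "logging facility local7",
    "no ip http server",
    "no ip http secure-server",
    "no ip source-route",
    "no ip finger",
    "no service tcp-small-servers",
]


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into global lines and {section header: body lines}."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:  # indented = in section
            sections[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            global_lines.append(line)
    return global_lines, sections


def audit(config: str) -> List[str]:
    """Return findings against this note's IA requirements (empty = compliant)."""
    glob, sections = split_config(config)
    gset, findings = set(glob), []
    for req in REQUIRED_GLOBAL:
        if req.startswith("no "):
            if req[3:] in gset:  # positive form explicitly enabled
                findings.append(f"global: '{req[3:]}' enabled, expected '{req}'")
        elif req not in gset:
            findings.append(f"global: missing '{req}'")
    if not any(l.startswith("logging host ") for l in glob):
        findings.append("global: no syslog server (logging host)")
    if not any(l.startswith("banner login") for l in glob):
        findings.append("global: no login banner")
    for name, body in sections.items():
        if name.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                findings.append(f"{name}: telnet permitted on VTY")
            if "transport input ssh" not in body:
                findings.append(f"{name}: 'transport input ssh' not set")
            if not any(l.startswith("exec-timeout") for l in body):
                findings.append(f"{name}: no exec-timeout")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class applied")
        elif name.startswith("interface") and "switchport mode access" in body:
            # a shut-down port is an unused port handled per the note
            if "shutdown" not in body and "switchport port-security" not in body:
                findings.append(f"{name}: access port without port security")
    return findings
```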

Certified Network Topologies


This section outlines the network topologies tested and certified by JITC. You can use any of these network configurations to design your network.

Core Layer Only: Single Switch, Internally Redundant


Figure 3 shows the network configuration using a single switch that is internally redundant.

Figure 3 Network Configuration for Core Layer Only: Single Switch, Internally Redundant
(Figure: a single Catalyst 6500 or Catalyst 4500 switch with IP phones attached.)

Applicability
This configuration is applicable to user communities of up to approximately 500 users, depending on the switch type and associated Ethernet Switch Cards. With this type of ASVALAN, the equipment will typically be located in a single communications closet. This configuration consists of a single, internally redundant switch. This switch serves as both the core and access switch. The switches certified for this configuration are the Catalyst 6500 and Catalyst 4500 series switches.

Special Considerations
For small locations with fewer than 64 users, no switch redundancy is required, so you can use the Catalyst 2940, Catalyst 2950, Catalyst 2960, Catalyst 3560, or Catalyst 3750 series switches.

Core Layer Only: Redundant Switches, Internally Redundant


Figure 4 shows the network configuration using redundant switches that are internally redundant.

Figure 4 Network Configuration for Core Layer Only: Redundant Switches, Internally Redundant
(Figure: two Catalyst 6500 or Catalyst 4500 switches, each with IP phones attached.)

Applicability
This configuration is applicable to user communities of up to approximately 1000 users, depending on switch type. The LAN equipment can be located in a single communications closet or distributed among different closets, as long as the ASVALAN latency requirements are met (5 ms). This configuration consists of redundant core switches that are internally redundant. These switches serve as both core and access switches. The switches certified for this configuration are the Catalyst 6500 and Catalyst 4500 series switches.

Special Considerations
Redundant links to different modules are required between the two switches.

Core and Access Layers: Single Core Switch, Internally Redundant


Figure 5 shows the network configuration using a single core switch that is internally redundant.

Figure 5 Network Configuration for Core and Access Layers: Single Core Switch, Internally Redundant
(Figure: core layer Catalyst 6500 or Catalyst 4500; access layer Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 with IP phones attached; redundant uplinks to separate line cards in the core switch, see Special Considerations.)

Applicability
This configuration is applicable to a distributed user community (i.e., multiple communications closets). Uplink connections can be copper or fiber depending on network geography. This configuration consists of a single, internally redundant switch in the core and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations
You may use single uplinks to the core as long as the module in the core switch does not support more than 64 users total in the access layer switches. For example, if a single module in the core switch supports the uplink connection from two fully populated 24 port switches in the access layer (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Link capacity required is a function of the number of subscribers and is defined in Table 6. Redundant uplinks to separate modules in the core switch are required if the access switch has more than 64 users or if the module in the core switch is supporting more than 64 users.

Table 6 Link Capacity Requirements

Link Type       LAN BW        Users
Non-Converged   10 Mbps       64 (1)
                100 Mbps      64 (1)
                1 Gbps        64 (1)
                10 Gbps       64 (1)
                10 Mbps LP    100 (2)
                100 Mbps LP   1000 (2)
                1 Gbps LP     10000 (2)
                10 Gbps LP    100000 (2)
Converged       10 Mbps       25 (3)
                100 Mbps      64 (1)
                1 Gbps        64 (1)
                10 Gbps       64 (1)
                10 Mbps LP    25 (3)
                100 Mbps LP   250 (4)
                1 Gbps LP     2500 (4)
                10 Gbps LP    25000 (4)

LEGEND:
ASVALAN - Assured Services Voice Application LAN
BW - Bandwidth
Gbps - Gigabits per second
IP - Internet Protocol
kbps - kilobits per second
LAN - Local Area Network
LP - Link Pair
Mbps - Megabits per second

NOTES:
1. For single links, the number of telephony subscribers is limited to a maximum of 64 because of the single point of failure. This limit applies specifically to ASVALANs.
2. The number of users is calculated as bandwidth (BW) divided by 100 kbps per user.
3. The number of users was limited to 64 telephony subscribers per note 1 or 25% of total users per note 1, whichever was less.
4. For the converged network, voice traffic was engineered not to exceed 25% of total utilization using an estimated 100 kbps per voice call.

Core and Access Layers: Dual Core Switches, Not Internally Redundant


Figure 6 shows the network configuration using dual core switches that are not internally redundant.

Figure 6 Network Configuration for Core and Access Layers: Dual Core Switches, Not Internally Redundant
(Figure: two Catalyst 6500 or Catalyst 4500 core switches; access layer Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 serving 64 users with IP phones attached; redundant uplinks to separate core switches, see Special Considerations.)

Applicability
This configuration is applicable to a distributed user community (i.e., multiple communication closets). Uplink connections can be copper or fiber depending on network geography. This configuration consists of redundant core switches that are not internally redundant and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950 or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations
You may use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports the uplink connection from a fully populated 48 port switch, as shown in the access layer in Figure 6 (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Core and Access Layers: Dual Core Switches, Internally Redundant


Figure 7 shows the network configuration using dual core switches that are internally redundant.

Figure 7 Network Configuration for Core and Access Layers: Dual Core Switches, Internally Redundant
(Figure: switches labeled Catalyst 6500 or Catalyst 4500 or Catalyst 3750 with IP phones attached; redundant uplinks to separate core switches or the same core switch, see Special Considerations.)

Applicability
This configuration is applicable to a distributed user community (i.e., multiple communication closets). Uplink connections can be copper or fiber depending on network geography. This configuration consists of redundant core switches that are internally redundant and a separate switch (or switches) at the access layer. The links between the core switches must use separate modules. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations
You can use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports only the uplink connection from two fully populated 24 port switches in the access layer (less than 64 users connected through a single module in the core), no redundant uplinks are required for those two access switches. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Because the core switches have internal redundancy, the redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch. Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Core, Distribution, and Access Layers: Dual Core Switches, Internally Redundant; Single Distribution Switch, Internally Redundant
Figure 8 shows the network configuration using dual core switches that are not internally redundant and dual distribution switches that are internally redundant.
Figure 8 Network Configuration for Core, Distribution, and Access Layers: Dual Core Switches, Internally Redundant; Single Distribution Switch, Internally Redundant
(Figure: core layer Catalyst 6500 or Catalyst 4500; distribution layer Catalyst 6500, Catalyst 4500, or Catalyst 3750; access layer Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940, each serving >64 users, with IP phones attached; redundant uplinks to separate distribution switches, see Special Considerations.)

Applicability
This is typical of a large network. Uplink connections can be copper or fiber depending on network geography. This configuration consists of redundant switches in the core that are internally redundant, redundant switches in the distribution layer that are internally redundant, and a separate switch (or switches) at the access layer. The switches certified for the core and distribution layers are the Catalyst 6500 and Catalyst 4500 series switches. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Fiber transport using the ONS 15454 is also certified.

Special Considerations
You may use single uplinks to the core as long as the Ethernet modules in the core switches are not supporting more than 64 users total in the access layer switches. For example, if a single module in the core supports the uplink connection from a fully populated 48 port switch, as shown in the access layer on the right in Figure 8 (less than 64 users connected through a single module in the core), no redundant uplinks are required for the two access switches. No single module can support more than 64 users in total without redundancy. However, if a single module in the core supports the uplink connection from five fully populated 24 port switches in the access layer (more than 64 users connected through a single module in the core), you must set redundant uplinks to two separate modules in the core switch for the five access layer switches. Because the core switches have internal redundancy, the redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch. Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6. Redundant uplinks to separate core switches are required if the access switch has more than 64 users or if the module in the core switch is supporting more than 64 users.

Core, Distribution, and Access Layers: Dual Core Switches, Internally Redundant; Dual Distribution Switches, Not Internally Redundant
Figure 9 shows the network configuration using dual core switches that are internally redundant and dual distribution switches that are not internally redundant.
Figure 9 Network Configuration for Core, Distribution, and Access Layers: Dual Core Switches, Internally Redundant; Dual Distribution Switches, Not Internally Redundant
(Figure: core layer Catalyst 6500 or Catalyst 4500; distribution layer Catalyst 6500, Catalyst 4500, or Catalyst 3750; access layer Catalyst 6500, Catalyst 4500, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 with IP phones attached; redundant uplinks to separate distribution switches, see Special Considerations.)

Applicability
This configuration is typical of a larger network. Uplink connections can be copper or fiber depending on network geography. This configuration consists of internally redundant switches in the core, redundant switches in the distribution layer that are not internally redundant, and a separate switch (or switches) at the access layer. The switches certified for the core layer are the Catalyst 6500 and Catalyst 4500 series switches. The switches certified at the distribution layer are the Catalyst 6500 series, Catalyst 4500 series, and Catalyst 3750 series switches. In this scenario, redundant Catalyst 3750 series switches are in the distribution layer. Because the Catalyst 3750 series switch is a non-redundant switch, two switches are utilized to achieve redundancy. The Catalyst 6500 series, Catalyst 4500 series, Catalyst 3750, Catalyst 3560, Catalyst 2960, Catalyst 2950, or Catalyst 2940 series switches can be used for the access layer. Uplink connections can be copper or fiber depending on network geography. Fiber transport using the ONS 15454 is also certified.

Special Considerations
The redundant uplinks to the core can be to the same switch as the primary uplink, or to the separate core switch because the core switches have internal redundancy. Link capacity required is a function of the number of subscribers. The link capacity requirements are defined in Table 6.

Acronyms and Abbreviations


Table 7 defines the acronyms and abbreviations used in this publication.
Table 7 Acronyms

Acronym   Expansion
ACL       Access Control List
AFIOC     Air Force Information Operations Center
APL       Approved Products List
ASVALAN   Assured Services Voice Application Local Area Network
CAS       Channel Associated Signaling
CPE       Customer Premise Equipment
CJCSI     Chairman of the Joint Chief of Staff Instruction
CJCSM     Chairman Joint Chiefs of Staff Manual
CoS       Class of Service
DAA       Designated Approving Authority
DDT       delay-to-dial-tone
DISA      Defense Information Systems Agency
DISN      Defense Information Systems Network
DoD       Department of Defense
DoDD      Department of Defense Directive
DoDI      Department of Defense Instruction
DRSN      Defense RED Switch Network
DSCP      Differentiated Services Code Point
DSN       Defense Switch Network
DVX       Digital Voice eXchange
EO        End Office Switch
GSCR      Generic Switching Center Requirements
IA        information assurance
IAW       in accordance with
ICTO      Interim Certificate to Operate
IO        interoperability
IP        Internet Protocol
JITC      Joint Interoperability Test Command
LAN       Local Area Network
MFS       Multi-Function Switch
MGCP      Media Gateway Control Protocol
MUF       Military Unique Features
NSA       National Security Agency
OSD       Office of the Secretary of Defense
PBX1      Private Branch eXchange 1
PBX2      Private Branch eXchange 2
PRI       Primary rate interface
PSTN      Public Switched Telephone Network
QoS       Quality of Service
RSU       Remote Switching Unit
SIP       Session Initiation Protocol
SMEO      Small End Office Switch
STIG      Security Technical Implementation Guide
STP       Signaling Transfer Point
SUT       system under test
TACACS    Terminal Access Controller Access Control System
TDM       Time Division Multiplexing
VCAO      Voice Connection Approval Office
VoIP      Voice over Internet Protocol
VTC       Video TeleConference

Related Documentation
You can view the documentation for the products and software releases discussed in this document at the following URLs:

DISA Approved Products List for Cisco
http://jitc.fhu.disa.mil/apl/dsn/apl_cisco.html

Catalyst 6500 Series Switches, Software Release 12.2(18)SXF3
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/index.htm

Catalyst 4500 Series Switches, Software Release 12.2(31)SG
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/index.htm

Catalyst 3750, Catalyst 3560-PoE 24, Catalyst 2960, Software Release 12.2(25)SEE
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2960/index.htm

Catalyst 2940, Catalyst 2950, Software Release 12.1(22)EA7
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/index.htm

ONS-15454 SDH, Release 7.0
http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r70docs/index.htm

ONS-15454 SDH, Release 7.0
http://www.cisco.com/univercd/cc/td/doc/product/ong/15454sdh/454sdh70/index.htm

Obtaining Documentation, Obtaining Support, and Security Guidelines


For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html


This document is to be used in conjunction with the documents listed in the Certified Network Topologies sections.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007 Cisco Systems, Inc. All rights reserved.
