The LAN infrastructure needs to be robust and redundant in order to support
converged services. A typical LAN three-tier architecture is shown in Figure 2.
To get the LAN ready for data, voice, and video convergence over LAN and WLAN,
separate changes need to happen at all tiers of the architecture. In the next
sections we describe the required changes in the areas of security, Power over
Ethernet (PoE), QoS, and WLAN integration.
Security
As stated, voice and data networks have so far addressed security by keeping two
separate networks with minimal overlap in traffic. In converged network
environments, however, critical services such as VoIP are exposed to the
vulnerabilities of the data network. Therefore, during the development of
converged networks, all measures should be taken to protect these services and
to minimize the impact on the data network. Figure 2 shows the existing
three-tier LAN architecture [1, 2]. The edge of the network (access layer) has
no security deployed, allowing anybody to connect to the Intranet. Most of the
LAN infrastructure is not ready for converged communication. During a crisis,
access-control lists (ACLs) are deployed at the building distribution level to
protect against malware.

Figure 2: Existing three-tier LAN architecture
Depending on the number of building routers, propagating an ACL can take several
hours, and during this time sensitive services such as voice may be impacted. To
prevent this, a number of steps should be taken: only authorized machines should
be allowed to connect to the LAN, and the ability to detect and remove offending
devices at the access location must be developed. In this area, multiple
capabilities and technologies need to be leveraged to protect the LAN and reduce
the risk of failures due to malicious code. The IEEE 802.1X standard is one
example; it offers both wired and wireless devices a method to authenticate both
the device and the user before allowing access to the network. Based on the
Extensible Authentication Protocol (EAP), 802.1X allows direct EAP communication
between the end device and a backend authentication (RADIUS) server prior to
granting network access [3, 4]. Only authenticated users and devices are allowed
to connect to the production VLAN. All other devices are either refused a
connection to the enterprise network or placed on limited-access networks. Since
EAP is extensible by design, it can be expanded to include checking compliance
with corporate policies such as operating system patches and virus signatures.
When a device does not have the right credentials, it can be redirected to a
different network where it can be patched, or it can be limited to accessing the
Internet only. This guarantees that only trusted machines with the right
credentials and posture (domain account, operating system level, patch level,
configuration level, etc.) can access the Intranet, a feature that enhances the
security level for both voice and data devices. In the future, stateful
inspection, network intrusion protection systems, or NBAR (Network-Based
Application Recognition) can also be performed at the distribution layer to
provide protection from application-level attacks. The distribution layer should
continue to be used as the first multi-layered defense, with the access layer
used to enforce connection policies and provide connection-termination
capabilities. Sub/Super VLAN (also known as private VLAN) technology can also be
used to isolate some systems within a broadcast domain.
Special attention should also be given to keeping all critical services
(DNS/DHCP/TFTP, etc.) in separate protected domains or enclaves.
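As an added example (not from the article), the following Python model shows the access decision that the 802.1X/EAP flow above produces: the RADIUS reply carries the authentication result and the posture, and the access switch places the port in the production, remediation or Internet-only VLAN, or leaves it unauthorized. The VLAN IDs, policy thresholds and posture fields are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Vlan(Enum):
    """Networks the access switch can place a port in.
    VLAN IDs are constructed for the example."""
    PRODUCTION = 100     # trusted voice and data
    REMEDIATION = 200    # only patch/AV servers reachable
    INTERNET_ONLY = 300  # no Intranet access
    NONE = 0             # port stays in the 802.1X unauthorized state

# Corporate compliance policy enforced by the posture check (constructed values)
POLICY = {"min_os_patch_level": 7, "max_av_signature_age_days": 3}

@dataclass
class Posture:
    domain_member: bool          # device has a domain account
    os_patch_level: int          # operating system patch level
    av_signature_age_days: int   # age of the installed virus signatures

@dataclass
class RadiusReply:
    """What the switch learns from the RADIUS server after the EAP exchange."""
    authenticated: bool                 # EAP method succeeded for user and device
    posture: Optional[Posture] = None   # None if the client reported no posture

def posture_compliant(p: Posture) -> bool:
    """Posture check carried inside the extensible EAP exchange."""
    return (p.os_patch_level >= POLICY["min_os_patch_level"]
            and p.av_signature_age_days <= POLICY["max_av_signature_age_days"])

def port_decision(reply: RadiusReply) -> Vlan:
    """Map the RADIUS result to the VLAN the access port is assigned."""
    if not reply.authenticated:
        return Vlan.NONE                # no credentials: no connection
    if reply.posture is None or not reply.posture.domain_member:
        return Vlan.INTERNET_ONLY       # credentials but not a corporate device
    if not posture_compliant(reply.posture):
        return Vlan.REMEDIATION         # redirect to a network where it gets patched
    return Vlan.PRODUCTION              # trusted machine: production VLAN
```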
Power over Ethernet
With the advent of the IEEE 802.3af standard (Power over Ethernet, PoE), the
number of cables used decreases, since power is supplied to the end device over
the LAN connection. Moreover, if the edge device supports 802.1Q trunking, this
single connection can support both a dedicated VoIP device (hardphone) and
another (data) device, such as a desktop or laptop computer, connected through
it. A single Ethernet port thereby supports both voice and data devices, and the
802.1Q protocol separates voice from data. This also requires that all access
switches support PoE. Enterprises should make the PoE vs. non-PoE decision for
access switches based on a return-on-investment type of analysis. In an existing
building with the right switch it is not always necessary to have PoE-based line
cards; most VoIP hardphones can also use an external power supply connected to a
regular building power outlet. Therefore, it is good practice to build all new
networks with PoE, but for existing buildings an external power supply is still
a very cost-effective option.
Quality of Service
The main objective of QoS within LANs and WLANs is the prioritization of traffic
during congestion. Since LAN traffic is bursty in nature, it can cause buffer
(especially transmit buffer) over-runs and under-runs. The first step in QoS is
to identify the traffic and classify it so that different traffic types can be
processed differently. Typically, access control lists are used to identify the
traffic by source/destination IP address and TCP or UDP port at Layer 4, or by
application signature at Layer 7. Policing or shaping of the traffic can happen
at the same device; alternatively, the packets may be marked with a specific
priority, using the Class-of-Service (CoS) bits at Layer 2 or the
Type-of-Service (ToS) field or Differentiated Services Code Point (DSCP) at
Layer 3, and those markings can be used later by other devices. To keep QoS
end-to-end, all intermediate routing/switching devices must trust the marked
traffic, which minimizes re-marking. It is also best to identify and mark the
traffic as close to the source as possible (normally at the access-layer switch
in the wiring closet, as shown in Figure 2) [5, 6]. Since most of the marking
within the Intel LAN environment will be done by the applications running on a
system or hardphone, it is essential that the LAN and WLAN trust the endpoint
marking. It is also important to have separate queues for voice
(latency-sensitive) traffic and for other traffic, with a priority-scheduling
scheme applied to the voice queue. In the coming years, new applications and
services are planned for deployment to improve user productivity; VoIP in the
LAN and WLAN is one of them. The convergence of multiple communication methods
will also drive the need for QoS in LANs and WLANs.
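As an added example (not the article's own code), this Python sketch carries the QoS steps above through code: ACL-style classification, DSCP and CoS marking, a trust boundary that re-marks traffic from untrusted endpoints, and strict-priority scheduling of a separate voice queue. Port ranges, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# DSCP values (Layer 3) and the 802.1p CoS value (Layer 2) each maps to.
DSCP_EF, DSCP_CS3, DSCP_BE = 46, 24, 0    # voice bearer, call signaling, best effort
DSCP_TO_COS = {DSCP_EF: 5, DSCP_CS3: 3, DSCP_BE: 0}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    dscp: int = DSCP_BE   # marking as received from the endpoint
    cos: int = 0          # marking written onto the 802.1Q trunk

# ACL-style classifier: rules are checked in order, first match wins.
# The RTP port range and SIP port are constructed for the example.
RULES: List[Tuple[str, Callable[[Packet], bool], int]] = [
    ("voice-rtp", lambda p: p.proto == "udp" and 16384 <= p.dport <= 32767, DSCP_EF),
    ("voice-signaling", lambda p: p.proto in ("tcp", "udp") and p.dport == 5060, DSCP_CS3),
]

def classify(p: Packet) -> int:
    """Layer 3/4 classification; anything unmatched is best effort."""
    for _name, match, dscp in RULES:
        if match(p):
            return dscp
    return DSCP_BE

def ingress_mark(p: Packet, trust_endpoint: bool) -> Packet:
    """Trust boundary at the access switch: keep the endpoint's DSCP only on
    trusted ports (hardphone, managed system); otherwise re-classify so an
    untrusted device cannot promote its own traffic into the voice class."""
    if not trust_endpoint:
        p.dscp = classify(p)
    p.cos = DSCP_TO_COS.get(p.dscp, 0)   # carry the class onto the Layer 2 trunk
    return p

def schedule(queued: List[Packet]) -> List[Packet]:
    """Transmit order with a separate, strictly prioritized voice queue:
    every EF packet leaves before any other packet, FIFO within each queue."""
    voice = [p for p in queued if p.dscp == DSCP_EF]
    other = [p for p in queued if p.dscp != DSCP_EF]
    return voice + other
```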
WLAN Integration
Many enterprises treat the WLAN as insecure and hence require users to establish
a VPN connection before gaining access to corporate resources (Figure 3). This
has been the general policy due to the well-documented weak security of the
Wired Equivalent Privacy (WEP) mechanism. With the latest developments in WLAN
security standards (802.11i, using WPA2 with authentication based on 802.1X and
AES encryption), however, the VPN component can be removed from the wireless
network, allowing the Access Point (AP) to pass traffic directly to the LAN
infrastructure. Recent LAN security protocols, mainly MACsec (802.1AE) and MAC
key security (802.1AF), make the authentication and encryption schemes of WLAN
and LAN converge.

Figure 3: Existing WLAN architecture
New Converged Architecture
Figure 4 shows the integrated converged network, in which the WLAN is considered
an extension of the LAN and the endpoint registers with the WLAN controller to
obtain services. As WLAN access technology changes from 802.11a/b/g to 802.11n,
the same architecture can be used to support the new access technology with its
enhanced throughput. VoIP becomes the primary voice technology within the
building, and it connects to the legacy PBX to provide backward connectivity.
However, all VoIP end nodes talk to each other directly, connected through the
VoIP server.

Figure 4: Converged network architecture