
Alcatel OmniPCX Enterprise

VPN Overflow
NOTE:

Product specifications contained in this document are subject to change
without notice. Products and services described in this document may not be
offered in every country. For the most current information, please contact
your Alcatel representative or your Alcatel equipment provider.

Copyright (c) 2006 Alcatel. All rights reserved for all countries. This
document may not be reproduced in whole or in part without the express
written permission of Alcatel.

Alcatel® and the Alcatel logo are registered trademarks of Alcatel. All other
trademarks are the property of their respective owners.

The CE mark indicates that this product conforms to the following Council
Directives:
- 89/336/CEE (concerning electro-magnetic compatibility)
- 73/23/CEE (concerning electrical safety)
- 1999/5/CE (R&TTE)


 
 


Chapter 1
Overview

- General
  - Service characteristics
  - Use
- Reference to related modules

Chapter 2
Detailed description

- Principle
  - VPN hop
  - VPN numbers
  - VPN hop establishment
  - Example
- Access authorisation to the service
  - Principle
  - Inhibiting the mechanism
- Limiting VPN calls
- Interaction with the overflow services
  - Interaction of an internal private call (subscriber - subscriber)
  - Interaction of a private call (trunk - subscriber)
- Interaction with ARS
  - "Pre-defined" thresholds
  - Adjustable threshold: (for accurate management with precise cost calculation)
- Charging
- Charging ticket

Chapter 3
Configuration procedure

- General
- Software protection
- Declaration of the VPN timeout
- Declaration of VPN hops
- Declaring the trunk groups
- Declaring VPN numbers
  - Declaring local VPN numbers
  - Declaring remote VPN numbers
- Managing the service access
  - For the user
  - For an incoming trunk group
- Validating the VPN service

Chapter 4
Configuration examples

- Description

Chapter 5
Maintenance

- Incidents
- The LOOKVPN command
  - Local VPN configuration
  - Local VPN numbers
  - User configuration
  - VPN cost thresholds per category
  - VPN service configuration
  - VPN call counter


 

1 Overview

1.1 General
The virtual private network (VPN) service is used in addition to a homogeneous ABC private
network. It allows ABC calls to overflow on the public network in the event of ABC logical link
congestion. This is a means of by-passing B channel congestion in an ABC network. This
service is more complex and completes the existing offer:
- private/public overflow,
- automatic call-back on congested logical link,
- trunk group overflow.
The number of VPN overflows used by a call is limited to 2.
The VPN overflow is also used for the particular case of voice on IP (see module ABC link
through IP - Overview).

1.1.1 Service characteristics


The VPN overflow service enables:
- routing of ABC-F communications in the event of a congested logical link by overflow on
the public network,
- support for communications of all types of equipment,
- maintaining of ABC-F services (in an ABC-F sub-network),
- maintaining of ABC-F native routing optimisation,
- additional user barring level as regards the service,
- limitation of the number of calls by VPN hop: see module VPN overflow - Detailed
description § Limiting VPN calls,
- interaction with ARS: see module VPN overflow - Detailed description § Interaction with
ARS,
- the communications support between two sub-networks connected by a QSIG-GF bundle
with VPN hop in a sub-network (see module VPN overflow - Detailed description),
- the voice on IP (see module ABC link through IP - Overview).

1.1.2 Use
The possible uses of the service include:
Bandwidth optimisation
In the case of an ABC-F network where the inter-node traffic presents peak periods, the
network administrator can select to lease from the operator only the amount of bandwidth
required for nominal traffic (E1 type split operator service) and to implement the VPN overflow
service. The excess traffic corresponding to the peak period times is then routed by VPN
overflow. The inherent cost of the leased link is therefore optimised as regards the nominal
traffic while the service during peak periods is not degraded.


Connecting a low traffic node
In the case of an ABC-F network with a node where the traffic to the network is low, it is
possible to use VPN overflow in conjunction with a hybrid logical link for node connection.
Therefore, a hybrid logical link with no B channel is used to connect the node to the rest of the
ABC-F network. All the communications with the network are then obtained via the VPN
overflow service. With this type of configuration, there is no need to lease a link from the public
operator.

1.2 Reference to related modules


VPN overflow is described in the following modules:
- Functional description (see module VPN overflow - Detailed description),
- Management (see module VPN overflow - Configuration procedure),
- Management examples (see module VPN overflow - Configuration examples),
- Maintenance (see module VPN overflow - Maintenance).

2 Detailed description
    

2.1 Principle
In a homogeneous ABC network, VPN overflow consists in using public network B channels
for the voice part of a communication, while the signaling part transits over the private network
in the same way as for an ordinary ABC communication. This means the communication
retains an ABC-F2 service level.

Figure 2.1: VPN Overflow

2.1.1 VPN hop


During the establishment of a private ABC-F call, when the path linking the subscribers finds a
congested logical link in the B channels and if the VPN overflow service is present, then the
routing application provides a route integrating a VPN overflow.
To cross the congested part of the network, a communication on the public network is
activated between the nodes specified by the routing. The number called is a special number:
the VPN number. It is a DDI number reserved for the VPN service. It is associated with the
destination node and is known on the originating (or initial) node. The link obtained in this way
between the two nodes is called the VPN hop.
On the destination node, the two components of the communication must be united (voice part
and signaling part). A correlation is used for this purpose. This correlation is a reference used
to retrieve the parts of a communication. It is transported in the ABC signaling and in the public
network communication. To ensure its uniqueness across the network, the correlation includes
a reference to the calling party node.
In order to operate, the VPN service therefore requires:
- ABC logical links,
- access to the public network, all types of access with DDI are possible (digital or analog),
- DDI numbers reserved for the VPN service.

2.1.2 VPN numbers


The following conventions are used in this document:
- the VPN hop originating node (originating node) is the node connected to the congested
logical link at the calling subscriber end,
- the VPN hop destination node is the node connected to the congested logical link at the
called subscriber end.

Figure 2.2: VPN numbers


Therefore, to set up the VPN hop, a public network communication between the nodes linked
by the congested logical link needs to be established. Public numbers are reserved for this
purpose.
Local VPN number
This is a DDI number in the destination node numbering plan. It is reserved for the VPN
service and is used to receive incoming VPN calls. It is provided to the originating node for a
given VPN hop in an ABC-F signaling message and is only used during the incoming VPN call
establishment phase. Once the call is established, the VPN number is available once again for
another VPN hop.
The local VPN number is associated with a numbering plan descriptor (NPD). This enables the
numbering sequence to be established from the transcoding of the local VPN number and the
Installation Number of the descriptor.
Several local VPN numbers can be declared for the same VPN hop on the destination node.
They are not connected to the hop but to the node. They are used for all the hops arriving on
this node.
Remote VPN number
This is a number declared on the originating node which refers to a local VPN number on a
destination node. The declaration of the remote VPN numbers is carried out automatically by
the broadcast process.
A routing table can be assigned to the remote VPN number. This is a table of the same type as
the one used in ARS. It is used to obtain the numbering sequence which will be used (as a
priority) to reach the destination node and must be completed in management.

2.1.3 VPN hop establishment


Chronologically, the VPN hop is established as follows:

Phase   Description
1       The originating node is informed by the routing of the number (in the
        ABC-F sense) of the destination node. It sends a VPN number request to
        the destination node (in the ABC-F signaling channel).
2       The destination node:
        - searches for a free local VPN number,
        - develops the numbering sequence used to reach this local VPN number,
        - sends an ABC signaling message containing the VPN number and the
          associated numbering sequence.
3       The originating node:
        - checks that the local VPN number received is known (declared as a
          remote number),
        - looks for any associated routing table numbers,
        - dials on the public network the content of the table if it exists, or
          the numbering sequence received in the ABC-F message.
4       The destination node receives the VPN call:
        - it establishes the correlation with the ABC-F signaling,
        - the local VPN number becomes available again.
5       The call is carried to the called subscriber.

2.1.4 Example
The establishment of a private call with ABC-F2 service quality, between a node A user and a
node D user while there is a B channel congestion on one or more logical links on the path
between A and D, is possible using the VPN overflow service.

Figure 2.3: VPN overflow in a homogenous ABC network


1. When user A dials user D's number, the routing application informs call processing that the
logical link between nodes B and C is congested (in B channels) and supplies a list of
nodes for routing the voice part of the call. The voice part of the call follows:
- the ABC-F logical links in the uncongested part of the network,
- the public network in order to bypass the congested network parts.
The route supplied by the routing application indicates the nodes where public network
access must be carried out, as well as the VPN cost and the control indications used to
authorize the route.
2. A call with B channel is generated from node A to node B. The route calculated by node A
is transported to node B by the ABC-F protocol.
3. The incoming VPN call generates, in the B node, a new request for the routing application
to obtain a route "without B channel" to node C. Then the call is routed to node C with a
"without B channel" characteristic and with a "VPN number" request.


4. Node C processes the "VPN number" request and provides node B with a free "local VPN
number" and a DDI number relative to the "local VPN number" supplied.
5. On reception of the information, node B checks that the free "local VPN number" is known
in its translator. If a routing list is associated with this number, the call is carried out with
the contents of this list, otherwise the call is established with the "local VPN number"
received from node B.
6. In node C, a correlation is established between the incoming public call ("with B channel")
and the previous private ABC call ("without B channel"). The VPN route calculated in the
originating node is once again analyzed and a private ABC call "with B channel" is
established to node D as for an ordinary private call.
7. The incoming call in node D is processed as an ordinary private call. The ABC-F protocol
messages are routed in transparent mode while those specific to VPN overflow are filtered.
All the ABC-F services are available.

2.2 Access authorisation to the service


For the VPN calls, barring is not applied. A specific VPN access authorization mechanism is
implemented on VPN overflow. Call restrictions are based on the comparison between the
VPN overflow cost and the VPN cost limit allocated by management to each user in his public
network access category. This determines whether a VPN call is authorized or not.

2.2.1 Principle
Each VPN hop defined in an ABC network has an associated VPN cost in management. This
cost is proportional to the financial cost of an average duration communication between nodes
located at the two ends of the VPN link. VPN costs are static values between 1 and 254 and are
used by the routing application to calculate the global cost of a route including one or two
(maximum) VPN overflows.
Each subscriber has a VPN cost threshold defined in his public network access category.
This parameter is used to determine the VPN hops that are authorized for the subscriber. A
user can only use a VPN hop for his call if the VPN cost threshold that has been allocated to
him is greater than the VPN cost of the hop.

VPN threshold         VPN overflow
-1                    VPN overflow never authorized.
0                     Overflow authorized on uncontrolled VPN arcs.
254                   VPN overflow always authorized.
0 < Threshold < 254   VPN overflow authorized on the arcs with a cost lower than the
                      threshold.

The public trunk groups also have a VPN threshold used to define the VPN overflow
authorization for calls incoming via this trunk group.
On establishing a call that implements a VPN overflow, the caller (user or trunk) VPN cost
threshold is compared with the VPN cost of the route. The call is accepted if the caller VPN
cost threshold is greater than the VPN cost of the route.

2.2.2 Inhibiting the mechanism

The access control mechanism can be inhibited for a given VPN hop. In certain cases, it may
prove essential to authorize systematic overflow regardless of the threshold cost of the users.
This is the case for a node connected via a hybrid logical link with no B channels (signaling
only) and where the communications are systematically obtained by VPN overflow. In this
case, the communications coming from the node connected by this type of logical link have no
other solution than to perform a VPN overflow.
A management data item for VPN hops is used to validate or inhibit the access control
mechanism. This operation can be carried out selectively for the voice or data qualities of a
communication.
- When the access authorization is operational, a controlled VPN hop is obtained.
- When the access authorization is not operational, an uncontrolled VPN hop is obtained.

Figure 2.4: Access control mechanism

2.3 Limiting VPN calls


VPN calls are limited at two levels:
- at trunk group level, the % IT VPN parameter gives the maximum percentage of channels
that can be used simultaneously for VPN overflow with respect to the total number of trunk
group channels. This enables some trunk group channels to be reserved for standard calls
(to the public network for example). However, standard calls on the trunk group may use
all trunk group resources.
For an IP trunk group, the percentage of inter-node calls over an IP network cannot
therefore be more than the value of the % IT VPN parameter. However, the number of
channels used by H323 calls is not checked, these calls may therefore fully occupy the
trunk group.
- for a VPN hop between two nodes, two parameters are used to limit the number of IP and
non IP calls.

• For a VPN hop on IP, the advantage is that the number of calls can be limited by
direction (to a given node) to take network bandwidth limitations into account. This is
because managing % IT VPN on the IP network does not allow limitation by direction
as the same trunk group can be used for overflow to several nodes.
• For a VPN hop on a support other than IP, another advantage is that limitation by
direction can be configured and trunk group resources distributed on the different
directions. A minimum number of calls (by direction) can thus be ensured.
Counters are used to monitor these thresholds. When a limit is reached, an incident is
generated and the standard overflow mechanisms are used (see § Interaction with the
overflow services).

Figure 2.5: Monitoring number of VPN calls


Example of use on an IP network:
Example 1: the IP and VPN topologies are identical, thresholds can be directly calculated from
the bandwidth available on each IP thread.

Figure 2.6: Identical IP and VPN topologies


Example 2: the IP and VPN topologies are different: the thresholds for each VPN hop can be
calculated from the maximum number of calls on each IP thread.

Figure 2.7: Different IP and VPN topologies

2.4 Interaction with the overflow services


Several services are offered to overcome congestion in an ABC network:
- VPN overflow, used to bypass B channel congestion while maintaining the ABC-F service
level,
- automatic call-back on busy logical link (CCBL) is used to defer the call until a logical link is
available,
- private/public overflow intervenes in the case of a failure on the logical link. Calls are
routed over the public network. The ABC-F service level is not maintained.

2.4.1 Interaction of an internal private call (subscriber - subscriber)

Figure 2.8: Interaction of a private call (subscriber - subscriber)

2.4.2 Interaction of a private call (trunk - subscriber)

Figure 2.9: Interaction of a private call (trunk - subscriber)

2.5 Interaction with ARS

Figure 2.10: Interaction with ARS


Break-out call and VPN overflow
When an external trunk group is seized across a logical link without B channel or a congested
logical link, ARS and VPN overflow inter-operate.

Figure 2.11: Break-out call and VPN


Each route in a routing list has an associated "ARS_VPN" threshold (similar to VPN costs and
thresholds). This threshold can assume a value between a minimum (-1) and a maximum
(254). In the context of an ARS route (external trunk group seize), if it is necessary to cross a
logical link without B channel or a congested logical link (by VPN overflow), this route will only
be used if the VPN cost of the overflow is less than, or equal to, the "ARS_VPN" threshold of
the route.
Remark: Comments
The VPN threshold associated with the caller is not taken into account since barring by
subscriber is already carried out by ARS.
To ensure easy management of standard cases, certain threshold values have been
pre-defined.

2.5.1 "Pre-defined" thresholds

- "ARS_VPN" threshold = -1: the route never overflows on VPN.
- "ARS_VPN" threshold = 0: the ARS route is authorized to overflow on the VPN
  uncontrolled hops (default value).
  - Application: this is used to cross the logical links without B channels (or assimilated
    arcs) by inhibiting crossing where logical links are used when they are not congested.
- "ARS_VPN" threshold = 254: in case of a VPN overflow, regardless of the cost, this route
  is used.
  - Application: case of an F trunk group to an attendant always advantageous for
    international calls.

Figure 2.12: Pre-defined thresholds

2.5.2 Adjustable threshold: (for accurate management with precise cost calculation)

- "ARS_VPN" threshold = X in [1.. 254]: if the VPN cost is less than or equal to the
  threshold or if the VPN route only crosses VPN arcs that are uncontrolled, this route will be
  used. Otherwise, the next ARS route will be evaluated.
  - Application: used for fine adjustment of the VPN overflow conditions for a break-out call
    according to the respective costs of other choices.

Figure 2.13: Adjustable thresholds
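
The access rules of § 2.2 (caller thresholds, controlled and uncontrolled hops) and § 2.5 (ARS_VPN thresholds) reduce to one decision function with two comparison modes. The Python below is an added example, not Alcatel code: the class and function names are hypothetical and the hop and threshold values are constructed. It also lists the settings that let a call reach the public network without any cost check, which is what an administrator reviewing toll exposure would look for.

```python
from dataclasses import dataclass

NEVER, UNCONTROLLED_ONLY, ALWAYS = -1, 0, 254  # pre-defined threshold values
MAX_VPN_HOPS = 2                               # a call uses at most two VPN overflows
DATA, VOICE = 0, 1                             # call quality 0 / quality 1


@dataclass(frozen=True)
class VpnHop:                                  # hypothetical model of one declared VPN hop
    node_x: int
    node_y: int
    cost: int                                  # "VPN hop cost", 1..254
    mandatory_data: bool = False               # "Mandatory VPN hop quality 0"
    mandatory_voice: bool = False              # "Mandatory VPN hop quality 1"

    def __post_init__(self):
        if not 1 <= self.cost <= 254:
            raise ValueError(f"VPN hop cost {self.cost} is outside 1..254")

    def controlled(self, quality):
        """True unless cost control is inhibited on this hop for the call quality."""
        inhibited = self.mandatory_voice if quality == VOICE else self.mandatory_data
        return not inhibited


def route_cost(hops, quality=VOICE):
    """Global VPN cost of a route; uncontrolled hops are left out of the sum."""
    return sum(h.cost for h in hops if h.controlled(quality))


def _authorized(threshold, hops, quality, inclusive):
    if not -1 <= threshold <= 254:
        raise ValueError(f"threshold {threshold} is outside -1..254")
    if not 1 <= len(hops) <= MAX_VPN_HOPS:
        return False                           # not a valid VPN overflow route
    if threshold == NEVER:
        return False
    if not any(h.controlled(quality) for h in hops):
        return True                            # uncontrolled hops only: threshold >= 0 passes
    if threshold == ALWAYS:
        return True
    if threshold == UNCONTROLLED_ONLY:
        return False                           # at least one hop is controlled
    cost = route_cost(hops, quality)
    return cost <= threshold if inclusive else cost < threshold


def caller_may_overflow(threshold, hops, quality=VOICE):
    """User or incoming trunk group: threshold must be greater than the route cost."""
    return _authorized(threshold, hops, quality, inclusive=False)


def ars_route_usable(ars_vpn_threshold, hops, quality=VOICE):
    """ARS route: VPN cost must be less than or equal to the ARS_VPN threshold."""
    return _authorized(ars_vpn_threshold, hops, quality, inclusive=True)


def audit(hops, thresholds):
    """List settings that let calls reach the public network without a cost check."""
    findings = []
    for h in hops:
        for quality, label in ((DATA, "data"), (VOICE, "voice")):
            if not h.controlled(quality):
                findings.append(f"hop {h.node_x}-{h.node_y}: cost control inhibited ({label})")
    for owner, threshold in sorted(thresholds.items()):
        if threshold == ALWAYS:
            findings.append(f"{owner}: threshold 254, VPN overflow always authorized")
    return findings


# Constructed sample configuration (not taken from a real installation).
HOP_B_C = VpnHop(2, 3, cost=3)
HOP_C_E = VpnHop(3, 5, cost=10, mandatory_data=True, mandatory_voice=True)
THRESHOLDS = {"category 1": -1, "category 4": 3, "category 7": 254, "trunk group 12": 0}

if __name__ == "__main__":
    for owner, threshold in THRESHOLDS.items():
        print(owner, caller_may_overflow(threshold, [HOP_B_C]),
              caller_may_overflow(threshold, [HOP_C_E]))
    print("ARS route, threshold 3:", ars_route_usable(3, [HOP_B_C]))
    print("\n".join(audit([HOP_B_C, HOP_C_E], THRESHOLDS)))
```

With a hop cost of 3, a caller threshold of 3 is refused while an ARS_VPN threshold of 3 is accepted, because the text states "greater than" for callers and "less than or equal to" for ARS routes.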

2.6 Charging
For each VPN hop, a charging ticket is generated on the node where the VPN overflow took
place. An attribute on the charging ticket is used to identify the VPN character of the call.

Figure 2.14: Charging ticket


Two ways of constructing the charging tickets can be selected.
If the "DPNSS address for VPN" attribute of the "System>Other System Param>Facilities
Customization" object is validated, the DPNSS address will be used to fill in the calling party
number. If it is not validated, the calling party number will be used.
For detailed information on the integrated charging application, see module Internal
accounting - Overview.

2.7 Charging ticket


The charging ticket is printed in real-time by the integrated charging application and has the
following format:
1 2 3 4 5 6 7 8 9 A B
C D E F G H I J K L

1 = Subscriber       C = Transfer source
2 = Name             D = Trunk
3 = Code             E = Called/caller number
4 = Date             F = Time
5 = Service          G = Duration
6 = Cost center      H = Charge units
7 = Attendant        I = Business number index
8 = Trunk group      J = Business
9 = Trunk address    K = Network Service
A = Subscriber       L = Type of call
B = Quality

To recognise a call using VPN overflow, analyze the Network Service attribute (K).
Network Service

This attribute is used to know the network services used during the call. It comprises six fields:
Field   Meaning          Value
V       VPN              I: ISVPN   V: VPN
S       ARS              S: ARS
A       Abbrev.          C: central   I: individual
T       Charge unit      D: during   E: end   S: start
M       Mini Messaging   M: mini mess.
R       Forwarding       B: busy   R: no reply   U: unconditional

If the service is not used for the call, the corresponding field is left blank.
Therefore, if the VPN overflow has been implemented for the call, the V field in the network
service attribute will contain the letter V.
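
The check described above can be automated when charging tickets are collected for usage monitoring. The Python below is an added example, not part of the Alcatel documentation: it assumes the Network Service attribute arrives as a string of up to six characters, one position per field in the order V, S, A, T, M, R, with a space for an unused field. The dictionary keys and the sample tickets are constructed.

```python
from collections import defaultdict

# (field letter, meaning, allowed values), in the order of the table above.
FIELDS = (
    ("V", "VPN", {"I": "ISVPN", "V": "VPN"}),
    ("S", "ARS", {"S": "ARS"}),
    ("A", "Abbrev.", {"C": "central", "I": "individual"}),
    ("T", "Charge unit", {"D": "during", "E": "end", "S": "start"}),
    ("M", "Mini Messaging", {"M": "mini mess."}),
    ("R", "Forwarding", {"B": "busy", "R": "no reply", "U": "unconditional"}),
)


def decode_network_service(attr):
    """Decode the attribute into {field letter: value}; blank fields are omitted."""
    if len(attr) > len(FIELDS):
        raise ValueError(f"expected at most {len(FIELDS)} characters, got {len(attr)}")
    decoded = {}
    # Trailing blanks may have been trimmed by the collector, so pad to six positions.
    for (field, meaning, values), char in zip(FIELDS, attr.ljust(len(FIELDS))):
        if char == " ":
            continue                       # service not used for this call
        if char not in values:
            raise ValueError(f"field {field} ({meaning}): unexpected value {char!r}")
        decoded[field] = values[char]
    return decoded


def uses_vpn_overflow(attr):
    """True when field V holds the letter V; ISVPN (letter I) does not count."""
    return decode_network_service(attr).get("V") == "VPN"


def vpn_overflow_usage(tickets):
    """Return (usage per subscriber for VPN overflow calls, undecodable tickets)."""
    usage = defaultdict(lambda: {"calls": 0, "charge_units": 0})
    rejected = []
    for ticket in tickets:
        try:
            overflow = uses_vpn_overflow(ticket["network_service"])
        except ValueError as exc:
            rejected.append((ticket, str(exc)))   # keep malformed tickets for review
            continue
        if overflow:
            usage[ticket["subscriber"]]["calls"] += 1
            usage[ticket["subscriber"]]["charge_units"] += ticket["charge_units"]
    return dict(usage), rejected


# Constructed tickets: subscriber (field 1), charge units (H), network service (K).
TICKETS = [
    {"subscriber": "3101", "charge_units": 4, "network_service": "V     "},
    {"subscriber": "3101", "charge_units": 2, "network_service": "VS D  "},
    {"subscriber": "3102", "charge_units": 7, "network_service": " S    "},
    {"subscriber": "3102", "charge_units": 1, "network_service": "I    U"},
    {"subscriber": "3103", "charge_units": 9, "network_service": "V"},
    {"subscriber": "3104", "charge_units": 3, "network_service": "X     "},
]

if __name__ == "__main__":
    usage, rejected = vpn_overflow_usage(TICKETS)
    for subscriber, totals in sorted(usage.items()):
        print(subscriber, totals)
    for ticket, reason in rejected:
        print("rejected:", ticket["subscriber"], reason)
```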

3 Configuration procedure

3.1 General
VPN overflow management includes the following actions:
- declaration of the VPN timer,
- VPN hop declaration, used to take into account VPN links by the routing application,
- declaration of the trunk groups,
- VPN number declaration, a small quantity of numbers must be reserved in the local
numbering plan to route the calls that are overflowing,
- management of service access authorizations,
- validation of the VPN service.
When the service has been correctly configured, it must then be authorized on the node.
Note: For the particular case of voice on IP, see module ABC link through IP - Overview

3.2 Software protection


The "VPN Overflow" function is protected by a software lock.
The locks must be positioned on each node that performs the VPN overflow; lock #080
(ABCVPN) always takes the image of lock #019 (ABC).
Note: lock #0.19 (Corporate Networking (ABC, ABCVPN, ISVPN)) is used to interconnect several Call
Servers using the ABC protocol, whatever the infrastructure (leased line, IP, switched network...). This
license replaces the old ABC, ABCVPN, ISVPN licenses.

Figure 3.1: Charging ticket


Therefore only nodes N3 and N4 require a lock.

3.3 Declaration of the VPN timeout


This timer indicates the delay accepted between the ABC-F call and its overflow call to the
destination node by the VPN hop.


Object name: System > Timers
Attributes:
Timeout No.  : 199.
Timer units  : 300 (i.e. 30s).

3.4 Declaration of VPN hops


A VPN hop is a path in an external network linking two ABC nodes, through which the voice
part of a private communication transits. The VPN hops must be declared in all the network
nodes that have access to the ABC-VPN service. The broadcast mechanism updates this table
in the network.
Object name: Inter-Nodes Links > VPN Overflow
Attributes:
Node X - Node Y               : Enter the numbers of the VPN hop extremity nodes, starting
                                with the smallest (X<Y),
Network 1                     : Enter the node X adjacent network number. This number
                                must be included in the trunk group data,
Network 2                     : Enter the node Y adjacent network number. This number
                                must be included in the trunk group data,
VPN hop cost                  : Enter the average cost in VPN hop units, between 1 and
                                254. This is used for call barring. For example, if the cost is
                                set at 3 and the set making the call is only authorized to use
                                routes with a cost below or equal to 2, then the VPN overflow
                                will not take place,
Mandatory VPN hop quality 0   : used to inhibit cost control for the VPN hop.
                                The cost of the VPN hop will not be taken into account in the
                                global cost calculation (sum of the costs of the segments
                                making up the route) of the route for a data call (quality 0).
                                For example, in the case of a logical link without B channels,
                                case of connection of a low traffic node, this parameter must
                                be yes since the user has no other possibility for reaching
                                the ABC network except by using the VPN overflow.
Mandatory VPN hop quality 1   : same as above for a voice call (quality 1).
IP compression type           : Select "Default", except in case of a VPN overflow used for
                                voice on IP.
Maximum number of IP calls    : Used for VPN overflow on IP trunk group.
                                Enter the maximum number of calls allowed on the IP trunk
                                group.
                                Default value: -1 (no check).
Maximum number of other calls : Used for VPN overflow on a non IP trunk group.
                                Enter the maximum number of calls allowed on the trunk
                                group.
                                Default value: -1 (no check).

3.5 Declaring the trunk groups


To access the external network, the VPN calls use trunk groups. As a rule, in an installation,
the same trunk group is used for public access and VPN access. When a public trunk group is
likely to send VPN calls, you must:
- have it taken into account by the routing application,
- limit the occupation level by VPN overflow in order to maintain sufficient service quality for
the external accesses.
The trunk group which carries out the VPN overflow may be of any type or any variant.
Object name: Trunk Groups > Trunk Group
Attributes:
VPN TS %                        : indicate (percentage) the trunk group B channel occupation
                                  limit granted to the ABC-VPN service.
VPN Cost Limit for Incom. Calls : Set the VPN cost threshold to be assigned to incoming calls
                                  by this trunk group:
                                  -1 : indicates that the set is never authorized to make a VPN
                                  call.
                                  0 : indicates that the set can only use VPN uncontrolled hops
                                  (case of connection of a low traffic node).
Supervised by Routing           : Yes, used to have the resource taken into account by the
                                  routing application.

During a call establishment on the public network, the usual procedure implies that there is a
connection followed by data exchange on the B channel. To call certain subscribers or
services, information may be sent in the B channel before the "connection" message. This is
the case of the "Minitel" in France. This procedure offers the advantage of delaying the start of
charging, since it begins as soon as the "connection" message has been sent.
In this case, and when there is a VPN overflow to reach the trunk group providing access to
these types of service, the VPN hop must be connected immediately. In this way, the
originating node can listen to the B channel.
Object name: Trunk Groups > Trunk Group
Attributes:
Immediat Trk Listening if VPN hop : Yes, used to connect the VPN hop immediately
                                    when the trunk group sends information on the B
                                    channel before the "connection" message.
IP compression type               : Select "Default", except in case of a VPN
                                    overflow used for voice on IP.

Figure 3.2: Example of a Minitel type service

3.6 Declaring VPN numbers


The VPN numbers are used during the VPN call establishment phase (voice part of an ABC
communication) and are re-used subsequently. The local VPN numbers are declared on the
PCX that receives the VPN calls. These same numbers are declared remote VPN numbers on
the PCXs likely to send a VPN call to the previous PCX.

3.6.1 Declaring local VPN numbers


On each node which may receive VPN calls, local VPN numbers must be declared. These
numbers are declared as prefixes in the numbering plan and are linked to a Numbering Plan
Descriptor (NPD) (see module Numbering conversion - Basic description ). The administrator
is responsible for evaluating the quantity of VPN numbers required.
However, to determine how many numbers are needed, it is possible to use an empirical
method based on incident n°4102 message monitoring (lack of VPN resource) which informs
the administrator of a missing VPN number.
Object name: Translator > Prefix Plan
Attributes:
Number : Enter the local VPN number in the local numbering plan.
Prefix Meaning : VPN overflow.
Prefix Information : Enter the number of the NPD descriptor to which the VPN number
belongs.
VPN Type : Select "Local (NPD No.)" for the management of a local VPN
overflow.

The DPN associated with the VPN number must be described and its Installation Number
(NDI) and Additional installation number entered.
The installation number (NDI) is carried in the signaling at the same time as the local VPN
number and, if no route list has been declared on the node which initiated the VPN call, it is
used to construct the numbering sequence that is dialed to establish the VPN hop.
The NDI is generated and inserted systematically by the ISDN in the call establishment
message if the subscriber has not used the secret identity. It corresponds to the directory
number of the user installation from which the ISDN connection request was sent. This is a
number from the ISDN numbering plan.
The additional installation number is used in the event of an inverse DDI translation failure. The
complete ISDN number is obtained by adding the number to the installation number (NDI).
Object name: Translator > External Numbering Scheme > Numbering Plan Description
Attributes:
Name : Give a name to the NPD.
Install. number source : Select "NPD source" as the installation number
source, i.e. this NPD (NPD: Numbering Plan
Descriptor = DPN : Numbering Plan Descriptor).

Installation number : Give the installation number, i.e. the root of the
installation's DDI number. This parameter appears only
if "Install number source = NPD source."
Default number source : Select the source of the default number or the
additional installation number; the entity, NPD or No
default number.
Default number (num. inst. sup.) : Give an additional installation number, i.e. the number
of an accessible SDA set (e.g.: Attendant). This
parameter only appears if "Default number = NPD
source".

If necessary, complete the "Installation No (ISDN)" and "Num. inst. sup (ISDN)" parameters in
the Entities object.

3.6.2 Declaring remote VPN numbers


The broadcasting mechanism will declare the local VPN number created previously as the
remote VPN number on all the other nodes in the VPN. The automatic declaration is valid if
the numbering plan between the nodes is homogeneous.
- In this case, there is no need to call an ARS routing list.
- Otherwise, or if the automatic declaration does not take place, this must be done manually.
Object name: Translator > Prefix Plan
Attributes:
Number : enter the VPN number.
Prefix Meaning : VPN overflow.
Prefix Information : Where necessary, enter the number of an ARS routing list.
If the numbering plan between the nodes is homogeneous, there is
no need for a routing list. In this case, the value -1 indicates that there
is no ARS routing list.
VPN Type : Select "Remote (Route list No.)" for the remote VPN overflow
management.

Without routing table


In the case of remote VPN numbers declared without a routing list (case of a homogeneous
numbering plan between the nodes), the number to dial to reach the remote PCX is inferred
from the IDN received by the ABC signalling. You then have to complete the external call-back
translator. The latter adapts the number received from the NDI of the entity for a
subsequent call-back. This operation is required when the two PCXs in the VPN hop are in
different telecommunications zones and the number received differs from the numbering
sequence to be dialled on the PCX that initiated the VPN call.
Object name: Translator > External Numbering Scheme > Ext.Callback Translation
Attributes:
Basic Number : Enter the zone code: the first digit(s) of the number
received identify the call origin zone.
Nb. Digits To Be Removed : This number corresponds to the difference between the
remote directory number and the number to dial to reach
it.
Digits To Add : Indicate the numbering sequence to add, trunk group
seize prefix, inter-zone or international prefix.

With routing table


Where necessary, the ARS routing list indicates the trunk group to seize and how to modify the
numbering sequence. On reception of the local VPN number following a VPN number request,
the node checks that the number received is indeed known in its numbering plan and if it has
an associated ARS routing list, it carries out the numbering on the trunk group defined in the
list and applies the routing list numbering recommendations. Several routes can be declared. If
the first one fails, an attempt is made on the second route, and so on until the last. As a last
resort, the mechanism without routing list will be used.
Object name: Translator > Automatic Route Selection > ARS route list > ARS route
Attributes:
Table No. : Indicate the number of a table which is not used by
the ARS service (do not use table number 0 as it
concerns private routing in ARS).
Route : Indicate a value between 1 and 10.
Name : Enter a route name.
Trunk Group : Indicate the number of the trunk group to be used
to access the public network. The trunk group may
be of any digital or analog type. The specified trunk
group must be local to the outgoing node of the
VPN hop.
Dialing Command Tabl. Id : Not used in VPN (0).
Nb. Digits To Be Removed : Enter the number of characters to be deleted,
starting from the beginning of the numbering, to
adapt the dialling. Between 0 and 20 (0 by default).
Digits To Add : Enter the characters to insert in order to adapt the
numbering. The number contained in this field is
inserted before the number received. Up to 20
characters (0 - 9, A - D, * and #) may be entered.
Values A-D are only validated for an internal route.
This field is empty by default.
VPN Cost Limit : This parameter is not used directly by VPN. It is
used in ARS to determine the maximum cost which
may be used where necessary to make a VPN call
(by default 0).
Protocol Type : Depends on the type of trunk group.
NPD identifier : 11.
Type : Public.
Quality : Speech.
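
The route attributes and the route-by-route fallback described above can be checked offline before they are entered on the node. The following Python sketch is an added example, not part of the Alcatel documentation: the names ArsRoute, check_route, translate, select_route and seize_ok are hypothetical, route 1 uses the values of the manual's own configuration example for node B, and route 2 (trunk group 22) is constructed.

```python
import re
from typing import NamedTuple

# "Digits To Add": up to 20 characters from 0-9, A-D, * and #.
DIGITS_TO_ADD = re.compile(r"[0-9A-D*#]{0,20}")


class ArsRoute(NamedTuple):
    route: int             # "Route": 1 to 10, tried in ascending order
    trunk_group: int       # trunk group local to the outgoing node
    digits_to_remove: int  # "Nb. Digits To Be Removed": 0 to 20
    digits_to_add: str     # "Digits To Add", inserted before the number
    public: bool = True    # "Type : Public", as in the attribute list


def check_route(r):
    """Return the list of attribute errors found in one ARS route."""
    errors = []
    if not 1 <= r.route <= 10:
        errors.append("Route must be between 1 and 10")
    if not 0 <= r.digits_to_remove <= 20:
        errors.append("Nb. Digits To Be Removed must be between 0 and 20")
    if not DIGITS_TO_ADD.fullmatch(r.digits_to_add):
        errors.append("Digits To Add: max 20 characters from 0-9, A-D, *, #")
    elif r.public and re.search("[A-D]", r.digits_to_add):
        errors.append("Digits To Add: A-D only valid on an internal route")
    return errors


def translate(vpn_number, r):
    """Delete the leading characters, then insert the added digits in front."""
    return r.digits_to_add + vpn_number[r.digits_to_remove:]


def select_route(vpn_number, routes, seize_ok):
    """Try each route in order. seize_ok(trunk_group) is a hypothetical
    callback telling whether the attempt on that trunk group succeeds.
    Returns (trunk_group, dialed_number), or None when every route has
    failed and the method without routing list has to be used."""
    for r in sorted(routes, key=lambda x: x.route):
        if seize_ok(r.trunk_group):
            return r.trunk_group, translate(vpn_number, r)
    return None


# Route 1: values of the manual's node B example. Route 2: constructed.
ROUTES = [
    ArsRoute(route=1, trunk_group=21, digits_to_remove=1, digits_to_add="0155674"),
    ArsRoute(route=2, trunk_group=22, digits_to_remove=1, digits_to_add="0155674"),
]

if __name__ == "__main__":
    for r in ROUTES:
        print(r.route, check_route(r) or "ok", translate("0009", r))
    print(select_route("0009", ROUTES, lambda tg: tg != 21))  # trunk group 21 fails
    print(select_route("0009", ROUTES, lambda tg: False))     # every route fails
```

A route that fails check_route should be corrected before the VPN service is validated, since a wrong numbering sequence only shows up later as an aborted VPN call.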

3.7 Managing the service access

3.7.1 For the user


The ABC-VPN service can be authorized or not for a set according to its rights. A VPN cost
limit defined in the categories is used to specify the rights of the set.
Object name: Categories > Access Category
Attributes:
Public Network : Enter a value between 1 and 31
Category

VPN Cost Limit


Night / Day / : Enter the cost value of a VPN route up to which the set is authorized
Mode1 / Mode2 to use this route. This value is between - 1 and 254.
-1 : indicates that the set is never authorized to make a VPN call
0 : indicates that the set can only use VPN uncontrolled hops (case of
connection of a low traffic node).

Object name: Categories > Access Category > Public Access Category
Attributes:
Public Network : Enter a value between 1 and 31.
Category
Area Number : Choose an area number between 1 and 64.
External accesses

Night / Day / : 1 : indicates that the set can use VPN hops,
Mode1 / Mode2 0 : Indicates that the set cannot use VPN hops.

3.7.2 For an incoming trunk group


Access to the ABC-VPN service for an incoming call by a trunk group, and subsequently
requiring a VPN call for its routing in the network, is subject to the same cost control as the
sets. The limit is fixed in the same way for all the calls arriving via this trunk group in the trunk
group data.
Object name: Trunk Groups > Trunk Group
Attributes:
VPN Cost Limit for Incom. Calls : Enter the cost value of a VPN route up to which
the incoming call is authorized to use this route.
This value is between - 1 and 254.
-1 : indicates that the call is never authorized to
make a VPN call.
0 : indicates that the call can only use VPN
uncontrolled hops (case of connection of a low
traffic node).

3.8 Validating the VPN service


The VPN service is only operational when all the previous declarations have been made for all
the nodes concerned. To avoid partial implementation of the service when all the declarations
have not been completed, a parameter is used to inhibit the service globally at node level.
Thus, VPN overflow implementation includes two phases:
- declaration and parameter setting of the services on the ABC network nodes,
- authorization of the service on the nodes.
Object name: System > Other System Param.
Attributes:
VPN service : True.

4     

4.1 Description

Figure 4.1: VPN overflow in a homogeneous ABC network


In this example, the three nodes are seeking to be reached by VPN overflow. The numbering
on node A is 0XXX, on node B 1XXX and on node C 2XXXX. The two trunk groups 12 and 21
are defined by their PCX address as shown on the figure.
Declaration of the Trunk Groups
Declaration of trunk group 12            | Declaration of trunk group 21
VPN TS %: 50                             | VPN TS %: 50
VPN Cost Limit for Incom.Calls: 100      | VPN Cost Limit for Incom.Calls: 100
Supervised by Routing: Yes               | Supervised by Routing: Yes
Immediat Trk Listening For VPN Call: Yes | Immediat Trk Listening For VPN Call: Yes
Remote network: 10                       | Adjacent network: 10

The hop must be declared between two nodes which have incoming and outgoing access to
an external network. These hops must be declared in all the nodes of the sub-network where
the VPN hop is possible. The broadcast mechanism will update all the databases with this
table.
Declaration of VPN hops
Node X - Node Y: 1-2
Network 1: 10
Network 2: 10
VPN hop cost: 5
VPN hop mandatory quality 0: False
VPN hop mandatory quality 1: False
Max. number of IP calls: -1
Max. number of other calls: -1

In order to define the VPN number, you must select the method, either with or without routing.
The method with routing uses the ARS functions to select the outgoing overflow trunk group. In
the event of a fault, it is used to go to the next route, and therefore to another trunk group.
The method without routing directly gives the number to be called in the local node.
The selection of the method with routing also uses the method without routing. In fact, the
method without routing is always the last possibility when all the routes have failed.
The following operation describes a VPN hop from node B to node A.
Configuration of VPN numbers
Declaration of the local VPN number: Node A | Declaration of the remote VPN number: Node B
Number: 0009                                | Number: 0009
Prefix meaning: VPN Overflow                | Prefix meaning: VPN Overflow
Prefix information: 11 *                    | Prefix information: 1 (Route list)
VPN type: Local (NPD No.)                   | VPN type: Remote (Route list No.)

* the NPD number


NPD
NPD No.: 11
Installation No (ISDN): 015567
Supplement.Install.No (ISDN): ---
Source Install. source NPD

Remote VPN - Without route list: Object Ext. Callback Translation


Basic number: 1
Nb.Digits To Remove: 00. "0" is the prefix of the trunk group associated with trunk group X but
the trunk group used for the overflow is selected by the routing application (depending on the
VPN configuration). It may therefore select a trunk group other than X.
Digits To Add: 00. The overflow operates even if "00" is an abbreviated number.
Remote VPN - With route list: Object ARS Route List > ARS Route
Table No.: 1
Route: 1
Trunk Group: 21 (trunk group for output to node A)
Nb.Digits To Remove: 1 (0009 -> 009)
Digits To Add: 0155674 (009 -> 0155674009)
VPN Cost Limit: 0

In this case, transcoding must be provided on the incoming trunk group (12 on node A).
The public NPD of trunk group 12 must give a DDI number for the called party and 4009 must
be converted into 0009 in the DDI translator.

5    

5.1 Incidents
If the VPN service operates abnormally, incidents are output. These incidents are
used to diagnose the operation of the VPN service.
Incident 4099: B channel choice error
This incident occurs during an attempt to establish a call by the ABC-F trunk if the remote
node rejects the proposed B channel. In normal operation, this incident should not occur since
the same number of B channels must be declared at each end of the link.
Three parameters are given:
- the number of the B channel that has been refused, used to verify link management,
- the number of the link, used to identify the remote node,
- the call direction (incoming or outgoing).
If this incident occurs, there is a problem in B channel management. The problem must be
resolved before implementing VPN overflow.
Incident 4100: Inconsistency of VPN node list
This incident indicates an incompatibility between the call to be established and the path
returned by the routing application. One parameter is given:
- the number of the remote node.
If this incident occurs, you must identify the operation which is concerned.
Incident 4101: Maximum number of trunks on an access is overflown
This incident is output if the number of equipments accessing the resources (B channels) is
greater than the number of resources.
If this incident occurs, it means that the link is under-configured. It can occur even if VPN
overflow is not authorised on the system.
Incident 4102: Lack of VPN resources
VPN numbers are required for call establishment in VPN overflow. They are used from the
moment when the terminating node assigns this number to the originating node, up to the
moment of correlation (used to link the ABC signalling to the public network B channel) in the
terminating node. Call establishment can be of varying length depending on the overflow
medium (analog, ISDN, PCM, etc.).
This incident occurs if all the VPN numbers are being used when a VPN overflow occurs.
Three parameters are given:
- the value of the VPN service authorisation parameter on the node,
- the number of local VPN numbers declared on the node,
- the number of local VPN numbers being used on the node when the incident occurs. This
must be equal to the previous parameter, conditioning the incident.
If this incident occurs, check that VPN overflow is authorised on the node and increase the
number of VPN numbers.

Incident 4103: Incoming VPN call aborted
During the establishment of an ABC-F call (voice part of the call), an ABC-F trunk on the
remote node camps-on wait on a B channel coming from the local node ABC-F trunk. Incident
4103 is output (on the remote node) if, for any reason, the local trunk B channel does not
reach the remote trunk. These reasons can include: lack of ISDN resources in the incoming
trunk group, incorrect numbering, etc.
Three parameters are given:
- the local VPN number supplied for VPN overflow when the incident occurs,
- the number of the VPN overflow originating node,
- the number of the VPN overflow originating sub-network.
If this incident occurs, check the declaration of the remote VPN numbers and any associated
routing lists.
Incident 4104: Outgoing VPN overflow call aborted
This incident indicates that the outgoing VPN call could not be connected for a reason that has
not been determined. Possible reasons include: incorrect management of remote VPN
numbers or routing lists which are associated with these numbers.
Two parameters are given:
- the reason provided by the public network (if ISDN),
- the public number dialled by the node where the VPN overflow originated.
If this incident occurs, check that the numbering dialled does in fact correspond to the remote
node.
Incident 4105: VPN overflow called failed because of VPN overflow time-slots missing
The number of simultaneous VPN calls for a given trunk group is limited by a management
parameter. A counter indicates for each trunk group the occupation of the time slots. This
counter is shared by the routing application and the telephone application.
Parameters given:
- incoming call
- the number of the trunk group
- 0: indicates an incoming call
- outgoing call
- 1: indicates an outgoing call
If this incident occurs too often, check the configuration.
Incident 4108: VPN calling node receives VPN error
This incident appears on the calling VPN node. The node calls the routing application and
decides to carry out a VPN call due to saturation.
When a VPN call fails, and if the routing application accepts it, the node receives a VPN error
value. This value is presented along with a certain number of other parameters of this incident.
Therefore, this incident may appear at the same time as those previously presented.
The default values encountered are the following:
140 : Incident 4102 must appear on the node concerned,
141 : Check the MAO configuration on all the nodes,
143 : Impossible to obtain a conforming VPN overflow call. This may be due to a
configuration problem (ARS route list/Timer, etc.) or traffic.
144 : The incoming overflow call may not arrive. Check the MAO configuration on both nodes
(timer on the incoming node(s), and the same checks as for 143 on the outgoing node(s)).
145 : Check the timer on the incoming node(s).
There is a letter: N (for DDI number) or L (for the list of nodes) after the error value, indicating
at which stage the call failed.
Then the list of nodes or VPN call is indicated. You may then check on these nodes if another
VPN incident was detected at the same time or if their configuration is correct.
Finally, the equipment number is indicated.
Example: 4108 = failed VPN call: err 143L NL 3 > 10- 7 eqt 297
Incident 4123 : Nber of IP calls reached on hop P1-P2 count=P3 - max=P4
This incident is transmitted when the maximum number of IP calls on the VPN hop between
two nodes (P1-P2) has been reached.
P4 gives the maximum value configured for this VPN overflow.
P3 gives the call counter value for this VPN overflow (which, at this time, is equal to the max.
value configured).
Incident 4124 : Nber of non IP calls reached on hop P1-P2 count=P3 - max=P4
This incident is transmitted when the maximum number of non IP calls on the VPN hop
between nodes P1-P2 has been reached.
P4 gives the maximum value configured for this VPN overflow.
P3 gives the call counter value for this VPN overflow (which, at this time, is equal to the max.
value configured).
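
When incident output is collected from several nodes, the 4108, 4123 and 4124 messages can be decoded and counted automatically. The following Python sketch is an added example, not part of the Alcatel documentation: the function names are hypothetical, the first sample line is the manual's own 4108 example, and the other sample lines are constructed from the message templates above, with the "4123 = " and "4124 = " prefixes assumed by analogy with the 4108 example.

```python
import re
from collections import Counter

# Error values and checks as listed in the manual for incident 4108.
ERR_4108 = {
    140: "incident 4102 (lack of VPN resources) must appear on the node concerned",
    141: "check the MAO configuration on all the nodes",
    143: "no conforming VPN overflow call: check ARS route list, timers, traffic",
    144: "incoming overflow call may not arrive: check MAO configuration on both nodes",
    145: "check the timer on the incoming node(s)",
}
STAGE = {"N": "DDI number", "L": "list of nodes"}  # letter after the error value

RE_4108 = re.compile(
    r"failed VPN call:\s*err\s+(\d+)([NL])\s+(.*?)\s*eqt\s+(\d+)")
RE_LIMIT = re.compile(
    r"Nber of (non IP|IP) calls reached on hop (\d+)-(\d+) count=(\d+) - max=(\d+)")


def parse_incident(line):
    """Return a dict describing a 4108, 4123 or 4124 incident, else None."""
    m = RE_4108.search(line)
    if m:
        code = int(m.group(1))
        return {
            "incident": 4108,
            "error": code,
            "stage": STAGE[m.group(2)],
            "nodes": m.group(3),           # node list kept verbatim
            "equipment": int(m.group(4)),
            "check": ERR_4108.get(code, "error value not listed in the manual"),
        }
    m = RE_LIMIT.search(line)
    if m:
        return {
            "incident": 4124 if m.group(1) == "non IP" else 4123,
            "hop": (int(m.group(2)), int(m.group(3))),
            "count": int(m.group(4)),
            "max": int(m.group(5)),
        }
    return None


def summarize(lines):
    """Count 4108 error values and call-limit incidents per VPN hop."""
    errors, hops = Counter(), Counter()
    for line in lines:
        inc = parse_incident(line)
        if inc is None:
            continue                       # not one of the three incidents
        if inc["incident"] == 4108:
            errors[inc["error"]] += 1
        else:
            hops[(inc["incident"], inc["hop"])] += 1
    return {"errors": errors, "hops": hops}


SAMPLE = [
    "4108 = failed VPN call: err 143L NL 3 > 10- 7 eqt 297",             # manual's example
    "4108 = failed VPN call: err 140N NL 3 > 10- 7 eqt 301",             # constructed
    "4123 = Nber of IP calls reached on hop 1-2 count=30 - max=30",      # constructed
    "4124 = Nber of non IP calls reached on hop 1-2 count=12 - max=12",  # constructed
    "4123 = Nber of IP calls reached on hop 1-2 count=30 - max=30",      # constructed
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_incident(line))
    print(summarize(SAMPLE))
```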

5.2 The LOOKVPN command


The lookvpn command is used to check the declaration of the VPN service on the node where
it is run. It is used to:
- display the local VPN configuration (as of R3),
- display information concerning the local VPN numbers,
- display the VPN configuration of a user,
- display the VPN cost thresholds per public network access category,
- display the entire VPN service configuration on the node.

5.2.1 Local VPN configuration


To display the local VPN configuration, enter the command: lookvpn -config.

5.2.2 Local VPN numbers


To display the information concerning a local VPN number, enter the command: lookvpn -l
<VPN NO. index>.
(3)bsbmrp03> lookvpn -l 0
Table of vpn numbers for the local node

To display all the local VPN numbers, enter the command: lookvpn -l all.

5.2.3 User configuration


To display a user's VPN configuration, enter the command: lookvpn -user .
(3)bsbmrp03> lookvpn -user 33000
SET : pub.cat = 2, entity_num = 3, state = 0 => limit_cost = 250

5.2.4 VPN cost thresholds per category


To display the VPN cost thresholds per public network access category, enter the command:
lookvpn -categ.
(3)bsbmrp03> lookvpn -categ

5.2.5 VPN service configuration


To display the entire configuration of the VPN service on the node, enter the command:
lookvpn -test.
(3)bsbmrp03> lookvpn -test

5.2.6 VPN call counter


   gives, for all VPN hops declared on the node, the current value of the call
counter and the max. number of calls allowed.
    2  5 gives, for the VPN hop between nodes 1 and 2, the current
value of the call counter and the max. number of calls allowed.
  
!)  2  5 resets the IP call counter to 0.
  
C%<  2  5 resets the non IP call counter to 0.
Caution: The last two commands should be used with care as they may result in the threshold
being exceeded if the counter is reset to 0 while VPN calls were in progress.