Audio-over-IP Network Design
A Crestron DM NAX® audio-over-IP (AoIP) digital audio distribution system routes and manages local audio sources as well as cloud-based streaming services over standard gigabit Ethernet infrastructure. The DM NAX AoIP platform is based on AES67 standards, and is interoperable with third-party AES67 devices for added flexibility and scalability. DM NAX AoIP network traffic is multicast by design, so careful and thorough network design is critical to a successful deployment. For a proper installation of a DM NAX AoIP audio distribution system, refer to the best practices that follow.
NOTE: Additional content pertaining to systems with DM NVX® AV-over-IP traffic is available in the DM NVX AV-over-IP System Design Guide.
Minimum Network Requirements
Several network switch hardware and firmware features are required in order for an install to successfully support DM NAX AoIP.
- Required network switch features and settings:
  - 1 Gbps port for each connected DM NAX endpoint
  - Non-blocking backplane
  - Layer 3
  - IGMPv2 snooping
  - IGMPv2 Querier
  - Fast-Leave (also known as immediate leave)
- Recommended network switch settings:
  - Layer 3 packet prioritization (DSCP) for Quality of Service (QoS)
    NOTE: This should be considered a hard requirement for any systems with mixed DM NAX and DM NVX traffic.
- Inter-switch uplink requirements (if needed)
  - Must have sufficient bandwidth for all encoder and decoder traffic to be passed along the uplink (allocate 1 Gbps of traffic per device)
Network Design Overview
DM NAX networks should be designed to isolate traffic on network segments specifically configured to handle DM NAX AoIP and DM NVX A/V-over-IP (AVoIP) traffic. This can be accomplished by using separate infrastructure or Virtual Local Area Networks (VLANs). DM NAX network segments may carry DM NAX multicast streams, DM NAX control, and/or other ancillary traffic.
NOTE: DM NAX devices do not support VLAN tagging, so only DM NAX devices with dual Ethernet ports can be used in conjunction with VLANs to fully isolate DM NAX AoIP traffic from other traffic types on a single network switch.
DM NAX devices with dual Ethernet ports can be configured to isolate network traffic so that one port is designated for control and media player traffic and the other port is designated for AoIP traffic.
- When this Port Isolation feature is enabled, connect the control and media player port to the same network segment as the control system. This port will also need Internet access in order to support network streaming services.
- Connect the AoIP port to the network segment that will handle AoIP and AVoIP streams, such as DM NAX audio, AES67 audio, or DM NVX AVoIP streams.
These segments can be handled via VLANs or physically separate switching hardware. If the AoIP traffic is relegated to separate network switches, only the AoIP network switches need to meet the Minimum Network Requirements listed above.
Networked AV devices other than DM NAX AoIP devices can be placed on the DM NAX AoIP network segment. The network bandwidth requirements will often be higher in this case, so ensure that the network hardware can support the bandwidth of both platforms. When AV devices such as DM NVX AVoIP endpoints are added to the network, it may be necessary to configure QoS settings such as DSCP priorities on the network switch. Refer to Quality of Service Configuration for further information.
A single DM NAX AoIP device can have several network addresses:
- One IP address is required for device control, web configuration, and console access.
- A discrete multicast address is required for each multicast stream transmitting from the device:
  - DM NAX devices will typically have a multicast transmit stream available for each local source and media player on the device, but may also have additional transmit streams called Parallel Zone Outputs that mirror the audio signal of the local outputs of the device. For example, the DM‑NAX‑8ZSA has 8 transmit streams for the local inputs, 8 transmit streams for the local media players, and 8 Parallel Zone Output streams, for a total of 24 DM NAX transmit streams, each of which will require its own multicast address. Be sure to account for all available transmit streams of each DM NAX device when allocating multicast address ranges for DM NAX devices.
  - During device configuration, the Commissioning function in the web user interface (UI) will automatically assign multicast addresses to the transmit streams in a specified address range. Alternatively, each transmit stream address can be assigned manually via the web UI or custom programming. Duplicate multicast addresses are not permissible, and will cause network collisions and unpredictable behavior at the receiving device. The Commissioning function prevents address duplication on a single DM NAX device, and Crestron Home® OS automatically manages multicast addressing on all DM NAX and DM NVX devices in a system to prevent duplicate addresses.
The DM NAX network segment must receive network services, including DNS, DHCP, Active Directory®, PTP, mDNS, and RADIUS services. Coordinate with IT staff to provide access to these services and to create the proper routes for the DM NAX network segment.
Multicast Network Traffic
DM NAX AoIP devices send and receive audio as multicast network traffic. This Internet Group Management Protocol (IGMP) multicast traffic replaces a fixed switching architecture to achieve AoIP audio distribution.
To implement DM NAX devices successfully, first segregate DM NAX traffic away from customer-facing networks with wireless access points and/or Internet access. This can be accomplished either via VLANs or physically‑separate switching hardware. In a network segment with multicast traffic, if traffic is not managed, all ports can be flooded by IGMP packets at any time, regardless of whether that traffic was intended to be received by the network device on that port. This leads to interference with network operation and can even be a means of implementing a denial‑of‑service attack on a network if done maliciously.
To ensure that only traffic between intended multicast senders and multicast receivers is present on a given port, IGMP Snooping must be supported and enabled on the network switch. IGMP Snooping is a feature that enables a network switch to limit multicast traffic only to ports between intended senders and receivers. DM NAX AoIP supports both versions of IGMP snooping: IGMPv2 and IGMPv3.
An IGMP Querier must also be available and enabled to ensure the network switch knows which ports should or should not receive multicast traffic. In a multiswitch topology, the switch with the lowest numerical IP address on the network is typically the default IGMP Querier. Only one IGMP Querier should be enabled and selected on a network. The default leave time for the IGMP Querier (typically 125 seconds) is sufficient for a DM NAX network.
Precision Time Protocol
Precision Time Protocol (PTP) is a clock synchronization protocol that keeps signal clocking aligned throughout a network. This is a crucial component of AoIP audio distribution, since it keeps audio synchronized and transmitting properly between networked audio devices in the system. Many interactions that are part of PTP are extremely time critical, and allow the protocol to achieve submicrosecond accuracy between networked clocks. This also makes PTP traffic extremely sensitive to high-bandwidth traffic if not managed properly.
PTP is multicast traffic, and needs to be able to reach all DM NAX or AES67-capable devices on a network in order to maintain clock synchronization. To keep units synchronized, a single clock in the system is designated as the PTP Leader Clock, and all other clocks in the system synchronize to that device's clock. This can be a DM NAX or AES67 AoIP device, or it can be a dedicated clock on the network. The leader clock assignment is decided based on a priority value associated with the clocks on the network:
- DM NAX devices have a default priority of 254, and can be elected as the leader clock only if all other devices on the network have a priority of 254 or 255.
- Any device with a priority value less than 254 would be assigned as the leader clock over a DM NAX device unless the DM NAX device was set to a lower value via the web UI. It is recommended to leave the clock priority value of DM NAX devices at its default value to allow a dedicated PTP clock on the network to be assigned as the leader.
Once a leader clock is selected, all other clocks on the network will be synchronized to that device. In the event that a leader clock becomes inaccessible, a new leader clock will be elected instantly. If network bandwidth becomes saturated and clock synchronization is compromised, noticeable drops in audio quality, broken routes, or audible distortions will occur. If these symptoms are occurring, enable QoS settings on the network switch to preserve consistent clock synchronization and good audio quality.
PTP packets also include a discrete Time To Live (TTL) value. TTL is a value which determines how many network router hops a given packet can traverse before it is discarded by the router. DM NAX PTP packets have a TTL value of 1, meaning the PTP traffic will not survive traversal through a router to another subnet. As a result, all DM NAX traffic must be relegated to a single subnet.
Quality of Service Configuration
Quality of Service (QoS) refers to a suite of features on network switches that are designed to preserve network traffic integrity in the event of compromising circumstances, such as bandwidth saturation. QoS is typically a mechanism of organizing different network traffic types hierarchically, so higher priority traffic has a better chance of being undisturbed by suboptimal network performance (at the expense of lower priority traffic). Configuring QoS can help ensure that time-critical events like PTP clock synchronization between AoIP devices do not fail, even as a network switch handles high utilization rates from surges in traffic bandwidth. Configuring QoS is necessary in VLANs that combine both DM NAX AoIP and DM NVX AVoIP traffic, since constant high-bandwidth traffic will be the standard for most ports on the VLAN.
DM NAX devices tag outgoing traffic with Differentiated Services Code Point (DSCP) headers as shown in the following table:
| Prioritization | Traffic Type | DSCP Value |
|---|---|---|
| Highest | Time-critical PTP events | CS7 (56) |
| ↓ | Remaining PTP traffic | CS6 (48) |
| ↓ | Audio | EF (46) |
| Lowest | Other | BestEffort (0) |
NOTES:
- DM NAX traffic is tagged with DSCP values, not 802.1P IP Precedence values.
- These DSCP values vary slightly from the AES67 standard so that DM NAX PTP and audio traffic can more easily be set to higher priorities than the values corresponding to DM NVX video traffic.
- VLAN tagging is not supported on DM NAX devices.
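One way to confirm that a switch preserves these markings, as an added example that is not Crestron code: the script reads the DSCP and TTL fields from raw IPv4/UDP headers and compares them with the table above and with the TTL of 1 stated for DM NAX PTP packets. UDP ports 319 and 320 are the standard PTP event and general ports; `AUDIO_PORT`, the sample addresses, and the `build` helper are assumptions made for the example.

```python
import socket
import struct

# DSCP values from the table above. UDP 319/320 are the standard PTP event and
# general ports; AUDIO_PORT is an assumption (a common RTP default), set it to
# the port your streams actually use.
PTP_EVENT_PORT, PTP_GENERAL_PORT, AUDIO_PORT = 319, 320, 5004
EXPECTED_DSCP = {"ptp-event": 56, "ptp-general": 48, "audio": 46}

def parse_ipv4_udp(pkt):
    """Return (dscp, ttl, dst_ip, dst_port) from a raw IPv4 packet carrying UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 17 or len(pkt) < ihl + 8:
        raise ValueError("not UDP, or truncated")
    dscp = pkt[1] >> 2                   # upper 6 bits of the DS/ToS byte
    dst_port = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return dscp, pkt[8], socket.inet_ntoa(pkt[16:20]), dst_port

def classify(dst_port):
    """Map a UDP destination port to one of the traffic types in the table."""
    return {PTP_EVENT_PORT: "ptp-event", PTP_GENERAL_PORT: "ptp-general",
            AUDIO_PORT: "audio"}.get(dst_port, "other")

def check(pkt):
    """Return findings for one captured packet; an empty list means it matches."""
    dscp, ttl, dst, port = parse_ipv4_udp(pkt)
    kind = classify(port)
    findings = []
    want = EXPECTED_DSCP.get(kind)       # "other" traffic is not checked
    if want is not None and dscp != want:
        findings.append(f"{kind} to {dst}:{port} has DSCP {dscp}, expected {want}")
    if kind.startswith("ptp") and ttl != 1:
        findings.append(f"{kind} to {dst}:{port} has TTL {ttl}, DM NAX PTP uses 1")
    return findings

def build(dscp, ttl, dst, dst_port):
    """Constructed sample: minimal IPv4 + UDP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, ttl, 17, 0,
                     socket.inet_aton("10.0.0.10"), socket.inet_aton(dst))
    return ip + struct.pack("!HHHH", 40000, dst_port, 8, 0)

# Constructed samples: two correctly marked packets and one PTP event whose
# DSCP was reset to 0 somewhere between sender and capture point.
SAMPLES = [
    build(56, 1, "224.0.1.129", 319),
    build(46, 16, "239.8.0.1", 5004),
    build(0, 1, "224.0.1.129", 319),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        for finding in check(pkt):
            print(finding)
```

Run it against IP-layer bytes captured on a decoder-side port: a PTP or audio packet that arrives with DSCP 0 indicates a switch or uplink that is not trusting or preserving the sender's marking.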
Mixed DM NAX and DM NVX Network Segment
With the potential for DM NVX, AES67, control, and USB traffic to be passing on individual switch connections in a mixed DM NAX and DM NVX VLAN, any given port may approach or exceed 80% utilization (assuming 1 Gbps ports), at which point QoS can prioritize time-critical PTP negotiations. This prevents leader clock status or synchronization from being interrupted during near network saturation. Without QoS configuration, as port utilization approaches the point of saturation, PTP may no longer remain synchronized and audio signals throughout the network may begin to falter, distort, or cut out completely. QoS cannot fabricate additional bandwidth for the network switch: in the event of true bandwidth saturation, QoS settings cannot guarantee the timely delivery of high‑priority traffic.
Network Topologies
The relationships between network switches and their interconnection define a network’s topology. In a topology with multiple interconnected switches, there are two classes of network switches: edge switches and core switches.
- Edge switches are connected via uplinks to other switches and routers, and typically have lower backplane bandwidth or processing power.
- Core switches are switches to which edge switch uplinks connect, aggregating and managing traffic from the network's edge. As such, core switches must have sufficient bandwidth and processing power to manage all network traffic from all connected switches.
Connect devices such as control processors, touch screens, servers, personal computing devices, and DM NAX endpoints directly to network switches. In a large network with multiple layers of switch hierarchy, connect these devices to edge switches.
The following general rules apply for determining nonblocking switch fabric bandwidth:
- The network core must support a fabric bandwidth and uplink speed equal to 1 Gbps multiplied by the lesser of the total number of anticipated encoder endpoints or the total number of anticipated decoder endpoints. DM NAX devices can act as both encoders and decoders simultaneously, while DM NVX devices may only operate as one or the other. Include any USB extenders in the endpoint count as well.
- The network edge must support a fabric bandwidth and uplink speed equal to 1 Gbps multiplied by the greater of the total number of anticipated encoder endpoints or the total number of anticipated decoder endpoints. Include any USB extenders in the endpoint count as well.
Star
The basic recommended network topology for a DM NAX system is the star topology. Using a fully nonblocking switch, star topology allows any combination of one or more endpoints to connect to any other combination of endpoints.
The network switch in a star topology must support a backplane bandwidth greater than or equal to 1 Gbps multiplied by the total number of anticipated transmitting endpoints or receiving endpoints, whichever is greater.
Star Topology Using a Nonblocking Network Switch
Tree
A tree network is a combination of more than one star network existing on a core switching infrastructure. The tree network allows for failure in one attached star network without widely affecting the others. Configure the network core switch for redundancy and scalability.
In a network with multiple layers of switch hierarchy, always connect DM NAX devices to edge switches. Network edge switches are connected via uplinks to other switches and routers that form the network's core. The core switch fabric and uplinks in a tree topology must support a bandwidth greater than or equal to 1 Gbps multiplied by the total number of anticipated endpoints that will transmit through the core switch.
Each edge switch in a tree topology must support a backplane bandwidth greater than or equal to 1 Gbps multiplied by the total number of anticipated transmitting endpoints or receiving endpoints local to that switch, whichever is greater.
Tree Topology Using Nonblocking Switches on a Core Network
Network Security
Security requires the support of particular capabilities within all devices on the network. DM NAX networks employ:
- 802.1X authentication to ensure that devices on the network have been authorized by the network administration team.
  - Unauthorized devices are prevented from being added to the network and from having access to sensitive content.
- Active Directory services for endpoint administration to ensure that administrative privileges for DM NAX devices can be centrally managed, granted, and revoked when necessary.
- SSL-based Secure Cresnet over IP (SCIP) for control to ensure that control processors and DM NAX devices communicate with the intended party device, and that any unauthorized device on the network cannot monitor commands or status.
- SSH-based command-line console access for device configuration and status to protect the device console from access by unauthorized users.
SCIP and SSH-based command-line console access are automatically configured within DM NAX devices and support software. Designs will need to facilitate 802.1X and Active Directory service support within the network.
For additional information about the secure deployment of Crestron products, refer to the IP Considerations Guidelines for the IT Professional Design Guide and Knowledge Article 5571.
Network Design Considerations
Adhere to these best practices when designing a DM NAX network:
- Use nonblocking Layer 3 switches with port-based QoS at all stages of the design:
  - Ensure sufficient switch fabric bandwidth and port speeds.
- Configure QoS to ensure prioritization of time-critical PTP clock traffic:
  - PTP events are tagged with DSCP values at DM NAX devices so PTP events can successfully pass on the network even at near saturation traffic levels, and clock synchronization is not interrupted between audio devices.
- Enable an IGMP Querier on at least one switch in the DM NAX network.
- Choose an appropriate network topology:
  - Consider the network, including basic functionality and redundancy, as well as whether additional features such as DM NVX video walls or repetitive display signage are necessary.
  - Ensure that network IT staff and network architects are involved in the decision.
- In multiswitch designs, choose switches with sufficient bandwidth at each segment from edge to core to ensure a fully non-blocking design.
  - Consult the network switch manufacturer's documentation to confirm that any uplinks are configured properly for multicast traffic.
  - Refer to Knowledge Article 2948 for further considerations when configuring Link Aggregation Groups (LAGs).
- Use Active Directory for network security:
  - Create an Active Directory group responsible for device administration.
  - Add device administrators to the group.
  - Add the group to the DM NAX device via the Device tab of the web UI.
- Use a DHCP server with link-layer filtering, and configure the IP addresses of endpoints using DHCP rather than static IP addressing.
  - Using a DHCP server with short lease times, MAC address filtering, and sufficient address space for future needs makes network management simpler.
- Enable IGMP Snooping on the network switch.
  - This is a requirement for all designs, and enables multicast traffic delivery to DM NAX endpoints. Without IGMP Snooping enabled, switches that receive a multicast stream will transmit that stream to all ports simultaneously, which may saturate all network links.
- Use Rapid Spanning Tree Protocol (RSTP) on the network to ensure that network loops are discoverable and to prevent deployment issues.
  - Network management should account for RSTP discovery downtime when changes are made to the network.
- Disable the IGMP proxy function on Crestron control systems on the network that have a built-in router to ensure that DM NAX multicast traffic does not interfere with the control processor.
  - Refer to Knowledge Article 1001644 for instructions on disabling the IGMP proxy function.
- Ensure that multicast IP addresses do not overlap and do not share multicast MAC addresses.
  - Overlapping addresses will cause network collisions and prevent successful operation of the DM NAX network.
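A planning check for the last item above and for the per-stream multicast addressing described earlier, as an added example that is not Crestron code. An IPv4 multicast address maps to an Ethernet MAC using only its low 23 bits, so 32 different IP addresses share each MAC; the script audits an address plan for duplicate IPs and shared MACs and allocates a block that avoids both. Device names and the 239.x addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

def multicast_mac(ip):
    """Ethernet MAC for an IPv4 multicast address (RFC 1112 mapping):
    01:00:5e plus the low 23 bits of the IP, so 32 IPs share each MAC."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def audit_plan(plan):
    """plan: iterable of (device, stream, ip). Returns (dup_ips, shared_macs):
    dup_ips maps an IP used more than once to its (device, stream) users;
    shared_macs maps a MAC to the distinct IPs that collapse onto it."""
    by_ip, by_mac = defaultdict(list), defaultdict(set)
    for device, stream, ip in plan:
        norm = str(ipaddress.IPv4Address(ip))
        by_ip[norm].append((device, stream))
        by_mac[multicast_mac(norm)].add(norm)
    dup_ips = {ip: users for ip, users in by_ip.items() if len(users) > 1}
    shared_macs = {mac: sorted(ips, key=ipaddress.IPv4Address)
                   for mac, ips in by_mac.items() if len(ips) > 1}
    return dup_ips, shared_macs

def allocate(start, count, in_use=()):
    """Return `count` addresses from `start` upward, skipping any address whose
    MAC is already taken by an address in `in_use` or by this allocation."""
    used_macs = {multicast_mac(ip) for ip in in_use}
    addr, out = ipaddress.IPv4Address(start), []
    while len(out) < count:
        if not addr.is_multicast:
            raise ValueError("ran out of multicast address space")
        mac = multicast_mac(addr)
        if mac not in used_macs:
            used_macs.add(mac)
            out.append(str(addr))
        addr += 1
    return out

# Constructed plan: one device with 24 transmit streams (the count given for
# the DM-NAX-8ZSA), plus two manually assigned streams that conflict with it.
SAMPLE_PLAN = [("NAX-A", n, ip) for n, ip in enumerate(allocate("239.8.0.1", 24), 1)]
SAMPLE_PLAN += [
    ("NAX-B", 1, "239.136.0.5"),  # different IP, same MAC as 239.8.0.5
    ("NAX-C", 1, "239.8.0.1"),    # duplicate of NAX-A stream 1
]

if __name__ == "__main__":
    dup_ips, shared_macs = audit_plan(SAMPLE_PLAN)
    for ip, users in dup_ips.items():
        print(f"duplicate IP {ip}: {users}")
    for mac, ips in shared_macs.items():
        print(f"shared MAC {mac}: {ips}")
```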
System Installation
The installation phase of DM NAX network deployment has its own set of best practices to ensure optimal performance and longevity.
Endpoint Installation
Each DM NAX endpoint has unique installation requirements that vary depending on:
- Quantity of RJ-45 connectors:
  - Single Ethernet port models cannot isolate AoIP and control traffic.
  - Dual Ethernet port models can either share all traffic between both ports or dedicate one port to AoIP traffic, segmenting the remaining traffic to the other port, via the Port Selection feature.
- Local I/O capabilities:
  - Some local I/O signal types require close proximity to the connected source or sink.
  - Some signal types, such as unbalanced line-level analog audio, are more susceptible to interference from other devices, especially from AC power lines.
  - Wireless communications such as Bluetooth audio may require unobstructed line-of-sight between transmitter and receiver for optimal performance.
- Amplification, form factor limitations, and channel count requirements.
- Versiport capabilities.
DM NAX devices with dual Ethernet ports can pass the control LAN through to a Crestron touch screen on the secondary Ethernet port when the Port Selection feature is disabled.
To minimize required maintenance on an installation:
- Avoid direct access to the endpoint by end users, as they can induce failures or create a security risk due to unauthorized network access.
- Use shielded or unshielded CAT5e (or greater) copper network cable that is properly terminated with an RJ-45 connector and tested for both continuity and throughput.
- Observe the minimum bend radius and maximum pull force of cables to maintain cable integrity.
- Use plenum rated cables in plenum spaces:
  - Fire rated conduit for any fiber or copper cabling used in plenum spaces is also suitable.
- Practice good cable dressing.
- Use descriptive names for endpoints, either through the web UI or Crestron Toolbox™ software; do not rely on default names or the Crestron IP ID.
- Physically secure the endpoint to a fixed point or rack to prevent movement over time.
- Thoroughly document the installation of endpoints, including diagrams, lists, and descriptions to provide detailed information for those who will maintain or upgrade the network.
Network Installation
The success of a DM NAX network installation varies depending on several factors of the physical install, including whether existing network infrastructure is being reused or the location of networking equipment relative to the DM NAX and DM NVX endpoints.
For optimal installation and maintenance of a DM NAX network, adhere to these best practices:
- Use or repurpose existing infrastructure where possible in DM NAX network installation.
- Practice physical security for the network:
  - Secure all network locations (MDF/CDF and IDF down to individual closets) from unauthorized access.
- Disable any unused ports on network switches.
- Use a structured cabling approach, such as those described in the TIA/EIA-568 standard:
  - Include keystones in jacks and patch panels, shielded or unshielded solid copper conductor cable not exceeding 295 ft (90 m), and patch cables not exceeding 33 ft (10 m) to connect between patch panels.
  - Use cable testers to verify the integrity of the installation and capacity for future expansion and backup.
- Use Crestron recommended switch configuration files when possible.
  - Refer to Knowledge Article 1000314 for network switch configuration files that have been shown to meet the minimum requirements for DM NVX deployments; not all of these files have been tested with mixed DM NAX and DM NVX environments. Contact Crestron True Blue Support to confirm if a network switch will support a mixed DM NAX and DM NVX environment.
  - Refer to Knowledge Article 2836 for instructions on configuring NETGEAR® AV network switches to use the built-in DM NAX and DM NVX profiles.
- Configure the routing of any external servers:
  - If non-dedicated DHCP, RADIUS, Active Directory, or other servers are used, ensure that these servers can reach the DM NAX network.
- Thoroughly document all DM NAX network hardware and configurations.