VoIP and VRFs
Does anyone know of any concerns, issues, problems, or hidden gotchas that have been experienced with creating a VRF for a VoIP network? What I would actually like to do is place everything (except the media gateways) in a VRF and firewall it. Thus only call signaling, management traffic, and any required database connectivity would have to pass through the firewall. Any thoughts, anyone?
Firewalling voice is always a headache. Unfortunately a lot of signaling protocols are proprietary like SCCP, and MGCP (not really). Or just change a lot, or not completely standardized like SIP.
Between the time a Dev on a VTG group decides to add a new field to a protocol like SCCP, and the time it takes the corresponding Dev on a Firewall group to add the support for that field on its 'Inspection' engine sometimes takes months. And the fact that all communications are opened on random dynamic ports between the 16K and 32K makes matters worse.
I do think it's a good idea, especially with cybersecurity threats on the rise, and toll fraud so prevalent these days. I think SBC and Media relay points are a good way to get everything more in control.
I just wanted to raise some awareness that if you want to go down that path, you do need a solid roll-out and testing plan as things will likely get bizarre a few times.
Similar Messages
-
Questions about VOIP and recording in Connect
Hi,
We have been using Connect for a long time, but have been doing the audio using AT&T teleconferencing. We were thinking about using VOIP for the webinars we do. I just have a few questions.
1. Is there a limit of the number of connections to VOIP like there is with the teleconferencing? Is there a point where the number on there could decrease the quality of the VOIP?
2. When we record the webinar, where can we save it to? Can we save it to our server?
Any help with these questions would be great. Anything else that would be good to know for doing VOIP and recording?
Thanks.
Lisa
We don't natively integrate with AT&T by the way - so you have to use Universal Voice in this case and set it up yourself. Not hard to do.
1. No limit on VOIP but we recommend using the optional SPEEX audio codec built into the Host Add-In if using VOIP a lot. It requires everyone to be using the Host Add-In though. Over 150 though and it might get unruly!
2. Recordings are saved to the Adobe Connect Central portal that every customer has for their rooms. You can create a local copy from there and then copy the local copy to another server. It's a Flash file so you may need to convert it if you don't have a player. -
I have a SOHO currently using cable modem connected to the outside interface of a PIX 501. The inside interface of the PIX connects to a hub with 8 ports. I have 2 PC's and a LinkSys AP plugged into the hub. I have been looking at using Vonage VoIP. My questions are:
1) Is it possible?
2) Do I need to use a special fixup protocol or config?
3) Has anyone used Vonage VoIP and how is it working?
Thanks,
Paul Lane
Paul,
I have been using Vonage successfully with a very similar configuration. You don't need any fixups or special configurations to make this work.
My only suggestion is to connect your ATA to a switch port behind the PIX, as opposed to the hub.
Have fun!
Fernando Macias -
AAA Authentication and VRF-Lite
Hi!
I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
--> Config Begins <---
aaa new-model
aaa group server radius radius-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
ip radius source-interface <outside-if> vrf 10
---> Config Ends <---
The VRF-Lite instance is configured like this:
---> Config Begins <---
ip vrf 10
rd 65001:10
---> Config Ends <---
Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okay for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.
Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
aaa group server radius RADIUS-VRF-X
 server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
 ip vrf forwarding X
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group RADIUS-VRF-X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168 -
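An added example, not part of the original thread or of Cisco's documentation: a small Python check that reads an IOS-style config and reports the two AAA problems this thread turns on, method lists that name a server group that is never defined, and server groups with no `ip vrf forwarding` on a device whose interfaces sit in a VRF. The sample configs are constructed (192.0.2.x addresses, `EXAMPLE-KEY` and the interface name are placeholders), `parse_blocks` and `audit_aaa` are hypothetical helper names, and the VRF check is a heuristic that assumes sub-commands are indented.

```python
import re

# Constructed sample configs; addresses, key and interface names are placeholders.
GLOBAL_STYLE = """\
aaa new-model
aaa group server radius radius-auth
 server 192.0.2.23 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
radius-server host 192.0.2.23 auth-port 1645 acct-port 1646 key EXAMPLE-KEY
interface FastEthernet0
 ip vrf forwarding 10
"""

PER_VRF_STYLE = """\
aaa new-model
aaa group server radius RADIUS-VRF-10
 server-private 192.0.2.23 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
 ip vrf forwarding 10
aaa authentication login default group RADIUS-VRF-10 local
aaa authorization exec default group RADIUS-VRF local if-authenticated
interface FastEthernet0
 ip vrf forwarding 10
"""

VRF_RE = re.compile(r"(ip )?vrf forwarding \S+")
BUILTIN_GROUPS = {"radius", "tacacs+"}  # group names IOS provides by default


def parse_blocks(config):
    """Split an IOS config into (top-level command, [indented sub-commands])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_aaa(config):
    """Return findings for AAA server groups that need review."""
    blocks = parse_blocks(config)
    groups, vrf_in_use = {}, False
    for header, subs in blocks:
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", header)
        if m:
            groups[m.group(1)] = subs
        elif header.startswith("interface ") and any(VRF_RE.match(s) for s in subs):
            vrf_in_use = True
    findings = []
    for header, _ in blocks:
        if re.match(r"aaa (authentication|authorization|accounting) ", header):
            for name in re.findall(r"\bgroup (\S+)", header):
                if name not in groups and name not in BUILTIN_GROUPS:
                    findings.append(f"undefined server group {name!r}: {header}")
    for name, subs in groups.items():
        if vrf_in_use and not any(VRF_RE.match(s) for s in subs):
            findings.append(f"group {name!r} has no 'ip vrf forwarding'; "
                            "check which routing table reaches its servers")
    return findings
```
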
Is a toll-free number mandatory for simultaneous VOIP and teleconferencing? How do we get a number, we're an academic institution?
page is here
http://ca.blackberry.com/support/tablets/playbook/contact-support.html
-
Why isn't there yet an available p2p embedded code for voip and video conference in Firefox??
So, the upload time will vary on internet connection. If there is an issue with how fast it is uploaded you can check if prefetching is turned on, but this does not really affect uploading [https://developer.mozilla.org/en-US/docs/Controlling_DNS_prefetching Controlling DNS prefetching]
If you search for solutions, you will see a bunch of tweaks as well that may be helpful to your specific computer. [[Upgrade your graphics drivers to use hardware acceleration and WebGL]] to make sure you are all up to date as well. -
VoIP and Data over 1300 Bridge
I have a customer who wants to link 5 out buildings back to the main network. I have proposed using the new 1300 series bridges and have already verified clear line of sight from the root location to all remotes.
The customer wants to run VoIP and data on the links. They expect about 3 phones and 3 computers at each location. Each location will have a 3500 series switch powering the 7940 phones.
Is there a maximum number for running the VoIP of a multipoint bridge setup?
I know I will need to set up QoS on the bridges. I just cannot find any documentation to support this setup.
Seth
This document should help explain the quality requirements for wireless devices:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091be.html -
Conference bridging between VoIP and GSM calls
Hello, Can E61/E62/E50/E70 do conference between one call that's running on GSM and second call running through SIP client on VoIP? Thanks, Bilal
I tried to connect the GSM call to VOIP call on E72, but it has not happened.
I presume this may be the case, also there may be a solution for this.
VOIP Connection:
For VOIP calls the network uses an existing external IP address to transfer the information from a server. The information received vide VOIP shall be transformed into voice which enables us to hear the data conveyed by the server.
GSM Connection:
For GSM calls the network uses the intermediate service provider slot to convey the information as a signal through the network. The signals are the direct output we hear as sound.
By my observation, in my mobile, the two network actions (VOIP and GSM) can be performed instantaneously or simultaneously.
The mobile needs a medium to convert either the GSM output signal (audio) to Internet packet data (bytes) and the VOIP software installed in mobile should recognize the same audio as an input and allow for a conference call.
or
VOIP call get converted into GSM signal. -
I'll make it short and sweet! I have a customer that has a 6Mb P2P connection over our HFC network. They're utilizing the circuit for Prioritized VOIP traffic and stated they are using DSCP. They also use the circuit for their general data. Our network is seeing ~.0065% Correctable CW's, and 0% Uncorr CW's.
My main question for voip and codewords is: How is the VOIP traffic affected by Correctable CW's in general? Will the VOIP service drop those packets that were corrected by FEC regardless as they come in due to the small increase of latency/jitter?
Thanks for any insight to this matter in advance!
WICs in the 1700 range:
Voice over DSL (VoDSL) using VoATM AAL2 or AAL5 (2600/3600) and AAL5 only (1700) technology is supported. This requires the use of separate PVCs for voice and data. VoIP over DSL will be supported in a later release together with the QoS features necessary for this solution.
http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/ads17_ds.htm -
Hi,
This question came from our CSC Facebook community.
Karthik Ayyappan Hey Any one having Experience with Voip and IPCC let me know
I have a doubt on ICM
Many of us in this community have experience with this. What's your question or doubt?
-
VoIP and Video capacity planning
For 1000 users, what is the bandwidth for backbone to run VoIP and video?
Thanks
the above link is very good as it pertains to 'per call bandwidth consumption'
you may need to use a little more to find your answer such as a capacity planning procedure(s). since you have voice and video, this will be two part.
(minding that video if used for all users will require much more capacity than the voice; possibly up to 50 - 100 times more depending on your use/needs)
some decent capacity planning providers, case studies and best practices are as follows:
42U - obtain a free capacity planning consultation.
http://www.42u.com/proj-eval.htm
nice case study by cisco on capacity planning:
http://www.writtenright.net/Portfolio/WrittenRightCaseStudy.pdf
(for do it yourself)
a very good 'best practices handbook' by wainhouse:
http://www.wainhouse.com/files/papers/wr-best-net-vnvoip.pdf -
1801w ISR and mapping VLAN, WLAN and VRF
I have a problem with getting SSID and local vlans to work unless I create subinterfaces on radio interface. If the VLAN is then associated to a VRF and VRF DHCP pool I won't get an IP over WLAN.
Has anyone experience with such a solution with the integrated radio?
Using LWAPP Hybrid REAP APs on a trunk (fa8) interface works just fine...
Try the command ip dhcp use vrf connected in order to assign the IP address through DHCP.
-
Cisco 1700 with MP-BGP and VRF support
I have a Cisco 1721 with MP-BGP Support, you can create VRFs with it and every other MPLSVPN feature, but the commands for MPLS switching are not supported like Router(config-if)mpls ip , I read in some forums that you can create MPLS VPN without enabling MPLS at all, just with MPBGP, but I couldn't do it myself, Can someone tell me how to make it work or what can I do with a Cisco 1721 that supports MP-BGP?
thanks in advance
Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
The packet seems something like that.
IpHeader-pub@ - NAT-Tudp4500 - ESP - IpHeader-priv@(vrf discriminator) - GRE - Original IP Header - Data - Esp Trailer.
In this case you need tunnel-mode because you use
private @ in order to determine vrf (vrf discriminator).
This is a LAB config, all other security parameters you need on a router are not configured. If you add access-list on the external interface of REMOTE you have to understand every encapsulation step in order to well tune it.
Good reading.
The PPT draw shows physically and logically views.
PS, take care about fragmentation issues, the problematic is still not well managed by the routers, I could not make Tunnel-path-mtu discovery work with vrf's. The workaround is to fragment packets. It's not good for performance but actually there is no other solution concerning that.
Kind Regards
Miguel -
We just upgraded the CallManager and new voips. I have noticed that we are running out of ip's. We setup a second pool, but are unable to register any phones on the new/different vlan (453). What am I missing?
The config on NTP/DHCP server is as follows:
Ip dhcp smart-relay
No ip dhcp use vrf connected
Ip dhcp excluded-address xxx.xx.253.129 xxx.xx.253.135
Ip dhcp excluded-address xxx.xx.253.248 xxx.xx.253.254
Ip dhcp excluded-address xxx.xx.253.65 xxx.xx.253.69 (new to config)
Ip dhcp pool VOIP
Network xxx.xx.253.128 xxx.xxx.xxx.128
Next-server xxx.xx.253.131
Default-router xxx.xx.253.130
Option 150 ip xxx.xx.253.131
Ip dhcp pool VOIP2 (new to config)
Network xxx.xx.253.64 xxx.xxx.xxx.192 (new to config)
Next-server xxx.xx.253.131 (new to config)
Default-router xxx.xx.253.65 (new to config)
Option 150 ip xxx.xx.253.131 (new to config)
sh ip dhcp bind on dhcp server x.x.253.132
Bindings from all pools not associated with VRF:
ips listed, mac address, lease times; all today the 19th or tomorrow the 20th, type; all automatic
-
Hi all
I've been doing some experimenting with multipoint GRE over 3G and I've run into a problem I need some help with. My setup is best described with the attached network drawing. MAR-Router has a fiber Internet connection while the ECK-Router1 only has 3G connections using external modems with dynamic provider IPs, hence the need for multipoint GRE rather than static GRE tunnels. I've also had to use VRF lite on the ECK-Router1 as there is a need to keep the routing tables separate.
The tunnel9 interface on ECK-Router1 noVRF comes online nicely and OSPF does what it does. The tunnel can even handle when the 3G provider assign the modem a new IP. The tunnel 16 on ECK-Router1 VRF guest however does not handle nicely. When I set up the configuration the first time the tunnel comes up and OSPF goes adjacent with MAR-Router but whenever there is a disturbance in the 3G connection or the modem gets a new IP the tunnel goes down and doesn't activate until I remove and reenter the " tunnel vrf guest" command. The show dmvpn static detail command on ECK-Router1 gives the result below with the VRF guest tunnel in the NHRP state.
It seems multipoint GRE has a problem with VRF lite but it could also be a case where I've missed something. I would appreciate any pointers.
Regards
/Fredrik
ECK-Router1#sh dmvpn static det
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel9 is up/up, Addr. is 172.16.14.2, VRF ""
Tunnel Src./Dest. addr: 192.168.14.30/194.112.9.140, Tunnel VRF ""
Protocol/Transport: "GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 NHS:
172.16.14.1 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
1 194.112.9.140 172.16.14.1 UP 00:02:46 S 172.16.14.1/32
Interface Tunnel16 is up/up, Addr. is 172.16.14.3, VRF "guest"
Tunnel Src./Dest. addr: 192.168.15.30/194.112.9.140, Tunnel VRF "guest"
Protocol/Transport: "GRE/IP", Protect ""
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 NHS:
172.16.14.1 E priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
1 194.112.9.140 172.16.14.1 NHRP 00:00:45 S 172.16.14.1/32 (guest)
ECK-Router1
interface Tunnel9
 bandwidth 10000
 ip address 172.16.14.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 194.112.9.140
 ip nhrp map 172.16.14.1 194.112.9.140
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 172.16.14.1
 ip ospf network non-broadcast
 ip ospf dead-interval 4
 ip ospf hello-interval 1
 ip ospf priority 0
 ip ospf 1 area 0
 ip ospf cost 2
 tunnel source GigabitEthernet0/0.807
 tunnel mode gre multipoint
interface Tunnel16
 bandwidth 10000
 ip vrf forwarding guest
 ip address 172.16.14.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp map multicast 194.112.9.140
 ip nhrp map 172.16.14.1 194.112.9.140
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip nhrp nhs 172.16.14.1
 ip ospf network non-broadcast
 ip ospf dead-interval 4
 ip ospf hello-interval 1
 ip ospf priority 0
 ip ospf 10 area 0
 ip ospf cost 2
 tunnel source GigabitEthernet0/0.810
 tunnel mode gre multipoint
 tunnel vrf guest
interface GigabitEthernet0/0.807
 encapsulation dot1Q 807
 ip address 192.168.14.30 255.255.255.0
interface GigabitEthernet0/0.810
 encapsulation dot1Q 810
 ip vrf forwarding guest
 ip address 192.168.15.30 255.255.255.0
MAR-Router
interface Tunnel9
 bandwidth 10000
 ip address 172.16.14.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 60
 ip ospf network broadcast
 ip ospf dead-interval 4
 ip ospf hello-interval 1
 ip ospf priority 255
 ip ospf 1 area 0
 ip ospf cost 2
 tunnel source 194.112.9.140
 tunnel mode gre multipoint
Bump :)