Cisco VCS and IP Address Dialing

William Bell
VIP Alumni

I have a question about IP address dialing and the VCS. In the admin guide it says that the VCS considers an IP address to be known if it either:

- is the IP address of a locally registered endpoint

- falls within the IP address range of one of the subzone membership rules

The second bullet is the one of interest. In the context of how it is presented, I am taking this to mean that if a subzone membership rule has an IP address range which includes the address of an unregistered endpoint then the VCS will still attempt to place the call to the unregistered endpoint regardless of the "Calls to Unknown IP Addresses" setting (under DialPlan). For example,

Assume endpoint A (EP-A) is registered to a VCS Control that is configured to use Indirect mode for "Calls to Unknown IP Addresses". The idea here is that there is a VCS Expressway. Further assume that there is an endpoint (EP-B) on the internal network that EP-A wants to call. EP-B is behind the firewall but it is not registered to the VCS-C. Finally, assume the VCS-C has a subzone (let's call it "Internal-Unregistered") with a membership rule of 10.10.10.0/24.

Now, if EP-B's IP address is 10.10.10.10 and EP-A dials by IP, will the call be successfully established? Based on the admin guide, the VCS will see the EP-B IP as "known". The admin guide doesn't really address whether the call would be placed. I am sorta stuck on the RAS messaging, since EP-B wouldn't be exchanging RAS messages with the VCS-C.

I am also wondering about calls from the unregistered endpoint. EP-B could call EP-A directly. I don't want to support that behavior in the design (I'd rather recommend using URI dialing). I am considering configuring the Fallback Alias on the VCS-C to funnel calls from unknown devices to an attendant on the MCU. Regardless, what I am wondering is the following:

If I have a subzone membership rule like the one above and EP-B sends a call setup message to the VCS-C, would the VCS-C still see the call as coming from the Default Zone or the Local Zone? The reason I question this is because of how the admin guide defines "known IP addresses".

Thanks in advance.

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

7 Replies

Marwan ALshawi
VIP Alumni

In VCS there is something called search rules.

There is a rule that looks into the local VCS.

If you create a new rule with a lower priority value (preferred), then the VCS-C will look into this new rule before the local one!

Wish this helps

If helpful rate


marwanshawi, thanks for the input.

-Bill


awinter2
Level 7

Hi Bill,

To answer your question regarding the first scenario (where EP A dials the IP address of EP B), the VCS would attempt to place the call if there exists a search rule of type 'AnyIPAddress' for the Local Zone on the VCS-C (and assuming that the previously mentioned subzone containing 10.10.10.0/24 exists). The VCS would in this case send an H225 SETUP message to EP B.

For the second scenario, where EP B dials the IP address of EP A, EP B would send an H225 SETUP message to EP A. EP A would then respond to the SETUP message with a FACILITY message containing a 'routeCallToGatekeeper' reason, instructing EP B to dial the IP address of the VCS instead, since the VCS wants to be included in the call signalling path.

To answer your last question, regarding on which zone a call from an unregistered endpoint (where the endpoint's IP address belongs to a subnet-type subzone) comes in on, the answer is that the call will come in on the Default Zone. Calls will only come in on the Local Zone if the call comes from an actual registered endpoint.

Hope this helps.

- Andreas

Andreas,

Thanks for the input (+5). The 'routeCalltoGatekeeper' reason helps a bit. I do have a few quick follow up questions:

For the first scenario, I am thinking I would have a search rule like this:

  • SearchRuleA
    • Source: LocalZone
    • Priority: 100
    • Target: LocalZone
    • Pattern Match: AnyIPAddress
    • OnMatch: Continue
  • SearchRuleB
    • Source: LocalZone
    • Priority: 101
    • Target: TraversalClientZone (pointing to the VCS Expressway)
    • Pattern Match: AnyIPAddress
    • OnMatch: Stop

This would allow for IP address dialing to Internet destinations (via SearchRuleB). Is that sound logic? I believe this is what marwanshawi was getting at and is my general understanding. Just wanted to double check.

For the second scenario, after EP-B sends the H.225 SETUP message to the VCS, what zone is associated with EP-B? Would it be the Default Zone or the Local Zone (since there is a membership rule that makes EP-B's IP address "known" to the VCS)?

I am asking about scenario 2 because of authentication and link management. I was planning on removing all links from the Default Zone to the Default Subzone and Traversal Subzone. I am starting to re-think that position but am holding on the general security aspect.

The deployment will also have Movi and we are considering using the AD Direct authentication mode. Which, according to the deployment guide, wants the Default Zone setup to "Check Credentials". If EP-B's ingress call were associated with the Default Zone then my understanding is the VCS would check credentials. Though, now that I think about it, I believe that with H.323 the VCS doesn't reject the message and just treats it as unauthenticated, which shouldn't be a problem. (Sorry, thinking "aloud").

Thanks again,

Bill


Hi William.

Those search rules should be fine.

For the second scenario, the SETUP message from EP B will come in on the Default Zone on the VCS; the membership rule does not matter in this case.

If the Default Zone is set to 'Check credentials', the SETUP message will be flagged as unauthenticated, although the call will still go through, as long as the Local Zone search rule on the VCS does not have 'Request must be authenticated' set to 'Yes'.

Hope this helps,

Andreas
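
The zone, authentication and search-rule behaviour described in the answers above, as a simplified Python model (an added example, not part of any post and not Cisco code). EP-A's address 10.10.20.5, the function names and the outcome strings are assumptions; search-rule Source filtering and the "Calls to Unknown IP Addresses" mode are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data based on the thread's scenario (EP-A's address is invented).
REGISTERED = {"10.10.20.5"}        # EP-A, registered to the VCS-C
SUBZONE_RULES = ["10.10.10.0/24"]  # "Internal-Unregistered" membership rule

def is_known_ip(ip):
    """'Known' as quoted from the admin guide: registered, or inside a membership range."""
    addr = ipaddress.ip_address(ip)
    return ip in REGISTERED or any(addr in ipaddress.ip_network(n) for n in SUBZONE_RULES)

def ingress(src_ip):
    """(zone, authenticated) for an incoming SETUP with Default Zone on 'Check credentials'.
    Membership rules are ignored here; only registration selects the Local Zone.
    Treating registered endpoints as authenticated is a simplifying assumption."""
    return ("LocalZone", True) if src_ip in REGISTERED else ("DefaultZone", False)

@dataclass
class SearchRule:
    name: str
    priority: int               # lower value is searched first
    target: str
    on_match: str               # "Continue" or "Stop"
    require_auth: bool = False  # 'Request must be authenticated'

def route(dst_ip, authenticated, rules):
    """Return (targets tried, outcome) for an IP-dialled call; every rule is AnyIPAddress."""
    tried = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.require_auth and not authenticated:
            continue                      # rule does not apply to unauthenticated requests
        tried.append(rule.target)
        if rule.target != "LocalZone":
            return tried, "forwarded"     # handed to the neighbour/traversal zone
        if is_known_ip(dst_ip):
            return tried, "SETUP sent"    # VCS signals the known address directly
        if rule.on_match == "Stop":
            break
    return tried, "not placed"

# The two rules proposed earlier in the thread.
BILL_RULES = [
    SearchRule("SearchRuleA", 100, "LocalZone", "Continue"),
    SearchRule("SearchRuleB", 101, "TraversalClientZone", "Stop"),
]
```

Setting `require_auth=True` on the Local Zone rule is the control that stops a call arriving unauthenticated on the Default Zone from being placed.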

Andreas,

Thanks for the answer.

Regards,

Bill


Hi Andreas

If the call comes from an unknown/unregistered endpoint through the VCSE then it will be sourced from the traversal zone first when it hits the VCSC! Let's say a call from an Internet endpoint!