4022 Views | 10 Helpful | 8 Replies

Restricting UDP media ports on vcse

gthaliwal, Level 1
Hi there,

In a recent deployment of an Expressway v8.1 my client has requested I limit the incoming media ports from the internet as much as possible. They have purchased 10 traversal calls, so I figure that would be 8 dynamic ports per call (a pair each for video, audio, content and BFCP/FECC). Thus I reduced the traversal zone to a range of 80 UDP ports, enough to cater for a fully loaded scenario. However, the VCSe keeps on throwing up errors that state there are not enough ports for the licensed number of calls. It doesn't stop complaining until I increase the port count to around 3000 (I can't remember the exact figure). I don't understand why I would need to open such a large range of ports for a maximum of 10 traversal calls. Am I missing something obvious?

Thanks
Gurp
8 Replies

Chris Swinney, Level 5

Hi Gurp

If you have a stateful firewall that allows established traffic, you shouldn't need to open up ANY inbound ports. The VCS-C calls outbound to the VCS-E and establishes a tunnel. As far as I understand it, the VCS-E then tells the VCS-C which port to send media to; these will be the de-multiplexing ports, which in x8.1 will be the first two ports in the UDP media port range (on new installations this will be 36000 and 36001). The VCS-E will then send streams back coming from these ports, so even though UDP traffic is connectionless, it all seems to work lovely.

This means you only need to open up a small range of ports OUTBOUND from the VCS-C to VCS-E, such

Source                   Source Port   Destination                     TCP/IP Port       Protocol
CISCO VCS Control        Any           CISCO VCS Expressway            1719              UDP
(IP_Address_Of_VCS-C)                  (DNS_Address_Of_VCS-E)          1720              TCP
                                       May require multiple VCS-Es     2776              TCP & UDP (x7)
                                       in Cluster                      2777              TCP & UDP (x7)
                                                                       36000**           UDP (x8.1)
                                                                       36001**           UDP (x8.1)
                                                                       Zone_Port_H.323   UDP
                                                                       Zone_Port_SIP     TCP

Note, the Media ports might be different if you upgraded from a previous version, however, we changed our port to marry with a new install.

Alternatively you could simply only allow traffic inbound from a specific IP (or set if you have a cluster).

We use this in many, many organisations including government, health, and other public sector organisations.

Hope this helps

 

Chris

Thanks for the responses gents.

Dave you are correct, I want to limit the ports to 50000-50079; this is to match the current capacity of the VCSe and to comply with the client's strict security policy. Sorry Chris, I should have clarified: this is traversal between the VCSe and the external network. Also it has been upgraded from v7.2, which is why we are using the old port ranges, but that's fine.

So we have

VCSc ----fw-----VCSe-----fw----ExternalNet

VCSc to VCSe is fine, I just use the standard ports mentioned by Chris and have firewall rules in place; this communication works perfectly.

What we want to restrict is the incoming media ports from the External Network to the VCSe and vice versa. My understanding is the port range you configure in the VCSe affects the offered range in the SDP negotiation (in SIP). If I set this range to 50000-52399 (as Dave has found) and the firewall only allows a range of 80 ports inbound, there will be a significant number of calls with failed media.

So to summarise, the question is:

Is there a minimum range of UDP media ports that has to be defined on the Traversal Subzone of a VCSe?

Thanks

Gurp

Hi Gurp,

Whilst I understand you might want to limit the ports open on a firewall, as the VCS-E is in the DMZ you can generally be a little more lax on the external firewall.

You should understand that each call could use up to 40 separate ports (check out the VCS Admin guide in the section relating to "Configuring the Traversal Subzone ports", or click Help on the VCS menu when on the "Traversal Subzone" page), not the 8 you suggest, and as such you need to have enough ports open to allow for the number of call licences you have installed. For 50 call licences this would be 40x50 = 2000 ports. For your 10 licences, this would be 40x10 = 400 ports.

The default in x7 is 6000 ports as the VCS can handle up to 150 calls (assuming the correct licences); the default in x8.1 is a massive 24000 ports because you can deploy a VCS VM farm capable of a bucket load of calls (that's a technical term - but I would have to see the bill for licences on that one - ouch :))

TBH, our VCS-Es live on the public network as we have multiple institutions that peer with them. Thankfully, since x7.2 there is an inbuilt software firewall on the VCS based on iptables that is able to stop traffic to the management ports such as SSH, HTTPS etc.

Cheers

Chris

Hi Chris,

Thanks for the clarifications. On the VCS-E I tested with, I have 50 Traversal call licenses. So if the VCS-E can use up to 40 ports per license, that is 50 x 40 = 2000.

I cannot configure the VCS-E for 50000-52001; the smallest range it would accept is 50000-52399.

This would equate to 48 ports per license.

It would be nice just to get a definitive clarification to this point.

Thanks

David

Hey Dave,

I gotta say, the total requirements for UDP port allocation always confuse the hell out of me (surprise), so I don't quite understand why 48 ports is your limit; however, the port range for 40 ports should have been 50000-51999 as both the highest and lowest port numbers are inclusive. Still, I have just tried to limit the number of ports on our test Expressway running x8.1, which only has 5 traversal call licences, and given Cisco's documentation this should be 40x5 = 200; however, this raises a warning. Only when I allocate 48 UDP ports per call (as you have suggested) does the flag disappear.

I think this must be a new warning in x8.1, as I have also tested on our second test VCS-E running x7.2.2 (with 5 traversal licences) and even when I take the port range down to 50000-50001, I get no warning. Go figure??

I'm guessing either the software developer has got their sums wrong, or the documentation is not up to date???

Hey guys, thanks both, this is exactly the quandary I have! Whichever way you look at it, the figures don't quite seem to add up. It would be nice to get an official response from Cisco. I may have to raise a TAC case on this to get clarity for the client, as they will see the error upon login and inevitably question it. If I get a definitive answer I will post it here.

 

Thanks again

Gurp

David Anstee, Level 4

Gurp,

For clarification, are you referring to the firewall ports required to be opened between Control and Expressway OR as I understand your question between the WAN side of the Expressway and the public internet?

Therefore you are looking on the Expressway at the Local Outbound Ports and changing the Media port range from the default 50000-59999 to a much smaller range such as 50000-50081. Is this correct? (Remember the last range must end with an odd number)

I can replicate the same issue; the error thrown up in the Expressway is as follows:

Insufficient media ports | There is an insufficient number of media ports to support the number of licensed calls | Raised | Warning | Increase the media port range on the Traversal Subzone | 2014-03-21 08:21:39 | 2014-03-21 08:21:39 | 45019


From trial and error, it looks like I can only configure this as the smallest range 50000-52399 without the VCS throwing up an error. I have 50 Traversal call licenses on the Expressway I was testing with but that should only require 400 ports?

Does anyone else have any other suggestions?

Sorry Gurp!

After I upgraded the VCSC to X8.1.1, I got the "Insufficient media ports" warning. I fixed the issue by applying the following formula:

48 x 'Number of Traversal calls'

So if 100 traversal calls = 4800 ports --> go to "Traversal Subzone" media ports and configure the range to start at 50000 and end at 54799.
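A worked version of the sizing rule the thread converged on, added here as an example; it is not code from the original posts or from Cisco. It assumes the empirical 48 ports per traversal call (and the documented 40) as the thread reports them, and the function names are my own.

```python
# Added example (not from the thread or from Cisco): size and sanity-check the
# Traversal Subzone UDP media port range from the traversal call licence count.
# OBSERVED_PORTS_PER_CALL is the 48 the thread found empirically on X8.1/X8.1.1;
# DOCUMENTED_PORTS_PER_CALL is the 40 quoted from the VCS Admin guide.

DOCUMENTED_PORTS_PER_CALL = 40
OBSERVED_PORTS_PER_CALL = 48


def port_count(start, end):
    """Inclusive size of a range: 50000-52399 is 2400 ports, not 2399."""
    return end - start + 1


def media_port_range(licences, start=50000, ports_per_call=OBSERVED_PORTS_PER_CALL):
    """Smallest (start, end) range that satisfies the VCS check for `licences` calls.

    Both bounds are inclusive; the range starts on an even port and ends on an odd
    one because media is allocated as RTP/RTCP even/odd port pairs.
    """
    if licences < 1:
        raise ValueError("need at least one traversal call licence")
    if start % 2:
        raise ValueError("media port range must start on an even port")
    end = start + licences * ports_per_call - 1
    if end > 65535:
        raise ValueError("range runs past the end of the UDP port space")
    return start, end


def check_range(start, end, licences, ports_per_call=OBSERVED_PORTS_PER_CALL):
    """Reproduce the 'Insufficient media ports' warning logic; returns a list of problems."""
    problems = []
    if start % 2:
        problems.append("start port must be even")
    if end % 2 == 0:
        problems.append("end port must be odd")
    needed, have = licences * ports_per_call, port_count(start, end)
    if have < needed:
        problems.append(f"insufficient media ports: {have} configured, {needed} needed")
    return problems


def firewall_coverage(configured, allowed):
    """Fraction of the VCS-E media range that an inbound firewall rule actually admits."""
    lo, hi = max(configured[0], allowed[0]), min(configured[1], allowed[1])
    return 0.0 if lo > hi else port_count(lo, hi) / port_count(*configured)
```

`firewall_coverage` makes Gurp's concern concrete: because the VCS-E offers ports from its whole configured range in SDP, an 80-port hole in front of a 2400-port range leaves most calls without media.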