11-13-2012 05:26 AM - edited 03-18-2019 12:07 AM
Hi Guys,
I need a few clarifications on standalone VCS-EX call flow, considering this scenario:
Assume that the endpoints on the corporate WAN are not Cisco TelePresence products (so we cannot really know if they are H.460/Assent compliant), but all of them are registered on VCS-EX port A (LAN side).
Assume that the VCS-EX has the dual NIC interface option.
What would be the call flow when they try to reach an EP on the internet? Will call setup be routed on ports 1 -> 2 -> VCS-EX, while RTP traffic goes 1 -> 3 -> internet? Or will everything pass through the VCS-EX?
Does anybody here have experience with a similar scenario?
Thanks for your kind collaboration.
Regards
11-13-2012 09:58 AM
Hi Daniele!
If the two interfaces are used, make sure they are also on two different subnets.
I am not 100% sure about your drawing, as the VCS-E's internet interface does not have a firewall.
It also does not state whether NAT is involved in any case and what the routing would look like.
I would not run the VCS without blocking management and some other service ports.
There are some postings here in the forum and some documents which will explain more about which calls are traversal calls.
Traversal calls will always bind the media to the VCS.
One of the call scenarios forcing traversal calls is calls between the two interfaces of the VCS.
Other traversal call scenarios are H.460.18/Assent calls, SIP behind NAT and interworked calls (sip2h323, ipv4-2-ipv4, encryption), ...
So all calls from Corporate wan (interface1) to Internet (interface2) would bind the media to the VCS-E.
Calls from H.323 registered Assent/H.460 endpoints within the corporate WAN (as well as calls between Assent/H.460.18 endpoints) would also bind the media to the VCS-E.
So for your example: in a call from the C-WAN to the internet it would go:
C-WAN > 1 > 2 > (if1 > VCS-E > if2) > Internet
and this for the signaling as well as the media.
Martin
04-02-2013 04:40 PM
Hi,
I am unable to register the Jabber Movi client on VCS Expressway from the Internet.
I am not able to see any provisioning option key license on either VCS Control or VCS Expressway,
so do we need a provisioning option key for Jabber Movi client registration?
Need help...
11-13-2012 04:17 PM
If an endpoint is registered on the VCS-E with H.460.18/Assent traversal capability, the VCS-E will treat the call as coming from an endpoint behind a firewall, therefore both signaling and media will go through the VCS-E.
If the VCS-E is deployed with dual network interfaces (as Martin mentioned above, it is important that Eth1 and Eth2 are configured with IP addresses in different subnets in this deployment), the signaling and media flow is:
Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> FW-Port 2 <-> FW-Port 3 <-> Internet.
(Assume VCS-E Eth1 is facing internet and Eth2 is facing local network)
11-14-2012 10:14 PM
Hi Guys,
thanks for your support, very explicative.
So if my understanding is right, if I'm not using Assent/H.460 capable endpoints but my VCS-EX is deployed using 2 interfaces on different subnets, media will be bound to the VCS-EX (there is a high chance that this customer will have this scenario).
Just one more question for Tomori, you said:
"If the VCS-E is deployed with dual network interfaces (as Martin mentioned above, it is important that Eth1 and Eth2 are configured with IP addresses in different subnets in this deployment), the signaling and media flow is:
Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> FW-Port 2 <-> FW-Port 3 <-> Internet.
(Assume VCS-E Eth1 is facing internet and Eth2 is facing local network)"
I assume this would be the call flow if VCS-EX Eth1 is deployed in the corporate firewall DMZ (NATed or not), but in my example above Eth1 is directly connected to the internet, so it should be:
Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> Internet
Again, thanks for your brilliant support.
Regards
11-14-2012 11:22 PM
Oh ok, I missed the line from VCS Expressway to Internet directly.
Then, yes, the flow you mention is correct.
However, I strongly recommend using the firewall rule configuration on the VCS to manage traffic from the internet to VCS Expressway Ether port 1, to maintain a certain level of security.