
VCSExpress, stand alone deployment: call flow

Hi Guys,

I need a few clarifications on the standalone VCS-EX call flow, considering this scenario:

Assume that the endpoints on the corporate WAN are not Cisco TelePresence products (so we cannot really know if they are H.460/Assent compliant), but all of them are registered on VCS-EX port A (LAN side).

Assume that the VCS-EX has the dual NIC interface option.

What would the call flow be when they try to reach an EP on the internet? Will call setup be routed on ports 1 -> 2 -> VCS-EX, while RTP traffic goes 1 -> 3 -> internet? Or will everything pass through the VCS-EX?

Does anybody here have experience with a similar scenario?

Thanks for your kind collaboration.

Regards


Martin Koch
VIP Alumni

Hi Daniele!

If the two interfaces are used, make sure they are also on two different subnets.

I am not 100% sure of your drawing, as the VCS-E's internet interface does not have a firewall.

It also does not state whether NAT is involved in any case and what the routing would look like.

I would not run the VCS without blocking management and some other service ports.

There are some postings here in the forum and some documents which will explain more about which calls are traversal calls.

Traversal calls will always bind the media to the VCS.

One of the call scenarios forcing traversal calls is calls between the two interfaces of the VCS.

Other traversal call scenarios are h.460.18/assent calls, sip behind nat and interworked (sip2h323, ipv4-2-ipv4, encryption), ...

So all calls from the corporate WAN (interface1) to the Internet (interface2) would bind the media to the VCS-E.

Calls from h323 registered assent/h.460 endpoints within the corporate WAN (as well as calls between assent/h.460.18 endpoints) would also bind the media to the VCS-E.

So for your example: in a call from the C-WAN to the internet it would go:

C-WAN > 1 > 2 > (if1 > VCS-E > if2) > Internet

and this for the signaling as well as the media.

Martin

Please remember to rate helpful responses and identify

Hi,

I am unable to register the Jabber Movi client on the VCS Expressway from the Internet.

I am not able to see any provisioning option key license on either the VCS Control or the VCS Expressway.

So do we need a provisioning option key for Jabber Movi client registration?

Need help...

Tomonori Taniguchi
Cisco Employee

If an endpoint is registered on the VCS-E with H.460.18/Assent traversal capability, the VCS-E will treat the call as coming from an endpoint behind a firewall; therefore both signaling and media will go through the VCS-E.

If the VCS-E is deployed with dual network interfaces (as Martin mentioned above, it is important that Eth1 and Eth2 are configured with IP addresses on different subnets in this deployment), the signaling and media flow is:

Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> FW-Port 2 <-> FW-Port 3 <-> Internet.

(Assume VCS-E Eth1 is facing internet and Eth2 is facing local network)

Hi Guys,

Thanks for your support, very explicative.

So if my understanding is right, if I'm not using Assent/H.460 capable endpoints but my VCS-EX is deployed using 2 interfaces on different subnets, media will be bound to the VCS-EX (there is a high chance that this customer will have this scenario).

Just one more question for Tomonori, you said:

"If VCS-E deploy with dual network interfaces (as Martin mention in above, it is important Eth1 and Eth2 configured different subnet IP address in this deployment), signal and media flow,

Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> FW-Port 2 <-> FW-Port 3 <-> Internet.

(Assume VCS-E Eth1 is facing internet and Eth2 is facing local network)"

I assume this would be the call flow if VCS-EX Eth1 is deployed in the DMZ of the corporate firewall (NATted or not), but in my example above Eth1 is directly connected to the internet, so it should be:

Endpoint <-> FW-Port 1 <-> FW-Port 2 <-> VCS-E Eth2 <-> VCS-E Eth1 <-> Internet

Again, thanks for your brilliant support.

Regards

Oh OK, I missed the line from the VCS Expressway to the Internet directly.

Then, yes, the flow you mention is correct.

However, I strongly recommend using the firewall rule configuration on the VCS to manage traffic from the internet to VCS Expressway Ether port 1, to maintain a certain level of security.
