Enabling the proxy to forward h.323 packets, Isolating the multimedia network – Cisco H.323 VC-289 User Manual


Configuring H.323 Gatekeepers and Proxies

H.323 Gatekeeper Configuration Examples


Cisco IOS Voice, Video, and Fax Configuration Guide

Enabling the Proxy to Forward H.323 Packets

To enable the proxy to forward H.323 packets received from the edge network to the multimedia
backbone, designate the interface that connects the proxy to the multimedia backbone as the ASR
interface by entering the h323 asr command in interface configuration mode. Enabling the proxy to
forward H.323 packets satisfies the first goal identified earlier in this section.

Because the proxy terminates two call legs of an H.323 call and bridges them, any H.323 packet that
traverses the proxy will have the proxy address either in its source field or in its destination field.

To prevent problems that can occur in proxies that have multiple IP addresses, designate only one
interface to be the proxy interface by entering the h323 interface command in interface configuration
mode. Then all H.323 packets that originate from the proxy will have the address of this interface in their
source fields, and all packets that are destined to the proxy will have the address of this interface in their
destination fields.

Figure 62 illustrates that all physical proxy interfaces belong either to the multimedia network or to the
edge network. These two networks must be isolated from each other for the proxy to be closed; however,
the proxy interface must be addressable from both the edge network and the multimedia network. For
this reason, a loopback interface must be created on the proxy and configured as the proxy interface.

It is possible to make the loopback interface addressable from both the edge network and the multimedia
network without exposing any physical subnets on one network to routers on the other network. Only
packets that originate from the proxy or packets that are destined to the proxy can pass through the proxy
interface to the multimedia backbone in either direction. All other packets are considered unintended
packets and are dropped. This can be achieved by configuring access control lists (ACLs) so that the
closed proxy acts like a firewall that only allows H.323 packets to pass through the ASR interface. This
satisfies the second goal identified earlier in this section, which is to ensure that only H.323-compliant
packets can access or traverse the multimedia backbone.
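
An added example, not taken from the Cisco manual: a Python audit of an IOS-style configuration for the closed-proxy conditions described above (one loopback carrying h323 interface, ACLs applied in both directions on the h323 asr interface, and permit entries limited to traffic to or from the proxy address). The sample configuration, its addresses, interface names, ACL number 101 and the allowance for EIGRP/OSPF entries are assumptions; only numbered ACLs are handled.

```python
import re
# Constructed sample: addresses, ACL number and interface names are assumptions.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.0.0.1 255.0.0.0
 h323 interface
!
interface Serial0
 ip access-group 101 in
 ip access-group 101 out
 h323 asr
!
access-list 101 permit ip any host 10.0.0.1
access-list 101 permit ip host 10.0.0.1 any
access-list 101 permit eigrp any any
"""
ROUTING = {"eigrp", "ospf"}  # assumption: routing updates may cross the ASR link

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if not line.startswith(" "):  # top-level line opens or closes a block
            current = interfaces.setdefault(header.group(1), []) if header else None
        elif current is not None:
            current.append(line.strip())
    return interfaces

def audit_closed_proxy(config):
    """Return findings; an empty list means every check passed."""
    ifs = parse_interfaces(config)
    proxy = [n for n, cmds in ifs.items() if "h323 interface" in cmds]
    if len(proxy) != 1 or not proxy[0].lower().startswith("loopback"):
        return ["'h323 interface' must be on exactly one loopback interface"]
    addr = next((c.split()[2] for c in ifs[proxy[0]] if c.startswith("ip address ")), "unset")
    to_proxy = re.compile(rf"host {re.escape(addr)}\b")  # "unset" matches nothing: all flagged
    asr = [n for n, cmds in ifs.items() if "h323 asr" in cmds]
    findings = [] if asr else ["no interface carries 'h323 asr'"]
    for name in asr:
        for direction in ("in", "out"):
            acl = next((c.split()[2] for c in ifs[name]
                        if re.fullmatch(rf"ip access-group \S+ {direction}", c)), None)
            if acl is None:
                findings.append(f"{name}: no ACL applied {direction}")
                continue
            for entry in re.findall(rf"^access-list {acl} permit (.+)$", config, re.M):
                if entry.split()[0] not in ROUTING and not to_proxy.search(entry):
                    findings.append(f"{name} {direction}: ACL {acl} permits '{entry}'")
    return findings
```

Calling audit_closed_proxy on a saved configuration returns one finding per violated condition, so an empty list is the pass result.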

Isolating the Multimedia Network

The last step is to configure the network so that non-H.323 traffic never attempts to traverse the
multimedia backbone and so that it never risks being dropped by the proxy. This is achieved by
completely isolating the multimedia network from all edge networks and from the data backbone and by
configuring routing protocols on the various components of the networks.

The example provided in Figure 62 requires availability of six IP address classes, one for each of the
four autonomous systems and one for each of the two loopback interfaces. Any Cisco-supported routing
protocol can be used on any of the autonomous systems, with one exception: Routing Information
Protocol (RIP) cannot be configured on two adjacent autonomous systems because this protocol does not
include the concept of an autonomous system. The result would be the merging of the two autonomous
systems into one.

If IP addresses are scarce, use subnetting, although the configuration can become complicated. In
this case, only the Enhanced IGRP, Open Shortest Path First (OSPF), and RIP Version 2 routing
protocols, which allow variable-length subnet masks (VLSMs), can be used.
