Configuring H.323 Gatekeepers and Proxies
This chapter describes how to configure the Cisco Multimedia Conference Manager. The Multimedia
Conference Manager provides gatekeeper and proxy capabilities required for service provisioning and
management of H.323-compliant networks.
This chapter includes the following sections:
•
•
•
•
•
•
For a complete description of the H.323 gatekeeper commands used in this chapter, refer to the
Cisco IOS Voice, Video, and Fax Command Reference. To locate documentation for other commands that
appear in this chapter, use the command reference master index or search online.
For more information regarding Resource Reservation Protocol (RSVP), synchronous reservation
timers, and slow connect, refer to the Cisco IOS Release 12.1(5)T VoIP Call Admission Control Using
RSVP or the Cisco IOS Quality of Service Solutions Configuration Guide.
chapter, use the Feature Navigator on Cisco.com to search for information about the feature or refer to
the software release notes for a specific release. For more information, see the “Identifying Supported
Platforms” section in the “Using Cisco IOS Software” chapter.
Multimedia Conference Manager Overview
Deploying H.323 applications and services requires careful design and planning for the network
infrastructure and for the H.323 devices. The Cisco H.323-compliant Multimedia Conference Manager
provides gatekeeper and proxy capabilities, which are required for service provisioning and management
of H.323 networks. With the Cisco Multimedia Conference Manager, your current internetwork can be
configured to route bit-intensive data, such as audio, telephony, video and audio telephony, and data
conferencing using existing telephone and ISDN links without degrading the current level of service of
the network. In addition, H.323-compliant applications can be implemented on existing networks in an
incremental fashion without upgrades.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-289
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
•
•
Zone and Subnet Configuration
A zone is defined as the set of H.323 nodes controlled by a single gatekeeper. Gatekeepers that coexist
on a network may be configured so that they register endpoints from different subnets.
Endpoints attempt to discover a gatekeeper and consequently the zone of which they are members by
using the Registration, Admission, and Status (RAS) message protocol. The protocol supports a
discovery message that may be sent multicast or unicast.
If the message is sent multicast, the endpoint registers nondeterministically with the first gatekeeper that
responds to the message. To enforce predictable behavior, where endpoints on certain subnets are
assigned to specific gatekeepers, the zone subnet command can be used to define the subnets that
constitute a given gatekeeper zone. Any endpoint on a subnet that is not enabled for the gatekeeper will
not be accepted as a member of that gatekeeper zone. If the gatekeeper receives a discovery message
from such an endpoint, it will send an explicit reject message.
Redundant H.323 Zone Support
Redundant H.323 zone support allows for the following:
•
•
•
•
Gatekeeper Multiple Zone Support
Redundant H.323 zone support allows users to configure multiple remote zones to service the same zone
or technology prefix. A user is able to configure more than one remote gatekeeper to which the local
gatekeeper can send location requests (LRQs). This allows for more reliable call completion.
Redundant H.323 zone support is supported on all gatekeeper-enabled IOS images.
Gateway Support for Alternate Gatekeepers
Redundant H.323 zone support in the gateway allows a user to configure two gatekeepers in the gateway
(one as the primary and the other as the alternate). All gatekeepers are active. The gateway can choose
to register with any one (but not both) at a given time. If that gatekeeper becomes unavailable, the
gateway registers with the other.
Redundant H.323 zone support is supported on all gateway-enabled images.
Zone Prefixes
The zone prefixes (typically area codes) serve the same purpose as the domain names in the H.323-ID
address space.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-291
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
For example, the local gatekeeper can be configured with the knowledge that zone prefix “212......” (that
is, any address beginning “212” and followed by 7 arbitrary digits) is handled by the gatekeeper
gatekeeper_2. Then, when the local gatekeeper is asked to admit a call to destination address
2125551111, it knows to send the LRQ to gatekeeper_2.
When gatekeeper_2 receives the request, the gatekeeper must resolve the address so that the call can be
sent to its final destination. There may be an H.323 endpoint with that E.164 address that has registered
with gatekeeper_2, in which case gatekeeper_2 returns the IP address for that endpoint. However, it is
possible that the E.164 address belongs to a non-H.323 device (for example, a telephone or an H.320
terminal). Because non-H.323 devices do not register with gatekeepers, gatekeeper_2 cannot resolve the
address. The gatekeeper must be able to select a gateway that can be used to reach the non-H.323 device.
This is where the technology prefixes (or “gateway-type”) become useful.
Technology Prefixes
The network administrator selects technology prefixes (tech-prefixes) to denote different types or classes
of gateways. The gateways are then configured to register with their gatekeepers with these prefixes. For
example, voice gateways can register with tech-prefix 1#, H.320 gateways with tech-prefix 2#, and
voicemail gateways with tech-prefix 3#. More than one gateway can register with the same type prefix.
When this happens, the gatekeeper makes a random selection among gateways of the same type.
If the callers know the type of device that they are trying to reach, they can include the technology prefix
in the destination address to indicate the type of gateway to use to get to the destination. For example, if
a caller knows that address 2125551111 belongs to a regular telephone, the destination address of
1#2125551111 can be used, where 1# indicates that the address should be resolved by a voice gateway.
When the voice gateway receives the call for 1#2125551111, it strips off the technology prefix and
bridges the next leg of the call to the telephone at 2125551111.
Gatekeeper-to-Gatekeeper Redundancy and Load-Sharing Mechanism
The gatekeeper-to-gatekeeper redundancy and load-sharing mechanism expands the capability that is
provided by the redundant H.323 zone support feature. Redundant H.323 zone support, which was
introduced in Cisco IOS Release 12.1(1)T, allows you to configure multiple gatekeepers to service the
same zone or technology prefix by sending LRQs to two or more gatekeepers.
With the redundant H.323 zone support feature, the LRQs are sent simultaneously (in a “blast” fashion)
to all of the gatekeepers in the list. The gateway registers with the gatekeeper that responds first. Then,
if that gatekeeper becomes unavailable, the gateway registers with another gatekeeper from the list.
The gatekeeper-to-gatekeeper redundancy and load-sharing mechanism allows you to configure
gatekeeper support and to give preference to specific gatekeepers. You may choose whether the LRQs
are sent simultaneously or sequentially (one at a time) to the remote gatekeepers in the list. If the LRQs
are sent sequentially, a delay is inserted after the first LRQ and before the next LRQ is sent. This delay
allows the first gatekeeper to respond before the LRQ is sent to the next gatekeeper. The order in which
LRQs are sent to the gatekeepers is based on the order in which the gatekeepers are listed (using either
the zone prefix command or the gw-type-prefix command).
Once the local gatekeeper has sent LRQs to all the remote gatekeepers in the list (either simultaneously
or sequentially), if it has not yet received a location confirmation (LCF), it opens a “window.” During
this window, the local gatekeeper waits to see whether a LCF is subsequently received from any of the
remote gatekeepers. If no LCF is received from any of the remote gatekeepers while the window is open,
the call is rejected.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-292
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
Terminal Name Registration
Gatekeepers recognize one of two types of terminal aliases, or terminal names:
•
•
H.323 IDs, which are arbitrary, case-sensitive text strings
E.164 addresses, which are telephone numbers
If an H.323 network deploys interzone communication, each terminal should at least have a fully
qualified e-mail name as its H.323 identification (ID), for example, [email protected]. The domain name
of the e-mail ID should be the same as the configured domain name for the gatekeeper of which it is to
be a member. As in the previous example, the domain name would be cisco.com.
Interzone Communication
To allow endpoints to communicate between zones, gatekeepers must be able to determine which zone
an endpoint is in and be able to locate the gatekeeper responsible for that zone. If the Domain Name
System (DNS) mechanism is available, a DNS domain name can be associated with each gatekeeper. See
how to configure DNS.
RADIUS and TACACS+
Version 1 of the H.323 specification does not provide a mechanism for authenticating registered
endpoints. Credential information is not passed between gateways and gatekeepers. However, by
enabling AAA on the gatekeeper and configuring for RADIUS and TACACS+, a rudimentary form of
identification can be achieved.
If the AAA feature is enabled, the gatekeeper attempts to use the registered aliases along with a password
and completes an authentication transaction to a RADIUS and TACACS+ server. The registration will
be accepted only if RADIUS and TACACS+ successfully authenticates the name.
The gatekeeper can be configured so that a default password can be used for all users. The gatekeeper
can also be configured so that it recognizes a password separator character that allows users to piggyback
their passwords onto H.323-ID registrations. In this case, the separator character separates the ID and
password fields.
Note
The names loaded into RADIUS and TACACS+ are probably not the same names provided for dial
access because they may all have the same password.
Accounting via RADIUS and TACACS+
If AAA is enabled on the gatekeeper, the gatekeeper will emit an accounting record each time a call is
admitted or disconnected.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-293
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
Interzone Routing Using E.164 Addresses
Interzone routing may be configured using E.164 addresses.
Two types of address destinations are used in H.323 calls. The destination can be specified using either
an H.323-ID address (a character string) or an E.164 address (a string that contains telephone keypad
characters). The way interzone calls are routed depends on the type of address being used.
When using H.323-ID addresses, interzone routing is handled through the use of domain names. For
example, to resolve the domain name [email protected], the source endpoint gatekeeper finds the
gatekeeper for cisco.com and sends it the location request for the target address [email protected]. The
destination gatekeeper looks in its registration database, sees bob registered, and returns the appropriate
IP address to get to bob.
When using E.164 addresses, call routing is handled through zone prefixes and gateway-type prefixes,
also referred to as technology prefixes. The zone prefixes, which are typically area codes, serve the same
purpose as domain names in H.323-ID address routing. Unlike domain names, however, more than one
zone prefix can be assigned to one gatekeeper, but the same prefix cannot be shared by more than one
gatekeeper.
Use the zone prefix command to define gatekeeper responsibilities for area codes. The command can
also be used to tell the gatekeeper which prefixes are in its own zones and which remote gatekeepers are
responsible for other prefixes.
Note
Area codes are used as an example in this section, but a zone prefix need not be an area code. It can
be a country code, an area code plus local exchange (NPA-NXX), or any other logical hierarchical
partition.
The following sample command shows how to configure a gatekeeper with the knowledge that zone
prefix 212....... (that is, any address beginning with area code 212 and followed by seven arbitrary digits)
is handled by gatekeeper gk-ny:
my-gatekeeper(config-gk)# zone prefix gk-ny 212.......
When my-gatekeeper is asked to admit a call to destination address 2125551111, it knows to send the
location request to gk-ny.
However, once the query gets to gk-ny, gk-ny still needs to resolve the address so that the call can be
sent to its final destination. There could be an H.323 endpoint that has registered with gk-ny with that
E.164 address, in which case gk-ny would return the IP address for that endpoint. However, it is more
likely that the E.164 address belongs to a non-H.323 device, such as a telephone or an H.320 terminal.
Because non-H.323 devices do not register with gatekeepers, gk-ny has no knowledge of which device
the address belongs to or which type of device it is, so the gatekeeper cannot decide which gateway
should be used for the hop off to the non-H.323 device. (The term hop off refers to the point at which the
call leaves the H.323 network and is destined for a non-H.323 device.)
Note
The number of zone prefixes defined for a directory gatekeeper that is dedicated to forwarding LRQs,
and not for handling local registrations and calls, should not exceed 10,000; 4 MB of memory must
be dedicated to describing zones and zone prefixes to support this maximum number of zone prefixes.
The number of zone prefixes defined for a gatekeeper that handles local registrations and calls should
not exceed 2000.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-294
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
To enable the gatekeeper to select the appropriate hop-off gateway, use the gw-type-prefix command to
configure technology or gateway-type prefixes. Select technology prefixes to denote different types or
classes of gateways. The gateways are then configured to register with their gatekeepers using these
technology prefixes.
For example, voice gateways might register with technology prefix 1#, and H.320 gateways might
register with technology prefix 2#. If there are several gateways of the same type, configure them to
register with the same prefix type. By having them register with the same prefix type, the gatekeeper
treats the gateways as a pool out of which a random selection is made whenever a call for that prefix type
arrives. If a gateway can serve more than one type of hop-off technology, it can register more than one
prefix type with the gatekeeper.
Callers will need to know the technology prefixes that are defined. The callers will need to know the type
of device they are trying to reach and will need to prepend the appropriate technology prefix to the
destination address to indicate the type of gateway needed to reach the destination.
For example, callers might request 1#2125551111 if they know that address 2125551111 is for a
telephone and that the technology prefix for voice gateways is 1#. The voice gateway is configured with
a dial peer (using the dial-peer command) so that when the gateway receives the call for 1#2125551111,
it strips off the technology prefix 1# and bridges the next leg of the call to the telephone at 2125551111.
In cases in which the call scenario is as shown in Figure 57, voice-gw1 can be configured to prepend the
voice technology prefix 1# so that the use of technology prefixes is completely transparent to the caller.
Figure 57
Call Scenario
H.323 network
PSTN
PSTN
Telephone
voice-gw1
voice-gw2
Telephone
Additionally, in using the gw-type-prefix command, a particular gateway-type prefix can be defined as
the default gateway type to be used for addresses that cannot be resolved. It also forces a technology
prefix to always hop off in a particular zone.
If the majority of calls hop off on a particular type of gateway, the gatekeeper can be configured to use
that type of gateway as the default type so that callers no longer have to prepend a technology prefix on
the address. For example, if voice gateways are mostly used in a network, and all voice gateways have
been configured to register with technology prefix 1#, the gatekeeper can be configured to use 1#
gateways as the default technology if the following command is entered:
my-gatekeeper(config-gk)# gw-type-prefix 1# default-technology
Now a caller no longer needs to prepend 1# to use a voice gateway. Any address that does not contain
an explicit technology prefix will be routed to one of the voice gateways that registered with 1#.
With this default technology definition, a caller could ask the gatekeeper for admission to 2125551111.
If the local gatekeeper does not recognize the zone prefix as belonging to any remote zone, it will route
the call to one of its local (1#) voice gateways so that the call hops off locally. However, if it knows that
gk-ny handles the 212 area code, it can send a location request for 2125551111 to gk-ny. This requires
that gk-ny also be configured with some default gateway type prefix and that its voice gateways be
registered with that prefix type.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-295
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Features
Note
For ease of maintenance, the same prefix type should be used to denote the same gateway type in all
zones under your administration. No more than 50 different technology prefixes should be registered
per zone.
Also, with the gw-type-prefix command, a hop off can be forced to a particular zone. When an endpoint
or gateway makes a call-admission request to its gatekeeper, the gatekeeper determines the destination
address by first looking for the technology prefix. When that is matched, the remaining string is
compared against known zone prefixes. If the address is determined to be a remote zone, the entire
address, including technology and zone prefixes, is sent to the remote gatekeeper in a location request.
That remote gatekeeper then uses the technology prefix to decide on which of its gateways to hop off. In
other words, the zone prefix (defined using the zone prefix command) determines the routing to a zone,
and once there, the technology prefix (defined using the gw-type-prefix command) determines the
gateway to be used in that zone. The zone prefix takes precedence over the technology prefix.
This behavior can be overridden by associating a forced hop-off zone with a particular technology prefix.
Associating a forced hop-off zone with a particular technology prefix forces the call to the specified
zone, regardless of what the zone prefix in the address is. As an example, you are in the 408 area code
and want callers to the 212 area code in New York to use H.323-over-IP and hop off there because it
saves on costs. However, the only H.320 gateway is in Denver. In this example, calls to H.320 endpoints
must be forced to hop off in Denver, even if the destination H.320 endpoint is in the 212 area code. The
forced hop-off zone can be either a local zone (that is, one that is managed by the local gatekeeper) or a
remote zone.
HSRP Support
Cisco routers support Hot Standby Router Protocol (HSRP), which allows one router to serve as a backup
to another router. Cisco gatekeepers can be configured to use HSRP so that when one gatekeeper fails,
the standby gatekeeper assumes its role.
To configure a gatekeeper to use HSRP, perform the following tasks:
•
Select one interface on each gatekeeper to serve as the HSRP interface and configure these two
interfaces so that they belong to the same HSRP group but have different priorities. The one with
the higher priority will be the active gatekeeper; the other assumes the standby role. Make a note of
the virtual HSRP IP address shared by both of these interfaces. (For details on HSRP and HSRP
configuration, refer to the Cisco IOS IP Configuration Guide.)
•
•
•
Configure the gatekeepers so that the HSRP virtual IP address is the RAS address for all local zones.
Make sure that the gatekeeper-mode configurations on both routers are identical.
If the endpoints and gateways are configured so that they use a specific gatekeeper address (rather
than multicasting), use the HSRP virtual IP address as the gatekeeper address. You can also let the
endpoints and gateways find the gatekeeper by multicasting. As long as it is on standby status, the
secondary gatekeeper neither receives nor responds to multicast or unicast requests.
As long as both gatekeepers are up, the one with the higher priority on its HSRP interface will be the
active gatekeeper. If this active gatekeeper fails, or if its HSRP interface fails, the standby HSRP
interface assumes the virtual HSRP address and, with it, the active gatekeeper role. When the gatekeeper
with the higher HSRP priority comes back online, it reclaims the HSRP virtual address and the
gatekeeper function, while the secondary gatekeeper goes back to standby status.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-296
Configuring H.323 Gatekeepers and Proxies
H.323 Proxy Features
Note
Gatekeeper failover will not be completely transparent to endpoints and gatekeepers. When the
standby gatekeeper takes over, it does not have the state of the failed gatekeeper. If an endpoint that
had registered with the failed gatekeeper now makes a request to the new gatekeeper, the gatekeeper
responds with a reject, indicating that it does not recognize the endpoint. The endpoint must
reregister with the new gatekeeper before it can continue H.323 operations.
For an example of configuring gatekeeper HSRP support, see the “H.323 Gatekeeper and Proxy
Configuration Examples” section.
H.323 Proxy Features
Each of the following sections describes how the proxy feature can be used in an H.323 network:
•
•
•
Security
When terminals signal each other directly, they must have direct access to each other’s addresses. This
exposes an attacker to key information about a network. When a proxy is used, the only addressing
information that is exposed to the network is the address of the proxy; all other terminal and gateway
addresses are hidden.
There are several ways to use a proxy with a firewall to enhance network security. The configuration to
be used depends on how capable the firewall is of handling the complex H.323 protocol suite. Each of
the following sections describes a common configuration for using a proxy with a firewall:
•
•
•
•
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-297
Configuring H.323 Gatekeepers and Proxies
H.323 Proxy Features
Proxy Inside the Firewall
H.323 is a complex, dynamic protocol that consists of several interrelated subprotocols. During H.323
call setup, the ports and addresses released with this protocol require a detailed inspection as the setup
progresses. If the firewall does not support this dynamic access control based on the inspection, a proxy
can be used just inside the firewall. The proxy provides a simple access control scheme, as illustrated in
Figure 58
Proxy Inside the Firewall
Terminals
Gatekeeper
Proxy
Edge router
Firewall
Outside
devices
Because the gatekeeper (using RAS) and the proxy (using call setup protocols) are the only endpoints
that communicate with other devices outside the firewall, it is simple to set up a tunnel through the
firewall to allow traffic destined for either of these two endpoints to pass through.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-298
Configuring H.323 Gatekeepers and Proxies
H.323 Proxy Features
Proxy in Co-Edge Mode
If H.323 terminals exist in an area with local interior addresses that must be translated to valid exterior
addresses, the firewall must be capable of decoding and translating all addresses passed in the various
H.323 protocols. If the firewall is not capable of this translation task, a proxy may be placed next to the
firewall in a co-edge mode. In this configuration, interfaces lead to both inside and outside networks.
Figure 59
Proxy in Co-Edge Mode
Edge router
Firewall
Outside
devices
Terminals
Gatekeeper
Proxy
In co-edge mode, the proxy can present a security risk. To avoid exposing a network to unsolicited
traffic, configure the proxy to route only proxied traffic. In other words, the proxy routes only H.323
protocol traffic that is terminated on the inside and then repeated to the outside. Traffic that moves in the
opposite direction can be configured this way as well.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-299
Configuring H.323 Gatekeepers and Proxies
H.323 Proxy Features
Proxy Outside the Firewall
To place the proxy and gatekeeper outside the firewall, two conditions must exist. First, the firewall must
support H.323 dynamic access control. Second, Network Address Translation (NAT) must not be in use.
If NAT is in use, each endpoint must register with the gatekeeper for the duration of the time it is online.
This will quickly overwhelm the firewall because a large number of relatively static, internal-to-external
address mappings will need to be maintained.
If the firewall does not support H.323 dynamic access control, the firewall can be configured with static
access lists that allow traffic from the proxy or gatekeeper through the firewall. This can present a
security risk if an attacker can spoof, or simulate, the IP addresses of the gatekeeper or proxy and use
Figure 60
Proxy Outside the Firewall
Edge router
Gatekeeper
Proxy
Terminals
Firewall
Outside
devices
Proxies and NAT
When a firewall is providing NAT between an internal and an external network, proxies may allow H.323
traffic to be handled properly, even in the absence of a firewall that can translate addresses for H.323
Table 24
Guidelines for Networks That Use NAT
For Networks Using NAT
Firewall with H.323 NAT
Firewall Without H.323 NAT
Firewall with dynamic access
control
Gatekeeper and proxy inside the Co-edge gatekeeper and proxy
firewall
Firewall without dynamic access Gatekeeper and proxy inside the Co-edge gatekeeper and proxy
control
firewall, with static access lists
on the firewall
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-300
Configuring H.323 Gatekeepers and Proxies
H.323 Proxy Features
Table 25
Guidelines for Networks That Do Not Use NAT
For Networks Not Using NAT
Firewall with Dynamic Access
Firewall with H.323. NAT
Firewall Without H.323 NAT
Gatekeeper and proxy inside the Gatekeeper and proxy inside the
Control
firewall
firewall
Gatekeeper and proxy outside
the firewall
Gatekeeper and proxy outside the
firewall
Firewall Without Dynamic
Access Control
Gatekeeper and proxy inside the Gatekeeper and proxy inside the
firewall, with static access lists firewall, with static access lists
on the firewall
on the firewall
Quality of Service
Quality of service (QoS) enables complex networks to control and predictably service a variety of
applications. QoS expedites the handling of mission-critical applications while sharing network
resources with noncritical applications. QoS also ensures available bandwidth and minimum delays
required by time-sensitive multimedia and voice applications. In addition, QoS gives network managers
control over network applications, improves cost-efficiency of WAN connections, and enables advanced
differentiated services. QoS technologies are elemental building blocks for other Cisco IOS-enabling
services such as its H.323-compliant gatekeeper. Overall call quality can be improved dramatically in
the multimedia network by using pairs of proxies between regions of the network where QoS can be
requested.
When two H.323 terminals communicate directly, the resulting call quality can range from good (for
high-bandwidth intranets) to poor (for most calls over the public network). As a result, deployment of
H.323 is almost always predicated on the availability of some high-bandwidth, low-delay,
low-packet-loss network that is separate from the public network or that runs overlaid with the network
as a premium service and adequate QoS.
Adequate QoS usually requires terminals that are capable of signaling such premium services. There are
two major ways to achieve such signaling:
•
•
RSVP to reserve flows having adequate QoS based on the media codecs of H.323 traffic
IP precedence bits to signal that the H.323 traffic is special and that it deserves higher priority
Unfortunately, the vast majority of H.323 terminals cannot achieve signaling in either of these ways.
The proxy can be configured to use any combination of RSVP and IP precedence bits.
The proxy is not capable of modifying the QoS between the terminal and itself. To achieve the best
overall QoS, ensure that terminals are connected to the proxy using a network that intrinsically has good
QoS. In other words, configure a path between a terminal and proxy that provides good bandwidth, delay,
and packet-loss characteristics without the terminal needing to request special QoS. A high-bandwidth
LAN works well for this.
Application-Specific Routing
To achieve adequate QoS, a separate network may be deployed that is partitioned away from the standard
data network. The proxy can take advantage of such a partitioned network using a feature known as
application-specific routing (ASR).
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-301
Configuring H.323 Gatekeepers and Proxies
H.323 Prerequisite Tasks and Restrictions
Application-specific routing is simple. When the proxy receives outbound traffic, it directs traffic to an
interface that is connected directly to the QoS network. The proxy does not send the traffic using an
interface that is specified for the regular routing protocol. Similarly, inbound traffic from other proxies
is received on the interface that is connected to the QoS network. This is true if all these other proxies
around the QoS network use ASR in a consistent fashion. ASR then ensures that ordinary traffic is not
routed into the QoS network by mistake.
Implementation of ASR ensures the following:
•
Each time a connection is established with another proxy, the proxy automatically installs a host
route pointing at the interface designated for ASR.
•
The proxy is configured to use a loopback interface address. The proxy address is visible to both the
ASR interface and all regular interfaces, but there are no routes established between the loopback
interface and the ASR interface. This ensures that no non-H.323 traffic is routed through the ASR
interface.
Note
ASR is not supported on Frame Relay or ATM interfaces for the Cisco MC3810 platform.
H.323 Prerequisite Tasks and Restrictions
This section contains prerequisite tasks and restrictions for configuring H.323 gatekeepers and proxies.
Redundant H.323 Zone Support
Redundant H.323 zone support has the following restrictions and limitations:
•
•
•
The gateway can register with only one gatekeeper at any given time.
Only E.164 address resolution is supported.
Because the gateway can register with only one gatekeeper at a time, redundant H.323 zone support
provides only redundancy and does not provide any load balancing.
•
Although redundant H.323 zone support allows you to configure alternate gatekeepers, it will not
insert information in the alternate gatekeeper field of some RAS messages.
Gatekeeper-to-Gatekeeper Redundancy and Load-Sharing Mechanism
The gatekeeper-to-gatekeeper redundancy and load-sharing mechanism has the following restrictions
and limitations:
•
•
•
•
The gatekeeper-to-gatekeeper redundancy and load-sharing mechanism requires the Cisco H.323
VoIP Gatekeeper for Cisco Access Platforms feature.
The order in which LRQs are sent to the gatekeepers is based on the order in which the gatekeepers
are listed. You cannot specify a priority number for a gatekeeper.
Regardless of the order in which the LRQs are sent, the gateway will still use the first gatekeeper
that sends an LCF.
The settings for delay between LRQs and the LRQ window are global and cannot be set on a
per-zone or technology-prefix basis.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-302
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
•
•
The number of remote gatekeepers multiplied by the delay per LRQ cannot exceed the Routing
Information Protocol (RIP) timeout. Therefore, we recommend that you limit your list of remote
gatekeepers to two or three.
If LRQ forwarding is enabled on the directory gatekeeper, the sequential setting for LRQs is
ignored.
•
•
Only E.164 address resolution is supported.
Using redundant H.323 zone support in the “directory gatekeeper” can generate extra RAS
messages. Therefore, the number of “directory gatekeeper” levels should be kept to a minimum (two
or three at the maximum).
H.323 Gatekeeper Configuration Task List
To configure Cisco gatekeepers, perform the tasks in the following sections. The tasks in these two
sections are required.
•
•
Configuring the Gatekeeper, page 303 (Required)
Configuring the Proxy, page 332 (Required)
Configuring the Gatekeeper
To configure gatekeepers, perform the tasks in the following sections. All of the tasks listed are required.
•
–
•
•
•
•
•
•
•
•
•
•
–
–
–
–
–
–
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-303
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Starting a Gatekeeper
To enter gatekeeper configuration mode and to start the gatekeeper, use the following commands
beginning in global configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Specifies a zone controlled by a gatekeeper.
The arguments are as follows:
Router(config-gk)# zone local gatekeeper-name
domain-name [ras-IP-address]
•
gatekeeper-name—Specifies the gatekeeper
name or zone name. This is usually the fully
domain-qualified host name of the gatekeeper.
For example, if the domain name is cisco.com,
the gatekeeper name might be gk1.cisco.com.
However, if the gatekeeper is controlling
multiple zones, the gatekeeper name for each
zone should be some unique string that has a
mnemonic value.
•
•
domain-name—Specifies the domain name
served by this gatekeeper.
ras-IP-address—(Optional) Specifies the IP
address of one of the interfaces on the
gatekeeper. When the gatekeeper responds to
gatekeeper discovery messages, it signals the
endpoint or gateway to use this address in future
communications.
Note
Setting this address for one local zone makes
it the address used for all local zones.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-304
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-gk)# zone prefix gatekeeper-name
e164-prefix [blast | seq] [gw-priority priority
gw-alias [gw-alias, ...]]
Step 3
Adds a prefix to the gatekeeper zone list.
The keywords and arguments are as follows:
•
gatekeeper-name—Specifies the name of a local
or remote gatekeeper, which must have been
defined by using the zone local or zone remote
command.
•
e164-prefix—Specifies an E.164 prefix in
standard form followed by dots (.). Each dot
represents a number in the E.164 address. For
example, 212....... is matched by 212 and any 7
numbers.
Note
Although a dot to represent each digit in an
E.164 address is the preferred configuration
method, you can also enter an asterisk (*) to
match any number of digits.
•
blast—(Optional) If you list multiple hopoffs,
indicates that the location requests (LRQs)
should be sent simultaneously to the gatekeepers
based on the order in which they were listed. The
default is seq.
•
•
seq—(Optional) If you list multiple hopoffs,
indicates that the LRQs should be sent
sequentially to the gatekeepers based on the
order in which they were listed. The default is
seq.
gw-priority priority gw-alias—(Optional) Use
the gw-priority option to define how the
gatekeeper selects gateways in its local zone for
calls to numbers that begin with prefix
e164-prefix. Do not use this option to set priority
levels for a prefix assigned to a remote
gatekeeper.
Use values from 0 to 10. A 0 value prevents the
gatekeeper from using the gateway gw-alias for
that prefix. Value 10 places the highest priority
on gateway gw-alias. If you do not specify a
priority value for a gateway, the value 5 is
assigned.
To assign the same priority value for one prefix
to multiple gateways, list all the gateway names
after the pri-0-to-10 value.
The gw-alias name is the H.323 ID of a gateway
that is registered or will register with the
gatekeeper. This name is set on the gateway with
the h323-gateway voip h.323-id command.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-305
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-gk)# zone subnet local-gatekeeper-name
[default | subnet-address {/bits-in-mask |
mask-address} enable]
Step 4
Defines a set of subnets that constitute the gatekeeper
zone. Enables the gatekeeper for each of these
subnets and disables it for all other subnets. (Repeat
for all subnets.)
The keywords and arguments are as follows:
•
local-gatekeeper-name—Specifies the name of
the local gatekeeper.
•
default—(Optional) Applies to all other subnets
that are not specifically defined by the
zone subnet command.
•
•
subnet-address—(Optional) Specifies the
address of the subnet that is being defined.
bits-in-mask—(Optional) Specifies the number
of bits of the mask to be applied to the subnet
address.
Note
•
The slash must be entered before this
argument.
mask-address—(Optional) Specifies the mask (in
dotted string format) to be applied to the subnet
address.
•
enable—(Optional) Specifies that the gatekeeper
accepts discovery and registration from the
specified subnets.
Note
To define the zone as being all but one set of
subnets by disabling that set and enabling all
other subnets, use the no form of the
command as follows: Configure no zone
subnet local-gatekeeper-name
subnet-address {/bits-in-mask |
mask-address} enable.
Note
To accept the default behavior, which is that
all subnets are enabled, use the no form of the
command as follows: no zone subnet
local-gatekeeper-name default enable.
Router(config-gk)# no shutdown
Step 5
Brings the gatekeeper online.
The local-gatekeeper-name argument should be a Domain Name System (DNS) host name if DNS is to
be used to locate remote zones.
The zone subnet command may be used more than once to create a list of subnets controlled by a
gatekeeper. The subnet masks need not match actual subnets in use at your site. For example, to specify
a particular endpoint, show its address as a 32-bit netmask.
If a local gatekeeper name is contained in the message, it must match the local-gatekeeper-name
argument.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-306
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Note
To explicitly enable or disable a particular endpoint, specify its host address using a 32-bit subnet
mask.
Configuring Intergatekeeper Communication
This section describes two ways to configure intergatekeeper communication:
•
•
Via DNS
To configure intergatekeeper communication using DNS, use the following commands in global
configuration mode:
Command
Purpose
Router(config)# ip name-server dns-server-name
[server-address2...server-address6]
Step 1
Specifies the DNS server address.
The arguments are as follows:
•
dns-server-name— Specifies the IP address of
the name server.
•
server-address2...server-address6—(Optional)
IP addresses of additional name servers (a
maximum of six name servers).
Router(config)# ip domain-name name
Step 2
Defines a default domain name that the Cisco IOS
software uses to complete unqualified host names
(names without a dotted-decimal domain name). The
name argument specifies the default domain name
used to complete unqualified host names. Do not
include the initial period that separates an unqualified
name from the domain name.
For all gatekeepers in the system, enter a text record of the form into DNS:
ras [gk-id@] host [:port] [priority]
The gk-id argument is an optional gatekeeper ID. If the optional gatekeeper ID is not specified, host is
used as the gatekeeper ID.
The host argument is either an IP address or the actual host name of the gatekeeper in the form
host.some_domain.com.
The port argument, if specified, should be some port number other than RAS port 1719.
The priority argument specifies the order in which the listed gatekeepers should be searched for
endpoints. Gatekeepers with lower priorities are searched before those with higher numbers.
How you enter the text record for a particular domain depends on the DNS implementation. The
following examples are for the Berkeley Internet Name Domain (BIND). These records are typically
entered into the “hosts” database:
zone1.comintxt“ras gk.zone1.com”
zone2.comintxt“ras [email protected]”
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-307
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
zone3.comintxt“ras [email protected]:1725”
zone4.comintxt“ras [email protected]:1725 123”
zone5.comintxt“ras [email protected]:1725”
Manual Configuration
If you choose not to use DNS or if DNS is not available, configure intergatekeeper communication
manually. To configure intergatekeeper manual communication, use the following command in
gatekeeper configuration mode for every other gatekeeper in the network:
Command
Purpose
Router(config-gk)# zone remote other-gatekeeper-name
other-domain-name other-gatekeeper-ip-address
[port-number]
Statically specifies a remote zone if Domain Name System
(DNS) is unavailable or undesirable. Enter this command
for each gatekeeper.
The arguments are as follows:
•
•
•
•
other-gatekeeper-name—Specifies the name of the
remote gatekeeper.
other-domain-name—Specifies the domain name of
the remote gatekeeper.
other-gatekeeper-ip-address—Specifies the IP
address of the remote gatekeeper.
port-number—(Optional) Specifies the RAS signaling
port number for the remote zone. Value ranges are
from 1 to 65,535. If this option is not set, the default is
the well-known RAS port number 1719.
Configuring Redundant H.323 Zone Support
Regardless of whether you specify sequential or blast, there is an order to how the LRQs are sent. With
sequential, the LRQs are sent one at a time with a delay between each. With blast, the LRQs are sent
back-to-back in a rapid sequence without any delay between them. The order in which zone and
technology prefixes are configured determines the order in which the LRQs are sent to the remote
gatekeepers. Using zone prefixes as an example, the local gatekeeper routes the call to the first zone that
responds with an LCF. If the local gatekeeper is configured for a zone prefix that already has remote
gatekeepers configured, the local gatekeeper will automatically put that zone prefix at the top of the list.
For example:
gatekeeper
zone local gnet-2503-2-gk cisco.com
zone remote gnet-2600-1-gk cisco.com 172.18.194.131 1719
zone remote gnet-2503-3-gk cisco.com 172.18.194.134 1719
zone prefix gnet-2600-1-gk 919.......
zone prefix gnet-2503-6-gk 919.......
With this configuration, LRQs are first sent to gnet-2600-1-gk (which is the first zone prefix because it
has a remote gatekeeper configured for it) and then to gnet-2503-6-gk (which is the second zone prefix).
If you add the local gatekeeper to that zone prefix, it automatically goes to the top of the list, as shown
below:
gatekeeper
zone local gnet-2503-2-gk cisco.com
zone remote gnet-2600-1-gk cisco.com 172.18.194.131 1719
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-308
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
zone remote gnet-2503-3-gk cisco.com 172.18.194.134 1719
zone prefix gnet-2503-2-gk 919.......
zone prefix gnet-2600-1-gk 919.......
zone prefix gnet-2503-6-gk 919.......
As you can see, the zone prefix for the local gatekeeper (gnet-2503-2-gk) has been inserted at the top of
the zone prefix list. If the local gatekeeper can resolve the address, it will not send LRQs to the remote
zones.
If you are configuring technology prefixes, the zone prefix for the local gatekeeper should be inserted at
the top of the zone prefix list. If the local gatekeeper can resolve the address, it will not send LRQs to
the remote zones.
Configuring Local and Remote Gatekeepers
To configure local and remote gatekeepers, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Specifies a zone controlled by a gatekeeper.
The arguments are as follows:
Router(config-gk)# zone local gatekeeper-name
domain-name [ras-IP-address]
•
gatekeeper-name—Specifies the gatekeeper name or
zone name. This is usually the fully
domain-qualified host name of the gatekeeper. For
example, if the domain name is cisco.com, the
gatekeeper name might be gk1.cisco.com. However,
if the gatekeeper is controlling multiple zones, the
gatekeeper name for each zone should be some
unique string that has a mnemonic value.
•
•
domain-name—Specifies the domain name served
by this gatekeeper.
ras-IP-address—(Optional) Specifies the IP address
of one of the interfaces on the gatekeeper. When the
gatekeeper responds to gatekeeper discovery
messages, it signals the endpoint or gateway to use
this address in future communications.
Note
Setting this address for one local zone makes it
the address used for all local zones.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-309
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-gk)# zone remote
Step 3
Configures the remote gatekeeper.
The arguments are as follows:
other-gatekeeper-name other-domain-name
other-gatekeeper-ip-address
[port-number]
•
•
•
•
other-gatekeeper-name—Name of the remote
gatekeeper.
other-domain-name—Domain name of the remote
gatekeeper.
other-gatekeeper-ip-address—IP address of the
remote gatekeeper.
port-number—(Optional) RAS signaling port
number for the remote zone. Value ranges from 1 to
65,535. If this option is not set, the default is the
well-known RAS port number 1719.
Configuring Redundant Gatekeepers for a Zone Prefix
To configure redundant gatekeepers for a zone prefix, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Adds a prefix to the gatekeeper zone list.
Router(config-gk)# zone prefix gatekeeper-name
e164-prefix [blast | seq] [gw-priority priority
gw-alias [gw-alias, ...]]
For an explanation of the keywords and arguments,
see Step 3 of the configuration task table in the
You can configure multiple remote gatekeepers for the same prefix, but only one of the gatekeepers
defined for any given zone prefix can be local. It is recommended that you limit the number of remote
gatekeepers that service the same zone prefix to two.
By default, LRQs are sent sequentially to the remote gatekeepers. If you would like the LRQs to be sent
simultaneously (blast), you need only specify the blast keyword on one zone prefix command per E.164
prefix.
Verifying Zone Prefix Redundancy
To verify the order in which LRQs will be sent to the gatekeepers defined for a zone prefix, enter the
show gatekeeper zone prefix command. The following output lists all the gatekeepers, in order, and the
zone prefixes serviced by each.
router# show gatekeeper zone prefix
ZONE PREFIX TABLE
=================
GK-NAME
-------
c3620-1-gk
c2514-2-gk
c2600-1-gk
c2514-1-gk
E164-PREFIX
-----------
917300....
917300....
919.......
919.......
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-310
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
To verify whether the LRQs will be sent sequentially or simultaneously to the gatekeepers, enter the
show running-config command. If the LRQs will be sent simultaneously, blast will appear beside the
first entry for a particular zone (as shown in the following output for zone 919).
Router# show running-config
Building configuration...
Current configuration:
!
gatekeeper
zone remote c3620-1-gk cisco.com 172.18.194.79 1719
zone remote c2514-2-gk cisco.com 172.18.194.89 1719
zone remote gk-cisco-paul cisco.com 172.18.193.155 1719
zone prefix c3620-1-gk 917300....
zone prefix c2514-2-gk 917300....
zone prefix c2514-2-gk 919....... blast
zone prefix c3620-1-gk 919.......
Configuring Redundant Gatekeepers for a Technology Prefix
To configure redundant gatekeepers for a technology prefix, use the following commands beginning in
global configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config-gk)# gw-type-prefix type-prefix
[[hopoff gkid1] [hopoff gkid2] [hopoff gkidn] [seq |
blast]] [default-technology] [[gw ipaddr ipaddr
[port]]...]
Configures the gatekeepers to service a technology
zone and specifies whether LRQs should be sent in
blast or sequential fashion. The default is
sequential.
The keywords and arguments are as follows:
•
type-prefix—Specifies that a technology prefix
is recognized and stripped before checking for
the zone prefix. It is strongly recommended
that you select technology prefixes that do not
lead to ambiguity with zone prefixes. Do this
by using the # character to terminate
technology prefixes, for example, 3#.
•
hopoff gkid—(Optional) Specifies the
gatekeeper where the call is to hop off,
regardless of the zone prefix in the destination
address. The gkid argument refers to a
gatekeeper previously configured using the
zone local or zone remote command. You can
enter this keyword and argument multiple
times to configure redundant gatekeepers for a
given technology prefix.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-311
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
seq | blast—(Optional) If multiple hopoffs are
listed, indicates that the location requests
(LRQs) should be sent sequentially or
simultaneously (blast) to the gatekeepers
based on the order in which they were listed.
The default is to send them sequentially.
•
•
default-technology—(Optional) Specifies
that gateways that register with this prefix
option are used as the default for routing any
addresses that are otherwise unresolved.
gw ipaddr ipaddr [port]—(Optional)
Indicates that the gateway is incapable of
registering technology prefixes. When it
registers, it adds the gateway to the group for
this type-prefix, just as if it had sent the
technology prefix in its registration. This
parameter can be repeated to associate more
than one gateway with a technology prefix.
You can enter the hopoff keyword and gkid argument multiple times in the same command to define a
group of gatekeepers that will service a given technology prefix. After you have listed all of the
gatekeepers that will service that technology zone, you can specify whether the LRQs should be sent in
blast or sequential fashion.
Note
Only one of the gatekeepers in the hopoff list can be local. We recommend that you limit the number
of remote gatekeepers that service the same technology prefix to two.
Verifying Technology Prefix Redundancy
To verify that multiple gatekeepers are defined for a technology prefix, enter the show gatekeeper
gw-type-prefix command. The following output displays the gateway technology prefix table.
router# show gatekeeper gw-type-prefix
(GATEWAYS-TYPE PREFIX TABLE
================================
Prefix:3#*
(Hopoff zone c2600-1-gk c2514-1-gk)
To verify whether the LRQs will be sent sequentially or simultaneously to the gatekeepers, enter the
show running-config command. If the LRQs will be sent simultaneously, blast will appear at the end of
the gw-type-prefix line (as shown below).
Router# show running-config
Building configuration...
Current configuration:
!
gatekeeper
zone remote c2600-1-gk cisco.com 172.18.194.70 1719
zone remote c2514-1-gk cisco.com 172.18.194.71 1719
gw-type-prefix 3#* hopoff c2600-1-gk hopoff c2514-1-gk blast
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-312
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring Static Nodes
In some cases, the registration information is not accessible for a terminal or endpoint from any
gatekeeper. This inaccessible registration information may be because the endpoint does not use RAS,
is in an area where no gatekeeper exists, or is in a zone where the gatekeeper addressing is unavailable
either through DNS or through configuration.
These endpoints can still be accessed via a gatekeeper by entering them as static nodes. To enter the
endpoints as static nodes, obtain the address of the endpoint and then use the following commands
beginning in global configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config-gk)# zone local gatekeeper-name
domain-name [ras-IP-address]
Specifies a zone controlled by a gatekeeper.
For an explanation of the arguments, see Step 2 of the
configuration task table in the “Starting a
Router(config-gk)# alias static ip-signalling-addr
[port] gkid gatekeeper-name [ras ip-ras-addr port]
[terminal | mcu | gateway {h320 |h323-proxy | voip}]
[e164 e164-address] [h323id h323-id]
Step 3
Creates a static entry in the local alias table for each
E.164 address. Repeat this step for each E.164
address you want to add for the endpoint.
The keywords and arguments are as follows:
•
•
•
•
ip-signalling-addr—Specifies the IP address of
the H.323 node, used as the address to signal
when establishing a call.
port—(Optional) Specifies the port number other
than the endpoint call-signaling well-known port
number (1720).
gkid gatekeeper-name—Specifies the name of
the local gatekeeper of whose zone this node is a
member.
ras ip-ras-addr—(Optional) Specifies the node
remote access server (RAS) signaling address. If
omitted, the ip-signalling-addr parameter is used
in conjunction with the RAS well-known port.
•
•
•
•
•
port—(Optional) Specifies a port number other
than the RAS well-known port number (1719).
terminal—(Optional) Indicates that the alias
refers to a terminal.
mcu—(Optional) Indicates that the alias refers to
a multiple control unit (MCU).
gateway—(Optional) Indicates that the alias
refers to a gateway.
h320—(Optional) Indicates that the alias refers
to an H.320 node.h320—(Optional) Indicates
that the alias refers to an H.320 node.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-313
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
•
•
h-323 proxy—(Optional) Indicates that the alias
refers to an H.323 proxy.
voip—(Optional) Indicates that the alias refers to
VoIP.
e164 e164-address—(Optional) Specifies the
node E.164 address. This keyword and argument
can be used more than once to specify as many
E.164 addresses as needed. Note that there is a
maximum number of 128 characters that can be
entered for this address. To avoid exceeding this
limit, you can enter multiple alias static
commands with the same call-signaling address
and different aliases.
•
h323-id h323-id—(Optional) Specifies the node
H.323 alias. This keyword and argument can be
used more than once to specify as many H.323
identification (ID) aliases as needed. Note that
there is a maximum number of 256 characters
that can be entered for this address. To avoid
exceeding this limit, you can enter multiple
commands with the same call signaling address
and different aliases.
Configuring H.323 Users via RADIUS
To authenticate H.323 users via RADIUS, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# aaa new-model
Step 1
Step 2
Enables the authentication, authorization, and
accounting (AAA) access model.
Router(config)# aaa authentication login {default |
list-name} method1 [method2...]
Sets AAA authentication at login.
The keywords and arguments are as follows:
•
•
•
default—Uses the listed authentication methods
that follow this keyword as the default list of
methods when a user logs in.
list-name—Specifies the character string used to
name the list of authentication methods activated
when a user logs in.
method1 [method2...]—Specifies that at least one
of the keywords described below be used:
–
–
enable—Uses the enable password for
authentication.
krb5—Uses Kerberos 5 for authentication..
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-314
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
–
krb5-telnet—Uses the Kerberos 5 Telnet
authentication protocol when using Telnet to
connect to the router.
–
–
–
line—Uses the line password for
authentication.
local—Uses the local username database for
authentication
local-case—Uses case-sensitive local
username authentication.
–
–
none—Uses no authentication.
group radius—Uses the list of all RADIUS
servers for authentication.
–
–
group tacacs+—Uses the list of all
TACACS+ servers for authentication.
group group-name—Uses a subset of
RADIUS or TACACS+ servers for
authentication as defined by the group
server radius or aaa group server tacacs+
command.
Router(config)# radius-server host {hostname |
Step 3
Specifies the RADIUS server host.
ip-address} [auth-port port-number] [acct-port
port-number] [timeout seconds] [retransmit retries]
[key string]
The keywords and arguments are as follows:
•
•
•
hostname—Specifies the Domain Name System
(DNS) name of the RADIUS server host.
ip-address—Specifies the IP address of the
RADIUS server host.
auth-port—(Optional) Specifies the User
Datagram Protocol (UDP) destination port for
authentication requests.
•
port-number—(Optional) Specifies the port
number for authentication requests; the host is
not used for authentication if set to 0. If
unspecified, the port number defaults to 1645.
•
•
acct-port—(Optional) Specifies the UDP
destination port for accounting requests.
port-number—(Optional) Specifies the port
number for accounting requests; the host is not
used for accounting if set to 0. If unspecified, the
port number defaults to 1646.
•
•
acct-port—(Optional) Specifies the UDP
destination port for accounting requests.
port-number—(Optional) Specifies the port
number for accounting requests; the host is not
used for accounting if set to 0. If unspecified, the
port number defaults to 1646.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-315
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
timeout—(Optional) Specifies the time interval
(in seconds) for which the router waits for the
RADIUS server to reply before retransmitting.
This setting overrides the global value of the
radius-server timeout command. If no timeout
value is specified, the global value is used. Enter
a value in the range of from 1 to 1000.
•
•
seconds—(Optional) Specifies the timeout value.
Enter a value in the range of from 1 to 1000. If no
timeout value is specified, the global value is
used.
retransmit—(Optional) Specifies the number of
times a RADIUS request is resent to a server if
that server is not responding or responding
slowly. This setting overrides the global setting
of the radius-server retransmit command.
•
•
retries—(Optional) Specifies the retransmit
value. Enter a value in the range of from 1 to 100.
If no retransmit value is specified, the global
value is used.
key—(Optional) Specifies the authentication and
encryption key used between the router and the
RADIUS daemon running on this RADIUS
server. This key overrides the global setting of
the radius-server key command. If no key string
is specified, the global value is used.
The key is a text string that must match the
encryption key used on the RADIUS server.
Always configure the key as the last item in the
radius-server host command syntax. This is
because the leading spaces are ignored, but
spaces within and at the end of the key are used.
If you use spaces in the key, do not enclose the
key in quotation marks unless the quotation
marks themselves are part of the key.
•
string—(Optional) Specifies the authentication
and encryption key for all RADIUS
communications between the router and the
RADIUS server. This key must match the
encryption used on the RADIUS daemon. All
leading spaces are ignored, but spaces within and
at the end of the key are used. If you use spaces
in your key, do not enclose the key in quotation
marks unless the quotation marks themselves are
part of the key.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-316
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# radius-server key {0 string | 7
string | string}
Step 4
Sets the authentication and encryption key for all
RADIUS communications between the router and the
RADIUS daemon.
The arguments are as follows:
•
•
0—Specifies that an unencrypted key will follow.
string—Specifies the unencrypted (cleartext)
shared key.
•
•
•
7—Specifies that a hidden key will follow.
string—Specifies the hidden shared key.
string—Specifies the unencrypted (cleartext)
shared key.
Router(config)# gatekeeper
Step 5
Step 6
Enters gatekeeper configuration mode.
Router(config-gk)# security {any | h323-id | e164}
{password default password | password separator
character}
Enables authentication and authorization on a
gatekeeper.
The keywords and arguments are as follows:
•
any—Uses the first alias of an incoming
Registration, Admission, and Status (RAS)
registration, regardless of its type, as the means
of identifying the user to RADIUS/TACACS+.
•
•
•
h323-id—Uses the first H.323 ID type alias as
the means of identifying the user to
RADIUS/TACACS+.
e164—Uses the first E.164 address type alias as
the means of identifying the user to
RADIUS/TACACS+.
password default password—Specifies the
default password that the gatekeeper associates
with endpoints when authenticating them with an
authentication server. The password must be
identical to the password on the authentication
server.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-317
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
password separator character—Specifies the
character that endpoints use to separate the
H.323-ID from the piggybacked password in the
registration. This allows each endpoint to supply
a user-specific password. The separator character
and password will be stripped from the string
before it is treated as an H.323-ID alias to be
registered.
Note that passwords may be piggybacked only in
the H.323-ID, not the E.164 address. This is
because the E.164 address allows a limited set of
mostly numeric characters. If the endpoint does
not wish to register an H.323-ID, it can still
supply an H.323-ID that consists of just the
separator character and password. This will be
understood to be a password mechanism, and no
H.323-ID will be registered.
After the previous steps have been completed, enter each user into the RADIUS database using either
the default password if using the security password default command or the actual passwords if using
the piggybacked password mechanism as the RADIUS authentication for that user. Enter either the user
H.323-ID or the E.164 address, depending on how the gatekeeper was configured.
For more information about configuring AAA services or RADIUS, refer to the Cisco IOS Security
Configuration Guide.
Configuring a RADIUS/AAA Server
To configure the RADIUS/AAA server with information about the gatekeeper for your network
installation, use the following commands beginning in global configuration mode:
Command
Purpose
Router(config)# aaa new-model
Step 1
Step 2
Enables the authentication, authorization, and
accounting (AAA) model.
Router(config)# aaa authentication login {default |
list-name} method1 [method2...]
Sets AAA authorization at login.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Router(config)# radius-server deadtime minutes
Step 3
Improves the server response time when some servers
might be unavailable. The minutes argument
specifies the length of time, in minutes, for which a
RADIUS server is skipped over by transaction
requests, up to a maximum of 1440 minutes (24
hours).
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-318
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# radius-server host {host-name |
Step 4
Specifies the RADIUS server host.
ip-address} [auth-port port-number] [acct-port
port-number] [timeout seconds] [retransmit retries]
[key string]
For an explanation of the keywords and arguments,
see Step 3 in the configuration task table in the
Router(config)# radius-server key {0 string | 7
string | string}
Step 5
Sets the authentication and encryption key for all
RADIUS communications between the router and the
RADIUS daemon.
For an explanation of the arguments, see Step 4 in the
configuration task table in the “Configuring H.323
In addition to the above configuration, make sure that the following information is configured in your
CiscoSecure AAA server:
•
In the /etc/raddb/clients file, ensure that the following information is provided.
#Client Name
#-----------
gk215.cisco.com
Key
-------------------
testing123
Where:
gk215.cisco.com is resolved to the IP address of the gatekeeper requesting authentication.
•
In the /etc/raddb/users file, ensure that the following information is provided:
User-Service-Type = Framed-User,
Login-Service = Telnet
Where:
[email protected] is the h323-id of the gateway authenticating to gatekeeper gk215.cisco.com.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-319
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring User Accounting Activity for RADIUS
After AAA has been enabled and the gateway has been configured to recognize RADIUS as the remote
security server providing authentication services, the next step is to configure the gateway to report user
activity to the RADIUS server in the form of connection accounting records. To send connection
accounting records to the RADIUS server, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# aaa accounting connection h323
{stop-only | start-stop | wait-start | none}
[broadcast] group group-name
Step 1
Defines the accounting method list H.323 with
RADIUS as a method.
The keywords and arguments are as follows:
•
stop-only—Sends a “stop” accounting notice at
the end of the requested user process.
•
start-stop—Sends a “start” accounting notice at
the beginning of a process and a “stop”
accounting notice at the end of a process. The
“start” accounting record is sent in the
background. The requested user process begins
regardless of whether the “start” accounting
notice was received by the accounting server.
•
wait-start—Sends a “start” accounting notice at
the beginning of a process and a “stop”
accounting notice at the end of a process. The
“start” accounting record is sent in the
background. The requested user process does not
begin until the “start” accounting notice is
received by the server.
•
•
none—Disables accounting services on this line
or interface.
broadcast—(Optional) Enables sending
accounting records to multiple AAA servers.
Simultaneously sends accounting records to the
first server in each group. If the first server is
unavailable, failover occurs using the backup
servers defined within that group.
•
group group-name—Specifies the server group
to be used for accounting services. The following
are valid server group names:
–
string—Specifies the character string used to
name a server group.
–
–
radius—Uses list of all RADIUS hosts.
tacacs+—Uses list of all TACACS+ hosts.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-320
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# gatekeeper
Step 2
Step 3
Enters gatekeeper configuration mode.
Router(config-gk)# aaa accounting
Enables authentication, authorization, and
accounting (AAA) of requested services for billing or
security purposes when you use RADIUS or
TACACS+.
For more information about AAA connection accounting services, refer to the Cisco IOS Security
Configuration Guide.
Configuring E.164 Interzone Routing
With Cisco IOS Release 12.0(3)T and later releases, interzone routing may be configured using E.164
addresses. To configure interzone routing in the E.164 address space, use the following commands
beginning in global configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config-gk)# zone local gatekeeper-name
domain-name [ras-IP-address]
Specifies a zone controlled by a gatekeeper.
For an explanation of the arguments, see Step 2 of the
configuration task table in the “Starting a
Router(config-gk)# zone remote other-gatekeeper-name
other-domain-name other-gatekeeper-ip-address
[port-number]
Step 3
Statically specifies a remote zone if Domain Name
System (DNS) is unavailable or undesirable. Enter
this command for each gatekeeper.
The arguments are as follows:
•
•
•
•
other-gatekeeper-name—Specifies the name of
the remote gatekeeper.
other-domain-name—Specifies the domain name
of the remote gatekeeper.
other-gatekeeper-ip-address—Specifies the IP
address of the remote gatekeeper.
port-number—(Optional) Specifies the
Registration, Admission, and Status (RAS)
signaling port number for the remote zone. Value
ranges are from 1 to 65,535. If this option is not
set, the default is the well-known RAS port
number 1719.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-321
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-gk)# zone prefix gatekeeper-name
e164-prefix [blast | seq] [gw-priority priority
gw-alias [gw-alias, ...]]
Step 4
Adds a prefix to the gatekeeper zone list.
For an explanation of the keywords and arguments,
see Step 3 of the configuration task table in the
Router(config-gk)# gw-type-prefix type-prefix
[[hopoff gkid1] [hopoff gkid2] [hopoff gkidn] [seq |
blast]] [default-technology] [[gw ipaddr ipaddr
[port]]...]
Step 5
Configures the gatekeepers to service a technology
zone and specifies whether location requests (LRQs)
should be sent in blast or sequential fashion. The
default is sequential.
For an explanation of the keywords and arguments,
see Step 2 of the configuration task table in the
Configuring H.323 Version 2 Features
To configure H.323 Version 2 features using the Cisco gatekeeper, perform the following configuration
tasks. The first two tasks are required; the others are optional. Make sure that you include a priority value
for selecting between multiple gateways when you configure the gatekeeper.
•
•
•
•
•
•
See the “H.323 Applications” chapter for further information on H.323 Version 2 features supported by
Cisco IOS software.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-322
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring a Dialing Prefix for Each Gateway
To configure a dialing prefix for each gateway, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Specifies a zone controlled by a gatekeeper.
The arguments are as follows:
Router(config-gk)# zone local
gatekeeper-name domain-name
[ras-IP-address]
•
gatekeeper-name—Specifies the gatekeeper name or zone name. This is
usually the fully domain-qualified host name of the gatekeeper. For
example, if the domain-name is cisco.com, the gatekeeper-name might be
gk1.cisco.com. However, if the gatekeeper is controlling multiple zones,
the gatekeeper-name for each zone should be some unique string that has
a mnemonic value.
•
•
domain-name—Specifies the domain name served by this gatekeeper.
ras-IP-address—(Optional) The IP address of one of the interfaces on the
gatekeeper. When the gatekeeper responds to gatekeeper discovery
messages, it signals the endpoint or gateway to use this address in future
communications.
Note
Setting this address for one local zone makes it the address used for all
local zones.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-323
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-gk)# zone prefix
Step 3
Adds a prefix to the gatekeeper zone list. To remove knowledge of a zone
prefix, use the no form of this command with the gatekeeper name and prefix.
To remove the priority assignment for a specific gateway, use the no form of
this command with the gw-priority option.
gatekeeper-name e164-prefix
[gw-priority pri-0-to-10
gw-alias [gw-alias, ...]]
The keywords and arguments are as follows:
•
gatekeeper-name—Specifies the name of a local or remote gatekeeper,
which must have been defined by using the zone local or zone remote
command.
•
e164-prefix—Specifies an E.164 prefix in standard form followed by dots
(.). Each dot represents a number in the E.164 address. For example,
212....... is matched by 212 and any seven numbers.
Note
Although a dot representing each digit in an E.164 address is the
preferred configuration method, you can also enter an asterisk (*) to
match any number of digits.
•
gw-priority pri-0-to-10 gw-alias—(Optional) Use the gw-priority
option to define how the gatekeeper selects gateways in its local zone for
calls to numbers that begin with prefix e164-prefix. Do not use this option
to set priority levels for a prefix assigned to a remote gatekeeper.
Use values from 0 to 10. A 0 value prevents the gatekeeper from using the
gateway gw-alias for that prefix. Value 10 places the highest priority on
gateway gw-alias. If you do not specify a priority value for a gateway, the
value 5 is assigned.
To assign the same priority value for one prefix to multiple gateways, list
all the gateway names after the pri-0-to-10 value.
The gw-alias name is the H.323 identification (ID) of a gateway that is
registered or that will register with the gatekeeper. This name is set on the
gateway with the h323-gateway voip h.323-id command.
To put all your gateways in the same zone, use the gw-priority option and specify which gateways are
used for calling different area codes. For example:
zone local localgk xyz.com
zone prefix localgk 408.......
zone prefix localgk 415....... gw-priority 10 gw1 gw2
zone prefix localgk 650....... gw-priority 0 gw1
The above commands accomplish the following:
•
•
Domain xyz.com is assigned to gatekeeper localgk.
Prefix 408 is assigned to gatekeeper localgk, and no gateway priorities are defined for it; therefore,
all gateways registering to localgk can be used equally for calls to the 408 area code. No special
gateway lists are built for the 408 prefix; a selection is made from the master list for the zone.
•
The prefix 415 is added to gatekeeper localgk, and priority 10 is assigned to gateways gw1 and gw2.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-324
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
•
•
Prefix 650 is added to gatekeeper localgk, and priority 0 is assigned to gateway gw1.
A priority 0 is assigned to gateway gw1 to exclude it from the gateway pool for prefix 650. When
gw2 registers with gatekeeper localgk, it is added to the gateway pool for each prefix as follows:
–
–
For gateway pool for 415, gateway gw2 is set to priority 10.
For gateway pool for 650, gateway gw2 is set to priority 5.
Configuring a Gatekeeper for Interaction with External Applications
There are two ways of configuring the gatekeeper for interaction with an external application. You can
configure a port number where the gatekeeper listens for dynamic registrations from applications. Using
this method, the application connects to the gatekeeper and specifies the trigger conditions in which it
is interested.
The second method involves using the command-line interface to statically configure the information
about the application and its trigger conditions, in which case the gatekeeper initiates a connection to
the external application.
To configure a gatekeeper (sj.xyz.com) that uses port 20000 for a specific connection with an external
server (Server-123), use the following commands beginning in global configuration mode. Server-123
has a number of triggers that are used to maintain a database of active gateways, which are used for active
call resolution.
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config)# server registration-port port-number
Establishes the server registration port that is used for
communication between the server and the
gatekeeper. The port-number argument specifies a
single range of values from 1 through 65,535 for the
port number on which the gatekeeper listens for
external server connections.
Server-123 establishes a connection with gatekeeper sj.xyz.com on port 20000 and sends a REGISTER
RRQ message to gatekeeper sj.xyz.com to express interest in all RRQs from voice gateways that support
a technology prefix of 1# or 2#.
The following is an example of a registration message:
REGISTER RRQ
Version-id:1
From:Server-123
To:sj.xyz.com
Priority:2
Notification-Only:
Content-Length:29
t=voice-gateway
p=1#
p=2#
When gatekeeper sj.xyz.com receives this message, the information supplied in the message is added to
the trigger list. Then, when an endpoint registers with this gatekeeper by using an RRQ that matches the
specified trigger condition in the message, the gatekeeper sends a notification to Server-123.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-325
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
The following is an example of an RRQ notification sent from the gatekeeper to the server when the
above trigger condition matches:
REQUEST RRQ
Version-id:1
From:sj.xyz.com
To:Server-123
Notification-Only:
Content-Length:89
c=I:172.18.00.00:1720
r=I:172.20.01.40:16523
a=H:gw3-sj
t=voice-gateway
p=1# 2#
Configuring a Prefix to a Gatekeeper Zone List
To add a prefix to a gatekeeper zone list, use the following commands beginning in global configuration
mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Adds a prefix to the gatekeeper zone list.
Router(config-gk)# zone prefix gatekeeper-name
e164-prefix [blast | seq] [gw-priority priority
gw-alias [gw-alias, ...]]
For an explanation of the keywords and arguments,
see Step 3 of the configuration task table in the
Note
Note that the zone prefix command matches a prefix to a gateway. It does not register the gateway.
The gateway must register with the gatekeeper before calls can be completed through that gateway.
Verifying an Added Prefix
To view the prefixes added to the gatekeeper zone list, use the show gatekeeper zone prefix command.
To see gatekeeper zone information, use the show gatekeeper zone status command.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-326
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring Gatekeeper Triggers for Interaction with External Applications
To establish statically configured triggers on a router, use the following commands beginning in global
configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config)# server trigger
{arq | lcf | lrj | lrq | rrq | urq} gkid priority
server-id server-ip-address server-port
Configures a static server trigger for external
applications. Enter the all form of the no server trigger
all command to remove every static trigger that you
configured if you want to delete them all.
The keywords and arguments are as follows:
•
all—Deletes all command-line interface- (CLI-)
configured triggers.
•
arq, lcf, lrj, lrq, rrq, urq—Specifies Registration,
Admission, and Status (RAS) message types. Use
these message types to specify a submode in the
gatekeeper configuration mode where you configure
a trigger for the gatekeeper to act upon. Specify only
one message type per server trigger command. There
is a different trigger submode for each message type.
Each trigger submode has its own set of applicable
commands.
•
•
gkid—Specifies the local gatekeeper identifier.
priority—Specifies the priority for each trigger. The
range is from 1 through 20, with 1 being the highest
priority.
•
•
•
server-id—Specifies the identification (ID) number
of the external application.
server-ip-address—Specifies the IP address of the
server.
server-port—Specifies the port on which the
Cisco IOS gatekeeper listens for messages from the
external server connection.
Router(config)# info-only
Step 3
Indicates to the Cisco IOS gatekeeper that messages that
meet the specified trigger parameters should be sent as
notifications only and that the Cisco IOS gatekeeper
should not wait for a response from the external
application.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-327
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# destination-info {e164 | email-id
| h323-id} value
Step 4
Configures a trigger that is based on a particular
destination. Repeat this command for more destinations.
The keywords and arguments are as follows:
•
•
•
•
e164—Indicates that the destination address is an
E.164 address.
email-id—Indicates that the destination address is an
e-mail ID.
h323-id—Indicates that the destination address is an
H.323 ID.
value—Specifies the value against which to compare
the destination address in the RAS messages. For
E.164 addresses, the following wildcards can be
used:
–
A trailing series of periods, each of which
represents a single character.
–
A trailing asterisk, which represents one or more
characters.
Router(config)# redirect-reason value
Step 5
Configures a trigger that is based on a specific redirect
reason. Repeat this command for more destinations. The
value argument specifies the value against which to
compare the redirect reason in the RAS messages.
Possible values are from 0 to 65,535. Currently used
redirect reasons are as follows:
•
•
•
•
•
•
0—Unknown reason.
1—Call forwarding is busy or called DTE is busy.
2—Call forwarded; no reply.
4—Call deflection.
9—Called DTE out of order.
10—Call forwarding by the call DTE 15—Call
forwarding unconditionally.
•
15—Call forwarding unconditionally.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-328
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# remote-ext-address [e164] value
Step 6
Limits the qualifying messages based on the remote
extension address. Repeat this command for more
destinations.
The keywords and arguments are as follows:
•
e164—(Optional) Indicates that the remote extension
address is an E.164 address.
•
value—Specifies the value against which to compare
the destination address in the RAS messages. The
following wildcards can be used:
–
A trailing series of periods, each of which
represents a single character.
–
A trailing asterisk, which represents one or more
characters.
Router(config)# endpoint-type value
Step 7
Configures a trigger that is based on a specific endpoint.
Repeat this command for more destinations. The value
argument specifies the value against which to compare
the endpoint type in the RAS messages. The possible
values are as follows:
•
•
•
•
•
•
•
gatekeeper—Specifies that the endpoint is an H.323
gatekeeper.
h320-gateway—Specifies that the endpoint is an
H.320 gateway.
mcu—Specifies that the endpoint is a multipoint
control unit (MCU).
other-gateway—Specifies that the endpoint is a type
of gateway not specified on this list.
proxy—Specifies that the endpoint is an H.323
proxy.
terminal—Specifies that the endpoint is an H.323
terminal.
voice-gateway—Specifies that the endpoint is a
voice type gateway.
Router(config)# supported-prefix value
Step 8
Configures a trigger that is based on a specific supported
prefix. Repeat this command for more destinations. The
value argument specifies the value against which to
compare the supported prefix in the RAS messages. The
possible values are any E.164 pattern used as a gateway
technology prefix. The value string may contain any of
the following: 0123456789#*,
Note
Repeat Steps 2 through 8 in the above configuration task table for each trigger that you want to
define.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-329
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Note
To remove a trigger, enter the no server trigger command. To temporarily suspend a trigger, enter
the trigger configuration mode, as described in Step 2, and enter the shutdown subcommand.
Configuring Inbound or Outbound Gatekeeper Proxied Access
By default, a gatekeeper will offer the IP address of the local proxy when queried by a remote gatekeeper
(synonymous with remote zone). This is considered proxied access. Before Cisco IOS Release 12.0(5)T,
the local gatekeeper was configured using the zone access command to offer the address of the local
endpoint instead of the address of the local proxy (considered direct access).
Note
The use-proxy command replaces the zone access command. The use-proxy command, configured
on a local gatekeeper, affects only the use of proxies for incoming calls (that is, it does not affect the
use of local proxies for outbound calls). When originating a call, a gatekeeper will use a proxy only
if the remote gatekeeper offers a proxy at the remote end. A call between two endpoints in the same
zone will always be a direct (nonproxied) call.
To configure a proxy for inbound calls from remote zones to gateways in its local zone and to configure
a proxy for outbound calls from gateways in its local zone to remote zones, use the following commands
beginning in global configuration mode:
Command
Purpose
Router(config)# gatekeeper
Step 1
Step 2
Enters gatekeeper configuration mode.
Router(config-gk)# use-proxy local-zone-name
{default | remote-zone remote-zone-name} {inbound-to
| outbound-from} {gateway | terminal}
Enables proxy communications for calls between
local and remote zones.
The keywords and arguments are as follows:
•
local-zone-name—Specifies the name or zone
name of the gatekeeper, which is usually the fully
domain-qualified host name of the gatekeeper.
For example, if the domain name is cisco.com,
the gatekeeper name might be gk1.cisco.com.
However, if the gatekeeper is controlling
multiple zones, the name of the gatekeeper for
each zone should be a unique string that has a
mnemonic value.
•
•
default—Defines the default proxy policy for all
calls that are not defined by a use-proxy
command that includes the remote-zone
keyword.
remote-zone remote-zone-name—Defines a
proxy policy for calls to or from a specific remote
gatekeeper or zone.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-330
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
inbound-to—Applies the proxy policy to calls
that are inbound to the local zone from a remote
zone. Each use-proxy command defines the
policy for only one direction.
•
outbound-from—Applies the proxy policy to
calls that are outbound from the local zone to a
remote zone. Each use-proxy command defines
the policy for only one direction.
•
•
gateway—Defines the type of local device to
which the policy applies. The gateway option
applies the policy only to local gateways.
terminal—Defines the type of local device to
which the policy applies. The terminal option
applies the policy only to local terminals.
Verifying Gatekeeper Proxied Access Configuration
Use the show gatekeeper zone status command to see information about the configured gatekeeper
proxies and gatekeeper zone information (as shown in the following output).
Router# show gatekeeper zone status
GATEKEEPER ZONES
================
GK name
Domain Name
RAS Address
PORT FLAGS MAX-BW
(kbps)
---- ----- ------
CUR-BW
(kbps)
------
-------
sj.xyz.com
-----------
xyz.com
-----------
10.0.0.9 1719 LS
0
SUBNET ATTRIBUTES :
All Other Subnets :(Enabled)
PROXY USAGE CONFIGURATION :
inbound calls from germany.xyz.com :
to terminals in local zone sj.xyz.com :use proxy
to gateways in local zone sj.xyz.com :do not use proxy
outbound calls to germany.xyz.com
from terminals in local zone germany.xyz.com :use proxy
from gateways in local zone germany.xyz.com :do not use proxy
inbound calls from all other zones :
to terminals in local zone sj.xyz.com :use proxy
to gateways in local zone sj.xyz.com :do not use proxy
outbound calls to all other zones :
from terminals in local zone sj.xyz.com :do not use proxy
from gateways in local zone sj.xyz.com :do not use proxy
tokyo.xyz.co xyz.com
milan.xyz.co xyz.com
172.21.139.89
172.16.00.00
1719 RS
1719 RS
0
0
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-331
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring a Forced Disconnect on a Gatekeeper
To force a disconnect on a gatekeeper, use the following command in privileged EXEC mode:
Command
Purpose
Router# clear h323 gatekeeper call
{all | local-callID local-callID}
Forces a disconnect on a specific call or on all calls currently
active on this gatekeeper.
The keywords and arguments are as follows:
•
•
•
all—Forces all active calls currently associated with this
gatekeeper to be disconnected.
local-callID—Forces a single active call associated with this
gatekeeper to be disconnected.
local-callID—Specifies the local call identification number
(CallID) that identifies the call to be disconnected.
To force a particular call to be disconnected (as opposed to all active calls on the H.323 gateway), use
the local call identification number (CallID) to identify that specific call. Find the local CallID number
for a specific call by using the show gatekeeper calls command; the ID number is displayed in the
LocalCallID column.
Verifying a Forced Disconnect
To show the status of each ongoing call that a gatekeeper is aware of, use the show gatekeeper calls
command. If you have forced a disconnect either for a particular call or for all calls associated with a
particular H.323 gatekeeper, the system will not display information about those calls.
The following is sample output from the show gatekeeper calls command:
router# show gatekeeper calls
Total number of active calls =1
Gatekeeper Call Info
====================
LocalCallID
12-3339
Age (secs)
94
BW
768 (Kbps)
Endpt(s): Alias
src EP: epA
E.164Addr
CallSignalAddr
10.0.0.11
Port
1720
RASSignalAddr
10.0.0.11
Port
1700
dst EP: epB2zoneB.com
src PX: pxA
dst PX: pxB
10.0.0.1
172.21.139.90
1720
1720
10.0.0.11
172.21.139.90
24999
24999
Configuring the Proxy
This section describes the following configuration tasks for configuring the proxy. Depending on your
specific network design, either the first task or the second task is required.
•
•
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-332
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Configuring a Proxy Without ASR
To start the proxy without application-specific routing (ASR), start the proxy and then define the H.323
name, zone, and QoS parameters on the interface whose IP address the proxy will use. To start the proxy
without ASR, use the following commands beginning in global configuration mode:
Command
Purpose
Router(config)# proxy h323
Step 1
Step 2
Starts the proxy feature.
Router(config)# interface type number [name-tag]
Configures an interface type and enters interface
configuration mode.
Cisco 4000 Series with Channelized T1 or E1 and the Cisco MC3810
Router(config)# interface serial
number:channel-group
The keywords and arguments are as follows:
•
type—Specifies the type of interface to be
configuration task table.)
To configure a subinterface, use these forms of the interface
global configuration command:
•
number—Specifies the port, connector, or
interface card number. On a Cisco 4000 series
router, specifies the network process monitor
(NPM) number. The numbers are assigned at the
factory at the time of installation or when added
to a system, and they can be displayed with the
show interfaces command.
Cisco 7200 Series
Router(config)# interface type
slot/port-adapter/port.subinterface-number
[multipoint | point-to-point]
Cisco 7200 Series and Cisco 7500 Series with a Packet over SONET
Interface Processor
•
name-tag—(Optional) Specifies the logic name
to identify the server configuration so that
multiple entries of server configuration can be
entered. This optional argument is for use with
the Redundant Link Manager (RLM) feature.
Router(config)# interface type slot/port
Cisco 7500 Series
Router(config)# interface type
slot/port-adapter.subinterface-number [multipoint |
point-to-point][ethernet | serial]
•
•
•
slot—Specifies the number of the slot being
configured. Refer to the appropriate hardware
manual for slot and port information.
Cisco 7500 Series with Channelized T1 or E1
Router(config)# interface serial
slot/port:channel-group
port—Specifies the number of the port being
configured. Refer to the appropriate hardware
manual for slot and port information.
Cisco 7500 Series with Ports on VIP Cards
Router(config)# interface type
port-adapter—Specifies the number of the port
adapter being configured. Refer to the
appropriate hardware manual for information
about port adapter compatibility.
slot/port-adapter/port [ethernet | serial]
•
•
ethernet—(Optional) Specifies an Ethernet
IEEE 802.3 interface.
serial—(Optional) Specifies a serial interface.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-333
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
:channel-group—Specifies a T1 channel group
number in the range 0 to 23 defined with the
channel-group controller configuration
command. On a dual port card, it is possible to
run channelized on one port and primary rate on
the other port.
Cisco MC3810 specifies the T1/E1 channel
group number in the range 0 to 23 defined with
the channel-group controller configuration
command.
•
•
.subinterface-number—Specifies a subinterface
number in the range of 1 to 4,294,967,293. The
number that precedes the period (.) must match
the number to which this subinterface belongs.
multipoint | point-to-point—(Optional)
Specifies a multipoint or point-to-point
subinterface. There is no default.
Router(config-if)# h323 interface [port-number]
Step 3
Selects an interface whose IP address will be used by
the proxy to register with the gatekeeper. The
port-number argument specifies the port number on
which the proxy will listen for incoming call setup
requests:
•
The port-number range is from 1 to 65,356. The
default port number for the proxy is 11,720 in
-isx- or -jsx- Cisco IOS images.
•
The default port number for the proxy is 1720 in
-ix- Cisco IOS images, which do not contain the
Voice over IP (VoIP) gateway.
Router(config-if)# h323 h323-id h323-id
Step 4
Configures the proxy name. (More than one name
may be configured if necessary.)
The h323-id argument specifies the name of the
proxy. It is recommended that this be a fully qualified
e-mail identification (ID), with the domain name
being the same as that of its gatekeeper.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-334
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-if)# h323 gatekeeper [id
gatekeeper-id] {ipaddr ipaddr [port] | multicast}
Step 5
Specifies the gatekeeper associated with a proxy and
controls how the gatekeeper is discovered.
The keywords and arguments are as follows:
•
id gatekeeper-id—(Optional) Specifies the
gatekeeper name. Typically, this is a Domain
Name System (DNS) name, but it can also be a
raw IP address in dotted form. If this parameter
is specified, gatekeepers that have either the
default or the explicit flags set for the subnet of
the proxy will respond. If this parameter is not
specified, only those gatekeepers with the default
subnet flag will respond.
•
•
ipaddr ipaddr [port]—If this parameter is
specified, the gatekeeper discovery message will
be unicast to this address and, optionally, to the
port specified.
multicast—If this parameter is specified, the
gatekeeper discovery message will be multicast
to the well-known Registration, Admission, and
Status (RAS) multicast address and port.
Router(config-if)# h323 qos {ip-precedence value |
rsvp {controlled-load | guaranteed-qos}}
Step 6
Enables quality of service (QoS) on the proxy.
The keywords and arguments are as follows:
•
ip-precedence value—Specifies that Realtime
Transport Protocol (RTP) streams should set
their IP precedence bits to the specified value.
•
•
rsvp [controlled-load]—Specifies controlled
load class of service.
rsvp [guaranteed-qos]—Specifies guaranteed
QoS class of service.
Router(config-if)# ip route-cache [cbus]
same-interface [flow] distributed
Step 7
Controls the use of high-speed switching caches for
IP routing.
The keywords are as follows:
•
cbus—(Optional) Enables both autonomous
switching and fast switching.
•
same-interface—Enables fast-switching packets
to back out through the interface on which they
arrived.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-335
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
flow—(Optional) Enables the Route Switch
Processor (RSP) to perform flow switching on
the interface.
•
distributed—Enables Versatile Interface
Processor (VIP) distributed switching on the
interface. This feature can be enabled on
Cisco 7500 series routers with RSP and VIP
controllers. If both the ip route-cache flow
command and the ip route-cache distributed
command are configured, the VIP does
distributed flow switching. If only the ip
route-cache distributed command is
configured, the VIP does distributed switching.
Table 26 lists interface types that may be used for the type argument in Step 2 of the configuration task
Table 26
Interface Type Keywords
Keyword
async
atm
Interface Type
Port line used as an asynchronous interface.
ATM interface.
bri
ISDN BRI. This interface configuration is propagated to each of the B channels.
B channels cannot be individually configured. The interface must be configured
with dial-on-demand commands for calls to be placed on that interface.
dialer
Dialer interface.
ethernet
fastethernet
Ethernet IEEE 802.3 interface.
100-Mbps Ethernet interface on the Cisco 4500, Cisco 4700, Cisco 7000, and
Cisco 7500 series routers.
fddi
FDDI interface.
group-async
hssi
Master asynchronous interface.
High-Speed Serial Interface (HSSI).
LAN Extender (LEX) interface.
lex
loopback
Software-only loopback interface that emulates an interface that is always up. It
is a virtual interface supported on all platforms. The interface-number is the
number of the loopback interface that you want to create or configure. There is
no limit on the number of loopback interfaces you can create.
null
Null interface.
port-channel
pos
Port channel interface.
Packet OC-3 interface on the Packet over SONET Interface Processor.
serial
Serial interface.
switch
tokenring
Switch interface.
Token Ring interface.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-336
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Table 26
Interface Type Keywords (continued)
Keyword
Interface Type
tunnel
Tunnel interface; a virtual interface. The number is the number of the tunnel
interface that you want to create or configure. There is no limit on the number
of tunnel interfaces you can create.
vg-anylan
100VG-AnyLAN port adapter.
Configuring a Proxy with ASR
To enable ASR on the proxy, start the proxy and then define the H.323 name, zone, and QoS parameters
on the loopback interface. Next, determine which interface will be used to route the H.323 traffic and
configure ASR on it. The ASR interface and all other interfaces must be separated so that routing
information never travels from one to the other. There are two different ways to separate the ASR
interface and all other interfaces:
•
Use one type of routing protocol on the ASR interface and another on all the non-ASR interfaces.
Include the loopback subnet in both routing domains.
•
Set up two different autonomous systems, one that contains the ASR network and the loopback
network and another that contains the other non-ASR networks and loopback network.
To ensure that the ASR interface and all other interfaces never route packets between each other,
configure an access control list. (The proxy traffic will be routed specially because it is always addressed
to the loopback interface first and then translated by the proxy subsystem.)
To start the proxy with ASR enabled on the proxy using one type of routing protocol on the ASR
interface and another on all of the non-ASR interfaces, and with the loopback subnet included in both
routing domains, use the following commands beginning in global configuration mode:
Command
Purpose
Router(config)# proxy h323
Step 1
Step 2
Starts the proxy.
Router(config)# interface type number [name-tag]
Enters loopback interface configuration mode.
For an explanation of the arguments, see Step 2 in the
“Configuring a Proxy Without ASR” configuration
task table.
To configure a proxy with ASR enabled on the proxy
using one type of routing protocol, the type argument
is loopback. The loopback type specifies the
software-only loopback interface that emulates an
interface that is always up. It is a virtual interface
supported on all platforms. The number argument is
the number of the loopback interface that you want to
create or configure. There is no limit on the number
of loopback interfaces that you can create.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-337
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-if)# ip address ip-address mask
[secondary]
Step 3
Sets a primary or secondary IP address for an
interface.
The keywords and arguments are as follows:
•
•
ip-address—Specifies the IP address.
mask—Specifies the mask for the associated IP
subnet.
•
secondary—(Optional) Specifies that the
configured address is a secondary IP address. If
this keyword is omitted, the configured address is
the primary IP address.
Router(config-if)# h323 interface [port-number]
Step 4
Step 5
Signals the proxy that this interface IP address is the
one to use.
For an explanation of the arguments, see Step 3 in the
configuration task table in the “Configuring a Proxy
Router(config-if)# h323 h323-id h323-id
Configures the proxy name. (More than one name can
be configured if necessary.)
The h323-id argument specifies the name of the
proxy. It is recommended that this be a fully qualified
e-mail identification (ID), with the domain name
being the same as that of its gatekeeper.
Router(config-if)# h323 gatekeeper [id
gatekeeper-id] {ipaddr ipaddr [port] | multicast}
Step 6
Specifies the gatekeeper associated with a proxy and
controls how the gatekeeper is discovered.
For an explanation of the keywords and arguments,
see Step 5 in the configuration task table in the
Router(config-if)# h323 qos {ip-precedence value |
rsvp {controlled-load | guaranteed-qos}}
Step 7
Step 8
Enables quality of service (QoS) on the proxy.
For an explanation of the keywords and arguments,
see Step 6 in the configuration task table in the
Router(config-if)# interface type number [name-tag]
If ASR is to be used, enters the interface through
which outbound H.323 traffic should be routed.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-338
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-if)# h323 asr [bandwidth
max-bandwidth]
Step 9
Enables ASR and specifies the maximum bandwidth
for a proxy.
The keywords and arguments are as follows:
•
bandwidth max-bandwidth—Specifies the
maximum bandwidth on the interface. Value
ranges are from 1 to 10,000,000 kbps. If you do
not specify a value for the max-bandwidth
argument, the value defaults to the bandwidth on
the interface. If you specify the max-bandwidth
value as a value greater than the interface
bandwidth, the bandwidth will default to the
interface bandwidth.
Router(config-if)# ip address ip-address mask
[secondary]
Step 10
Sets up the ASR interface network number.
For an explanation of the keywords and arguments,
see Step 3 in this configuration task table.
Router(config-if)# exit
Step 11
Step 12
Exits interface configuration mode and returns to
global configuration mode.
Router(config)# interface type number [name-tag]
Enters interface configuration mode for a non-ASR
interface.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Router(config-if)# ip address ip-address mask
[secondary]
Step 13
Sets up a non-ASR interface network number.
For an explanation of the keywords and arguments,
see Step 3 in this configuration task table.
Router(config-if)# exit
Step 14
Step 15
Exits interface configuration mode.
Router(config)# router rip
Configures the Routing Information Protocol (RIP)
for a non-ASR interface.
Router(config)# network network-number
Step 16
Specifies a list of networks for the RIP routing
process or a loopback interface in an Interior
Gateway Routing Protocol (IGRP) domain. The
network-number argument specifies the IP address of
the directly connected networks.
Router(config)# router igrp autonomous-system
Step 17
Configures Interior IGRP for an ASR interface. The
autonomous-system argument specifies the
autonomous system number that identifies the routes
to the other IGRP routers. It is also used to tag the
routing information.
Router(config)# network network-number
Router(config)# network loopback-addr
Step 18
Step 19
Specifies a list of networks for the Routing
Information Protocol (RIP) routing process. The
network-number argument should include an ASR
interface in an IGRP domain.
Includes a loopback interface in an IGRP domain.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-339
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# access-list access-list-number
Step 20
Creates an access list.
{permit | deny} source source-mask [destination
destination-mask] {eq | neq} [[source-object]
[destination-object] [identification] any]
The keywords and arguments are as follows:
•
access-list-number—Specifies the integer that
you choose. The number should be between 300
and 399, and it uniquely identifies the access list.
•
•
•
permit—Permits access when there is an address
match.
deny—Denies access when there is an address
match.
source—Specifies the source address. DECnet
addresses are written in the form area.node. For
example, 50.4 is node 4 in area 50. All addresses
are in decimal.
•
•
source-mask—Specifies the mask to be applied
to the address of the source node. All masks are
in decimal.
destination—(Optional) Specifies the DECnet
address of the destination node in decimal
format. DECnet addresses are written in the form
area.node. For example, 50.4 is node 4 in area 50.
All addresses are in decimal.
•
•
destination-mask—(Optional) Specifies the
destination mask. DECnet addresses are written
in the form area.node. For example, 50.4 is node
4 in area 50. All masks are in decimal.
eq—Specifies that the item matches the packet if
all the specified parts of the source object,
destination object, and identification match the
data in the packet.
•
•
neq—Specifies that the item matches the packet
if any of the specified parts do not match the
corresponding entry in the packet.
source-object—(Optional) Contains the
mandatory keyword src and one of the following
optional keywords:
–
eq | neq | lt | gt—Specifies equal to, not
equal to, less than, or greater than. These
keywords must be followed by the argument
object-number, a numeric DECnet object
number.
–
exp—Stands for expression; followed by a
regular-expression that matches a string. See
the “Regular Expressions” appendix in the
Cisco IOS Dial Technologies Command
Reference for a description of regular
expressions.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-340
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
•
destination-object—(Optional) Contains the
mandatory keyword dst and one of the following
optional keywords:
–
eq | neq | lt | gt—Specifies equal to, not
equal to, less than, or greater than. These
keywords must be followed by the argument
object-number, a numeric DECnet object
number.
–
exp—Stands for expression; followed by a
regular expression that matches a string. See
the “Regular Expressions” appendix in the
Cisco IOS Dial Technologies Command
Reference for a description of regular
expressions.
–
uic—Stands for user identification code;
followed by a numeric UID expression. The
argument [group, user] is a numeric UID
expression. In this case, the bracket symbols
are literal; they must be entered. The group
and user parts can be specified either in
decimal, in octal by prefixing the number
with a 0, or in hex by prefixing the number
with 0x. The uic expression displays as an
octal number.
•
identification—(Optional) Uses any of the
following three keywords:
–
–
–
–
id—Specifies regular expression; refers to
the user ID.
password—Specifies regular expression;
the password to the account.
account—Specifies regular expression; the
account string.
any—(Optional) Specifies that the item
matches if any of the specified parts do
match the corresponding entries for
source-object, destination-object, or
identification.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-341
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config)# interface type number [name-tag]
Step 21
Enters interface configuration mode on an ASR
interface.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Router(config-if)# ip access-group
{access-list-number | access-list-name}{in | out}
Step 22
Controls access to an interface.
Use this command to set the outbound access group
and then the inbound access group.
The keywords and arguments are as follows:
•
access-list-number—Specifies the number of an
access list. This is a decimal number from 1 to
199 or from 1300 to 2699.
•
access-list-name—Name of an IP access list as
specified by an IP access-list command.
•
•
in—Filters on inbound packets.
out—Filters on outbound packets.
Note
ASR is not supported on Frame Relay or ATM interfaces for the Cisco MC3810 platform.
To start the proxy with ASR enabled on the proxy using two different autonomous systems (one that
contains the ASR network and the loopback network and another that contains the other non-ASR
networks and the loopback network), use the following commands beginning in global configuration
mode:
Command
Purpose
Router(config)# proxy h323
Step 1
Step 2
Starts the proxy.
Router(config)# interface type number [name-tag]
Enters loopback interface configuration mode.
For an explanation of the arguments, see Step 2 in the
configuration task table in the “Configuring a Proxy
To start the proxy with ASR enabled on the proxy
using two different autonomous systems, the type
argument is loopback. The loopback type specifies
the software-only loopback interface that emulates an
interface that is always up. It is a virtual interface
supported on all platforms. The number argument is
the number of the loopback interface that you want to
create or configure. There is no limit on the number
of loopback interfaces you can create.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-342
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-if)# ip address ip-address mask
[secondary]
Step 3
Sets a primary or secondary IP address for an
interface.
The keywords and arguments are as follows:
•
•
ip-address—Specifies the IP address.
mask—Specifies the mask for the associated IP
subnet.
•
secondary—(Optional) Specifies that the
configured address is a secondary IP address. If
this keyword is omitted, the configured address is
the primary IP address.
Router(config-if)# h323 interface [port-number]
Step 4
Step 5
Signals the proxy that this interface IP address is the
one to use.
For an explanation of the arguments, see Step 3 in the
configuration task table in the “Configuring a Proxy
Router(config-if)# h323 h323-id h323-id
Configures the proxy name. (More than one name can
be configured if necessary.)
The h323-id argument specifies the name of the
proxy. It is recommended that this be a fully qualified
e-mail identification (ID), with the domain name
being the same as that of its gatekeeper.
Router(config-if)# h323 gatekeeper [id
gatekeeper-id] {ipaddr ipaddr [port] | multicast}
Step 6
Step 7
Specifies the gatekeeper associated with a proxy and
controls how the gatekeeper is discovered.
For an explanation of the keywords and arguments,
see Step 5 in the configuration task table in the
Router(config-if)# h323 qos {ip-precedence value |
rsvp {controlled-load | guaranteed-qos}}
Enables quality of service (QoS) on the proxy.
The keywords and arguments are as follows:
•
ip-precedence value—Specifies that Real-time
Transport Protocol (RTP) streams should set
their IP precedence bits to the specified value.
•
•
rsvp {controlled-load}—Specifies controlled
load class of service.
rsvp {guaranteed-qos}—Specifies guaranteed
QoS class of service.
Router(config-if)# interface type number [name-tag]
Step 8
If application-specific routing (ASR) is to be used,
enters the interface through which outbound H.323
traffic should be routed.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-343
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Task List
Command
Purpose
Router(config-if)# h323 asr [bandwidth
max-bandwidth]
Step 9
Enables ASR and specifies the maximum bandwidth
for a proxy.
The optional max-bandwidth argument specifies the
maximum bandwidth on the interface. Value ranges
are from 1 to 10,000,000 kbps. If you do not specify
max-bandwidth, this value defaults to the bandwidth
on the interface. If you specify max-bandwidth as a
value greater than the interface bandwidth, the
bandwidth will default to the interface bandwidth.
Router(config-if)# ip address ip-address mask
[secondary]
Step 10
Sets up the ASR interface network number.
For an explanation of the keywords and arguments,
see Step 3 in this configuration task table.
Router(config-if)# exit
Step 11
Step 12
Exits interface configuration mode and returns to
global configuration mode.
Router(config)# interface type number [name-tag]
Enters interface configuration mode on a non-ASR
interface.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Router(config-if)# ip address ip-address mask
[secondary]
Step 13
Sets up a non-ASR interface network number.
For an explanation of the keywords and arguments,
see Step 3 in this configuration task table.
Router(config-if)# exit
Step 14
Step 15
Exits interface configuration mode.
Router(config)# router igrp autonomous-system
Configures Interior Gateway Routing Protocol
(IGRP) for a non-ASR interface. The
autonomous-system argument specifies the
autonomous system number that identifies the routes
to the other IGRP routers. It is also used to tag the
routing information.
Router(config)# network network-number
Router(config)# network network-number
Router(config)# router igrp autonomous-system
Step 16
Step 17
Step 18
Includes a non-ASR interface in an IGRP domain.
The network-number argument specifies the IP
address of the network of the directly connected
networks.
Includes a loopback interface in an IGRP domain.
The network-number argument specifies the IP
address of the network of the directly connected
networks.
Configures IGRP for an ASR interface. The
autonomous-system argument specifies the
autonomous system number that identifies the routes
to the other IGRP routers. It is also used to tag the
routing information.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-344
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Command
Purpose
Router(config)# network network-number
Step 19
Specifies a list of networks for the Routing
Information Protocol (RIP) routing process. The
network-number argument should include an ASR
interface in an IGRP domain.
Router(config)# network network-number
Step 20
Specifies a list of networks for the RIP routing
process. The network-number argument should
include a loopback interface in an IGRP domain.
Router(config)# access-list access-list-number
Step 21
Creates an access list.
{permit | deny} source source-mask [destination
destination-mask] {eq | neq} [[source-object]
[destination-object] [identification] any]
For an explanation of the keywords and arguments,
see Step 20 in the configuration task table in the
Router(config)# interface type number [name-tag]
Step 22
Enters interface configuration mode on an ASR
interface.
For an explanation of the keywords and arguments,
see Step 2 in the configuration task table in the
Router(config-if)# ip access-group
{access-list-number | access-list-name} {in | out}
Step 23
Controls access to an interface.
Use this command to set the outbound access group
and then the inbound access group.
The keywords and arguments are as follows:
•
access-list-number—Specifies the number of an
access list. This is a decimal number from 1 to
199 or from 1300 to 2699.
•
access-list-name—Name of an IP access list as
specified by an IP access-list command.
•
•
in—Filters on inbound packets.
out—Filters on outbound packets.
H.323 Gatekeeper Configuration Examples
This section includes the following configuration examples:
•
•
•
•
•
•
–
–
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-345
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
–
–
–
–
–
•
•
•
•
•
•
•
•
•
•
Configuring a Gatekeeper Example
The following is an annotated example of how to configure a gatekeeper:
hostname gk-eng.xyz.com
! This router serves as the gatekeeper for the engineering community.
! at xyz.com.
ip domain-name xyz.com
! Domain name of this company.
interface Ethernet0
ip address 172.21.127.27 255.255.255.0
! This gatekeeper can be found at address 172.21.127.27.
gatekeeper
! Enter gatekeeper config mode.
zone local gk-eng.xyz.com xyz.com
! Because a zone is, by definition, the area of control of a gatekeeper,
! we tend to use the terms “zone name” and “gatekeeper name” synonymously.
! Here we use the host name as the name of the gatekeeper and zone.
! This is not necessary, but it does simplify administration.
zone remote gk-mfg.xyz.com xyz.com 172.12.10.14 1719
zone remote gk-corp.xyz.com xyz.com 172.12.32.80 1719
! A couple of other zones within xyz.com. We make lots of calls
! between these departments, so we just configure these so we save
! a little time bypassing DNS lookup to find their gatekeepers.
use-proxy gk-eng.xyz.com remote-zone gk-mfg.xyz.com direct
use-proxy gk-eng.xyz.com remote-zone gk-corp.xyz.com direct
use-proxy gk-eng.xyz.com default proxied
! We have good QoS on our local network, so we don't need proxies when
! calling between the xyz.com zones. But for all other zones, we want
! to use proxies.
zone subnet gk-eng.xyz.com 172.21.127.0/24 enable
no zone subnet gk-eng.xyz.com default enable
! We will accept registrations from our local subnet as long as they
! do not specify some other gatekeeper name. We will not accept any
! registrations from any other subnet.
zone bw gk-eng.xyz.com 2000
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-346
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
! Preserve our good QoS by not allowing excessive amounts of H.323 traffic
! on the local network. This restricts the traffic within our zone,
! for both intra-zone and interzone calls, to 2 kbps at any given time.
alias static 172.21.127.49 gkid gk-eng.xyz.com terminal h323id joeblow ras
172.21.127.49 1719
! The “user” has an H.323 terminal, which does not support RAS. So we have
! to configure his alias manually so that callers can find him.
Redundant Gatekeepers for a Zone Prefix Example
In the following example, two remote gatekeepers are configured to service the same zone prefix:
gatekeeper
zone remote c2600-1-gk cisco.com 172.18.194.70 1719
zone remote c2514-1-gk cisco.com 172.18.194.71 1719
zone prefix c2600-1-gk 919.......
zone prefix c2514-1-gk 919.......
Redundant Gatekeepers for a Technology Prefix Example
In the following example, two remote gatekeepers are configured to service the same technology prefix:
gatekeeper
zone remote c2600-1-gk cisco.com 172.18.194.70 1719
zone remote c2514-1-gk cisco.com 172.18.194.71 1719
gw-type-prefix 3#* hopoff c2600-1-gk hopoff c2514-1-gk
E.164 Interzone Routing Example
Interzone routing may be configured by using E.164 addresses.
In this example, there are two gatekeepers that need to be able to resolve E.164 addresses. One is in San
Figure 61
E.164 Interzone Routing
Non-H.323 network
Non-H.323 network
H.323 network
H.320
terminal
(over ISDN)
H.320
terminal
(over ISDN)
sj (408)
gw-sj2
ny (212)
gw-ny2
H.324
terminal
(over POTS)
H.324
terminal
(over POTS)
gk-ny gw-ny3
gw-ny4
IP
gw-sj3 gk-sj
gw-sj4
Speech
only
(telephone)
Speech
only
(telephone)
In sj (San Jose in the 408 area code), the gateways are configured to register with gk-sj as follows:
•
•
•
gw-sj2 configured to register with technology prefix 2#
gw-sj3 configured to register with technology prefix 3#
gw-sj4 configured to register with technology prefix 4#
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-347
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Similarly, in ny (New York in the 212 area code), gateways are configured to register with gk-ny as
follows:
•
•
•
gw-ny2 configured to register with technology prefix 2#
gw-ny3 configured to register with technology prefix 3#
gw-ny4 configured to register with technology prefix 4#
For the gatekeeper for San Jose, the configuration commands are as follows:
gatekeeper
zone local gk-sj cisco.com
zone remote gk-ny cisco.com 172.21.127.27
use-proxy gk-sj default direct
zone prefix gk-sj 408.......
zone prefix gk-ny 212.......
gw-type-prefix 3# hopoff gk-sj
gw-type-prefix 4# default-technology
For the gatekeeper for New York, the configuration commands are as follows:
gatekeeper
zone local gk-ny cisco.com
zone remote gk-sj cisco.com 172.21.1.48
use-proxy gk-ny default direct
zone prefix gk-sj 408.......
zone prefix gk-ny 212.......
gw-type-prefix 3# hopoff gk-ny
gw-type-prefix 4# default-technology
When a call is presented to gatekeeper gk-sj with the following target address in San Jose:
2#2125551212
Gatekeeper gk-sj recognizes that 2# is a technology prefix. It was not configured as such, but because
gw-sj2 registered with it, the gatekeeper now treats 2# as a technology prefix. It strips the prefix, which
leaves the telephone number 2125551212. This is matched against the zone prefixes that have been
configured. It is a match for 212......., so gk-sj knows that gk-ny handles this call. Gatekeeper gk-sj
forwards the entire address 2#2125551212 over to Gatekeeper gk-ny, which also looks at the technology
prefix 2# and routes it to gw-ny2.
When a call is presented to gatekeeper gk-sj with the following target address in San Jose:
2125551212
Gatekeeper gk-sj checks it against known technology prefixes but finds no match. It then checks it
against zone prefixes and matches on 212....... for gk-ny, and therefore routes this call to gk-ny.
Gatekeeper gk-ny does not have any local registrations for this address, and there is no technology prefix
on the address, but the default prefix is 4#, and gw-ny4 is registered with 4#, so the call gets routed to
gw-ny4.
Another call is presented to gatekeeper gk-sj with the following target address in San Jose:
3#2125551212
The call has technology prefix 3#, which is defined as a local hopoff prefix, so gk-sj routes this call to
gw-sj3, despite the fact that it has a New York zone prefix.
In this last example, a call is presented to gatekeeper gk-sj with the following target address in San Jose:
6505551212
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-348
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Gatekeeper gk-sj checks for a technology prefix match but does not find one. It then searches for a zone
prefix match and fails again. But there is a match for default gateway prefix of 4#, and gw-sj4 is
registered with 4#, so the call is routed out on gw-sj4.
Configuring HSRP on the Gatekeeper Example
This sample configuration uses Ethernet 0 as the HSRP interface on both gatekeepers.
On the primary gatekeeper, enter these commands:
configure terminal
! Enter global configuration mode.
interface ethernet 0
! enter interface configuration mode for interface ethernet 0.
standby 1 ip 172.21.127.55
! Member of standby group 1, sharing virtual address 172.21.127.55.
standby 1 preempt
! Claim active role when it has higher priority.
standby 1 timers 5 15
! Hello timer is 5 seconds; hold timer is 15 seconds.
standby 1 priority 110
! Priority is 110.
On the backup gatekeeper, enter these commands:
configure terminal
interface ethernet 0
standby 1 ip 172.21.127.55
standby 1 preempt
standby 1 timers 5 15
The configurations are identical except that gk2 has no standby priority configuration, so it assumes the
default priority of 100—meaning that gk1 has a higher priority.
On both gk1 and gk2, set up identical gatekeeper mode configurations, as follows:
configure terminal
! Enter global configuration mode.
gatekeeper
! Enter gatekeeper configuration mode.
zone local gk-sj cisco.com 172.21.127.55
! Define local zone using HSRP virtual address as gatekeeper RAS address.
.
.
.
! Various other gk-mode configurations.
no shut
! Bring up the gatekeeper.
configure terminal
! Enter global configuration mode.
gatekeeper
! Enter gatekeeper configuration mode.
zone local gk-sj cisco.com 172.21.127.55
! Define local zone using HSRP virtual address as gatekeeper RAS address.
! Note this uses the same gkname and address as on gk1.
.
.
! Various other gk-mode configurations.
no shut
! Bring up the gatekeeper.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-349
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Note
The no shut command is issued on both gatekeepers, primary and secondary. If the show gatekeeper
status command is issued on the two gatekeepers, gk1 will show the following:
Gatekeeper State: UP
But gk2 will show the following:
Gatekeeper State: HSRP STANDBY
Using ASR for a Separate Multimedia Backbone Example
The examples in this section illustrate a separate multimedia backbone network dedicated to transporting
only H.323 traffic. The closed functionality of the H.323 proxy is necessary for creating this type of
backbone. Place a closed H.323 proxy on each edge of the multimedia backbone to achieve the following
goals:
•
The proxy directs all inter-proxy H.323 traffic, including Q.931 signaling, H.245, and media stream,
to the multimedia backbone.
•
The proxy shields the multimedia backbone so that routers on edge networks and other backbone
networks are not aware of its existence. In this way, only H.323-compliant packets can access or
traverse the multimedia backbone.
•
The proxy drops any unintended non-H.323 packets that attempt to access the multimedia backbone.
This section contains the following subsections:
•
•
•
•
•
•
•
Figure 62 illustrates a network that has a multimedia backbone. A gatekeeper (not shown) in the edge
network (zone) directs all out-of-zone H.323 calls to the closed proxy on the edge of that network. The
closed proxy forwards this traffic to the remote zone through the multimedia backbone. A closed proxy
and the edge router may reside in the same Cisco router, or they may be in separate routers, as shown in
Figure 62
Sample Network with Multimedia Backbone
Multimedia
backbone
PX1
R1
PX2
R2
Edge net 2
EP2
Edge net 1
EP1
Data backbone
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-350
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Enabling the Proxy to Forward H.323 Packets
To enable the proxy to forward H.323 packets received from the edge network to the multimedia
backbone, designate the interface that connects the proxy to the multimedia backbone to the ASR
interface by entering the h323 asr command in interface configuration mode. Enabling the proxy to
forward H.323 packets satisfies the first goal identified earlier in this section.
Because the proxy terminates two call legs of an H.323 call and bridges them, any H.323 packet that
traverses the proxy will have the proxy address either in its source field or in its destination field.
To prevent problems that can occur in proxies that have multiple IP addresses, designate only one
interface to be the proxy interface by entering the h323 interface command in interface configuration
mode. Then all H.323 packets that originate from the proxy will have the address of this interface in their
source fields, and all packets that are destined to the proxy will have the address of this interface in their
destination fields.
Figure 62 illustrates that all physical proxy interfaces belong either to the multimedia network or to the
edge network. These two networks must be isolated from each other for the proxy to be closed; however,
the proxy interface must be addressable from both the edge network and the multimedia network. For
this reason, a loopback interface must be created on the proxy and configured to the proxy interface.
It is possible to make the loopback interface addressable from both the edge network and the multimedia
network without exposing any physical subnets on one network to routers on the other network. Only
packets that originate from the proxy or packets that are destined to the proxy can pass through the proxy
interface to the multimedia backbone in either direction. All other packets are considered unintended
packets and are dropped. This can be achieved by configuring access control lists (ACLs) so that the
closed proxy acts like a firewall that only allows H.323 packets to pass through the ASR interface. This
satisfies the second goal identified earlier in this section, which is to ensure that only H.323-compliant
packets can access or traverse the multimedia backbone.
Isolating the Multimedia Network
The last step is to configure the network so that non-H.323 traffic never attempts to traverse the
multimedia backbone and so that it never risks being dropped by the proxy. This is achieved by
completely isolating the multimedia network from all edge networks and from the data backbone and by
configuring routing protocols on the various components of the networks.
The example provided in Figure 62 requires availability of six IP address classes, one for each of the
four autonomous systems and one for each of the two loopback interfaces. Any Cisco-supported routing
protocol can be used on any of the autonomous systems, with one exception: Routing Information
Protocol (RIP) cannot be configured on two adjacent autonomous systems because this protocol does not
include the concept of an autonomous system. The result would be the merging of the two autonomous
systems into one.
If the number of IP addresses are scarce, use subnetting, but the configuration can get complicated. In
this case, only the Enhanced IGRP, Open Shortest Path First (OSPF), and RIP Version 2 routing
protocols, which allow variable-length subnet masks (VLSMs), can be used.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-351
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
•
•
•
Configure each of the four networks as a separate routing autonomous system and do not redistribute
routes between the multimedia backbone and any other autonomous system.
Create a loopback interface on the proxy and configure it to be the proxy interface. That way no
subnets of the multimedia backbone will be exposed to the edge network, or the other way around.
To ensure that the address of the loopback interface does not travel outside the edge network,
configure the appropriate distribution list on the edge router that connects the edge network to the
data backbone. Configuring the appropriate distribution list guarantees that any ongoing H.323 call
will be interrupted if the multimedia backbone fails. Otherwise, H.323 packets that originate from
one proxy and that are destined to another proxy might discover an alternate route using the edge
networks and the data backbone.
In some topologies, the two edge networks and the data backbone may be configured as a single
autonomous system, but it is preferable to separate them as previously described because they are
different networks with different characteristics.
The following examples illustrate the router configuration that is relevant to the closed proxy operation.
Configuring a Co-Edge Proxy with ASR Without Subnetting Example
networks and how to configure IGRP on the two backbone networks.
Figure 63
Sample Configuration Without Subnetting
E1: 172.22.0.1
L0: 10.0.0.0
E1: 172.22.0.2
L0: 10.0.0.1
Multimedia
backbone
E0: 172.23.0.1
PX1
E0: 172.20.0.1
PX2
EP2
Edge net 1
Edge net 2
EP1
R2
E0: 172.20.0.2
172.23.0.2
E2: 172.21.0.2
Data backbone
R1
E1: 172.21.0.1
PX1 Configuration
The following output is for the PX1 configuration:
!
proxy h323
!
interface Loopback0
ip address 10.0.0.0 255.0.0.0
!Assume PX1 is in Zone 1, and the gatekeeper resides in the same routers as PX1:
h323 interface
h323 h323-id [email protected]
h323 gatekeeper ipaddr 10.0.0.0
!
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-352
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
interface Ethernet0
ip address 172.20.0.1 255.255.0.0
!
interface Ethernet1
ip address 172.22.0.1 255.255.0.0
ip access-group 101 in
ip access-group 101 out
h323 asr
!
router rip
network 172.20.0.0
network 10.0.0.0
!
router igrp 4000
network 172.22.0.0
network 10.0.0.0
!
access-list 101 permit ip any host 10.0.0.0
access-list 101 permit ip host 10.0.0.0 any
access-list 101 permit igrp any any
R1 Configuration
The following output is for the R1 configuration:
!
interface Ethernet0
ip address 172.20.0.2 255.255.0.0
!
interface Ethernet1
ip address 172.21.0.1 255.255.0.0
!
router rip
redistribute igrp 5000 metric 1
network 172.20.0.0
!
router igrp 5000
redistribute rip metric 10000 10 255 255 65535
network 172.21.0.0
distribute-list 10 out
!
access-list 10 deny ip 10.0.0.0 255.255.255
access-list 10 permit any
Note
The configuration for PX2 and R2 is the same as that for PX1 and R1.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-353
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Co-Edge Proxy with Subnetting Example
Figure 64 and the examples that follow illustrate how to configure Enhanced IGRP on all networks.
Figure 64
Sample Configuration with Subnetting
E1: 172.21.2.2
L0: 172.21.20.1
E0: 172.21.3.1
E1: 172.21.2.1
L0: 172.21.10.1
Multimedia
PX1
backbone
E0: 172.21.0.1
PX2
Edge net 2
Edge net 1
EP2
EP1
R2
172.21.3.2
E2: 172.21.1.2
E0: 172.21.0.2
Data backbone
R1
E1: 172.21.1.1
PX1 Configuration
The following output is for the PX1 configuration:
!
proxy h323
!
interface Loopback0
ip address 172.21.10.1 255.255.255.192
h323 interface
h323 h323-id [email protected]
h323 gatekeeper ipaddr 172.21.20.1
!
interface Ethernet0
ip address 172.21.0.1 255.255.255.192
!
interface Ethernet1
ip address 172.21.2.1 255.255.255.192
ip access-group 101 in
ip access-group 101 out
h323 asr
!
router eigrp 4000
redistribute connected metric 10000 10 255 255 65535
passive-interface Ethernet1
network 172.21.0.0
distribute-list 10 out
no auto-summary
!
router eigrp 5000
redistribute connected metric 10000 10 255 255 65535
passive-interface Ethernet0
network 172.21.0.0
distribute-list 11 out
no auto-summary
!
access-list 10 deny 172.21.2.0 0.0.0.63
access-list 10 permit any
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-354
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
access-list 11 deny 172.21.0.0 0.0.0.63
access-list 11 permit any
access-list 101 permit ip any host 172.21.10.1
access-list 101 permit ip host 172.21.10.1 any
access-list 101 permit eigrp any any
R1 Configuration
The following output is for the R1 configuration:
!
interface Ethernet0
ip address 172.21.0.2 255.255.255.192
!
interface Ethernet1
ip address 172.21.1.1 255.255.255.192
!
router eigrp 4000
redistribute eigrp 6000 metric 10000 10 255 255 65535
passive-interface Ethernet1
network 172.21.0.0
no auto-summary
!
router eigrp 6000
redistribute eigrp 4000 metric 10000 10 255 255 65535
passive-interface Ethernet0
network 172.21.0.0
distribute-list 10 out
no auto-summary
!
access-list 10 deny 172.21.10.0 0.0.0.63
access-list 10 permit any
Note
The configuration for PX2 and R2 is the same as that for PX1 and R1.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-355
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Configuring an Inside-Edge Proxy with ASR Without Subnetting Example
The configuration of the co-edge proxy in Edge net 1 has already been presented above. Figure 65
illustrates the configuration of the inside-edge proxy PX2 and edge router R2 of Edge net 2. RIP is used
on the edge networks. IGRP is used on the data backbone and the multimedia backbone.
Figure 65
Edge Net 2 with Inside-Edge Proxy and No Subnetting
E1: 172.22.0.1
E1: 172.22.0.2
S0: 10.0.0.1
S0: 10.0.0.2
E0: 172.23.0.2
L0: 10.0.0.0
Multimedia
backbone
PX1
E0: 172.20.0.1
PX2
Edge net 2
R2
Edge net 1
EP2
EP1
E2: 172.21.0.2
E0: 172.23.0.1
E0: 172.20.0.2
Data backbone
R1
E1: 172.21.0.1
PX2 Configuration
The following output is for the PX2 configuration:
!
proxy h323
!
interface Ethernet0
ip address 172.23.0.2 255.255.0.0
!
interface Serial0
ip address 10.0.0.2 255.0.0.0
ip access-group 101 in
ip access-group 101 out
h323 interface
h323 asr
h323 h323-id [email protected]
h323 gatekeeper ipaddr 10.0.0.2
!
router rip
redistribute connected metric 10000 10 255 255 65535
network 172.23.0.0
!
access-list 101 permit ip any host 10.0.0.2
access-list 101 permit ip host 10.0.0.2 any
R2 Configuration
The following output is for the R2 configuration:
!
interface Ethernet0
ip address 172.23.0.1 255.255.0.0
!
interface Ethernet1
ip address 172.22.0.1 255.255.0.0
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-356
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
ip access-group 101 in
ip access-group 101 out
!
interface Ethernet2
ip address 172.21.0.2 255.255.0.0
!
interface Serial0
ip address 10.0.0.1 255.0.0.0
!
router rip
redistribute igrp 5000 metric 1
network 172.23.0.0
!
router igrp 4000
network 10.0.0.0
network 172.22.0.0
!
router igrp 5000
redistribute rip metric 10000 10 255 255 65535
network 172.21.0.0
distribute-list 10 out
!
ip route 10.0.0.2 255.255.255.255 Serial0
access-list 10 deny ip 10.0.0.0 255.255.255
access-list 10 permit any
access-list 101 permit ip any host 10.0.0.2
access-list 101 permit ip host 10.0.0.2 any
Note
To guarantee that all traffic between the proxy and other proxies is carried over the multimedia
backbone, run IGRP 4000 on the 10.0.0.0 network and on the 172.22.0.0 network. Make sure that the
H.323 proxy interface address (10.0.0.2) is not advertised over the data network (distribution list 10
in IGRP 5000). Doing this also eliminates the need to configure policy routes or static routes.
Configuring a QoS-Enforced Open Proxy Using RSVP Example
Figure 66 illustrates a proxy configuration that was created on a Cisco 2500 router with one Ethernet
interface and two serial interfaces. Only the Ethernet interface is in use.
Figure 66
Configuring a QoS-Enforced Open Proxy Using RSVP
PX1
172.21.127.38
Data backbone
Edge net 1
R1
EP1
172.21.127.39
GK1
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-357
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
PX1 Configuration
The following output is for the PX1 configuration:
!
version 11.3
no service password-encryption
service tcp-small-servers
!
hostname ExampleProxy
!
no ip domain-lookup
!
proxy h323
!
interface Ethernet0
ip address 172.21.127.38 255.255.255.192
no ip redirects
ip rsvp bandwidth 7000 7000
ip route-cache same-interface
fair-queue 64 256 1000
h323 interface
h323 qos rsvp controlled-load
h323 h323-id [email protected]
h323 gatekeeper ipaddr 172.21.127.39
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
router rip
network 172.21.0.0
!
ip classless
!
line con 0
exec-timeout 0 0
line aux 0
transport input all
line vty 0 4
password lab
login
!
end
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-358
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Configuring a Closed Co-Edge Proxy with ASR Without Subnetting Example
Figure 67 illustrates how to configure RIP on the edge networks and IGRP on the two backbone
networks. A Cisco 2500 router is used for the proxy.
Figure 67
Configuring a Closed Co-Edge Proxy with ASR
L0: 101.0.0.1
S1: 172.22.0.1
E0: 172.20.0.3
Multimedia
backbone
PX1
E0: 172.20.0.1
Edge net 1
GK1
EP1
E0: 172.20.0.2
E1: 172.21.0.1
Data backbone
R1
PX1 Configuration
The following output is for the PX1 configuration:
!
version 11.3
no service password-encryption
service tcp-small-servers
!
hostname ExampleProxy
!
!
no ip domain-lookup
!
!
proxy h323
!
interface Loopback0
ip address 10.0.0.1 255.0.0.0
h323 interface
h323 qos ip-precedence 4
h323 h323-id [email protected]
h323 gatekeeper ipaddr 172.20.0.3
!
interface Ethernet0
ip address 172.20.0.1 255.255.255.192
no ip redirects
!
interface Serial0
no ip address
shutdown
!
interface Serial1
ip address 172.22.0.1 255.255.0.0
ip access-group 101 in
ip access-group 101 out
h323 asr
!
router rip
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-359
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
network 172.20.0.0
network 10.0.0.0
!
router igrp 4000
network 172.22.0.0
network 101.0.0.0
!
ip classless
access-list 101 permit ip any host 10.0.0.1
access-list 101 permit ip host 10.0.0.1 any
access-list 101 permit igrp any any
!
!
line con 0
exec-timeout 0 0
line aux 0
transport input all
line vty 0 4
password lab
login
Defining Multiple Zones Example
The following example shows how to define multiple local zones for separating gateways:
zone local gk408or650 xyz.com
zone local gk415 xyz.com
zone prefix gk408or650 408.......
zone prefix gk408or650 650.......
zone prefix gk415 415.......
All the gateways used for area codes 408 or 650 can be configured so that they register with gk408or650,
and all gateways used for area code 415 can be configured so that they register with gk415.
Defining One Zone for Multiple Gateways Example
The following example shows how to put all the gateways in the same zone and use the gw-priority
keyword to determine which gateways will be used for calling different area codes:
zone local localgk xyz.com
zone prefix localgk 408.......
zone prefix localgk 415....... gw-priority 10 gw1 gw2
zone prefix localgk 650....... gw-priority 0 gw1
The commands shown accomplish the following tasks:
•
•
Domain xyz.com is assigned to gatekeeper localgk.
Prefix 408....... is assigned to gatekeeper localgk, and no gateway priorities are defined for it;
therefore, all gateways that register to localgk can be used equally for calls to the 408 area code. No
special gateway lists are built for the 408....... prefix; selection is made from the master list for the
zone.
•
•
The prefix 415....... is added to gatekeeper localgk, and priority 10 is assigned to gateways gw1 and
gw2.
Prefix 650....... is added to gatekeeper localgk, and priority 0 is assigned to gateway gw1.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-360
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
A priority 0 is assigned to gateway gw1 to exclude it from the gateway pool for prefix 650........ When
gateway gw2 registers with gatekeeper localgk, it is added to the gateway pool for each prefix as follows:
•
•
For gateway pool for 415......., gateway gw2 is set to priority 10.
For gateway pool for 650......., gateway gw2 is set to priority 5.
To change gateway gw2 from priority 10 for zone 415....... to the default priority 5, enter the following
command:
no zone prefix localgk 415....... gw-pri 10 gw2
To change both gateways gw1 and gw2 from priority 10 for zone 415....... to the default priority 5, enter
the following command:
no zone prefix localgk 415....... gw-pri 10 gw1 gw2
In the preceding example, the prefix 415....... remains assigned to gatekeeper localgk. All gateways that
do not specify a priority level for this prefix are assigned a default priority of 5. To remove the prefix
and all associated gateways and priorities from this gatekeeper, enter the following command:
no zone prefix localgk 415.......
Configuring a Proxy for Inbound Calls Example
In the following example, the local zone sj.xyz.com is configured to use a proxy for inbound calls from
remote zones tokyo.xyz.com and milan.xyz.com to gateways in its local zone. The sj.xyz.com zone is
also configured to use a proxy for outbound calls from gateways in its local zone to remote zones
tokyo.xyz.com and milan.xyz.com.
gatekeeper
use-proxy sj.xyz.com remote-zone tokyo.xyz.com inbound-to gateway
use-proxy sj.xyz.com remote-zone tokyo.xyz.com outbound-from gateway
use-proxy sj.xyz.com remote-zone milan.xyz.com inbound-to gateway
use-proxy sj.xyz.com remote-zone milan.xyz.com outbound-from gateway
Because the default mode disables proxy communications for all gateway calls, only the gateway call
scenarios listed can use the proxy.
Configuring a Proxy for Outbound Calls Example
In the following example, the local zone sj.xyz.com uses a proxy for only those calls that are outbound
from H.323 terminals in its local zone to the specified remote zone germany.xyz.com:
gatekeeper
no use-proxy sj.xyz.com default outbound-from terminal
use-proxy sj.xyz.com remote-zone germany.xyz.com outbound-from
terminal
Note that any calls inbound to H.323 terminals in the local zone sj.xyz.com from the remote zone
germany.xyz.com use the proxy because the default applies.
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-361
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Removing a Proxy Example
The following example shows how to remove one or more proxy statements for the remote zone
germany.xyz.com from the proxy configuration list:
no use-proxy sj.xyz.com remote-zone germany.xyz.com
The command removes all special proxy configurations for the remote zone germany.xyz.com. After the
command is entered like this, all calls between the local zone (sj.xyz.com) and germany.xyz.com are
processed according to the defaults defined by any use-proxy commands that use the default option.
H.235 Security Example
The following example shows output from configuring secure registrations from the gatekeeper and
identifying which RAS messages the gatekeeper will check to find authentication tokens:
dial-peer voice 10 voip
destination-pattern 4088000
session target ras
dtmf-relay h245-alphanumeric
!
gateway
security password 09404F0B level endpoint
The following example shows output from configuring which RAS messages will contain gateway
generated tokens:
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
radius-server host 10.0.0.1 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server deadtime 5
radius-server key lab
radius-server vsa send accounting
!
gatekeeper
zone local GK1 test.com 10.0.0.3
zone remote GK2 test2.com 10.0.2.2 1719
accounting
security token required-for registration
no use-proxy GK1 remote-zone GK2 inbound-to terminal
no use-proxy GK1 remote-zone GK2 inbound-to gateway
no shutdown
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-362
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
GKTMP and RAS Messages Example
The following is an example of a gatekeeper that has interaction with external applications. The
registration message from Server-123 establishes a connection with gatekeeper sj.xyz.com on port
20000. Server-123 sends a REGISTER RRQ message to gatekeeper sj.xyz.com to express interest in all
RRQs from voice gateways that support a technology prefix of 1# or 2#.
REGISTER RRQ
Version-id:1
From:Server-123
To:sj.xyz.com
Priority:2
Notification-Only:
Content-Length:29
t=voice-gateway
p=1#
p=2#
Prohibiting Proxy Use for Inbound Calls Example
To prohibit proxy use for inbound calls to H.323 terminals in a local zone from a specified remote zone,
enter a command similar to the following:
no use-proxy sj.xyz.com remote-zone germany.xyz.com inbound-to terminal
This command overrides the default and disables proxy use for inbound calls from remote zone
germany.xyz.com to all H.323 terminals in the local zone sj.xyz.com.
Disconnecting a Single Call Associated with an H.323 Gateway Example
The following example forces an active call on the H.323 gateway to be disconnected. The local ID
number of the active call is 12-3339.
Router> enable
Router# clear h323 gatekeeper call local-callID 12-3339
Disconnecting All Calls Associated with an H.323 Gateway Example
The following example forces all active calls on the H.323 gateway to be disconnected:
Router> enable
Router# clear h323 gatekeeper call all
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-363
Configuring H.323 Gatekeepers and Proxies
H.323 Gatekeeper Configuration Examples
Cisco IOS Voice, Video, and Fax Configuration Guide
VC-364
|