[cisco-voip] Nbar missing some RTP traffic

Jorge L. Rodriguez Aguila jorge.rodriguez at netxar.com
Thu Apr 17 08:34:49 EDT 2008


That is correct. The RTP match is for even port numbers as Cisco uses even RTP ports in that range for voice payload and the corresponding odd ports for RTCP.

If you want to be extra sure you could convert your match-all voice class to match-any and add access-group XXX with an access-list XXX permit udp any any range 16384 32767 to pick up any packets the match RTP might miss.

Jorge Rodriguez
Senior Voice/Data Consultant
CCNA,CCVP,CRMCS
Netxar Technologies
www.netxar.com
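To make the two classification rules in this thread concrete, here is an added Python model (not Cisco code and not from either poster). It follows the thread's description of `match protocol rtp audio` as an even UDP port within 16384-32767, and adds an RTP version-2 header check with an audio payload type (0-23) on the assumption that this is what NBAR inspects; it also models `permit udp any any range 16384 32767` as a pure port test. Checking the destination port only is a simplification. The port numbers are the ones from the original post; the source addresses and packet bodies are constructed.

```python
"""Model of `match protocol rtp audio` versus an ACL port-range fallback.

Added example, not Cisco code. Assumptions: NBAR rtp audio = even UDP destination
port in 16384-32767 plus an RTP v2 header with payload type 0-23; the ACL matches on
destination port only. Sample packets are constructed; ports come from the thread.
"""
import struct
from dataclasses import dataclass

RTP_PORT_LOW, RTP_PORT_HIGH = 16384, 32767
RTP_AUDIO_MAX_PT = 23  # static audio payload types 0-23 (RFC 3551)


@dataclass
class UdpPacket:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def build_rtp_payload(payload_type: int, seq: int = 1, ts: int = 160,
                      ssrc: int = 0x1234ABCD, body: bytes = b"\xff" * 160) -> bytes:
    """Build a minimal RTP v2 packet: 12-byte fixed header plus a dummy audio body."""
    first = 0x80                   # V=2, P=0, X=0, CC=0
    second = payload_type & 0x7F   # M=0, PT
    return struct.pack("!BBHII", first, second, seq, ts, ssrc) + body


def build_rtcp_sr(ssrc: int = 0x1234ABCD) -> bytes:
    """Build a minimal RTCP Sender Report (packet type 200) with no report blocks."""
    return struct.pack("!BBHI", 0x80, 200, 6, ssrc) + b"\x00" * 24


def parse_rtp_header(payload: bytes):
    """Return (version, payload_type) from an RTP-shaped header, or None if too short."""
    if len(payload) < 12:
        return None
    return payload[0] >> 6, payload[1] & 0x7F


def nbar_rtp_audio(pkt: UdpPacket) -> bool:
    """Model of `match protocol rtp audio` (assumed behaviour, see lead-in)."""
    if not (RTP_PORT_LOW <= pkt.dst_port <= RTP_PORT_HIGH) or pkt.dst_port % 2:
        return False
    hdr = parse_rtp_header(pkt.payload)
    if hdr is None:
        return False
    version, pt = hdr
    return version == 2 and pt <= RTP_AUDIO_MAX_PT


def acl_udp_range(pkt: UdpPacket, low: int = RTP_PORT_LOW, high: int = RTP_PORT_HIGH) -> bool:
    """Model of `access-list XXX permit udp any any range 16384 32767`: ports only."""
    return low <= pkt.dst_port <= high


def classify(pkt: UdpPacket, acl_fallback: bool) -> str:
    """DSCP the `voice` class sets: match-all uses NBAR alone, match-any adds the ACL."""
    if nbar_rtp_audio(pkt) or (acl_fallback and acl_udp_range(pkt)):
        return "ef"
    return "default"


SAMPLE_PACKETS = [
    # ports from the original post, carrying G.711 audio (PT 0 and PT 8)
    UdpPacket("198.51.100.10", 60250, 13456, build_rtp_payload(0)),
    UdpPacket("198.51.100.11", 60164, 13460, build_rtp_payload(8)),
    # constructed: audio on the first even port of the Cisco range
    UdpPacket("203.0.113.5", 30000, 16384, build_rtp_payload(0)),
    # constructed: audio delivered to an odd port inside the range
    UdpPacket("203.0.113.5", 30001, 16385, build_rtp_payload(0)),
    # constructed: the RTCP sender report for the stream above, on the odd port
    UdpPacket("203.0.113.5", 30001, 16385, build_rtcp_sr()),
]


def classification_table(packets=SAMPLE_PACKETS):
    """Return (dst_port, match-all result, match-any-with-ACL result) per packet."""
    return [(p.dst_port, classify(p, False), classify(p, True)) for p in packets]


if __name__ == "__main__":
    for dst, strict, fallback in classification_table():
        print(f"dst {dst:5d}  match-all: {strict:7s}  match-any+acl: {fallback}")
```

Running it shows where each rule draws its line: the even in-range port with an audio payload type is marked EF by both, the odd in-range port is picked up only once the ACL fallback is added (and the ACL then marks the RTCP report on that port as well, since it inspects no header), and the 13456/13460 destinations from the original post sit below 16384 and are left at default by both rules.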

________________________________________
From: cisco-voip-bounces at puck.nether.net [cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan West [rwest at zyedge.com]
Sent: Wednesday, April 16, 2008 6:15 PM
To: Patrick Shoemaker; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Nbar missing some RTP traffic

Patrick,

I haven't looked at the NBAR definition in great detail for RTP audio, but if it is expecting a Cisco port range, then your packets do not fall within the 16384 - 32767 range that is expected for an RTP stream.  I am assuming that you're not directly connected to the SIP provider, or are you the SIP provider?  Can you gather a list of SBCs that the SIP provider uses?  It's also possible that they are allowing other on-net calls to go directly to your system rather than hairpinning from their SBCs, either way making it a pain to secure or use explicit ACLs to remark your packets.

If the customers are using your network for SIP service, how are they connected to you?

http://www.cisco.com/en/US/products/ps6616/products_white_paper09186a0080110040.shtml

After further investigation, it seems that match ip rtp uses even port numbers in the range I listed above.  It seems that you could classify on payload type if you really wanted to get that granular.

-ryan

-----Original Message-----
From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Patrick Shoemaker
Sent: Wednesday, April 16, 2008 5:03 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Nbar missing some RTP traffic

Hello list, new member here and first time posting. Hopefully this topic
hasn't been discussed recently- I couldn't find anything about it in the
archives.

I am trying to implement QoS for voip on a small ISP network. At the
border routers that connect to our upstreams, I am attempting to tag all
incoming voip traffic with the DSCP "expedited forwarding" bit so that
it is appropriately handled by our internal network, particularly the
customer last mile connection. I am also tagging all SIP traffic with
DSCP af31. This is being done by activating nbar on the border routers
for all incoming traffic using the following (abridged) configuration:

class-map match-all sip
 match protocol sip
class-map match-all voice
 match protocol rtp audio

policy-map input-mark
 class voice
  set ip dscp ef
 class sip
  set ip dscp af31

interface FastEthernet0/0.300
 service-policy input input-mark

Using the above configuration, most all RTP traffic is caught and tagged
as expected, however some is missed. I have captured some packets that
are correctly tagged, and some that are not, using a sniffer. Comparing
the two packets shows that there are no differences in the two except
for the source IP addresses, and the UDP port numbers (source 60250,
60164; destination 13456, 13460), and obviously the payload.

My theory is that cisco's nbar engine uses the SDP packet that sets up
the RTP stream to identify the subsequent RTP packets. Therefore, if the
SDP packet enters the network through a different boundary router, the
router seeing the subsequent RTP packets won't be able to classify them.
Does anyone know what specific criteria nbar uses to classify RTP packets?

--
Patrick Shoemaker
President, Vector Data Systems LLC
shoemakerp at vectordatasystems.com
office: (301) 358-1690 x36
mobile: (410) 991-5791
http://www.vectordatasystems.com

_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip