[cisco-voip] Nbar missing some RTP traffic
Ellington, Chris
Chris.Ellington at inin.com
Thu Apr 17 10:59:27 EDT 2008
That's the other reason I like to use ACLs - there really isn't (or
doesn't seem to be) a standard for RTP so if you know what you are
likely to encounter it's easy enough to write an ACL. I realize that if
you are a service provider, you can't always know but your customers
will likely complain if you are contracted to do EF on RTP and aren't -
they will notice quickly enough.
chris
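As an added illustration (not configuration posted by anyone in the thread), here is a Cisco IOS policy that follows Chris's ACL approach while allowing for Ryan's point that a SIP provider's media ports may fall outside 16384-32767. The voice subnet 10.10.0.0/16, the provider host 192.0.2.10, the provider range 10000-20000 and the interface name are placeholders to be replaced with values from the carrier's documentation.

```cisco
! Added example, not from the thread. Subnet, provider address,
! provider port range and interface are PLACEHOLDERS.
!
! Match media by UDP port range, but only between known endpoints so
! arbitrary UDP traffic that happens to land in the range is not
! marked EF.
ip access-list extended RTP-MEDIA
 remark Cisco phone / CallManager media, default range 16384-32767
 permit udp 10.10.0.0 0.0.255.255 range 16384 32767 any
 permit udp any range 16384 32767 10.10.0.0 0.0.255.255
 remark SIP provider media range - PLACEHOLDER, confirm with carrier
 permit udp host 192.0.2.10 range 10000 20000 10.10.0.0 0.0.255.255
 permit udp 10.10.0.0 0.0.255.255 range 10000 20000 host 192.0.2.10
!
! Classify on the ACL instead of NBAR's "match protocol rtp".
class-map match-all VOICE-RTP
 match access-group name RTP-MEDIA
!
! Mark EF and give the class a priority queue on the WAN link.
policy-map WAN-OUT
 class VOICE-RTP
  set dscp ef
  priority percent 20
 class class-default
  fair-queue
!
interface Serial0/0/0
 service-policy output WAN-OUT
```

Check with `show policy-map interface Serial0/0/0` that the VOICE-RTP counters increase during an active call; if they stay flat while calls are up, the provider is negotiating a port range the ACL does not cover.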
-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Thursday, April 17, 2008 10:46 AM
To: Ellington, Chris; Jeffrey Ollie
Cc: cisco-voip at puck.nether.net
Subject: RE: [cisco-voip] Nbar missing some RTP traffic
Chris,
The problem with this is that SIP providers do not follow the same
guidelines that Cisco uses for RTP port assignments. This being said,
you will see ranges of RTP that are well below 16384 and above 32767. I
have run into issues with customers explicitly blocking these ranges for
legacy trojan protection.
-ryan
-----Original Message-----
From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ellington,
Chris
Sent: Thursday, April 17, 2008 10:35 AM
To: Jeffrey Ollie
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Nbar missing some RTP traffic
Well, yes that is true - however you can pick a range of ports to match
- I do it all of the time. Use an extended ACL to match by port range
if you like. Much more granular than trying to use nbar.
chris
-----Original Message-----
From: Jeffrey Ollie [mailto:jeff at ocjtech.us]
Sent: Thursday, April 17, 2008 10:30 AM
To: Ellington, Chris
Cc: Jorge L. Rodriguez Aguila; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Nbar missing some RTP traffic
On Thu, Apr 17, 2008 at 8:42 AM, Ellington, Chris
<Chris.Ellington at inin.com> wrote:
> Why not just pick the exact traffic you are looking to match and match
> it? Don't worry about nbar messing it up - just grab the ports you're
> seeking and mark as such?
Because RTP traffic doesn't use a single UDP port. The phone (or
CallManager, the router, or whatever) picks a UDP port number at
random and sends that information to the other side via the signalling
protocol (SIP, H.323, SCCP, etc.).
Jeff
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip