[cisco-voip] Nbar missing some RTP traffic

Patrick Shoemaker shoemakerp at vectordatasystems.com
Thu Apr 17 15:03:58 EDT 2008 

Thanks for the responses, everybody.

No, I am not directly connected to the SIP provider, and the provider 
suggests that compiling a list of all the audio path origination points 
would be tedious/impossible. They are not all funneled through a single 
gateway- they come from all over the Internet, according to the 
provider. Customers connect into my network through a last mile wireless 
system that is completely under my control, so maintaining the markings 
on outbound traffic is no problem.

I have also tried "match protocol rtp" to see if the payload type was 
the issue, even though it shouldn't be since everything is g.711 or 
g.729 with no dynamic payload types. I get the same problem- most 
traffic is identified but some streams are missed.

I would like to avoid marking based on a static UDP port range. As this 
is an ISP network, you never know what kind of random applications will 
be traversing it. I don't want some rouge filesharing app using a port 
range that gets placed into a high priority queue.

It looks like the only reliable option at this point is maintaining 
giant ACLs on each border router with the IP addresses of all the 
registered ATAs on my network, then marking all the UDP traffic destined 
to them. This is going to turn into a management nightmare after a 
while, but is there another solution?

One idea I had was to use reflexive ACLs to identify outgoing streams 
tagged with the EF bit, then apply the same treatment to the 
corresponding incoming stream. However, it is not necessarily true that 
the outgoing voice traffic is traversing the same router as the incoming 
traffic.

Patrick Shoemaker
President, Vector Data Systems LLC
shoemakerp at vectordatasystems.com
office: (301) 358-1690 x36
mobile: (410) 991-5791
http://www.vectordatasystems.com



Ryan West wrote:
> The big problem here is using a non-directly connected carrier.  The more mature SIP implementations out there will avoid offering any SLA's or even recommending connecting through another carrier.  Although almost all of your congestions are at the edge router, you still need an effective way to determine the traffic.  An implicit trust of previous markings, which should be done at the other edge device, is the way to go.  Matching on protocol rtp audio is extremely effective coming from a CM or CME device, then again, it is already marked with EF anyhow.
> 
> -ryan
> 
> -----Original Message-----
> From: cisco-voip-bounces at puck.nether.net [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ellington, Chris
> Sent: Thursday, April 17, 2008 11:03 AM
> To: Jeffrey Ollie
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] Nbar missing some RTP traffic
> 
> It is a lot of ports, however if you look at something like wireshark it figures out the ports and maps them to RTP - generally - I also realize that video shares this port range, at least in Cisco implementations, and some deeper analysis will have to occur, potentially.  I say potentially, because even with video don't you want to prioritize the audio path  (because if the video gets distorted, nobody seems to mind, audio distortions are generally deemed unacceptable).
> 
> chris
> 
> -----Original Message-----
> From: Jeffrey Ollie [mailto:jeff at ocjtech.us]
> Sent: Thursday, April 17, 2008 10:46 AM
> To: Ellington, Chris
> Cc: Jorge L. Rodriguez Aguila; cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] Nbar missing some RTP traffic
> 
> On Thu, Apr 17, 2008 at 9:35 AM, Ellington, Chris
> <Chris.Ellington at inin.com> wrote:
>> Well, yes that is true - however you can pick a range of ports to match - I do it all of the time.  Use an extended ACL to match by port range if you like.  Much more granular than trying to use nbar
> 
> By default RTP on Cisco kit uses UDP ports in the range of 16K - 32K.
> That's a lot of ports... Plus don't you think that that will match non
> RTP data?  Plus not all RTP data is alike... you need to assign
> different DSCP mappings to packets depending on if the packet contains
> audio or video data.  That's why trying to match based on UDP port
> number is inadequate and why I hoped that using nBAR to match RTP
> packets would work better.  Unfortunately, since nBAR doesn't work
> properly if your RTP streams are using dynamically negotiated payload
> types using nBAR to classify RTP traffic is useless to me.
> 
> Jeff
> 
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip

More information about the cisco-voip mailing list