09999/2106 Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing

Post on 27-Mar-2015


Practical Experiences Overcoming Firewalls and Limited Bandwidth for H.323 Video Conferencing

AREN


AREN Quick Overview

• Multiple Star Network
  – Stars originate at the hub sites and hubs are connected by a North-South backbone

• DS3/Partial OC-3 backbone

• DS1 (T1) or Multiple T1 to clients

• Multiple Internet access points (DS3+)


So What’s the Problem?

• H.323 based VTC systems are increasingly used for K-20 distance learning

• Many Education Networks have limited bandwidth connections with little funding for upgrades

• Most school system networks (many University Networks) are behind firewalls and NAT

09999/2106

The Small Pipe Issue

• In Alabama, most schools connect to their system’s network (and then the Internet) through point-to-point DS1 (T1) links – 1.5Mbps

• A single H.323 VTC connection with decent quality uses 384kbps (+overhead)

• The conservative rule of thumb recommended by Cisco is 20% overhead (~460kbps)

• So… a single H.323 session at 384kbps uses almost 1/3 of a T1 line (for design purposes)

• And the real problem… most large schools fill the pipe with just Internet traffic


The Huntsville Example

[Network diagram: Huntsville BOE Office site (Layer3Switch, PIX, hosts labelled HSV and "75"/"13") connected by a T1 to the AREN NOC (MCU, AREN backbone, 100 Mbps Full, device labelled "75"/"13"). Legend: = QoS Aware]


Where did we enable QoS?

• Schools were not using VLANs and most had no QoS support at the LAN level
  – So no CoS 802.1p could be used

• QoS enabled using DSCP tagging and CBWFQ on routers and layer3 switches
  – Differentiated Services Code Point (DSCP)
  – Class-Based Weighted Fair Queueing (CBWFQ)

• Traffic is classified and tagged at routers based on source/destination IP address


Cisco Router Config Example

    class-map match-all VTC-hosts
     match access-group name VTC-list
    !
    policy-map QoS-VTC
     class VTC-hosts
      bandwidth percent 50
      set ip dscp ef
     class class-default
      fair-queue
    !
    ip access-list extended VTC-list
     permit ip any any precedence critical
     permit ip any any dscp ef
     permit ip any host 192.168.2.20
     permit ip host 192.168.2.20 any
    !
    interface FastEthernet0/0
     description School LAN
     bandwidth 100000
     ip address 192.168.2.1 255.255.255.0
     speed 100
     full-duplex
     service-policy output QoS-VTC
    !
    interface Serial0/0
     description to Core Router
     bandwidth 1544
     ip address 172.20.2.2 255.255.255.252
     service-policy output QoS-VTC
    !
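As an added illustration (not from the slides or the presenter's network), here is a Python model of the VTC-list access list and the QoS-VTC policy map above: it decides which packets land in the VTC-hosts class and re-marks them EF. The sample traffic and the audit helper are constructed. Because the first two access-list entries permit any packet that already carries precedence critical or DSCP EF, a host that marks its own packets is admitted to the 50% bandwidth class, which is worth checking wherever end-host markings are trusted.

```python
from dataclasses import dataclass

# DSCP values used by the slide's config (RFC 2474 / RFC 3246).
DSCP_EF = 46                # Expedited Forwarding, binary 101110
PREC_CRITICAL = 5           # IP precedence "critical" = top three DSCP bits 101
VTC_HOST = "192.168.2.20"   # the VTC endpoint named in the access list

@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0           # DSCP carried in the IP header on arrival

def precedence(dscp):
    """IP precedence is the high-order 3 bits of the 6-bit DSCP field."""
    return dscp >> 3

def matches_vtc_list(pkt):
    """Evaluate 'ip access-list extended VTC-list' in order; implicit deny at the end."""
    if precedence(pkt.dscp) == PREC_CRITICAL:   # permit ip any any precedence critical
        return True
    if pkt.dscp == DSCP_EF:                     # permit ip any any dscp ef
        return True
    if pkt.dst == VTC_HOST:                     # permit ip any host 192.168.2.20
        return True
    if pkt.src == VTC_HOST:                     # permit ip host 192.168.2.20 any
        return True
    return False

def apply_qos_vtc(pkt):
    """Return (class, outgoing DSCP) as 'policy-map QoS-VTC' would assign it.

    class-map match-all VTC-hosts has a single match clause (the ACL), so a packet
    is in the VTC class exactly when the ACL permits it, and is then re-marked EF.
    Everything else falls into class-default and keeps its marking."""
    if matches_vtc_list(pkt):
        return ("VTC-hosts", DSCP_EF)
    return ("class-default", pkt.dscp)

def self_marked_flows(packets):
    """Audit helper: packets that reach the priority class only because they arrived
    already marked EF/critical, not because they involve the VTC host."""
    return [p for p in packets
            if matches_vtc_list(p) and VTC_HOST not in (p.src, p.dst)]

# Constructed sample traffic (not from the slides).
SAMPLE = [
    Packet("192.168.2.20", "10.0.0.5", 0),        # VTC endpoint, unmarked on arrival
    Packet("192.168.2.77", "10.0.0.9", 0),        # ordinary client, best effort
    Packet("192.168.2.77", "10.0.0.9", DSCP_EF),  # same client, set its own EF marking
]
```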


QoS Through Firewalls?

• Most (all?) firewalls offer no support for QoS guarantees

• The official Cisco comment is that their PIX is so fast there is no congestion

• The PIX firewall does not alter DSCP tagged packets (so QoS can be done on either side of the PIX)


Problems With Firewalls (and NAT)

• H.323 uses multiple TCP connections and UDP ports simultaneously for VTC

• The H.323 standard assigns ports dynamically from 1024 to 65535

• During call setup, the IP address of the calling party is sent to the called party in the data field of the IP packet (so NAT can’t translate it)


Solutions to the Firewall Problem

• Don’t NAT H.323 clients
  – Well… what’s the firewall doing then?
  – May or may not open the H.323 client to all ports

• Probably not a good idea to open everything!

• NAT H.323 and rely on the client to be “smart” enough to work through the firewall/NAT
  – A Polycom client can be told to use specific ports. The client can also be configured to know its real “outside address” and can use this address in handshaking

• NAT H.323 and rely on the firewall to be “smart” enough to work everything out
  – Application Proxy etc.

• Use an additional device to perform the Application Proxy
  – May be useful when deploying a standard solution across diverse networks


What do you mean “Don’t NAT”?

• If public IP space is available, you could form small public subnets at each site in parallel with the privately addressed network

• The firewall could pass these addresses on into the Internet without NATing

• The client would need to predefine which TCP/UDP ports will be used so they can be opened through the firewall
  – Otherwise all ports above 1024 would have to be opened (back to… why have a firewall?)


NAT with a “Smart” Client

• PAT won’t work but NAT can work with a “smart” client
  – I mean true one-to-one static NAT here (1 public to 1 private)

• Example: Polycom clients have settings in their QoS menu that allow pre-definition of the client’s outside, public address. There is a check box that says “this client is behind NAT”

• Polycom units also allow pre-definition of the TCP/UDP ports used – default is 3230-3235

• No application proxy (or fixup) would be configured on the firewall.

• Pre-defined data ports and TCP 1720 (call setup) would be allowed to the statically NATed addresses of the clients

• This method was used for Shelby County schools due to the old software version on their PIX firewall.
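The inbound rule set this slide describes, as an added Python model (not the presenter's firewall configuration): traffic is permitted only to the statically NATed client addresses, on TCP 1720 and the Polycom preset ports 3230-3235, and the result is compared with the "open everything above 1024" alternative from the previous slide. The NAT table and all addresses are constructed.

```python
from dataclasses import dataclass

H225_CALL_SETUP_TCP = 1720              # call setup port named on the slide
POLYCOM_DATA_PORTS = range(3230, 3236)  # default 3230-3235 preset on the Polycom unit

# Constructed one-to-one static NAT table (public -> private); addresses are
# RFC 5737 documentation space and RFC 1918 space, not the presenter's.
STATIC_NAT = {
    "203.0.113.10": "192.168.2.20",
    "203.0.113.11": "192.168.2.21",
}

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str     # public address as seen on the outside interface
    dst_port: int

def allowed_smart_client(flow):
    """Inbound rule set for the 'smart client' method: only TCP 1720 and the
    pre-defined TCP/UDP data ports, and only to the statically NATed clients."""
    if flow.dst_ip not in STATIC_NAT or flow.proto not in ("tcp", "udp"):
        return False
    if flow.proto == "tcp" and flow.dst_port == H225_CALL_SETUP_TCP:
        return True
    return flow.dst_port in POLYCOM_DATA_PORTS

def allowed_open_high_ports(flow):
    """The alternative the slides caution against: every port above 1024 to the
    clients, which H.323's dynamic port range (1024-65535) would otherwise need."""
    return (flow.dst_ip in STATIC_NAT and flow.proto in ("tcp", "udp")
            and flow.dst_port > 1024)

def translate(flow):
    """Static NAT: rewrite the public destination to the private client address.
    Ports are untouched; PAT would rewrite them and defeat the client's port preset."""
    return Flow(flow.proto, STATIC_NAT[flow.dst_ip], flow.dst_port)

def exposed_ports(rule, public_ip="203.0.113.10"):
    """Count the (proto, port) pairs a rule set leaves reachable on one NATed client."""
    return sum(1 for proto in ("tcp", "udp") for port in range(1, 65536)
               if rule(Flow(proto, public_ip, port)))
```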


Polycom Setup Example


NAT with a “Smart” Firewall

• Firewall must either serve as an H.323 Application proxy or somehow snoop the H.323 setup (looking at all the handshaking)

• Cisco PIX version 6.14 and up supports an H.323 “fixup protocol” that overcomes the NAT and port problems by snooping.

• Some PIX versions prior to 6.14 have an “H.323 fixup protocol” but it will only work with Netmeeting, CUSeeMe, etc…

• Even with snooping, the call setup port 1720 must be opened to allow calls originating from the outside


Additional Application Proxy

• Most new firewall versions support some form of Application Proxy or snooping
  – ISA Microsoft Proxy
  – Checkpoint
  – Firebox

• New interesting concept (read about but not driven)
  – Ridgeway Systems