Virtual Route Forwarding Design Guide Secure Softphone Connectivity
Available Languages
Table Of Contents
Virtual Route Forwarding Design Guide
Secure Softphone ConnectivityCisco IOS Global Configuration
Softphone Connectivity Configuration Example
Virtual Route Forwarding Design Guide
Secure Softphone Connectivity
This document provides overview, technology description, design considerations, sample configuration and other information for connecting softphone securely by using Virtual Private Network Routing and Forwarding (VRF) with your network. Cisco Unified CM
Contents
•
Introduction
•
•
•
•
Introduction
Virtualization is a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, storage device, or network) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource.
Virtual networks is a generic term that uses many different technologies to provide virtualization. Fundamentally, virtual networks all provide a mechanism to deploy what looks and operates like multiple networks, and are actually all using the same hardware and physical connectivity.
A distinction needs to be made among the types of virtualization and which layer this network virtualization occurs at:
•
•
•
Virtualization of Networks
If we needed IP networks that are isolated as they were used by different companies, departments, or organizations, we would normally deploy multiple IP networks made up of separate physical routers that were not connected to each other. They may still be using a shared Layer 2 or Layer 1 infrastructure, however at Layer 3 they are not connected and do not form a network.
Network virtualization allows a single physical router to have multiple route tables. The global table contains all IP interfaces that are not part of a specific virtual network and route tables are for each unique virtual network assigned to an IP interface.
In its basic form this allows a FastEthernet 0/0 IP interface to be in virtual network 10 and FastEthernet 0/1 IP interface to be in virtual network 20. Packets arriving on FastEthernet 0/0 are only forwarded to other interfaces in virtual network 10 and do not use FastEthernet 0/1, because it is not in its virtual network: virtual network 10 has no routing knowledge of other virtual networks.
Additional virtualization can be provided by allowing multiple virtual networks per physical connection. This is enabled by using Layer 2 logical connections. For a FastEthernet physical port, the use of multiple virtual LANs (VLANs) allows each VLAN to use a different virtual network.
Virtual Route Forward (VRF) is a technique which creates multiple virtual networks within a single network entity (Figure 1). In a single network component, multiple VRF resources create the isolation between virtual networks.
Figure 1
Virtual Route Forwarding
VRF implementations in Cisco Unified Communications Manager Express (Cisco Unified CME) include:
•
•
•
•
Topology
Cisco Unified CM supports Cisco IP phones and soft phones at remote sites attached to Cisco Integrated Service Routers (ISR) across the WAN. When you deploy voice, we recommends that you enable two LANs at the access layer: a native VLAN for data traffic and a voice VLAN under Cisco IOS or Auxiliary VLAN under CatOS for voice traffic.
Separate voice and data VLANs are recommended for the following reasons:
•
•
•
•
You can use VLAN access control lists (ACLs) to control data that flows on a network. Cisco switches have the capability of controlling Layers 2 to 4 within a VLAN ACL. Depending on the types of switches in a network, VLAN ACLs can be used to block traffic into and out of a particular VLAN. They can also be used to block intra-VLAN traffic to control what happens inside the VLAN between devices.
If you plan to deploy a VLAN ACL you should verify which ports are needed to allow the phones to function with each application used in your IP telephony network. Normally, any VLAN ACL is applied to the VLAN that the phones use. This allows control at the access port, as close as possible to the devices that are plugged into that access port.
But, VLAN ACLs are very difficult to deploy and manage at an access-port level that is highly mobile. Because of these management issues, take care when deploying VLAN ACLs at the access port in the network.
As with VLAN ACLs, routers have the ability to process both inbound and outbound ACLs by port. The first Layer 3 device is the demarcation point between voice data and other types of data when using voice and data VLANs, where the two types of data are allowed to send traffic to each other. Unlike the VLAN ACLs, router ACLs are not deployed in every access device in your network. Instead, they are applied at the edge router, where all data is prepared for routing across the network. This is the perfect location to apply a Layer-3 ACL to control which areas the devices in each of the VLANs have the ability to access within a network. Layer-3 ACLs can be deployed across your entire network to protect devices from each other at points where the traffic converges.
But, as the ACLs become more granular and detailed, any changes in port usage in a network could break not only voice but also other applications in the network. If there are software phones in the network, if web access to the phone is allowed, or if you use the attendant console or other applications that need access to the voice VLAN subnets, the ACLs are much more difficult to deploy and control. By deploying VRFs with Trusted Relay Point (TRP) functionality into the network, we can solve this problem very easily and securely.
Figure 2 shows a branch office with several Cisco IP phones and soft phones connected to a Cisco router (Router1) via a switch that supports both DATA and VOICE VLAN. The router provides connections to a WAN link. The Cisco IP phones and soft-phones connect to their primary Cisco Unified CM at the central office via this WAN link.
Figure 2 Branch Office Cisco IP Phones and Soft Phones are connected to Central Cisco Unified CM
To connect softphone securely within the enterprise by using VRF technology, we need to understand how VRFs work in this very specific case. Let's follow the steps to understand is better, before we jump into the configuration.
In Figure 3, we are showing the conceptual separation of networks - voice and data networks have been separated at layer-3 (Router1) level. In the switch, we have created two different VLANs i.e., DATA-VLAN and VOICE-VLAN. These two VLANs are connected to the Router1 through two different sub-interfaces.
Figure 3 Network is segmented into two networks - Voice and Data
Now, we are going to create VRFs for each of the network segments. For this example, we have defined 3 VRFs i.e., VRF1, VRF2 and VRF3. As you know, VRF has no significance outside the router, and VRFs are tied with specific interfaces. Single VRF can be assigned to multiple interfaces; but multiple VRFs cannot be assigned to a single interface. In this specific example, we could put Gig0/1 under VRF1 as part of data network. But, to maintain the security, simplicity and clarity, we have put Gig0/1 under VRF3.
In Figure 4, all the interfaces (networks) are segmented. Under this definition, no interface can see other's traffic. Soft-phones under VRF1 cannot reach to Cisco Unified CM which is under VRF3. Same thing applies for hard phones under VRF2. We have just created three different segments of the network, where no traffic can flow among those segments. No phone can register to Cisco Unified CM as packet cannot flow between VRF1 and VRF3; and between VRF2 and VRF3.
Figure 4 Connecting Segments
Now, it is time to connect those segmented network so that they can communicate securely. First of all, we want to create bridge between VRF1 and VRF3 so that soft phones can communicate with Cisco Unified CM. And, similarly we are going to connect a bridge between VRF2 and VRF3 so that hard phones also can communicate with Cisco Unified CM. In Figure 5, the connection has been shown by black lines (in Router1) between VRFs. So, under this situation, VRF1 and VRF2 cannot communicate each others, although VRF1 and VRF2 can communicate with VRF3 individually.
By using import/export command (importing/exporting routing tables), bridge can be created between 2 (two) VRFs. In this example, VRF3 will export only it's own routing table, and import both VRF1 & VRF2. Here is the logical representation of this exchange of routing tables -
!VRF1export VRF1import VRF3!VRF2export VRF2import VRF3!VRF3export VRF3import VRF1import VRF2!Again, these are not the actual IOS CLI. We are just showing the logic behind creating the bridge. In our example, we will show the actual IOS commands those will enable the VRFs accordingly.
By importing/exporting VRFs, we define the rules to import and export routing tables among the VRFs. But we need some routing protocols to exchange the routes among those VRFs. BGP, OSPF or EIGRP can be used to inject the routes from one VRF to another VRF. This routing protocol may not be used to connect any other routers. It can be used locally to exchange routing tables among VRFs based on the rules set by export/import.
Figure 5 Cisco Unified CM in Segmented Network, connecting segments via TRP
Up to this level, both soft phones and hard phones can register to Cisco Unified CM and make calls within their own segments - soft phone can call to another soft phone and hard phone can call to another hard phone. But, they cannot make call between soft phones and hard phones. Now, we need to create some bridge so that traffic can flow between VRF1 and VRF2. This is the place where TRP comes into the picture. In Figure 6, TRP is used to create a bridge between VRF1 and VRF2.
TRP can be used to enable the VRF traversal functionality in the Router1. TRP can be configured in Cisco Unified CM as shown below.
Figure 6 Configuring TRP in Cisco Unified CM
Figure 7 Assigning TRP for phones in Cisco Unified CM
Note
We can use the same technique to have VRF traversal in multiple VRFs. It can be used to traverse multiple voice and data VRFs. In this example above, we have demonstrated how to connect softphone securely by using three VRFs and TRP functionality. But, it can be extended to more complex scenarios. We can put conferencing and transcoding services into different VRFs, so that we can control those devices too. In Figure 8, we have shown five different VRFs to segment the network more complex way.
Figure 8 MTP, Transcoding and Conferencing services under VRFs
In the configuration example, we have used this network topology with five VRFs to show you the actual working configuration.
Configuration
To configure a voice VRF, you must shut down voice services on the gateway, assign a previously defined VPN VRF to the VoIP SPI, and then restart voice services.
This section describes the tasks required to configure VRF-aware voice gateways.
Note
Prerequisites
Be sure to check the following prerequisites before configuring a voice VRF:
•
•
•
Restrictions
Restrictions for configuring VRF-aware H.323 and SIP are as follows:
•
•
Voice VRF supports only the following call types:
•
•
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Examples
!ip vrf vrf1rd 100:1route-target export 100:1route-target import 100:2!voice vrf vrf1!voice service voip!Cisco IOS Global Configuration
The following example is part of a TRP configuration. There are two VRFs, VPN801 and VPN802, defined for two groups of phones. Cisco Unified Communication Manager (Cisco Unified CM) belongs to the third VRF and is named ccm.
The VPN801 and VPN802 imports the routes from the VRF ccm. VPN801 and VPN802 export routes to the VRF ccm. VPN801 and VPN802 can access VRF ccm, but are independent of each other's routes.
Default voice VRF is ccm, where SIP phones must belongs and registered Cisco Unified CME.
Initially, phones belongs to VRF VPN801 and VPN802 register to Cisco Unified CM.
!ip vrf VRFdatard 100:1route-target export 100:1route-target import 100:3route-target import 100:2!ip vrf VRFresourcerd 100:5route-target export 100:5route-target import 100:3route-target import 100:2!ip vrf VRFservicerd 100:2route-target export 100:2route-target import 100:1route-target import 100:4route-target import 100:3route-target import 100:5!ip vrf VRFvoicerd 100:4route-target export 100:4route-target import 100:3route-target import 100:2!ip vrf VRFvoicesigrd 100:3route-target export 100:3route-target import 100:5route-target import 100:1route-target import 100:4route-target import 100:2!VRF Routing Configurations
As the VRFs are all different virtual networks, they cannot communicate among themselves without the exchange of routing information. Even though, they reside in a single box/router, but they are all independent virtual networks; they don't know how to reach IP-address of other networks. We can use VRF-enabled routing protocols to exchange routing tables among themselves.
The following is an example BGP configuration showing how to exchange routing information among the five VRF resources defined earlier.
!router bgp 1000no synchronizationbgp router-id 22.22.22.22bgp log-neighbor-changesno auto-summary!address-family ipv4 vrf VRFvoicesigredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFvoiceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFserviceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFresourceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFdataredistribute connectedno synchronizationexit-address-family!Notice that, BGP does not have any neighbor; and this BGP is not used to make Border Routing implementation. BGP is used only to exchange routing tables among the VRFs within the same router via IPv4 VRF extension. Other routing protocols, for example, OSPF and EIGRP, can also be used to achieve the same purpose.
Softphone Connectivity Configuration Example
Figure 9 shows a configuration topology for VRF-Aware SIP call flows on Cisco Unified CME.
Figure 9 Topology for Softphone Connectivity with MTP and Transcoding/Conferencing facility
Router-1 Configuration:
Here is the full configuration of the ROUTER-1 running on ISR platform:
!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Router1!boot-start-markerboot-end-marker!logging message-counter sysloglogging buffered 999999!no aaa new-model!ip source-route!!ip cef!!ip vrf VRFdatard 100:1route-target export 100:1route-target import 100:3route-target import 100:2!ip vrf VRFresourcerd 100:5route-target export 100:5route-target import 100:3route-target import 100:2!ip vrf VRFservicerd 100:2route-target export 100:2route-target import 100:1route-target import 100:4route-target import 100:3route-target import 100:5!ip vrf VRFvoicerd 100:4route-target export 100:4route-target import 100:3route-target import 100:2!ip vrf VRFvoicesigrd 100:3route-target export 100:3route-target import 100:5route-target import 100:1route-target import 100:4route-target import 100:2!no ipv6 cefmultilink bundle-name authenticated!!voice dsp waitstate 0!voice service voipallow-connections h323 to h323allow-connections h323 to sipallow-connections sip to h323allow-connections sip to sipshutdownsupplementary-service h450.12h323call start slowsipregistrar server expires max 3600 min 3600!!voice-card 0no dspfarmdsp services dspfarm!!archivelog confighidekeys!!interface GigabitEthernet0/0no ip addressduplex autospeed auto!interface GigabitEthernet0/0.801encapsulation dot1Q 801ip vrf forwarding VRFdataip address 21.22.21.1 255.255.255.0ip helper-address 21.20.10.11!interface GigabitEthernet0/0.802encapsulation dot1Q 802ip vrf forwarding VRFvoiceip address 21.22.22.1 255.255.255.0ip helper-address 21.20.10.11!interface GigabitEthernet0/0.803encapsulation dot1Q 803ip vrf forwarding VRFserviceip address 21.10.3.1 255.255.255.0!interface GigabitEthernet0/0.804encapsulation dot1Q 804ip vrf forwarding VRFvoicesigip address 21.10.4.1 255.255.255.0!interface GigabitEthernet0/0.805encapsulation dot1Q 805ip vrf forwarding VRFresourceip address 21.10.5.1 255.255.255.0!interface GigabitEthernet0/1ip vrf forwarding VRFvoicesigip address 21.20.10.1 255.255.255.0duplex autospeed auto!router bgp 1000no synchronizationbgp router-id 22.22.22.22bgp log-neighbor-changesno auto-summary!address-family ipv4 vrf VRFvoicesigredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFvoiceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFserviceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFresourceredistribute connectedno synchronizationexit-address-family!address-family ipv4 vrf VRFdataredistribute connectedno synchronizationexit-address-family!ip forward-protocol nd!!ip http server!access-list 10 permit 21.10.10.0 0.0.0.255access-list 21 permit 21.22.21.0 0.0.0.255access-list 22 permit 21.22.22.0 0.0.0.255!!!!control-plane!!ccm-manager fax protocol cisco!mgcp fax t38 ecm!sccp local GigabitEthernet0/1sccp ccm 21.20.10.11 identifier 2 version 6.0sccp!sccp ccm group 2bind interface GigabitEthernet0/0.805associate ccm 2 priority 1associate profile 103 register CFB00175a378101!sccp ccm group 3bind interface GigabitEthernet0/0.804associate ccm 2 priority 1associate profile 101 register MTP00175a378101associate profile 105 register softmtp-3825!dspfarm profile 101 transcodecodec g711ulawcodec g711alawcodec g729ar8codec g729abr8codec g729r8maximum sessions 20associate application SCCP!dspfarm profile 103 conferencecodec g711ulawcodec g711alawcodec g729ar8codec g729abr8codec g729r8codec g729br8maximum sessions 8associate application SCCP!dspfarm profile 105 mtpcodec g711ulawrsvpmaximum sessions hardware 5maximum sessions software 250associate application SCCP!!!gatewaytimer receive-rtp 1200!!line con 0exec-timeout 0 0line aux 0line vty 0 4exec-timeout 0 0login!exception data-corruption buffer truncatescheduler allocate 20000 1000endRouter1#Verification
The following commands can be used to verify and debug the VRF configuration:
show ip route vrf <vrf-name>show ip route vrf VRFvoiceshow ip route vrf VRFdatashow ip vrf interfaceshow ip vrf detailping vrf VRFvoice 1.1.1.1debug ip cef packetdebug ip cef dropdebug ip dhcp packetdebug voip rtp sessionsdebug voip rtp packet (hidden and huge impact to performance)Some of the outputs are given in the following section.
The following command shows the different interfaces assigned to different VRF resources.
router#show ip vrf interfaceInterface IP-Address VRF ProtocolGi0/0.801 21.22.21.1 VRFdata upGi0/0.805 21.10.5.1 VRFresource upGi0/0.803 21.10.3.1 VRFservice upGi0/0.802 21.22.22.1 VRFvoice upGi0/0.804 21.10.4.1 VRFvoicesig upGi0/1 21.20.10.1 VRFvoicesig uprouter#The following command shows the VRF routing table for VRFvoice.
router#sh ip route vrf VRFvoiceRouting Table: VRFvoiceCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set21.0.0.0/24 is subnetted, 4 subnetsB 21.20.10.0 is directly connected, 00:19:36, GigabitEthernet0/1C 21.22.22.0 is directly connected, GigabitEthernet0/0.802B 21.10.4.0 is directly connected, 00:19:36, GigabitEthernet0/0.804B 21.10.3.0 is directly connected, 00:19:36, GigabitEthernet0/0.803The following command shows the VRF routing table for VRFdata.
router#sh ip route vrf VRFdataRouting Table: VRFdataCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set21.0.0.0/24 is subnetted, 5 subnetsB 21.20.10.0 is directly connected, 5d23h, GigabitEthernet0/1C 21.22.21.0 is directly connected, GigabitEthernet0/0.801B 21.10.4.0 is directly connected, 1d01h, GigabitEthernet0/0.804B 21.10.3.0 is directly connected, 1d01h, GigabitEthernet0/0.803router#The following command shows the routing table for the VRFvoicesig VRF, which is connected to Cisco Unified CM.
router#sh ip route vrf VRFvoicesigRouting Table: VRFvoicesigCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is not set21.0.0.0/24 is subnetted, 6 subnetsC 21.20.10.0 is directly connected, GigabitEthernet0/1B 21.22.22.0 is directly connected, 1d01h, GigabitEthernet0/0.802B 21.22.21.0 is directly connected, 1d01h, GigabitEthernet0/0.801B 21.10.5.0 is directly connected, 1d01h, GigabitEthernet0/0.805C 21.10.4.0 is directly connected, GigabitEthernet0/0.804B 21.10.3.0 is directly connected, 1d01h, GigabitEthernet0/0.803router#The following command shows different SCCP resources (conferencing, transcoding, MTP, and so on) that are registered with Cisco Unified CM.
router#sh sccp allSCCP Admin State: UPGateway Local Interface: GigabitEthernet0/1IPv4 Address: 21.20.10.10Port Number: 2000IP Precedence: 5User Masked Codec list: NoneCall Manager: 21.20.10.12, Port Number: 2000Priority: N/A, Version: 5.0.1, Identifier: 1Trustpoint: N/ATranscoding Oper State: ACTIVE - Cause Code: NONEActive Call Manager: 21.20.10.12, Port Number: 2000TCP Link Status: CONNECTED, Profile Identifier: 101.........MTP Oper State: ACTIVE - Cause Code: NONEActive Call Manager: 21.20.10.12, Port Number: 2000TCP Link Status: CONNECTED, Profile Identifier: 105...........Conferencing Oper State: ACTIVE - Cause Code: NONEActive Call Manager: 21.20.10.12, Port Number: 2000TCP Link Status: CONNECTED, Profile Identifier: 103.......Caveats
These are some known limitations of the system:
•
•
•
•
•
•
•
•
•
•
•
•
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)