Michael,

My understanding is that you will need to at least assume that traffic could be sourced from any port and will be sent to a destination port of 16384-32767 (which is the RTP range). RFC 4961 suggests that as a best practice, RTP sessions should be symmetric (both endpoints of the stream use the same port). If you want to confirm the behavior in your lab, set up a call and sniff the traffic to see how your endpoints are using ports with RTP.

As Jason mentioned, Skinny originally had three designated ports, although 2001 and 2002 are now obsolete. You should at least support port 2000 for IP phones, but make sure you do whatever the lab asks (maybe only 2000, or maybe 2000-2002).

Reference: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/43881-ccm-tcp-udp-ports.html

SIP ports 5060 and 5061 are standard SIP and secure SIP, kind of like HTTP and HTTPS. 2443 is Skinny secure control signaling.

Justin

From: [email protected] [mailto:[email protected]] On Behalf Of Michael Ruetz
Sent: Wednesday, February 26, 2014 12:16
To: [email protected]
Subject: [OSL | CCIE_Wireless] QoS ACLs

Dear CCIEW-Students,

Unfortunately there are a lot of different ways mentioned in the workbooks, how to set up the correct QoS-ACL for mapping RTP and SIGNALING. What confuses me most is the usage of the same ranges of ports for matching on the src.- and dst.- ports in some examples.

[SNIP]
!
ip access-list extended RTP
 10 permit udp any range 16384 32767 any range 16384 32767 <- same range src. and dst.??
!
ip access-list extended SIGNALING
 10 permit tcp any any range 2000 2002 <- three ports for SKINNY?
 20 permit tcp any any range 5060 5061 <- two ports for SIP?
 21 permit udp any any range 5060 5061 <- two ports for SIP?
 30 permit tcp any any eq 1720 -> H.323 is clear
 40 permit tcp any any eq 2443 <- Secure Signalling??
!
[SNIP]

Has anyone maybe traced RTP/SKINNY/SIP/... to get the correct mapping-ACL? I can't find a hint in any best practice documentation.

Thx. in advance ...

MICHAEL RUETZ
Senior IT Architekt/Engineering Manager, CCIE#5356
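As an added illustration (not part of either message above), this Python sketch evaluates the port matches of the ACEs quoted in the thread against constructed flows, so the effect of matching the RTP range on both source and destination can be checked offline. The `RTP_DST_ONLY` entry, the helper names and all sample port numbers are assumptions made for the example; only `any` addresses and `range`/`eq` port specs are handled.

```python
# ACEs copied from the ACLs quoted in the thread. RTP_DST_ONLY is a constructed
# variant (not from the thread): any source port, RTP destination range.
ACLS = {
    "RTP": ["permit udp any range 16384 32767 any range 16384 32767"],
    "RTP_DST_ONLY": ["permit udp any any range 16384 32767"],
    "SIGNALING": [
        "permit tcp any any range 2000 2002",
        "permit tcp any any range 5060 5061",
        "permit udp any any range 5060 5061",
        "permit tcp any any eq 1720",
        "permit tcp any any eq 2443",
    ],
}

def _ports(tokens):
    """Consume an optional 'range A B' or 'eq N' spec; return (low, high)."""
    if tokens[:1] == ["range"]:
        low, high = int(tokens[1]), int(tokens[2])
        del tokens[:3]
        return low, high
    if tokens[:1] == ["eq"]:
        port = int(tokens[1])
        del tokens[:2]
        return port, port
    return 0, 65535  # no port spec means any port

def parse_ace(line):
    """Parse '<action> <proto> any [ports] any [ports]' ('any' addresses only)."""
    action, proto, *rest = line.split()
    specs = []
    for _ in ("src", "dst"):
        if not rest or rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are handled: " + line)
        specs.append(_ports(rest))
    return action, proto, specs[0], specs[1]

def matches(acl, proto, sport, dport):
    """True if a permit ACE in the named ACL matches this flow's protocol and ports."""
    for line in ACLS[acl]:
        action, p, (slo, shi), (dlo, dhi) = parse_ace(line)
        if p == proto and slo <= sport <= shi and dlo <= dport <= dhi:
            return action == "permit"
    return False  # implicit deny: the flow is not classified by this ACL

if __name__ == "__main__":
    # Constructed flows: (ACL, protocol, source port, destination port)
    for flow in [("RTP", "udp", 20000, 20002), ("RTP", "udp", 5004, 20002),
                 ("RTP_DST_ONLY", "udp", 5004, 20002),
                 ("SIGNALING", "tcp", 51000, 2000), ("SIGNALING", "tcp", 2000, 51000)]:
        print(flow, "->", "match" if matches(*flow) else "no match")
```

With these constructed flows, the both-ranges RTP entry misses a stream sourced from port 5004, and the SIGNALING entries match only the direction whose destination is the signaling port.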
