7 Replies Latest reply on Apr 7, 2014 2:01 PM by matt

    media-gateway for VLAN interface

    crawc New Member

      We are trying to send the outbound SIP traffic out the vlan3 interface so it stays within the private VOIP network. The SIP traffic is routing properly, but we can't get the RTP to source from the IP on the vlan 3 interface. We have tried setting up a loopback interface and using it for the media-gateway ip, but everything we try still won't source as the 172.16.16.10 address. How can this be done?

       

      Here is the config for the interfaces involved.

       

      interface eth 0/0

        description WAN

        ip address 68.65.123.10 255.255.255.0

        ip access-policy Public

        no shutdown

      !

       

      interface gigabit-eth 0/2

        no shutdown

        switchport access vlan 3

      !

       

      interface vlan 3

        description SIP WAN

        ip address 172.16.16.10 255.255.255.0

        ip access-policy SIP_Private

        media-gateway ip primary

        no shutdown

      !

       

      ip route 0.0.0.0 0.0.0.0 68.65.123.1

      ip route 172.17.0.0 255.255.255.0 172.16.16.1

        • Re: media-gateway for VLAN interface
          jayh Hall_of_Fame

          If you aren't traversing a NAT, the RTP will typically just route to the origin of the RTP and pass through the Adtran device as would any other layer 3 IP routed flow.

           

          If you are traversing a NAT, make sure that you also have the media-gateway ip defined on the outside of the NAT which should fix the problem.

            • Re: media-gateway for VLAN interface
              crawc New Member

              The phone network (vlan2) is NAT'ing out the "sip WAN" vlan 3 interface. The problem is the RTP is reporting the source address as the eth0/0 interface address and not the vlan 3 interface address.

               

              Also, all interfaces that are doing SIP need a media-gateway set or it will fail altogether.

               

               

               

              interface vlan 1

                description Customer LAN

                ip address 10.10.10.1 255.255.255.0

                ip access-policy Private

                media-gateway ip primary

                no shutdown

              !

              interface vlan 2

                description VOIP Phones

                ip address 10.10.20.1 255.255.255.0

                ip access-policy Private

                media-gateway ip primary

                no shutdown

              !

              interface vlan 3

                description SIP WAN

                ip address 172.16.16.10 255.255.255.0

                ip access-policy SIP_Private

                media-gateway ip primary

                no shutdown

              !

                • Re: media-gateway for VLAN interface
                  jayh Hall_of_Fame

                  Do you have the appropriate NAT rules in place between the Private and SIP_Private policy-classes?

                   

                  Also, both of these are RFC1918 IP ranges, could there be double-NAT going on?  If so, you will likely want to avoid doing this if at all possible.

                    • Re: media-gateway for VLAN interface
                      crawc New Member

                      The NAT is working as it should. The vlan 2 network is NAT overloading to the vlan 3 address. The problem is ONLY with the SIP RTP. I can't get it to source from the vlan 3 interface. So what ends up happening is the SIP RTP is sent to the SIP server living at 172.17.0.5; it sees the RTP coming from 68.65.123.10 so it sends the packets back to that address, which isn't what we want. It needs to source from 172.16.16.10 so the RTP can route back to it properly.

                        • Re: media-gateway for VLAN interface
                          jayh Hall_of_Fame

                          How is the eth 0/0 WAN interface involved? You don't have a media-gateway ip primary statement applied to that interface.  Based on your interface descriptions you've got VoIP phones on interface VLAN 2, 10.10.20.0/24 and a SIP WAN on VLAN 3, 172.16.16.0/24.  In your last posting you reference a SIP server on 172.17.0.5 which isn't directly connected.  What's the route to that network?

                           

                          Could you possibly post a config with sensitive information redacted?  Also the results of:

                           

                          • show ip route
                          • show ip policy-sessions

                          with a voice call up.

                            • Re: media-gateway for VLAN interface
                              crawc New Member

                              Here is a diagram of how everything is set up.

                              nv7100.jpg

                               

                              Also here is the output of those commands

                               

                              Gateway of last resort is 68.65.123.1 eth 0/0

                              S    0.0.0.0/0 [1/1/0] via 68.65.123.1, eth 0/0

                              C    10.10.10.0/24 is directly connected, vlan 1

                              C    10.10.20.0/24 is directly connected, vlan 2

                              C    68.65.123.0/24 is directly connected, eth 0/0

                              C    172.16.16.0/24 is directly connected, vlan 3

                              S    172.17.0.0/24 [1/1/0] via 172.16.16.1, vlan 3

                               

                               

                              Src Vrf (if not default), Src policy class:

                              Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class

                                Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port

                                --------------- -------- --------------- -------- ----------------- --------

                               

                               

                              Policy class "Private":

                              udp (53) -> self

                                10.10.20.2      5060     10.10.20.1      5060

                              udp (45) -> SIP_Private

                                10.10.20.2      3000     172.17.0.6      51064    s 68.65.123.10   50000

                              udp (38) -> SIP_Private

                                10.10.20.2      3001     172.17.0.6      51065    s 68.65.123.10   50001

                               

                               

                              Policy class "self":

                              udp (53) -> SIP_Private

                                172.16.16.9     5060     172.17.0.5      5060

                               

                               

                               

                               

                               

                              ip access-list standard NAT

                                remark Internet Connection Sharing

                                permit any

                              !

                              !

                              ip access-list extended InterVLAN

                                remark Voice / Data VLAN Traffic

                                permit ip 10.10.10.0 0.0.0.255  10.10.20.0 0.0.0.255

                              !

                              ip access-list extended self

                                remark Traffic to Netvanta

                                permit ip any  any     log

                              !

                              ip access-list extended tsc-sip-acl

                                permit ip 172.17.0.0 0.0.0.15  any

                                permit ip 172.17.0.16 0.0.0.15  any

                                permit ip 172.17.0.32 0.0.0.15  any

                              !

                              ip access-list extended web-acl-7

                                remark 1toMany

                                permit ip 10.10.20.0 0.0.0.255  any     log

                              !

                              ip access-list extended web-acl-8

                                remark Traffic to Netvanta

                                permit ip any  any     log

                              !

                              !

                              !

                              !

                              ip policy-class Private

                                allow list self self

                                allow list InterVLAN stateless

                                nat source list NAT interface eth 0/0 overload

                              !

                              ip policy-class Public

                                allow list tsc-mgt-acl self

                                allow list tsc-sip-acl self

                              !

                              ip policy-class SIP_Private

                                allow list web-acl-8

                                nat source list web-acl-7 interface vlan 3 overload

                              !

                              !

                              !

                              ip route 0.0.0.0 0.0.0.0 68.65.105.1

                              ip route 172.17.0.0 255.255.255.0 172.16.16.1

                              !
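Added example (not part of any post in this thread): a Python check over the "show ip policy-sessions" output posted above that flags source-NAT sessions whose NAT IP is not the address of the interface bound to the destination policy-class. The policy-class-to-address map comes from the posted interface config; the regular expressions are an assumption based only on the output format shown here.

```python
import re

# Address of the interface bound to each policy-class (from the config posted in the thread).
POLICY_IFACE_IP = {"Public": "68.65.123.10", "SIP_Private": "172.16.16.10"}

# Constructed sample: the policy-sessions lines from the post above, blank lines removed.
SAMPLE = """\
  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
Policy class "Private":
udp (53) -> self
  10.10.20.2      5060     10.10.20.1      5060
udp (45) -> SIP_Private
  10.10.20.2      3000     172.17.0.6      51064    s 68.65.123.10   50000
udp (38) -> SIP_Private
  10.10.20.2      3001     172.17.0.6      51065    s 68.65.123.10   50001
Policy class "self":
udp (53) -> SIP_Private
  172.16.16.9     5060     172.17.0.5      5060
"""

CLASS_RE = re.compile(r'^Policy class "([^"]+)":$')
FLOW_RE = re.compile(r"^(\w+) \(\d+\) -> (\S+)$")
IP = r"(\d+\.\d+\.\d+\.\d+)"
SESS_RE = re.compile(rf"^{IP}\s+(\d+)\s+{IP}\s+(\d+)(?:\s+([sd])\s+{IP}\s+(\d+))?$")
KEYS = ("src_ip", "src_port", "dst_ip", "dst_port", "nat_type", "nat_ip", "nat_port")

def parse_sessions(text):
    """Return one dict per session line; header and separator lines are skipped."""
    sessions, src_class, proto, dst_class = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            src_class, dst_class = m.group(1), None
        elif m := FLOW_RE.match(line):
            proto, dst_class = m.groups()
        elif (m := SESS_RE.match(line)) and src_class and dst_class:
            sessions.append({"src_class": src_class, "dst_class": dst_class,
                             "proto": proto, **dict(zip(KEYS, m.groups()))})
    return sessions

def misnatted(sessions, iface_ip=POLICY_IFACE_IP):
    """Source-NAT sessions whose NAT IP differs from the destination class's interface IP."""
    return [s for s in sessions
            if s["nat_type"] == "s" and s["dst_class"] in iface_ip
            and s["nat_ip"] != iface_ip[s["dst_class"]]]

if __name__ == "__main__":
    for s in misnatted(parse_sessions(SAMPLE)):
        print(f"{s['src_class']} -> {s['dst_class']}: {s['src_ip']}:{s['src_port']} "
              f"NATed to {s['nat_ip']}, expected {POLICY_IFACE_IP[s['dst_class']]}")
```

On the posted output this flags the two RTP sessions from 10.10.20.2 (ports 3000 and 3001), both translated to 68.65.123.10 while leaving toward SIP_Private.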