12-5 H.323 Gatekeepers

  • An H.323 gatekeeper provides address translation between E.164 addresses and the IP addresses of endpoints and gateways.

  • A gatekeeper can also control H.323 access to terminals, gateways, and multimedia control units (MCUs).

  • H.323 endpoints communicate with a gatekeeper using the Registration, Admission, and Status (RAS) protocol.

  • In larger H.323 networks, endpoints can be grouped into zones. Each zone is managed by a gatekeeper or a cluster of gatekeepers.

  • Cisco IOS software bundles both H.323 gatekeeper and proxy functions under the feature called Multimedia Conference Manager (MCM).

  • A router can use HSRP to provide a redundant IP address that is shared with other routers. A gatekeeper supports an HSRP mode, in which it moves between standby and active state along with the router's HSRP group.

  • Gatekeepers can be configured as a cluster to provide redundancy and call load balancing. (This is a new feature in IOS 12.2(2)T.)

Configuration

  1. Enable the gatekeeper:

     (global)  gatekeeper  
  2. Identify one or more local zones controlled by the gatekeeper:

     (gatekeeper)  zone local   gatekeeper-name domain-name  [  ras-ip-address  ] 

    The gatekeeper's host name is given as gatekeeper-name, and domain-name is the domain it serves. The ras-ip-address can be used to specify the IP address of a router interface to use when answering gatekeeper discovery queries. This address is used for all local zones defined on the router.

  3. (Optional) Create a cluster of gatekeepers in the local zone for redundancy.

    1. Name the cluster:

       (gatekeeper)  zone cluster local   cluster-name local-zone-name  

      The cluster named cluster-name is associated with the local-zone-name (the host name of the local gatekeeper).

    2. Add an alternative gatekeeper to the cluster:

       (gatekeeper-cluster)  element   alternate-gk ip-address  [  port   port  ] 

      The host name of an alternative gatekeeper in the local zone is given as alternate-gk, along with its IP address and port.

    3. (Optional) Use load balancing of H.323 endpoints:

       (gatekeeper)  load-balance  [  endpoints   max-endpoints  ] [  calls   max-calls  ]   [  cpu   max-cpu  ] [  memory   max-mem-used  ] 

      Load balancing occurs by defining various limits on the local gatekeeper: endpoints (the maximum number of endpoints served), calls (the maximum number of simultaneous calls), cpu (the maximum CPU usage, in percentage), or memory (the maximum percentage of available memory used). As soon as a threshold is reached, the gatekeeper moves registered H.323 endpoints to an alternative gatekeeper or rejects new registrations and calls.

  4. (Optional) Limit the IP subnets associated with a gatekeeper:

     (gatekeeper) zone subnet local-gatekeeper-name {default | subnet-address {/bits-in-mask | mask-address}} enable

    By default, a gatekeeper answers requests from all subnets in its local zone. Specific subnets can be served while others are excluded. The local gatekeeper is identified by its name, local-gatekeeper-name. A subnet is specified by its subnet-address (network address), followed by the subnet mask in /bits-in-mask or mask-address (dotted-decimal) format. The enable keyword allows the gatekeeper to respond to requests from the subnet.

    If the default keyword is given, all subnets other than those specifically defined are used. Also, to exclude subnets from gatekeeper service, use the no keyword with this command. For example, no zone subnet default enable excludes all subnets except those enabled in other zone subnet commands.
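    As an added illustration (not code from the Cisco Field Manual), the following Python models how the zone subnet rules of this step decide whether a gatekeeper answers a RAS request from a given source address. The gatekeeper name, subnets and rule lines are constructed; the tie-break (most specific matching subnet wins) is an assumption, since the text only states that default covers subnets not specifically defined.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed zone subnet lines for a hypothetical local gatekeeper "gk-myregion":
# default disabled, one /16 enabled, one /24 inside it disabled again, one line for another gatekeeper.
SUBNET_RULES = """
no zone subnet gk-myregion default enable
zone subnet gk-myregion 10.20.0.0/16 enable
no zone subnet gk-myregion 10.20.99.0 255.255.255.0 enable
zone subnet gk-other 10.30.0.0/16 enable
"""

Rule = Tuple[Optional[ipaddress.IPv4Network], bool]  # (subnet, or None for "default", enabled?)

def parse_zone_subnet(text: str, gk: str) -> List[Rule]:
    """Collect the zone subnet / no zone subnet rules that belong to gatekeeper gk."""
    rules = []
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        enabled = w[0] != "no"          # "no ... enable" excludes the subnet
        if not enabled:
            w = w[1:]
        if w[:3] != ["zone", "subnet", gk] or w[-1] != "enable":
            continue
        spec = w[3:-1]
        if spec == ["default"]:
            rules.append((None, enabled))
        elif len(spec) == 1:            # subnet-address/bits-in-mask
            rules.append((ipaddress.ip_network(spec[0], strict=False), enabled))
        else:                           # subnet-address mask-address (dotted decimal)
            rules.append((ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False), enabled))
    return rules

def gatekeeper_answers(rules: List[Rule], src: str) -> bool:
    """True if the gatekeeper responds to a RAS request from src.
    Most specific matching subnet wins (assumption); the default rule applies when
    no subnet matches; with no rules configured every subnet is served."""
    addr = ipaddress.ip_address(src)
    best = None
    default = True
    for net, enabled in rules:
        if net is None:
            default = enabled
        elif addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, enabled)
    return best[1] if best else default
```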

  5. Communicate with other gatekeepers.

    1. Use DNS to look up gatekeepers.

      • Set the local router's domain name:

         (global)  ip domain-name   domain-name  
      • Identify one or more name servers:

         (global)  ip name-server   server-address  [  server-address2 ...   server-address6  ] 

        Up to six DNS server addresses can be given. Each is tried in sequential order when requesting a DNS lookup.

    2. Statically define gatekeepers:

       (gatekeeper)  zone remote   other-gatekeeper-name other-domain-name   other-gatekeeper-ip-address  [  port-number  ] [  cost   cost  [  priority   priority  ]] 

      A remote gatekeeper can be defined with its name (other-gatekeeper-name), its domain name (other-domain-name), IP address (other-gatekeeper-ip-address), and an optional port-number for RAS communication (1 to 65535; the default is 1719). Least-cost call routing is used by assigning a cost (1 to 100; the default is 50) and a priority (1 to 100; the default is 50) to a remote gatekeeper.

    3. (Optional) Create a cluster of gatekeepers in the remote zone for redundancy.

      • Name the cluster:

         (gatekeeper)  zone cluster remote   remote-cluster-name domain-name  [  cost   cost  ] [  priority   priority  ] 
        The remote cluster named remote-cluster-name is associated with the domain-name (remote zone name). An optional cost (1 to 100; the default is 50) and priority (1 to 100; the default is 50) can be assigned to the cluster for least-cost call routing.

      • Add an alternative gatekeeper to the cluster:

         (gatekeeper-cluster)  element   alternate-gk ip-address  [  port   port  ] 

        The host name of an alternative gatekeeper in the remote zone is given as alternate-gk, along with its IP address and port.

  6. (Optional) Associate a technology prefix with gatekeepers:

     (gatekeeper) gw-type-prefix type-prefix [[hopoff gkid1] [hopoff gkid2 ... hopoff gkidn] [seq | blast]] [default-technology] [[gw ipaddr ipaddr [port]]]

    Technology prefixes are recognized before zone prefixes to find a call hop-off point with an associated gatekeeper. A technology prefix is given as type-prefix (an arbitrary sequence of digits, usually ending with a pound sign [#]; tech prefixes are configured in gatekeepers). Normally, gateways register technology prefixes with a gatekeeper automatically. However, one or more redundant hop-off points can be specified for the prefix with gatekeeper names gkid1, gkid2, and so forth. The gatekeepers must be identified on the router with the zone local or zone remote commands. The default-technology keyword can be used to route unmatched technology prefixes to the listed gatekeepers.

    When resolving a prefix to a gatekeeper with multiple hop-offs (the same prefix is assigned to multiple gatekeepers), location requests (LRQs) can be sent simultaneously (blast) to the gatekeepers in the order they are listed. Local gatekeepers are placed at the top of the list, followed by any remote gatekeepers. Otherwise, the LRQs are sent sequentially, with a delay after each (seq, the default).

    If a gateway is incapable of registering technology prefixes with the gatekeeper, you can add a static pointer to it with the gw ipaddr keywords, along with the gateway's IP address and RAS port (default 1719).

  7. (Optional) Associate an E.164 prefix with a gateway:

     (gatekeeper) zone prefix gatekeeper-name e164-prefix [blast | seq] [gw-priority priority gw-alias [gw-alias, ...]]

    A gatekeeper translates an E.164 number, e164-prefix (a number of digits followed by dots, each matching any digit, or a star [*], matching all digits), to the gatekeeper name gatekeeper-name serving that prefix. You can set priorities for specific gateways in a prefix with the gw-priority keyword, along with the priority (0 to 10; 0 excludes the gateway from a prefix) and a list of gateway names. Gateways must register with the gatekeeper before receiving a priority. If no specific priority is given for a gateway, it receives a default of 5.

    When resolving a prefix to a gatekeeper with multiple hop-offs (the same prefix is assigned to multiple gatekeepers), location requests (LRQs) can be sent simultaneously (blast) to the gatekeepers in the order they are listed. Local gatekeepers are placed at the top of the list, followed by any remote gatekeepers. Otherwise, the LRQs are sent sequentially, with a delay after each (seq, the default).

  8. (Optional) Statically configure nodes that are unable to register:

     (gatekeeper) alias static ip-signaling-addr [port] gkid gatekeeper-name [ras ip-ras-addr port] [terminal | mcu | gateway {h320 | h323-proxy | voip}] [e164 e164-address] [h323id h323-id]

    If an endpoint or node cannot register with a gatekeeper for some reason, it can be statically defined with an alias in the gatekeeper. The node's IP address and port are given as ip-signaling-addr [port]. The gatekeeper name for the node's zone is given as gkid gatekeeper-name. You can specify the RAS address and port used by the node with ras ip-ras-addr port. The type of H.323 endpoint is given by terminal (H.323 terminal), mcu (multimedia control unit), or gateway. Gateway types are given by h320 (H.320), h323-proxy (H.323 proxy), or voip (VoIP). One or more E.164 numbers for the node can be given as e164 e164-address (up to 128 characters total). One or more H.323 identification strings can be assigned to the node with h323id h323-id (up to 256 characters total).

  9. (Optional) Use AAA authentication and accounting with H.323.

    1. Configure AAA login authentication to a RADIUS or TACACS+ server by referring to Section 13-2.

    2. Enable AAA on the gatekeeper:

       (gatekeeper) security {any | h323-id | e164} {password default password | password separator character}

      Endpoints or nodes can be configured in a RADIUS or TACACS+ server, which is queried when a node registers with the gatekeeper. The type of user alias that is authenticated is given by h323-id (H.323 ID), e164 (E.164 number), or any (uses the first alias given by the node). An alias must be accompanied by a password. A default password can be given as password default password and must also be configured in the AAA server. For H.323 ID aliases, the alias and password can be passed as a single string, separated by password separator character.

    3. Configure AAA accounting to a RADIUS or TACACS+ server by referring to Section 13-2. Use the aaa accounting connection h323 keywords for H.323 accounting.

    4. Enable H.323 accounting on the gatekeeper:

       (gatekeeper)  aaa accounting  

      The gatekeeper sends registration accounting records to the configured RADIUS or TACACS+ servers.

  10. (Optional) Use external applications with the gatekeeper.

    1. (Optional) Define a port that the gatekeeper uses for listening:

       (gatekeeper)  server registration-port   port  

      By default, the gatekeeper doesn't listen to any external sources for H.323 registration. A registration port (1 to 65535) can be defined to match the port used by the external application.

    2. (Optional) Trigger interaction with external applications.

      • Define a static trigger:

         (gatekeeper) server trigger {arq | lcf | lrj | lrq | rrq | urq} gkid priority server-id server-ipaddress server-port

        A trigger is configured for one of the RAS message types shown. The local gatekeeper identifier is given as gkid. Each trigger is assigned a priority (1 to 20; 1 is highest) so that multiple triggers can be used in order. The external application server is known as server-id (a string or name) at IP address server-ipaddress and using RAS port server-port.

      • (Optional) Generate information notifications only:

         (gatekeeper-trigger)  info-only  

        Messages are sent as notifications without waiting for a response from the application.

      • (Optional) Temporarily disable a trigger:

         (gatekeeper-trigger)  shutdown  
      • (ARQ, LRQ, LCF, LRJ only) Base the trigger on a destination:

         (gatekeeper-trigger) destination-info {e164 | email-id | h323-id} value

        The trigger destination can be based on value, of the type e164 (an E.164 number), email-id (an e-mail address), or h323-id (an H.323-ID). More than one destination can be given by ending the value string with a comma and another value, or with an asterisk (*).

      • (ARQ and LRQ only) Base the trigger on a specific redirect reason:

         (gatekeeper-trigger)  redirect-reason   value  

        The redirect reason is a numeric value (0 to 65535), with these values currently used: 0 (unknown reason), 1 (call forwarding, or called DTE is busy), 2 (call forwarded; no reply), 4 (call deflection), 9 (called DTE is out of order), 10 (call forwarding by the called DTE), and 15 (call forwarding unconditionally).

      • (LCF only) Base the trigger on a specific type of endpoint:

         (gatekeeper-trigger)  endpoint-type   type  

        The endpoint type is given as one of the following types: gatekeeper, h320-gateway, mcu, other-gateway (a gateway type not in this list of choices), proxy, terminal, or voice-gateway.

      • (RRQ and URQ only) Base the trigger on a specific supported prefix:

         (gatekeeper-trigger)  supported-prefix   prefix  

        The prefix is given as a string of digits (0 to 9, #, *) containing the E.164 technology prefix pattern to match against.

  11. (Optional) Perform H.323 proxy functions.

    1. (Optional) Act as a proxy between local and remote zones:

       (gatekeeper) use-proxy local-zone-name {default | remote-zone remote-zone-name} {inbound-to | outbound-from} {gateway | terminal}

      By default, the proxy function is performed in the local zone for calls to and from local H.323 terminals only. To change this behavior, the name of the local zone or gatekeeper is given as local-zone-name (usually name.domain-name). Proxy services occur for specific remote zones identified with remote-zone remote-zone-name. Remote zones not listed can be served using the default keyword.

      Proxy service can be applied to calls that are inbound-to or outbound-from the local zone and to either gateway or terminal devices.

    2. (Optional) Use an H.323 proxy.

      • Enable the proxy:

         (global)  proxy h323  
      • Associate a gatekeeper with the proxy:

         (interface) h323 gatekeeper [id gatekeeper-id] {ipaddr ipaddr [port] | multicast}

        The gatekeeper named gatekeeper-id (usually of the form name.domain-name) using IP address ipaddr and port is used by the proxy. If the multicast keyword is given, the gatekeeper is discovered through a multicast message. The IP address of the local interface is used as the RAS source address.

      • (Optional) Enable the proxy to use QoS signaling:

         (interface) h323 qos {ip-precedence value | rsvp {controlled-load | guaranteed-qos}}

        The proxy signals QoS requirements by either setting the IP Precedence to value (0 to 7) or requesting RSVP controlled load or guaranteed QoS classes of service.

      • (Optional) Use Application-Specific Routing (ASR) with the proxy.

        Configure ASR on the H.323 interface:

         (interface)  h323 asr  [  bandwidth   max-bandwidth  ] 

        The maximum bandwidth available to the proxy is max-bandwidth (1 to 10,000,000 kbps; the default is the bandwidth configured on the interface).

        Keep the ASR interface isolated from other interfaces.

        You can keep ASR traffic isolated by assigning an IP subnet to the ASR interface that is routed by one type of routing protocol. Then, use another routing protocol for all other interfaces. Or, you can use a single routing protocol but assign the ASR and non-ASR interfaces to two different autonomous systems.

        Use an access list to ensure ASR isolation.

        Create an IP access list that only permits traffic to and from the H.323 interface's IP address (usually a loopback interface). All other traffic is denied (except for any necessary routing protocols, and so forth). Apply the access list to both inbound and outbound traffic on the interface at the edge of the ASR-only network. All proxy traffic uses the H.323 interface's IP address as the source, which is permitted by the access list.

Example

An H.323 gatekeeper is configured for the local zone called gk-myregion at company.com, using IP address 192.168.14.1. Another gatekeeper in the remote zone gk-theirregion is also configured at 192.168.112.1. The technology prefix 2# causes calls to hop off to the remote gatekeeper gk-theirregion. The default technology prefix 4# is used to find a gateway registered with the same technology prefix. E.164 prefix 859. is assigned to the local zone, and 270. is assigned to gk-theirregion. A proxy is configured in the local zone to provide proxy services for calls coming into the local zone to a gateway.

  gatekeeper
   zone local gk-myregion company.com 192.168.14.1
   zone remote gk-theirregion company.com 192.168.112.1
   gw-type-prefix 2# hopoff gk-theirregion
   gw-type-prefix 4# default-technology
   zone prefix gk-myregion 859.......
   zone prefix gk-theirregion 270.......
   use-proxy gk-myregion default inbound-to gateway
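As an added example (not from the Cisco Field Manual), the following Python parses a copy of the example gatekeeper block above and walks through the resolution order described in steps 6 and 7: a technology prefix with a hop-off gatekeeper is recognized before any zone prefix, a recognized prefix without a hop-off falls through to E.164 zone-prefix matching, and dotted patterns match one digit per dot. The longest-match tie-break between zone prefixes is an assumption; the text does not state one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the example gatekeeper block from the text (Cisco IOS syntax).
EXAMPLE_CONFIG = """
gatekeeper
 zone local gk-myregion company.com 192.168.14.1
 zone remote gk-theirregion company.com 192.168.112.1
 gw-type-prefix 2# hopoff gk-theirregion
 gw-type-prefix 4# default-technology
 zone prefix gk-myregion 859.......
 zone prefix gk-theirregion 270.......
 use-proxy gk-myregion default inbound-to gateway
"""

@dataclass
class GkTables:
    zones: Dict[str, str] = field(default_factory=dict)                 # gatekeeper -> local/remote
    tech_hopoffs: Dict[str, List[str]] = field(default_factory=dict)    # tech prefix -> hop-off gatekeepers
    zone_prefixes: List[Tuple[str, str]] = field(default_factory=list)  # (e164 pattern, gatekeeper)

def parse_gatekeeper(text: str) -> GkTables:
    """Extract zone, gw-type-prefix and zone prefix entries; other lines are ignored."""
    t = GkTables()
    for raw in text.splitlines():
        w = raw.split()
        if w[:2] in (["zone", "local"], ["zone", "remote"]):
            t.zones[w[2]] = w[1]
        elif w[:1] == ["gw-type-prefix"]:   # default-technology yields an entry with no hop-off
            t.tech_hopoffs[w[1]] = [w[i + 1] for i, k in enumerate(w) if k == "hopoff"]
        elif w[:2] == ["zone", "prefix"]:
            t.zone_prefixes.append((w[3], w[2]))
    return t

def e164_matches(pattern: str, number: str) -> bool:
    """Each dot matches exactly one digit; a trailing * matches any remaining digits."""
    if pattern.endswith("*"):
        pattern, number = pattern[:-1], number[:len(pattern) - 1]
    return len(pattern) == len(number) and all(p in (".", n) for p, n in zip(pattern, number))

def resolve(t: GkTables, dialed: str) -> Optional[str]:
    """Gatekeeper a dialed string resolves to: technology prefix hop-off first, then
    E.164 zone prefix (longest match wins, an assumption); None means no route."""
    for prefix, hopoffs in t.tech_hopoffs.items():
        if dialed.startswith(prefix):
            if hopoffs:
                return hopoffs[0]            # seq (default): first listed hop-off gatekeeper
            dialed = dialed[len(prefix):]    # recognized prefix, no hop-off: strip and use zones
            break
    best = None
    for pattern, gk in t.zone_prefixes:
        if e164_matches(pattern, dialed) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, gk)
    return best[1] if best else None
```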


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185
