Example: Configuring a Small Office for High-Definition Videoconferencing

This example provides step-by-step procedures to configure the SRX100 Services Gateway to support broadband access with high-definition videoconferencing terminals. It shows how to establish secure connectivity using IP security (IPsec), implement a local Dynamic Host Configuration Protocol (DHCP) server with NAT, set up security zones, provision QoS, and define the interface maximum transmission unit (MTU).

The topic includes the following sections:

Requirements

This example uses the following hardware and software components:

  • Two Juniper Networks SRX Series Services Gateways (SRX100 and SRX3600) running Junos OS Release 11.4 or later.

  • Two Juniper Networks MX Series 3D Universal Edge Routers running Junos OS Release 11.4 or later.

Note

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Overview

In this example, a cable-based SOHO is used as a reference model. This example assumes that the WAN link is represented with an Ethernet interface, and all configurations in the example reflect this.

Figure 1 shows the physical topology.

Figure 1: SOHO Broadband Network Physical Topology

SOHO deployments are designed for desktop endpoint equipment whose bandwidth needs are less than 768 Kbps. An example is Polycom’s VVX series device. In this example, the videoconferencing call is treated as best-effort traffic. No special resources or admission control provisioning is required by the service provider, and therefore the high-definition videoconferencing service is provided with enhanced but not assured call experience.

The topology includes the following configurations:

  • A small videoconferencing system such as Polycom’s VVX1500 connects to the SRX100 Services Gateway over a 100 Mbps Fast-Ethernet link. The Polycom VVX device is configured to receive an IP address automatically using DHCP from a local server running on the SRX Series Services Gateway. The Polycom VVX device uses the interface IP address of the SRX Series Services Gateway as its gateway. The configuration for Polycom’s VVX1500 is beyond the scope of this document.

  • In the SOHO, the SRX Series Services Gateway provides secure IPsec virtual private network (VPN) connectivity for the video endpoint to communicate with the video data center as well as with endpoints at other sites during a point-to-point call. The SRX100 device also acts as a security router, protecting the SOHO equipment connected to its interfaces from Internet-borne threats.

    The SRX Series Services Gateway is also configured to protect devices in the trust zone from attacks originating from the unsecure Internet. These screening options help combat attacks such as IP address sweeps, port scans, denial-of-service (DoS) attacks, Internet Control Message Protocol (ICMP) floods, User Datagram Protocol (UDP) floods, and many others.

  • Security zones are configured on the SRX Series device to permit all traffic to and from the physical port to which the Polycom VVX1500 is connected. This ensures that the video endpoint can communicate (register, call signaling) with the centralized SIP proxy/H.323 gateway that resides in the video data center, as well as with endpoints at other sites. In this example, you configure two security zones: Trust and Untrust. Because the SOHO devices are regarded as trustworthy, the Trust security zone is used for all customer premises devices, including PCs and videoconferencing endpoints, while the Untrust zone is used on the WAN interface.

  • The SRX Series device serves as a DHCP server and NAT gateway for the video endpoints. It receives a public IP address from the ISP and in turn provides NAT to all traffic from the video endpoint to this IP address. The DHCP server is configured to match the device hardware address of the video endpoint with a pre-defined IP address. This is important because the Polycom DMA controller in the data center is provisioned to recognize endpoints using the IP address. The SRX Series device translates all traffic from the video endpoint’s private IP address to the DHCP-assigned public IP address on the egress interface and vice versa.

  • Although it is challenging to guarantee service-level agreements (SLAs) for calls over the public Internet, as a best practice, provision the SRX Series device to apply static QoS on the video endpoint traffic. You can achieve this by attaching a filter on the interface to which the endpoint is connected and marking ingress traffic on this interface with an assured forwarding Differentiated Services code point (DSCP). Since the traffic is traversing the Internet, only best-effort delivery is guaranteed.

    Note

    Ideally, QoS must be used across the end-to-end connection. However, since the last mile might not be QoS-enabled, a congestion-free metro access network cannot be guaranteed.

  • Configure the MTU to ensure minimal packet loss and transit delays for videoconferencing traffic. You must consider the size of the entire network’s MTU and configure the video endpoints accordingly.

Configuration

To configure a small office for high-definition videoconferencing, perform the following procedures on your SRX100 Services Gateway:

Best Practice

In any configuration session, it is a good practice to periodically use the commit check command to verify that the configuration can be committed.

Establishing Secure Connectivity Using IPsec

Step-by-Step Procedure

In this section, you configure the SRX Series device to provide IPsec VPN connectivity for the video endpoint to communicate with the video data center as well as with endpoints at other sites during a point-to-point call. Figure 2 shows the IPsec connectivity between the video endpoint and the video data center.

Figure 2: IPsec Connectivity

To configure the IPsec VPN:

  1. Configure the Internet Key Exchange (IKE) proposal.

    The IKE proposal must match with the IPsec tunnel termination proposal at the SRX3600 device in the video data center and at all other sites that this site communicates with. You define the authentication method, Diffie-Hellman group, authentication algorithm, encryption algorithm, and lifetime seconds.

  2. Configure the IKE policy that references the IKE proposal.

    Reference hdvc-ike-proposal as the IKE proposal, and specify main as the mode for negotiating the IPsec security association.

  3. Configure the IKE gateway that references the IKE policy.

    Specify the IKE IDs for the local and remote devices and the IP address of the SRX3600 device at the data center as the IPsec tunnel endpoint.

  4. Define the IPsec proposal by specifying the protocol, authentication algorithm, and encryption algorithm.
  5. Configure an IPsec policy that references the IPsec proposal.
  6. Configure an IPsec VPN tunnel that references both the IKE gateway and the IPsec policy.
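The six steps above, as an added example in Junos set format (not the page's own configuration). The proposal name hdvc-ike-proposal comes from the page; the policy, gateway and VPN names, the data-center endpoint address 203.0.113.10, the IKE hostnames, the algorithm choices and the pre-shared-key placeholder are assumptions.

```junos
# Step 1: IKE proposal. Every value must match the SRX3600 side in the data center.
set security ike proposal hdvc-ike-proposal authentication-method pre-shared-keys
set security ike proposal hdvc-ike-proposal dh-group group2
set security ike proposal hdvc-ike-proposal authentication-algorithm sha1
set security ike proposal hdvc-ike-proposal encryption-algorithm aes-128-cbc
set security ike proposal hdvc-ike-proposal lifetime-seconds 28800

# Step 2: IKE policy that references the proposal and negotiates in main mode.
# The PSK is a placeholder; use a long random secret, never a dictionary word.
set security ike policy hdvc-ike-policy mode main
set security ike policy hdvc-ike-policy proposals hdvc-ike-proposal
set security ike policy hdvc-ike-policy pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"

# Step 3: IKE gateway with the local and remote IKE IDs (assumed hostnames) and the
# SRX3600 tunnel endpoint (assumed address). The WAN uplink is the external interface.
set security ike gateway hdvc-gw ike-policy hdvc-ike-policy
set security ike gateway hdvc-gw address 203.0.113.10
set security ike gateway hdvc-gw local-identity hostname soho-srx100.example.net
set security ike gateway hdvc-gw remote-identity hostname dc-srx3600.example.net
set security ike gateway hdvc-gw external-interface fe-0/0/7.0

# Step 4: IPsec proposal (ESP with HMAC-SHA1 integrity and AES-128 encryption).
set security ipsec proposal hdvc-ipsec-proposal protocol esp
set security ipsec proposal hdvc-ipsec-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal hdvc-ipsec-proposal encryption-algorithm aes-128-cbc

# Step 5: IPsec policy that references the proposal.
set security ipsec policy hdvc-ipsec-policy proposals hdvc-ipsec-proposal

# Step 6: VPN tunnel that ties the IKE gateway and the IPsec policy together.
# The page does not say whether the VPN is policy-based (referenced from a security
# policy with "tunnel ipsec-vpn hdvc-vpn") or route-based (bound to an st0 interface).
set security ipsec vpn hdvc-vpn ike gateway hdvc-gw
set security ipsec vpn hdvc-vpn ike ipsec-policy hdvc-ipsec-policy
set security ipsec vpn hdvc-vpn establish-tunnels immediately
```

After committing, show security ike security-associations and show security ipsec security-associations confirm that phase 1 and phase 2 are up.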

Configuring the Security Zones for the Endpoints

Step-by-Step Procedure

In this section, you configure trust and untrust security zones to permit all traffic to and from the physical port to which the Polycom VVX is connected.

To configure security zones:

  1. Configure the Ethernet interface that serves as the default gateway for the video endpoint.

    Optionally, specify the description.

  2. Configure the trust security zone.

    Include the TCP reset (tcp-rst) statement at the [edit security zones security-zone trust] hierarchy level. Specify vvx-devices as the address book address name and 192.168.40.0/24 as the address book IPv4 address. Specify all as the allowed host-inbound-traffic system services for the security zone. Specify all as the allowed host-inbound-traffic protocols.

  3. Configure the untrust security zone.

    Assign an interface to the security zone and allow all system services for the security zone. Configure the address book entry for the untrust security zone. Specify an address set that includes all video endpoints and devices that the site has to communicate with.

  4. Configure the security policy to permit traffic from the trust zone to the trust zone.
  5. Configure the security policy to permit traffic from the trust zone to the untrust zone.
  6. Configure the security policy to permit traffic from the untrust zone to the trust zone.
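The zone and policy steps above, as an added example in Junos set format (not the page's own configuration). The address name vvx-devices, the prefix 192.168.40.0/24, the tcp-rst statement and the interfaces fe-0/0/2 and fe-0/0/7 come from the page; the gateway address 192.168.40.1, the video-dc and remote-site prefixes, the address-set name and the policy names are assumptions.

```junos
# Step 1: LAN interface that is the VVX endpoint's default gateway (address assumed).
set interfaces fe-0/0/2 description "Polycom VVX1500 endpoint"
set interfaces fe-0/0/2 unit 0 family inet address 192.168.40.1/24

# Step 2: trust zone with tcp-rst, the vvx-devices address, and all host-inbound traffic.
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address vvx-devices 192.168.40.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces fe-0/0/2.0

# Step 3: untrust zone on the WAN uplink. The page allows all system services here;
# restricting this to "ike", "dhcp" and "ping" is the tighter choice on an Internet-facing zone.
set security zones security-zone untrust interfaces fe-0/0/7.0
set security zones security-zone untrust host-inbound-traffic system-services all
# Address set naming every video peer this site talks to (prefixes assumed).
set security zones security-zone untrust address-book address video-dc 10.10.0.0/16
set security zones security-zone untrust address-book address remote-site-vvx 192.168.41.0/24
set security zones security-zone untrust address-book address-set video-peers address video-dc
set security zones security-zone untrust address-book address-set video-peers address remote-site-vvx

# Step 4: trust to trust.
set security policies from-zone trust to-zone trust policy intra-trust match source-address any
set security policies from-zone trust to-zone trust policy intra-trust match destination-address any
set security policies from-zone trust to-zone trust policy intra-trust match application any
set security policies from-zone trust to-zone trust policy intra-trust then permit

# Step 5: trust to untrust (premises devices out to the Internet and the video peers).
set security policies from-zone trust to-zone untrust policy trust-out match source-address any
set security policies from-zone trust to-zone untrust policy trust-out match destination-address any
set security policies from-zone trust to-zone untrust policy trust-out match application any
set security policies from-zone trust to-zone untrust policy trust-out then permit

# Step 6: untrust to trust, limited to the video peers reaching the VVX endpoint
# so that arbitrary Internet hosts are not permitted into the trust zone.
set security policies from-zone untrust to-zone trust policy video-in match source-address video-peers
set security policies from-zone untrust to-zone trust policy video-in match destination-address vvx-devices
set security policies from-zone untrust to-zone trust policy video-in match application any
set security policies from-zone untrust to-zone trust policy video-in then permit
```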

Configuring the Local DHCP Server

Step-by-Step Procedure

This section describes how to configure an SRX Series device as a local DHCP server and a DHCP client. Figure 3 illustrates the DHCP address assignment mechanism.

Figure 3: DHCP Address Assignment

To configure DHCP:

  1. Configure the DHCP server.

    Specify the static binding for the DHCP client and bind the hardware address of the Polycom VVX device to a static IP address on the local network.

  2. Specify fe-0/0/7 as the interface on which the DHCP client has to be enabled.

    Optionally specify the description.

  3. Specify DHCP as a host-inbound service for the untrust security zone to which the interface is bound.
  4. Define the number of attempts allowed to retransmit a DHCP packet.
  5. Define the interval, in seconds, allowed between retransmission attempts.

Configuring Source NAT

Step-by-Step Procedure

In this section, you configure the SRX100 Services Gateway to translate all traffic from the private IP address of the video endpoint to the DHCP-assigned public IP address on the egress interface and vice versa.

To configure NAT:

  1. Create a source NAT rule set called VVX-Interface-NAT.
  2. Create a rule called private_net and assign it to the rule set. Specify the range of private IP addresses that require NAT translation.
  3. Specify the action to translate the source address to the address of the egress interface.

    The SRX100 device uses the specified source-nat interface, and translates the source IP address and port for outgoing traffic, using the IP address of the egress interface as the source IP address and a random higher port for the source port.
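The DHCP server, DHCP client and source NAT procedures above, as one added example in Junos set format (not the page's own configuration). The interface fe-0/0/7, the rule-set name VVX-Interface-NAT and the rule name private_net come from the page; the endpoint MAC address (an IANA documentation address used as a placeholder), the fixed address 192.168.40.10, the pool range, the name server and the retransmission values are assumptions.

```junos
# DHCP server: bind the VVX hardware address (placeholder MAC) to a fixed address so the
# DMA controller in the data center always sees the same endpoint address, and hand the
# remaining premises devices addresses from a small dynamic range.
set system services dhcp static-binding 00:00:5e:00:53:01 fixed-address 192.168.40.10
set system services dhcp static-binding 00:00:5e:00:53:01 host-name vvx1500
set system services dhcp pool 192.168.40.0/24 address-range low 192.168.40.20 high 192.168.40.100
set system services dhcp pool 192.168.40.0/24 router 192.168.40.1
set system services dhcp pool 192.168.40.0/24 name-server 192.0.2.53
set system services dhcp pool 192.168.40.0/24 default-lease-time 86400

# DHCP client on the ISP-facing interface (step 2), with the retransmission attempt count
# (step 4) and interval in seconds (step 5); 6 attempts / 4 seconds are assumed values.
set interfaces fe-0/0/7 description "ISP uplink (DHCP client)"
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-attempt 6
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-interval 4

# Step 3: the untrust zone, which holds fe-0/0/7.0, must accept DHCP replies.
set security zones security-zone untrust host-inbound-traffic system-services dhcp

# Source NAT: every flow from the private range leaving toward untrust is translated to the
# egress interface address and a high-numbered source port (interface NAT).
set security nat source rule-set VVX-Interface-NAT from zone trust
set security nat source rule-set VVX-Interface-NAT to zone untrust
set security nat source rule-set VVX-Interface-NAT rule private_net match source-address 192.168.40.0/24
set security nat source rule-set VVX-Interface-NAT rule private_net then source-nat interface
```

show security nat source rule all displays the translation hit count per rule once the endpoint starts sending traffic.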

Configuring Screens

Step-by-Step Procedure

In this section, you configure an intrusion detection service (IDS) profile and attach it to the untrust zone. You configure the SRX100 Services Gateway to protect devices in the trust zone from attacks originating from the unsecure Internet. The screening options help combat attacks such as IP address sweeps, port scans, DoS attacks, ICMP floods, and UDP floods.

To configure the IDS profile and attach it to a zone:

  1. Create an IDS profile called untrust-screen and configure the ICMP screening options.
  2. Configure the IP screening options.
  3. Configure the TCP screening options.
  4. Attach the IDS profile untrust-screen to the untrust zone.

Provisioning QoS on the Video Endpoint and Configuring the Interface MTU

Step-by-Step Procedure

In this section, the SRX100 Services Gateway is provisioned to apply static QoS on the video endpoint traffic.

To ensure minimal packet loss and transit delays for videoconferencing traffic, you must consider the size of the entire network’s MTU and configure the video endpoints accordingly. By default, on the Polycom V700 device, the MTU is set to 1260 bytes. The end-to-end MTU assessment must account for overhead added by IPsec VPN (~52 bytes), VLAN header (4 bytes), and Layer 3 VPN (4 bytes). If the packet size exceeds the MTU of any network link, it is fragmented into two or more fragments. This must be avoided for high-definition videoconferencing traffic because it results in degraded quality. In the case of IPsec tunnels, packet fragmentation is absolutely not permissible.

The default value for the MTU on the Fast Ethernet interface of the SRX Series device is 1500 bytes. Based on the end-to-end MTU calculation, this must be changed on both the interface connecting the video endpoint and the WAN uplink, if required. Typically, the MTU size in cable and asymmetric digital subscriber line (ADSL) networks is even shorter, so ensure that the length of the transmitted packets does not exceed the link’s MTU.

To provision QoS and reset the MTU:

  1. Create a firewall filter called V700-MC-Bronze-Tier, and specify the term as All-VVX-Traffic and the forwarding class as MC-BRONZE to select the traffic.
  2. Apply the firewall filter to the fe-0/0/2 interface, which connects the video endpoint.

    Optionally, specify the description.

  3. Reset the MTU size to 1492 at the fe-0/0/2 interface.
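The QoS and MTU steps above, as an added example in Junos set format (not the page's own configuration). The filter name V700-MC-Bronze-Tier, the term All-VVX-Traffic, the forwarding class MC-BRONZE, the interface fe-0/0/2 and the MTU value 1492 come from the page; the queue number, the DSCP value af31, the rewrite-rule name and applying the rewrite on fe-0/0/7 are assumptions.

```junos
# The forwarding class must exist before a filter can reference it (queue number assumed).
set class-of-service forwarding-classes class MC-BRONZE queue-num 2

# Step 1: a single-term filter that classifies everything from the endpoint as MC-BRONZE.
set firewall family inet filter V700-MC-Bronze-Tier term All-VVX-Traffic then forwarding-class MC-BRONZE
set firewall family inet filter V700-MC-Bronze-Tier term All-VVX-Traffic then loss-priority low
set firewall family inet filter V700-MC-Bronze-Tier term All-VVX-Traffic then accept

# Step 2: apply the filter inbound on the endpoint-facing interface.
set interfaces fe-0/0/2 description "Polycom VVX1500 endpoint"
set interfaces fe-0/0/2 unit 0 family inet filter input V700-MC-Bronze-Tier

# Step 3: IP MTU of 1492 on the same interface, so packets from the SRX toward the
# endpoint are already small enough for the WAN path (page value; the budget is the
# 1500-byte default minus IPsec, VLAN and L3 VPN overhead as described above).
set interfaces fe-0/0/2 unit 0 family inet mtu 1492

# Marking: write an assured-forwarding DSCP (af31 assumed) on the WAN uplink for MC-BRONZE
# traffic. The page describes the marking; the rewrite rule that performs it is an assumption.
set class-of-service rewrite-rules dscp hdvc-af-rewrite forwarding-class MC-BRONZE loss-priority low code-point af31
set class-of-service interfaces fe-0/0/7 unit 0 rewrite-rules dscp hdvc-af-rewrite
```

Because the traffic crosses the public Internet, the marking only influences queuing on links that honour it; as the page notes, delivery remains best-effort beyond the last mile.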

Verification

After configuring the SRX Series Services Gateway, ensure the connectivity to the essential elements in the network. The following steps illustrate debugging examples at various network elements in the path.

Ping the DHCP server from the SRX Series Services Gateway. If the DHCP IP address is not assigned to the SRX Series Services Gateway, perform the following steps:

  1. Re-initiate the DHCP request.

    The video endpoint device acquires an IP address through DHCP.

  2. If an IP address is acquired at the video endpoint device, check the end-to-end connectivity between the video endpoint and the video signaling equipment (Polycom’s DMA, RMX) in the data center.

    Video endpoints provide a connectivity test that is accessible using the Web interface of the endpoint. If problems still exist, troubleshoot the routers.

  3. If connectivity to the video signaling equipment in the data center has not yet been established, verify the connectivity to the public Internet.

    You can verify the connectivity by pinging the default gateway that was assigned to the SRX Series Services Gateway by the ISP’s DHCP server.

  4. If there are no connectivity issues, then inspect the IPsec VPN configuration on the SRX Series Services Gateway, and the tunnel termination configuration in the SRX cluster at the video data center.

  5. If there are any MTU-related problems, ping from the video endpoint using the ICMP packets with the packet length set to the size of the MTU configured on the SRX Series Services Gateway.
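The debugging sequence above, as an added example of operational-mode commands on the SRX100 (not the page's own transcript). The interface fe-0/0/7 and the MTU of 1492 come from the page; the ISP gateway 198.51.100.1, the endpoint address 192.168.40.10 and the DMA address 10.10.1.5 are assumptions.

```junos
# Step 1: re-request the WAN lease and confirm the client is bound.
request system services dhcp renew fe-0/0/7
show system services dhcp client fe-0/0/7.0

# Step 3: the default route learned from the ISP's DHCP server, then the gateway itself.
show route 0.0.0.0/0
ping 198.51.100.1 count 5

# Step 4: phase 1 and phase 2 state before suspecting the data-center side.
show security ike security-associations
show security ipsec security-associations
ping 10.10.1.5 count 5

# Step 5: MTU probe from the gateway. "size" is the ICMP payload; 1464 + 8 (ICMP) + 20 (IP)
# equals the 1492-byte MTU and must pass with do-not-fragment, while 1465 must fail.
ping 192.168.40.10 size 1464 do-not-fragment count 3
ping 192.168.40.10 size 1465 do-not-fragment count 3
```

The same probe run from a PC on the endpoint's LAN toward the data center finds the smallest MTU on the whole path, which is the value the endpoint must be configured below.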

Confirm that the configuration is working properly.

Re-Initiating DHCP IP Address Assignment on SRX Series Services Gateway

Purpose

Re-initiate the DHCP client IP address assignment on the SRX Series Services Gateway.

Action

From operational mode on the SRX Series Services Gateway, enter the request system services dhcp renew fe-0/0/7 command.

Meaning

If the IP address of the interface is renewed, then this command produces no output.

Verifying the DHCP Client Information

Purpose

Verify the DHCP client information on the SRX Series Services Gateway.

Action

From operational mode on the SRX Series Services Gateway, enter the show system services dhcp client fe-0/0/7.0 command.

Meaning

Verify that the hardware address is correct, that the client status is bound, and that the address obtained is correct.

Verifying the DHCP Statistics

Purpose

Verify the DHCP statistics on the SRX Series Services Gateway are incrementing.

Action

From operational mode on the SRX Series Services Gateway, enter the show system services dhcp client statistics command.

Meaning

Verify that the DHCPACK and DHCPRENEW statistics are both incrementing.

Verifying the Connectivity from SRX Series Services Gateway

Purpose

Verify that you have end-to-end connectivity between the video endpoint and the video signaling equipment at the data center.

Action

From operational mode, enter the ping command on the SRX Series Services Gateway to verify connectivity to the video endpoint.

From operational mode, enter the ping command on the SRX Series Services Gateway to verify connectivity to the video signaling equipment (DMA) at the data center.

Meaning

Verify the number of packets transmitted, packets received, and packets lost. If 0% packet loss is displayed, it indicates that the connectivity is working.