MGCP ALG

The Media Gateway Control Protocol (MGCP) is a text-based signaling and call control communications protocol used in VoIP telecommunication systems. MGCP is used to set up, maintain, and terminate calls between multiple endpoints.

Understanding the MGCP ALG

The Media Gateway Control Protocol (MGCP) is a text-based Application Layer protocol used for call setup and call control between the media gateway and the media gateway controller (MGC).

The protocol is based on a primary/client call control architecture: the MGC (call agent) maintains call control intelligence, and media gateways carry out the instructions from the call agent. Both signaling packets and media packets are transmitted over UDP. Junos OS supports MGCP in route mode and Network Address Translation (NAT) mode.

The MGCP Application Layer Gateway (ALG) performs the following procedures:

  • Conducts voice-over-IP (VoIP) signaling payload inspection. The payload of the incoming VoIP signaling packet is fully inspected based on related RFCs and proprietary standards. Any malformed packet attack is blocked by the ALG.

  • Conducts MGCP signaling payload inspection. The payload of the incoming MGCP signaling packet is fully inspected in accordance with RFC 3435. Any malformed-packet attack is blocked by the ALG.

  • Provides stateful processing. The corresponding VoIP-based state machines are invoked to process the parsed information. Any out-of-state or out-of-transaction packet is identified and properly handled.

  • Performs NAT. Any embedded IP address and port information in the payload is properly translated based on the existing routing information and network topology, and is then replaced with the translated IP address and port number, if necessary.

  • Manages pinholes for VoIP traffic. To keep the VoIP network secure, the IP address and port information used for media or signaling is identified by the ALG, and any needed pinhole is dynamically created and closed during call setup.

MGCP Security

The MGCP ALG includes the following security features:

  • Denial-of-service (DoS) attack protection. The ALG performs stateful inspection at the UDP packet level, the transaction level, and the call level. MGCP packets matching the RFC 3435 message format, transaction state, and call state are processed. All other messages are dropped.

  • Security policy enforcement between gateway and gateway controller (signaling policy).

  • Security policy enforcement between gateways (media policy).

  • Per-gateway MGCP message flooding control. A malfunctioning or compromised gateway cannot disrupt the whole VoIP network; because flooding control is applied per gateway, damage is contained within the affected gateway.

  • Per-gateway MGCP connection flooding control.

  • Seamless switchover/failover: calls, including calls in progress, are switched to the standby firewall in case of system failure.

Entities in MGCP

There are four basic entities in MGCP:

Endpoint

A media gateway is a collection of endpoints. An endpoint can be an analog line, trunk, or any other access point. An endpoint contains the following elements:

The following examples are some valid endpoint IDs:

Connection

Connections are created on each endpoint by an MG during call setup. A typical VoIP call involves two connections. A complex call, for example a three-party call or conference call, might require more connections. The MGC can instruct media gateways to create, modify, delete, and audit a connection.

A connection is identified by its connection ID, which is created by the MG when it is requested to create a connection. Connection ID is presented as a hexadecimal string, and its maximum length is 32 characters.

Call

A call is identified by its call ID, which is created by the MGC when establishing a new call. Call ID is a hexadecimal string with a maximum length of 32 characters. Call ID is unique within the MGC. Two or more connections can have the same call ID if they belong to the same call.

Call Agent

One or more call agents (also called media gateway controllers) are supported in MGCP to enhance reliability in the VoIP network. The following two examples are of call agent names:

Several network addresses can be associated under one domain name in the Domain Name System (DNS). By keeping track of the time to live (TTL) of DNS query/response data and implementing retransmission using the alternative network addresses, switchover and failover are achieved in MGCP.

The concept of a notified entity is essential in MGCP. The notified entity for an endpoint is the call agent currently controlling that endpoint. An endpoint should send any MGCP command to its notified entity. However, different call agents might send MGCP commands to this endpoint.

The notified entity is set to a provisioned value upon startup, but can be changed by a call agent through the use of the NotifiedEntity parameter contained in an MGCP message. If the notified entity for an endpoint is empty or has not been set explicitly, its value defaults to the source address of the last successful non-audit MGCP command received for that endpoint.

MGCP Commands

The MGCP protocol defines nine commands for controlling endpoints and connections. All commands are composed of a command header, optionally followed by Session Description Protocol (SDP) information. A command header has the following elements:

  • A command line: command verb + transaction ID + endpointId + MGCP version.

  • Zero or more parameter lines, composed of a parameter name followed by a parameter value.

Table 1 lists supported MGCP commands and includes a description of each, the command syntax, and examples. Refer to RFC 2234 for a complete explanation of command syntax.

Table 1: MGCP Commands

Each entry lists the command, its description, the command syntax (response parameters <-- command parameters), and an example.

EPCF (EndpointConfiguration)

  Description: Used by a call agent to inform a gateway of the coding characteristics (a-law or mu-law) expected by the line side of the endpoint.

  Command syntax: ReturnCode, [PackageList] <-- EndpointConfiguration (EndpointId, [BearerInformation])

  Example:

    EPCF 2012 wxx/T2@example.com MGCP 1.0
    B: e:mu

CRCX (CreateConnection)

  Description: Used by a call agent to instruct the gateway to create a connection with an endpoint inside the gateway.

  Command syntax: ReturnCode, [ConnectionId,] [SpecificEndPointId,] [LocalConnectionDescriptor,] [SecondEndPointId,] [SecondConnectionId,] [PackageList] <-- CreateConnection (CallId, EndpointId, [NotifiedEntity,] [LocalConnectionOptions,] Mode, [{RemoteConnectionDescriptor | SecondEndpointId},] [encapsulated RQNT,] [encapsulated EPCF])

  Example:

    CRCX 1205 aaln/1@gw-25.example.net MGCP 1.0
    C: A3C47F21456789F0
    L: p:10, a:PCMU
    M: sendrecv
    X: 0123456789AD
    R: L/hd
    S: L/rg

    v=0
    o=- 25678 753849 IN IP4 128.96.41.1
    s=-
    c=IN IP4 128.96.41.1
    t=0 0
    m=audio 3456 RTP/AVP 0

MDCX (ModifyConnection)

  Description: Used by a call agent to instruct a gateway to change the parameters for an existing connection.

  Command syntax: ReturnCode, [LocalConnectionDescriptor,] [PackageList] <-- ModifyConnection (CallId, EndpointId, ConnectionId, [NotifiedEntity,] [LocalConnectionOptions,] [Mode,] [RemoteConnectionDescriptor,] [encapsulated RQNT,] [encapsulated EPCF])

  Example:

    MDCX 1210 aaln/1@rgw-25.example.net MGCP 1.0
    C: A3C47F21456789F0
    I: FDE234C8
    M: recvonly
    X: 0123456789AE
    R: L/hu
    S: G/rt

    v=0
    o=- 4723891 7428910 IN IP4 128.96.63.25
    s=-
    c=IN IP4 128.96.63.25
    t=0 0
    m=audio 3456 RTP/AVP 0

DLCX (DeleteConnection)

  Description: Used by a call agent to instruct a gateway to delete an existing connection. DeleteConnection can also be used by a gateway to release a connection that can no longer be sustained.

  Command syntax: ReturnCode, ConnectionParameters, [PackageList] <-- DeleteConnection (CallId, EndpointId, ConnectionId, [NotifiedEntity,] [encapsulated RQNT,] [encapsulated EPCF])

  Example 1: MGC -> MG

    DLCX 9210 aaln/1@rgw-25.example.net MGCP 1.0
    C: A3C47F21456789F0
    I: FDE234C8

  Example 2: MG -> MGC

    DLCX 9310 aaln/1@rgw-25.example.net MGCP 1.0
    C: A3C47F21456789F0
    I: FDE234C8
    E: 900 - Hardware error
    P: PS=1245, OS=62345, PR=780, OR=45123, PL=10, JI=27, LA=48

RQNT (NotificationRequest)

  Description: Used by a call agent to instruct an MG to monitor for certain event(s) or signal(s) for a specific endpoint.

  Command syntax: ReturnCode, [PackageList] <-- NotificationRequest (EndpointId, [NotifiedEntity,] [RequestedEvents,] RequestIdentifier, [DigitMap,] [SignalRequests,] [QuarantineHandling,] [DetectEvents,] [encapsulated EPCF])

  Example:

    RQNT 1205 aaln/1@rgw-25.example.net MGCP 1.0
    N: ca-new@callagent-ca.example.net
    X: 0123456789AA
    R: L/hd(A, E(S(L/dl),R(L/oc,L/hu,D/[0-9#*T](D))))
    D: (0T|00T|xx|91xxxxxxxxxx|9011x.T)
    S:
    T: G/ft

NTFY (Notify)

  Description: Used by a gateway to inform the call agent when requested event(s) or signal(s) occur.

  Command syntax: ReturnCode, [PackageList] <-- Notify (EndpointId, [NotifiedEntity,] RequestIdentifier, ObservedEvents)

  Example:

    NTFY 2002 aaln/1@rgw-25.example.net MGCP 1.0
    N: ca@ca1.example.net:5678
    X: 0123456789AC
    O: L/hd,D/9,D/1,D/2,D/0,D/1,D/8,D/2,D/9,D/4, D/2,D/6,D/6

AUEP (AuditEndpoint)

  Description: Used by a call agent to audit the status of the endpoint.

  Command syntax: ReturnCode, EndPointIdList | { [RequestedEvents,] [QuarantineHandling,] [DigitMap,] [SignalRequests,] [RequestIdentifier,] [NotifiedEntity,] [ConnectionIdentifier,] [DetectEvents,] [ObservedEvents,] [EventStats,] [BearerInformation,] [BearerMethod,] [RestartDelay,] [ReasonCode,] [MaxMGCPDatagram,] [Capabilities] } [PackageList] <-- AuditEndpoint (EndpointId, [RequestedInfo])

  Example 1:

    AUEP 1201 aaln/1@rgw-25.example.net MGCP 1.0
    F: A, R,D,S,X,N,I,T,O

  Example 2:

    AUEP 1200 *@rgw-25.example.net MGCP 1.0

AUCX (AuditConnection)

  Description: Used by a call agent to collect the parameters applied to a connection.

  Command syntax: ReturnCode, [CallId,] [NotifiedEntity,] [LocalConnectionOptions,] [Mode,] [RemoteConnectionDescriptor,] [LocalConnectionDescriptor,] [ConnectionParameters,] [PackageList] <-- AuditConnection (EndpointId, ConnectionId, RequestedInfo)

  Example:

    AUCX 3003 aaln/1@rgw-25.example.net MGCP 1.0
    I: 32F345E2
    F: C,N,L,M,LC,P

RSIP (RestartInProgress)

  Description: Used by a gateway to notify a call agent that one or more endpoints are being taken out of service or placed back in service.

  Command syntax: ReturnCode, [NotifiedEntity,] [PackageList] <-- RestartInProgress (EndpointId, RestartMethod, [RestartDelay,] [ReasonCode])

  Example:

    RSIP 5200 aaln/1@rg2-25.example.net MGCP 1.0
    RM: graceful
    RD: 300

MGCP Response Codes

Every command sent by the call agent or gateway, whether successful or not, requires a response. The response code is in the header of the response message, which is optionally followed by session description information.

The response header is composed of a response line, followed by zero or more parameter lines, each containing a parameter name letter followed by its value. The response line is composed of a three-digit response code, the transaction ID, and optionally a comment. For example, the response line 200 1204 OK carries response code 200 (successful completion), transaction ID 1204, and the comment OK.

The ranges of response codes are defined as follows:

  • 000 through 099 indicate a response acknowledgement.

  • 100 through 199 indicate a provisional response.

  • 200 through 299 indicate a successful completion (final response).

  • 400 through 499 indicate a transient error (final response).

  • 500 through 599 indicate a permanent error (final response).

Refer to RFC 3661 for detailed information about response codes.

A response to a command is sent to the source address of the command, not to the current notified entity. A media gateway can receive MGCP commands from various network addresses simultaneously, and send back responses to corresponding network addresses. However, it sends all MGCP commands to its current notified entity.
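The command format of Table 1 and the response-code ranges above, worked through in code. This is an added example, not Juniper's implementation: a small parser that applies the checks the ALG's payload inspection performs (command line shape, transaction ID range, hexadecimal call and connection IDs, SDP line shape), classifies response codes, and extracts and rewrites the media address and port embedded in the SDP, which is what NAT processing and pinhole creation need. The RTCP-on-port+1 rule is the RFC 3550 convention, not something this page states.

```python
"""Inspect MGCP datagrams the way the ALG described on this page must.
Added example, not Juniper code: parses the command line (verb, transaction ID,
endpointId, version), the parameter lines and the optional SDP body, classifies
response codes by the ranges listed above, and extracts or rewrites the embedded
media address that the ALG NATs and opens pinholes for. Anything malformed
raises MalformedMessage, which is where the ALG would drop the packet.
"""
import re
from dataclasses import dataclass, field

COMMAND_VERBS = {"EPCF", "CRCX", "MDCX", "DLCX", "RQNT", "NTFY", "AUEP", "AUCX", "RSIP"}
HEX_ID = re.compile(r"^[0-9A-Fa-f]{1,32}$")        # call ID / connection ID rule above
PARAM_NAME = re.compile(r"^[A-Z][A-Z0-9-]*$")      # parameter name letter(s), e.g. C, RM
RESPONSE_RANGES = [(0, 99, "acknowledgement"), (100, 199, "provisional"), (200, 299, "success"),
                   (400, 499, "transient error"), (500, 599, "permanent error")]


class MalformedMessage(ValueError):
    """What the ALG would drop as a malformed packet."""


@dataclass
class MGCPMessage:
    kind: str                      # "command" or "response"
    verb: str = ""                 # command verb, empty for a response
    code: int = 0                  # response code, 0 for a command
    transaction_id: int = 0
    endpoint_id: str = ""
    params: dict = field(default_factory=dict)   # {"C": "A3C4...", "M": "sendrecv", ...}
    sdp: dict = field(default_factory=dict)      # {"c": "IN IP4 ...", "m": "audio ...", ...}

    def media_address(self):
        """(ip, rtp_port) announced in the SDP body, or None when there is no media."""
        if "c" not in self.sdp or "m" not in self.sdp:
            return None
        return self.sdp["c"].split()[-1], int(self.sdp["m"].split()[1])

    def pinholes(self) -> list:
        """Flows the ALG must open: RTP on the announced port, RTCP on port+1 (RFC 3550)."""
        addr = self.media_address()
        return [] if addr is None else [addr, (addr[0], addr[1] + 1)]


def response_class(code: int) -> str:
    """Map a response code onto the ranges given under MGCP Response Codes."""
    for low, high, name in RESPONSE_RANGES:
        if low <= code <= high:
            return name
    raise MalformedMessage(f"response code {code} is outside the defined ranges")


def parse(raw: str) -> MGCPMessage:
    """Parse one MGCP datagram; raise MalformedMessage on anything off-spec."""
    header, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = header.split("\n")
    first = lines[0].split()
    if len(first) < 2 or not first[1].isdigit() or not 1 <= int(first[1]) <= 999_999_999:
        raise MalformedMessage(f"bad transaction ID in {lines[0]!r} (decimal, 1..999999999)")
    txid = int(first[1])
    if re.fullmatch(r"[0-9]{3}", first[0]):         # response line: code txid [comment]
        msg = MGCPMessage("response", code=int(first[0]), transaction_id=txid)
        response_class(msg.code)
    elif first[0].upper() in COMMAND_VERBS:         # verb txid endpointId MGCP <version>
        if len(first) != 5 or first[3].upper() != "MGCP" or "@" not in first[2]:
            raise MalformedMessage(f"bad command line {lines[0]!r}")
        msg = MGCPMessage("command", verb=first[0].upper(), transaction_id=txid,
                          endpoint_id=first[2])
    else:
        raise MalformedMessage(f"unknown verb {first[0]!r}")
    for line in lines[1:]:                          # parameter lines: NAME: value
        name, sep, value = line.partition(":")
        if not sep or not PARAM_NAME.match(name.strip()):
            raise MalformedMessage(f"bad parameter line {line!r}")
        msg.params[name.strip().upper()] = value.strip()
    for key in ("C", "I"):                          # call ID and connection ID are hex
        if key in msg.params and not HEX_ID.match(msg.params[key]):
            raise MalformedMessage(f"{key}: {msg.params[key]!r} is not a hex ID")
    for line in filter(None, body.split("\n")):     # SDP lines are <type>=<value>
        if len(line) < 2 or line[1] != "=":
            raise MalformedMessage(f"bad SDP line {line!r}")
        msg.sdp[line[0]] = line[2:]
    return msg


def translate_media(raw: str, new_ip: str, new_port: int) -> str:
    """Rewrite the SDP c= and m= lines as the ALG does when it NATs the payload."""
    parse(raw)                                      # never rewrite what would be dropped
    text = re.sub(r"^c=IN IP4 \S+$", f"c=IN IP4 {new_ip}", raw.replace("\r\n", "\n"), flags=re.M)
    return re.sub(r"^(m=\S+) \d+", rf"\g<1> {new_port}", text, flags=re.M)


# Constructed sample: the CRCX example from Table 1 with its line breaks restored.
SAMPLE_CRCX = (
    "CRCX 1205 aaln/1@gw-25.example.net MGCP 1.0\n"
    "C: A3C47F21456789F0\nL: p:10, a:PCMU\nM: sendrecv\n"
    "X: 0123456789AD\nR: L/hd\nS: L/rg\n\n"
    "v=0\no=- 25678 753849 IN IP4 128.96.41.1\ns=-\n"
    "c=IN IP4 128.96.41.1\nt=0 0\nm=audio 3456 RTP/AVP 0\n"
)
```

The o= line still carries the original address after translate_media; this example only rewrites the c= and m= lines the ALG needs for media flows.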

MGCP ALG Configuration Overview

The Media Gateway Control Protocol (MGCP) Application Layer Gateway (ALG) is enabled by default on the device; no action is required to enable it. However, you can fine-tune MGCP ALG operation by using the following instructions:

  1. Free up bandwidth when calls fail to properly terminate. See Example: Setting MGCP ALG Call Duration.

  2. Control how long a call can remain active without any media traffic. See Example: Setting MGCP ALG Inactive Media Timeout.

  3. Track and clear signaling traffic when it times out. See Example: Setting MGCP ALG Transaction Timeout.

  4. Protect the media gateway from denial-of-service (DoS) flood attacks. See Example: Configuring MGCP ALG DoS Attack Protection.

  5. Enable unknown messages to pass when the session is in Network Address Translation (NAT) mode and route mode. See Example: Allowing Unknown MGCP ALG Message Types.

Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs

This example shows how to configure media gateways in subscriber homes using MGCP ALGs.

Requirements

Before you begin:

Overview

When a cable service provider offers MGCP services to residential subscribers, it locates the Juniper Networks device and the call agent on its premises and installs a set-top box in each subscriber's home. The set-top boxes act as gateways for the residences.

After creating zones—external_subscriber for the customer and internal_ca for the service provider—you configure addresses, then interfaces, and finally policies to allow signaling between endpoints. Note that although gateways frequently reside in different zones, requiring policies for media traffic, in this example both gateways are in the same subnet. Note also that because RTP traffic between the gateways never passes through the device, no policy is needed for the media. See Figure 1.

Figure 1: Media Gateway in Subscriber Homes

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure media gateways in subscriber homes using MGCP ALGs:

  1. Create security zones for the customer and the service provider.

  2. Configure interfaces for the zones.

  3. Configure address books and attach zones to them.

  4. Configure policies for traffic from the internal to the external zone.

  5. Configure policies for traffic from the external to the internal zone.

  6. Configure policies for traffic between two internal zones.

  7. Configure policies for traffic between two external zones.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying MGCP ALGs

Purpose

Verify the MGCP ALG verification options.

Action

From operational mode, enter the show security alg mgcp ? command.

Meaning

The output shows a list of all MGCP verification parameters. Verify the following information:

  • All MGCP calls

  • Counters for all MGCP calls

  • Information about all MGCP endpoints

Verifying MGCP ALG Calls

Purpose

Verify information about active MGCP calls.

Action

From operational mode, enter the show security alg mgcp calls command.

Meaning

The output displays information about all MGCP calls. Verify the following information:

  • Endpoint

  • Zone

  • Call identifier

  • Resource Manager group

Verifying MGCP ALG Endpoints

Purpose

Verify information about MGCP endpoints.

Action

From operational mode, enter the show security alg mgcp endpoints command.

Meaning

The output displays information about all MGCP endpoints. Verify the following information:

  • Gateway IP address and zone of both endpoints

  • Endpoint identifier, transaction number, call number, and notified entity for each gateway

Verifying MGCP ALG Counters

Purpose

Verify information about MGCP counters.

Action

From operational mode, enter the show security alg mgcp counters command.

Meaning

The output displays information about all MGCP counters. Verify the following information:

  • Summary of MGCP counters

  • MGCP error counters

  • MGCP packet counters

Example: Configuring Three-Zone ISP-Hosted Service Using MGCP ALG and NAT

This example shows how to configure a three-zone configuration using MGCP ALG and NAT.

Requirements

Before you begin, understand NAT support with MGCP ALG. See Understanding the MGCP ALG.

Overview

Typically, a three-zone configuration is used when an ISP in one geographical location provides service to two networks in different geographical locations.

In this example (see Figure 2), an ISP located on the USA West Coast provides MGCP service to customers in separate networks in Asia and San Francisco. Asia customers are in the asia-3 zone and are supported by the asia-gw gateway; San Francisco customers are in the sf-2 zone and are supported by the sf-gw gateway. A call agent, west-ca, is in the DMZ. The gateways and the call agent are listed in Table 2, showing the corresponding IP address, interface, and zone.

In this example, after creating zones and setting addresses for the gateways and the call agent, you associate the zones to interfaces, and then configure static NAT to the call agent and source NAT for communication from an IP phone in the sf-2 zone to phones in the asia-3 zone. You also configure a policy between the zones to allow the communication.

Topology

Figure 2 shows a three-zone ISP-hosted service.

Figure 2: Three-Zone ISP-Hosted Service

Table 2: Three-Zone ISP-Hosted Service

  Gateway    IP Address       Interface   Zone
  sf-gw      192.168.3.201    ge-0/0/0    sf-2
  asia-gw    3.3.3.101        ge-0/0/1    asia-3
  west-ca    10.1.1.101       ge-0/0/2    DMZ

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a three-zone configuration using MGCP ALG and NAT:

  1. Configure interfaces.

  2. Create security zones.

  3. Create address books and assign zones to them.

  4. Create a static NAT rule set and set the match conditions and actions for it.

  5. Configure proxy ARP for address 3.3.3.101/32 on interface ge-0/0/1.0.

  6. Create a source NAT pool.

  7. Create a source NAT rule set and set the match conditions and actions for it.

  8. Configure proxy ARP for address 3.3.3.20/32 on interface ge-0/0/1.0.

  9. Configure a policy to allow traffic from DMZ to Asia.

  10. Configure a policy to allow traffic from Asia to DMZ.

  11. Configure a policy to allow traffic from San Francisco to DMZ.

  12. Configure a policy to allow traffic from DMZ to San Francisco.

  13. Configure a policy to allow traffic from San Francisco to Asia.

  14. Configure a policy to allow traffic from Asia to San Francisco.

  15. Configure a policy to allow traffic on devices within San Francisco.

  16. Configure a policy to allow traffic on devices within Asia.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security zones, show security address-book, show security nat, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying MGCP ALG

Purpose

Verify if the MGCP ALG is enabled.

Action

From operational mode, enter the show security alg status | match mgcp command.

Meaning

The output shows the MGCP ALG status as follows:

  • Enabled—Shows the MGCP ALG is enabled.

  • Disabled—Shows the MGCP ALG is disabled.

Verifying MGCP Calls

Purpose

Verify the MGCP calls that are currently active.

Action

From operational mode, enter the show security alg mgcp calls command.

Meaning

The output displays information about all MGCP calls. Verify the following information:

  • Endpoint

  • Zone

  • Call identifier

  • Resource Manager group

Verifying MGCP ALG Statistics

Purpose

Verify the MGCP ALG statistics.

Action

From operational mode, enter the show security alg mgcp counters command.

Meaning

The output displays information about all MGCP counters. Verify the following information:

  • Summary of MGCP counters

  • MGCP error counters

  • MGCP packet counters

Verifying MGCP Endpoints

Purpose

Verify the MGCP endpoints.

Action

From operational mode, enter the show security alg mgcp endpoints command.

Meaning

The output displays information about all MGCP endpoints. Verify the following information:

  • Gateway IP address and zone of both endpoints

  • Endpoint identifier, transaction number, call number, and notified entity for each gateway

Understanding MGCP ALG Call Duration and Timeouts

The call duration feature gives you control over Media Gateway Control Protocol (MGCP) call activity and helps you to manage network resources.

Typically a DeleteConnection (DLCX) message is sent out to delete a connection. The MGCP Application Layer Gateway (ALG) intercepts it and removes all media sessions for that connection.

A call can have one or more voice channels. Each voice channel has two sessions (or two media streams), one for Real-Time Transport Protocol (RTP) traffic and one for Real-Time Control Protocol (RTCP) signaling. When managing the sessions, the device considers the sessions in each voice channel as one group. Timeouts and call duration settings apply to a group as opposed to each session.

The following parameters govern MGCP call activity:

  • maximum-call-duration—This parameter sets the absolute maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes, and the range is 3 through 720 minutes. This setting also frees up bandwidth in cases where calls fail to properly terminate.

  • inactive-media-timeout—This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the MGCP ALG gates opened for media are closed. The default setting is 120 seconds, and the range is 10 through 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated.

    Note:

    The inactive-media-timeout value should be less than the maximum-call-duration value.

  • transaction-timeout—A transaction is a command and its mandatory response. For example, an NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The Juniper Networks device tracks these transactions and clears them when they time out. The timeout range for MGCP transactions is 3 through 50 seconds and the default is 30 seconds.

Example: Setting MGCP ALG Call Duration

This example shows how to set call duration for the MGCP ALG.

Requirements

Before you begin, determine the type of parameter used to control the MGCP call activity and manage its network resources. See Understanding MGCP ALG Call Duration and Timeouts.

Overview

The maximum-call-duration parameter governs MGCP call activity and sets the absolute maximum length of a call. When a call exceeds this parameter setting, the MGCP ALG tears down the call and releases the media sessions. The default setting is 720 minutes, and the range is 3 through 720 minutes. This setting also frees up bandwidth in cases where calls fail to properly terminate. In this example, the call duration is set to 600 minutes.

Configuration

Procedure

GUI Quick Configuration

Step-by-Step Procedure

To set call duration for the MGCP ALG:

  1. Select Configure > Security > ALG.

  2. Select the MGCP tab.

  3. In the Maximum call duration box, enter 600.

  4. Click OK to check your configuration and save it as a candidate configuration.

  5. If you are done configuring the device, click Commit Options > Commit.

Step-by-Step Procedure

To set call duration for the MGCP ALG:

  1. Configure the MGCP ALG call duration.

  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security alg mgcp command.

Example: Setting MGCP ALG Inactive Media Timeout

This example shows how to set the inactive media timeout value for the MGCP ALG.

Requirements

Before you begin, determine the type of parameter used to control the MGCP call activity and manage its network resources. See Understanding MGCP ALG Call Duration and Timeouts.

Overview

The inactive-media-timeout parameter governs MGCP call activity and indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. When the period of inactivity exceeds this setting, the MGCP ALG gates opened for media are closed. The default setting is 120 seconds, and the range is from 10 to 2550 seconds. Note that upon timeout, while resources for media (sessions and pinholes) are removed, the call is not terminated. In this example, the inactive media timeout is set to 90 seconds.

Configuration

Procedure

GUI Quick Configuration

Step-by-Step Procedure

To set the inactive media timeout for the MGCP ALG:

  1. Select Configure > Security > ALG.

  2. Select the MGCP tab.

  3. In the Inactive Media Timeout box, enter 90.

  4. Click OK to check your configuration and save it as a candidate configuration.

  5. If you are done configuring the device, click Commit Options > Commit.

Step-by-Step Procedure

To set the inactive media timeout for the MGCP ALG:

  1. Configure the MGCP ALG inactive media timeout value.

  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security alg mgcp command.

Example: Setting MGCP ALG Transaction Timeout

This example shows how to set the transaction timeout for the MGCP ALG.

Requirements

Before you begin, determine the type of parameter used to control the MGCP call activity and manage its network resources. See Understanding MGCP ALG Call Duration and Timeouts.

Overview

The transaction-timeout parameter governs MGCP call activity. A transaction is a command and its mandatory response; for example, an NTFY from the gateway to the call agent or a 200 OK from the call agent to the gateway. The Juniper Networks device tracks these transactions and clears them when they time out. The timeout range for MGCP transactions is from 3 to 50 seconds, and the default is 30 seconds. In this example, the transaction timeout is set to 20 seconds.

Configuration

Procedure

GUI Quick Configuration

Step-by-Step Procedure

To set the transaction timeout for the MGCP ALG:

  1. Select Configure > Security > ALG.

  2. Select the MGCP tab.

  3. In the Transaction Timeout box, enter 20.

  4. Click OK to check your configuration and save it as a candidate configuration.

  5. If you are done configuring the device, click Commit Options > Commit.

Step-by-Step Procedure

To set the transaction timeout for the MGCP ALG:

  1. Configure the MGCP ALG transaction timeout value.

  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security alg mgcp command.

Example: Configuring MGCP ALG DoS Attack Protection

This example shows how to configure connection flood protection for the MGCP ALG.

Requirements

Before you begin, determine whether to protect the MGCP media gateway from DoS flood attacks.

Overview

You can protect the Media Gateway Control Protocol (MGCP) media gateway from denial-of-service (DoS) flood attacks by limiting the number of MGCP messages and connection requests per second that the device will attempt to process for each gateway.

When you configure MGCP message flood protection, the MGCP Application Layer Gateway (ALG) drops any messages exceeding the threshold you set. The range is 2 to 50,000 messages per second per media gateway, and the default is 1000 messages per second per media gateway.

When you configure MGCP connection flood protection, the MGCP ALG drops any connection request exceeding the threshold you set. This limits the rate at which CreateConnection (CRCX) commands are processed, thereby indirectly limiting pinhole creation. The range is 2 to 10,000 connection requests per second per media gateway, and the default is 200.

In this example, you configure the MGCP ALG to drop any message requests exceeding 10,000 requests per second and to drop any connection requests exceeding 4000 per second.
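The two per-gateway thresholds described above, as an added example rather than Juniper's code: a sliding one-second window keyed by the gateway host in the endpoint ID, with the page's defaults of 1000 messages and 200 connection requests per second. It assumes the command lines have already passed the ALG's format checks, and the burst traffic is constructed.

```python
"""Per-gateway MGCP flood control, as described under DoS Attack Protection.

Added example, not Juniper code: a one-second sliding window per media gateway
counts accepted MGCP messages against the message-flood threshold and accepted
CRCX commands against the connection-flood threshold; anything over a limit is
dropped, so one flooding gateway cannot starve the ALG for the others. The
defaults are the page's: 1000 messages/s and 200 connection requests/s.
"""
from collections import defaultdict, deque


class FloodGuard:
    def __init__(self, message_threshold: int = 1000, connection_threshold: int = 200):
        self.message_threshold = message_threshold
        self.connection_threshold = connection_threshold
        self._messages = defaultdict(deque)      # gateway -> times of accepted messages
        self._connections = defaultdict(deque)   # gateway -> times of accepted CRCX
        self.dropped = defaultdict(int)          # gateway -> drop count (per-gateway evidence)

    @staticmethod
    def gateway_of(command_line: str) -> str:
        """Key on the gateway host of endpointId: aaln/1@rgw-25.example.net -> rgw-25.example.net."""
        return command_line.split()[2].rsplit("@", 1)[1].lower()

    @staticmethod
    def _prune(window: deque, now: float) -> None:
        while window and now - window[0] >= 1.0:   # keep only the last second
            window.popleft()

    def admit(self, command_line: str, now: float) -> bool:
        """True to process the message, False to drop it; `now` is in seconds."""
        verb = command_line.split()[0].upper()
        gw = self.gateway_of(command_line)
        msgs = self._messages[gw]
        self._prune(msgs, now)
        if len(msgs) >= self.message_threshold:
            self.dropped[gw] += 1
            return False
        if verb == "CRCX":                         # connection requests have their own limit
            conns = self._connections[gw]
            self._prune(conns, now)
            if len(conns) >= self.connection_threshold:
                self.dropped[gw] += 1
                return False
            conns.append(now)
        msgs.append(now)
        return True


def simulate(guard: FloodGuard, traffic) -> dict:
    """Feed (time, command_line) pairs through the guard; return accepted counts per gateway."""
    accepted = defaultdict(int)
    for now, line in traffic:
        if guard.admit(line, now):
            accepted[guard.gateway_of(line)] += 1
    return dict(accepted)


# Constructed burst: gw-a fires 300 CRCX within one second (more than the default
# 200/s connection threshold) while gw-b sends five NTFYs in the same second.
BURST = [(i / 1000, f"CRCX {1000 + i} aaln/{i % 8}@gw-a.example.net MGCP 1.0") for i in range(300)]
BURST += [(0.5 + i / 100, f"NTFY {5000 + i} aaln/1@gw-b.example.net MGCP 1.0") for i in range(5)]
```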

Configuration

Procedure

GUI Quick Configuration

Step-by-Step Procedure

To configure connection flood protection for the MGCP ALG:

  1. Select Configure > Security > ALG.

  2. Select the MGCP tab.

  3. In the Message flood gatekeeper threshold box, type 10000.

  4. In the Connection flood threshold box, type 4000.

  5. Click OK to check your configuration and save it as a candidate configuration.

  6. If you are done configuring the device, click Commit Options > Commit.

Step-by-Step Procedure

To configure connection flood protection for the MGCP ALG:

  1. Configure the connection flood threshold value.

  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security alg mgcp command.

Example: Allowing Unknown MGCP ALG Message Types

This example shows how to configure the MGCP ALG to allow unknown MGCP message types in both NAT mode and route mode.

Requirements

Before you begin, determine whether to accommodate new and unknown MGCP message types for the device.

Overview

To accommodate on-going development of the Media Gateway Control Protocol (MGCP), you might want to allow traffic containing new MGCP message types. The unknown MGCP message type feature enables you to configure the Juniper Networks device to accept MGCP traffic containing unknown message types in both Network Address Translation (NAT) mode and route mode.

This feature enables you to specify how unidentified MGCP messages are handled by the Juniper Networks device. The default is to drop unknown (unsupported) messages. Unknown messages can compromise security. However, in a secure test or production environment, this command can be useful for resolving interoperability issues with disparate vendor equipment. Permitting unknown MGCP messages can help you get your network operational so that you can later analyze your voice-over-IP (VoIP) traffic to determine why some messages were being dropped.

Note that this command applies only to received packets identified as supported VoIP packets. If a packet cannot be identified, it is always dropped. If a packet is identified as a supported protocol and you have configured the device to permit unknown message types, the message is forwarded without processing.

Configuration

Procedure

GUI Quick Configuration

Step-by-Step Procedure

To configure the MGCP ALG to allow unknown message types:

  1. Select Configure > Security > ALG.

  2. Select the MGCP tab.

  3. Select the Enable Permit NAT applied check box.

  4. Select the Enable Permit routed check box.

  5. Click OK to check your configuration and save it as a candidate configuration.

  6. If you are done configuring the device, click Commit Options > Commit.

Step-by-Step Procedure

To configure the MGCP ALG to allow unknown message types:

  1. Allow unknown message types to pass if the session is in either NAT mode or in route mode.

  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security alg mgcp command.