VCS x8.1 upgrade - Should we update the port ranges on an upgrade to match new installation port ranges?

Chris Swinney
Level 5

Hi all,

 

I know there are several threads regarding this upgrade, yet I don't think there is anything specifically relating to this question.

 

I see that the port ranges on several connections have changed, but if an upgrade from x.7.2.2 has been applied, then certain port ranges remain the same.

 

i.e. the traversal media ports for a NEW installation are now 36000 – 59999, with the first two ports in this range being used for the media demultiplexing ports (36000 and 36001). However, if a VCS has been upgraded from x7.x then the port range could be 50000 - 54999 (with 50000 and 50001 being the media demultiplexing ports).

 

So, is the advice that we should update the port ranges on the VCS upgrade to marry with that of a new installation, especially considering that in some instances, firewall rules will need to be amended in any case? The port ranges are wider to account for future improvement and traffic flows and I suspect that they will be at these levels for some time.

 

Many thanks

 

Chris

Accepted Solutions

Martin Koch
VIP Alumni

(Btw, the multiplex range can even be 36.000-36.011 in large VM deployments)

I would say the practice is to update the ports using the default values for X8.1:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-IP-Port-Usage-for-Firewall-Traversal-Deployment-Guide-X8-1.pdf

If you want to be future proof you might also want to see what is going on with the "Cisco Expressway"

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-IP-Port-Usage-for-Firewall-Traversal-Deployment_Guide-X8-1.pdf

It might also depend on the security rules for your company/customer.

Some might ask you to limit the ports down even more; some will not care and have, at least internally, >1024UDP/TCP open, or even no firewall at all (not recommended, especially external!)

After the upgrade it's always handy to double check the listening and outbound ports on the VCS under "Maintenance > Tools > Port usage", and be sure to do a functionality test as well.

 

Please remember to rate helpful responses and identify
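
The gap described in the question, as an added example that is not part of the original thread or any Cisco tooling: firewall allow rules written for the X7 traversal media range are checked against the X8.1 new-installation range quoted above. The rule list and all function names are constructed for illustration.

```python
# Added example: the firewall rules below are constructed, not from the thread.
# The port ranges are the ones quoted in the question.

X7_MEDIA = (50000, 54999)    # range an upgraded VCS may keep
X81_MEDIA = (36000, 59999)   # default for a new X8.1 installation


def merge(ranges):
    """Merge overlapping or adjacent inclusive (lo, hi) port ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def uncovered(required, allowed):
    """Return the parts of `required` that no allow rule covers."""
    lo, hi = required
    gaps, cursor = [], lo
    for a_lo, a_hi in merge(allowed):
        if a_hi < cursor:
            continue            # rule ends before the part still unchecked
        if a_lo > hi:
            break               # rule starts after the required range
        if a_lo > cursor:
            gaps.append((cursor, a_lo - 1))
        cursor = max(cursor, a_hi + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def demux_ports(media_range):
    """The first two ports of the media range are the demultiplexing ports."""
    return (media_range[0], media_range[0] + 1)


# Constructed rule set: allow rules written for the X7 media range.
LEGACY_RULES = [(50000, 52499), (52500, 54999)]

if __name__ == "__main__":
    print("X7 gaps:  ", uncovered(X7_MEDIA, LEGACY_RULES))
    print("X8.1 gaps:", uncovered(X81_MEDIA, LEGACY_RULES))
    print("X8.1 demux ports:", demux_ports(X81_MEDIA))
```

Any gap reported for the range the VCS is actually configured with is a block of media ports the firewall would drop; compare the result with what "Maintenance > Tools > Port usage" shows after the upgrade.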


Thanks Martin,

Odd though as I thought there were several other replies to this thread previously. I wonder if these forums had created a doubled post to this thread? It's also difficult to work out what content you have posted as that feature is broken too. And annoyingly, accidentally hitting the Reply button again after composing a response simply wipes your work (he says, after typing this whole thing for the second time!)

However, your words are heeded and indeed this is the direction we will be going. However, we have no plans to deploy or utilise CUCM or the VCSs in the "Expressway" flavours across any of our managed organisations at this point in time - if ever.

 

Cheers

Chris

 

Wayne DeNardi
VIP Alumni

Hi Chris,

Yes, you had asked a similar question before... it was a few weeks ago.

Here's the thread: https://supportforums.cisco.com/discussion/12135251/vcs-upgrade-x81-recommended-practice-updating-port-ranges

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to mark helpful responses and to set your question as answered if appropriate.

Hi Wayne,

What is the status with your install/upgrade?

We had filed a Cisco SR#629524925 and my Cisco contact is saying he is trying to escalate it.

But I have the feeling that there is not much response.

 

What I requested:

* back port of the security issue bug to X7

* backwards capability of the traversal zone >X8.1 towards <=X7.x

Please remember to rate helpful responses and identify

Hey Martin - I have a feeling you posted this in the wrong thread - Don't you just love these new forums????

I have absolutely no idea what is going on!!!!!!!!!!!

Hi Martin,

At this stage, we're staying with X7.2.2 until there is a confirmed migration path doing parts of the environment at a time.

I have a meeting with our local Cisco rep on Friday afternoon this week to discuss this (and some other things) further.

I've asked that there is a fix for backwards compatibility (X8.1.1?) to allow us to migrate parts of the environment without upsetting the rest.

I've pushed this to the Asia Pacific experts too and asked that it is escalated.  Similar to you, I haven't had much in the way of a response - hopefully I'll find out more on Friday.

Cheers

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to mark helpful responses and to set your question as answered if appropriate.

Yeah. Another issue is that I did not get any real info on how critical and likely the <X8 bug is:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140122-vcs

 

We are also not really happy about the handling and communication of X8.1

 

Please remember to rate helpful responses and identify

Thanks Martin, +points for you.

Yep.  I agree - the communication, and follow up on questions, has been pretty ordinary on everything to do with X8.1.

I've queried the Security Advisory too and used that to highlight why we need answers to all the other questions.

Fingers crossed we'll hear something positive soon.

Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Wayne
--
Please remember to mark helpful responses and to set your question as answered if appropriate.