Cisco Cisco TelePresence Video Communication Server Expressway
Appendix 3: IP ports and protocols
It is unusual to have any sort of firewall between cluster peers, but if there is, the IP protocols and ports that
must be open between each and every VCS peer in the cluster are listed below.
must be open between each and every VCS peer in the cluster are listed below.
For cluster communications between VCS peers:
n
UDP port 500 (ISAKMP) is used for PKI (Public Key Infrastructure) key exchange
n
Standard SIP and H.323 signaling ports are used for calls
n
UDP port 1719 is used for bandwidth updates between VCS peers
n
IP protocol 51 (IPSec AH) is used for database synchronization
If you are using the VCS's built-in Firewall rules feature then you must ensure that it is not configured to
drop or reject traffic sent to UDP ports 4369 – 4380.
drop or reject traffic sent to UDP ports 4369 – 4380.
For cluster communications between VCS peers and a Cisco TMS when running in Provisioning Extension
mode:
mode:
n
VCS ephemeral port to port 443 on Cisco TMS (secure) or
n
VCS ephemeral port to port 80 on Cisco TMS
Note: Ports 443 and 80 are the default values; they can be configured in the Cisco TMS IIS, and VCS if
different ports are required.
different ports are required.
IPSec communications
For IPSec between VCS cluster peers:
n
AES256 is used for encryption, SHA256 (4096 bit key length) is used for authentication; peers are identified
by their IP address and are authenticated using a pre-shared key
by their IP address and are authenticated using a pre-shared key
n
Main mode is used during the IKE exchange
n
diffie-hellman group ‘modp4096’ is used
MTU size
The default MTU size on the VCS is 1500 bytes. Under normal conditions this has no effect on the cluster.
However, if there are network elements between the cluster peers (which is not recommended), you must
ensure consistent MTU size throughout the path. Cluster replication could fail if the MTU is lower on the path
between peers, because the synchronization packets are not allowed to fragment.
However, if there are network elements between the cluster peers (which is not recommended), you must
ensure consistent MTU size throughout the path. Cluster replication could fail if the MTU is lower on the path
between peers, because the synchronization packets are not allowed to fragment.
Determine which network element in the paths between peers has the lowest MTU value, then adjust each
peer's cluster interface to use that value.
peer's cluster interface to use that value.
Cisco TelePresence VCS Cluster Creation and Maintenance Deployment Guide (X8.5)
Page 36 of 49
Appendix 3: IP ports and protocols