8 Configuring Autonomous IP Objects

The autonomous IP object allows you to define "islands" of IP subnets. Traffic between endpoints in these subnets can then be excluded from passing through the ME (the system does not anchor the interaction). This might be desirable, for example, for phones within the same office. By implementing this feature, known as "smart anchoring," you can ensure more efficient processing of media streams within identified subnets.

Note that to implement this feature you must set the anchoring property to auto in the media object of your session configuration. The auto feature allows the ME to determine whether or not to anchor a call.

Autonomous IP subnets are defined by an IP address and mask using the private-group object.

When a SIP call matches a source and destination subnet in a single autonomous IP location private-group, the ME does not anchor the call unless an explicit policy to do so takes precedence. If both the source and destination locations are unassigned (not in a configured subnet), the media anchoring decision follows the behavior defined in the default session config or other session config.

When hosts are behind the same firewall, the ME, by default, does not anchor the calls. However, you can configure the system so that it does anchor those calls by using the private-group object. Each endpoint behind a firewall has a public and private address. Initially, the ME examines the public address to see whether it falls within the address pool defined for a private-group. If there is a match, the ME then examines any private groups configured under the private gateway, and applies the same logic as for non-firewall traffic.

ME Anchoring Decision Process

The ME first determines membership in location groups and then executes the decision algorithm to decide whether to perform media anchoring. The caller and callee addresses may be defined within a configured subnet (location) group, in which case the membership is determined. Otherwise, the ME determines location membership through the location database.

A location is identified as a pair consisting of a public and private address. The public address is the address of either a private location gateway, if present, or a phone client address. The private address is the phone client address, which comes from the Contact header in the REGISTER request. If the location is behind a private location gateway (SIP proxy, firewall, etc.), then the public address is different from the private address.

Determining Location Group Membership

When the ME receives a call from a private gateway, it performs the following processing to determine location group membership:

  1. The ME obtains the source location (source public address and private address) by looking up the From URI in the location database.

  2. If the public address and private address are the same, the ME checks to see if this address is in a configured location group.

  3. If the public address and private address are not the same, the ME determines the private location gateway in use and checks to see if this address is in a configured location group.

  4. The ME obtains the destination location (destination public address and private address) by looking up the Request URI or the To URI in the location database.

  5. If the public address and private address are the same, the ME checks to see if this address is in a configured location group.

  6. If the public address and private address are not the same, the ME determines the private location gateway in use and checks to see if this address is in a configured location group.

Determining Whether to Anchor

Once the ME establishes the location group, it runs a decision algorithm to determine whether to anchor the call. Source and destination groups are configured with the private-group object. The following summarizes the decision process:

  1. If the source group and/or destination group are configured, but are different, then the ME anchors the media;

  2. If the source and destination groups are configured and if they are the same, then the ME does not anchor the media;

  3. If the source firewall and/or the destination firewall are configured, but are different, then the ME anchors the media;

  4. If the source and destination firewalls are configured and are the same, then the ME does not anchor the media;

  5. If the source and destination public address are the same, then the ME does not anchor the media;

  6. In all other cases, the ME anchors the media.

    Note:

    When an autonomous IP group is created, the subnet of 0.0.0.0/0 is added by default. When this configuration is activated and used in conjunction with auto-anchoring, all calls using this session-config will feature released (not anchored) media.

This default subnet persists even after a delete action is executed from the web interface unless other subnets are also configured within the group > subnet configuration object.

To disable this default subnet via the web interface, set a mask value of /32. For example:

vsp 
autonomous-ip 
  group test 
  subnet[1] 0.0.0.0/32 
  connected true 
  self-connected true 
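
The six decision steps and the effect of the default 0.0.0.0/0 subnet can be checked offline with the following Python model, an added example that is not the ME's own code or configuration syntax. The function names and sample calls are constructed for illustration; it assumes connected is true for every group and does not model groups nested under a private gateway.

```python
import ipaddress

def _find(addr, table):
    """Name of the first entry in table (name -> CIDR list) that contains addr."""
    ip = ipaddress.ip_address(addr)
    for name, cidrs in table.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def locate(location, groups, gateways):
    """Map a (public, private) location to (group, firewall) names."""
    public, private = location
    if public == private:                 # endpoint is not behind a gateway
        return _find(public, groups), None
    return None, _find(public, gateways)  # last-hop gateway address pool

def should_anchor(src, dst, groups, gateways=None):
    """Apply decision steps 1-6 from the text; True means media is anchored."""
    gateways = gateways or {}
    sg, sf = locate(src, groups, gateways)
    dg, df = locate(dst, groups, gateways)
    if sg or dg:                          # steps 1-2: group comparison
        return sg != dg
    if sf or df:                          # steps 3-4: firewall comparison
        return sf != df
    return src[0] != dst[0]               # step 5, otherwise step 6

def catch_all_groups(groups):
    """Groups holding a /0 subnet, which matches every address."""
    return [n for n, cidrs in groups.items()
            if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)]

def released(calls, groups, gateways=None):
    """Calls whose media would bypass the ME under this configuration."""
    return [c for c in calls if not should_anchor(c[0], c[1], groups, gateways)]

# Constructed sample calls: ((src public, src private), (dst public, dst private))
CALLS = [
    (("192.168.1.10", "192.168.1.10"), ("192.168.2.20", "192.168.2.20")),
    (("192.168.1.10", "192.168.1.10"), ("203.0.113.7", "203.0.113.7")),
    (("198.51.100.5", "198.51.100.5"), ("203.0.113.7", "203.0.113.7")),
]

if __name__ == "__main__":
    for label, cfg in [("default /0", {"test": ["0.0.0.0/0"]}),
                       ("masked /32", {"test": ["0.0.0.0/32"]}),
                       ("office /16", {"office": ["192.168.0.0/16"]})]:
        print(label, catch_all_groups(cfg), len(released(CALLS, cfg)), "of", len(CALLS), "released")
```

Running catch_all_groups over an exported group list is a quick audit for the default subnet: any group it returns releases media for every call that uses the session configuration.
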

autonomous-ip

Opens the object from which you configure autonomous IP subnets in order to implement smart anchoring. For smart anchoring to take effect, you must set anchoring to enabled in the media object of your session configuration.

Syntax

config vsp autonomous-ip

Properties

treat-tag-as-group: Enables tag routing for autonomous IP groups. When set to true, the ME treats the final routing tag (the tag with any changes that resulted from a matching session configuration) as an autonomous-ip private-group name. In that way, even if an endpoint does not fall within the subnets defined for the group, if it has a routing-tag that matches the VLAN group name, it is treated as part of the group.

Default: false
Values: true | false

Example: set treat-tag-as-group true

private-group

Creates a gateway for autonomous private IP groups. Use this object if you are configuring a SIP proxy, a firewall, or something similar that serves as the last hop from a phone client to the ME when the phone client registers. If the last-hop device has multiple public addresses, this object sets the address pool that covers the range of addresses. When the ME receives a call from a public address that is defined within the pool, it does not anchor the call.

This object also adds subnets to the named group. If both the source and destination addresses are contained in one of the subnet entries in the group, and the connected property is set to true, no media anchoring applies. See the ME media anchoring decision process for a complete description of the determination process.

Syntax

config vsp autonomous-ip private-group name

Properties

subnet: Specifies the subnet(s) that you want to exclude from system anchoring. Within a single group, when both the source and destination are found within one of the configured subnets, the connection is a candidate for smart anchoring. Assuming media anchoring is set to auto, the connected property (below) is set to true, and no policy takes precedence, the system does not anchor the call.

You can enter multiple subnet addresses. The system processes the subnets in the order that they appear in the configuration. Use the global media command to re-order the subnets for processing.

Default: 0.0.0.0/32

Example: set subnet 192.168.0.0/16

connected: Specifies whether all members of the group can reach each other. If set to true, and all members are connected, the system does not anchor the media.

Default: true
Values: true | false

Example: set connected false

selfConnected: Specifies whether the system should anchor calls if they appear to have the same public and private IP address. (This may happen, for example, if both phones are behind a device that rewrites SIP headers, such as an ALG, and are NAT'd to the same public IP address.) By default (true), the ME device does not anchor those calls. When two phones are in the same group and have the same IP address, if this property is set to false, the ME anchors the call.

Default: true
Values: true | false

Example: set selfConnected false