Deployment Guide for Video Mesh

link管理

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

New and Changed Information

This table covers new features or functionality, changes to existing content, and any major errors that were fixed in the Deployment Guide .

For information about Webex Video Mesh node software updates, see the https://help.webex.com/en-us/article/jgobq2/Webex-Video-Mesh-release-notes .

Change

September 20, 2024

Added a note stating calls and meetings involving guest users will overflow to cloud by default and will not land on Video Mesh in Prepare Your Environment .

May 14, 2024

Deleted a note that stated ThousandEyes tests do not support Video Mesh nodes behind a proxy in Enabling ThousandEyes for Video Mesh.

February 09, 2024

Added ThousandEyes Integration with Video Mesh.

Added participant capacity for calls with 1080p resolution in Capacity for Video Mesh nodes .

Added a note regarding UDP source port differentiation in Traffic Signatures for Video Mesh (Quality of Service Enabled) .

Updated supported versions of VMware ESXi throughout the guide.

August 31, 2023

Updated the structure and added information on newly introduced APIs in Video Mesh Node APIs .

Deleted a note and One Button to Push (OBTP) information from Call Control and Meeting Integration Requirements for Video Mesh .

Added a note regarding poll interval for failover in Set the Network Configuration of the Video Mesh Node in the Console and Configure Network Settings From Video Mesh Node Web Interface .

Updated supported versions of VMware ESXi throughout the guide.

July 31, 2023

Added Webhooks for Video Mesh alerts .

July 28, 2023

Added Video Mesh Node APIs .

June 15, 2023

Updated nomenclature from "Webex app app" to "Webex app" throughout.

Updated Webex Video Mesh Overview to state that E2EE meetings are now supported on Video Mesh.

Removed outdated information and updated a note in Webex Video Mesh Overview .

Updated Clients and Devices That Use Video Mesh Node to state that web client is now supported on Video Mesh and removed outdated information.

Added a note in System and Platform Requirements for Video Mesh Node Software stating that demo environments are not Cisco TAC supported.

Updated information in the On-Premises and Cloud Call section.

Deleted a note in Cloud Cluster Selection for Overflow Based on 250 ms or Higher STUN Round-Trip Delay .

Updated information in Ports and Protocols for Webex Meetings Traffic .

Removed outdated information from Register the Video Mesh Node to the Webex Cloud and Support and Limitations for Private Meetings .

Updated steps and removed outdated information from Enable Video Mesh for the Webex Site .

Updated information in Deactivate Video Mesh .

May 16, 2023

Updated Ports and Protocols for Management , Traffic Signatures for Video Mesh (Quality of Service Enabled) , and Traffic Signatures for Video Mesh (Quality of Service Disabled) to reflect the latest ports and protocols used by Video Mesh. Updated the images impacted by the changes.

Removed 444 port references from Requirements for Proxy Support for Video Mesh , Ports and Protocols for Management , Configure Video Mesh Node for Proxy Integration , and Configure Video Mesh Node for Proxy Integration .

Updated port ranges in Quality of Service on Video Mesh Node , Enable Quality of Service (QoS) for Video Mesh Node , and Ports and Protocols for Webex Meetings Traffic .

Added a note on monitoring test failures in Run an Immediate Test and Configure periodic tests .

Added a note and updated a caution strongly recommending the use of latest software package (OVA) for deployments in Install and Configure Video Mesh Node Software .

Updated a caution regarding nodes placed in maintenance mode in Manage Video Mesh Node From the Web Interface and Manage Video Mesh Node From the Console .

Updated Video Mesh Analytics section to reflect the latest UI changes.

March 27, 2023

Updated System and Platform Requirements for Video Mesh Node Software with the latest hardware configurations and added Bandwidth Requirements.

March 02, 2023

Added information on tests that the monitoring tool runs in Monitoring Tool for Video Mesh .

Changed steps to access the monitoring tool overview page in Run an Immediate Test and Configure periodic tests .

Added information on viewing and filtering results in Run an Immediate Test and Configure periodic tests .

Updated Enable Video Mesh for the Webex Site .

July 7, 2022

Updated the capacity estimates in Capacity for Video Mesh nodes .

Removed mentions of the obsolete MM410v server throughout.

June 30, 2022

Added information on the new bulk provisioning scripts at https://github.com/CiscoDevNet/webex-video-mesh-node-provisioning .

June 14, 2022

Changed steps to exchange certificate chains to include ECDSA certificates in Exchange Certificate Chains Between Unified CM and Video Mesh Nodes

May 18, 2022

Changed the download site for the Reflector Tool to https://github.com/CiscoDevNet/webex-video-mesh-reflector-client .

April 29,2022

Added information on the new feature in Keep your media on Video Mesh for all external Webex meetings .

March 25, 2022

Updates to port usage in Ports and Protocols for Management .

Decemeber 10, 2021

Added CMS 2000 and noted upgrade issue for older CMS 1000s upgrading to ESXi 7 in System and Platform Requirements for Video Mesh Node Software .

August 30, 2021

Added information on verifying that Webex has the correct source country for your deployment in Verify That the Source Country Is Correct .

August 27, 2021

Added note on analytics reports visibility in Support and Limitations for Private Meetings .

August 13, 2021

Added information on the new Private Meetings feature in:

Clusters in Video Mesh

Private Meeting Call

Private Meetings

July 22, 2021

Added information on how to verify that the system has the correct source location for calls. Correct source locations aid in efficient routing. See Verify That the Source Country Is Correct .

June 25, 2021

Noted that the Full Featured Webex Experience feature of the Webex App is incompatible with Video Mesh in Clients and Devices That Use Video Mesh Node .

May 7, 2021

Corrected the recommended cluster size to 100 in Guidelines for Video Mesh Cluster Deployment .

April 12, 2021

Updated Configure Expressway TCP SIP Traffic Routing for Video Mesh to use the Webex zone, instead of a new DNS zone.

February 9, 2021

Added information on the new Go to Node in Control Hub to Access Overview of Webex Video Mesh Node From Web Interface .

Added Disable or Re-enable the Local Admin Account From Web Interface section to describe new functionality.

In each section that uses the node web interface, updated the steps to indicate how to access the interface from Control Hub.

Added Upload Security Certificates .

Added Set External Logging to a Syslog Server .

December 11, 2020

In Enable or Disable DNS Cachi , added information on DNS Cache wiping.

October 22, 2020

In Ports and Protocols for Webex Meetings Traffic , added SIP signaling port requirements.

October 19, 2020

Removed reference to cloudfront.net which is no longer used by the service.

September 18, 2020

Reduced the IP address range that is reserved for Webex Video Mesh Node internal use from the original 172.17.0.0–172.17.255.255 (65,536 addresses) to 172.17.42.0–172.17.42.63 (64 addresses).

August 26, 2020

Added Webex Events support to Video Mesh Overview .

Added new section Enable or Disable DNS Cachi .

August 4, 2020

Updated the following sections for short video address support:

Integrate Video Mesh With Call Control Task Flow

Configure Unified CM Secure TLS SIP Traffic Routing for Video Mesh

Configure Unified CM TCP SIP Traffic Routing for Video Mesh

Configure Expressway TCP SIP Traffic Routing for Video Mesh

Updated the VMNLite Call Capacity Benchmark section of Call Capacity on Video Mesh Node Platforms .

July 9, 2020

Added new section Set the Network Interface MTU Sizes .

June 26, 2020

Added information about the new VMNLite deployment option in:

Call Capacity on Video Mesh Node Platforms

System and Platform Requirements for Video Mesh Node Software

Install and Configure Video Mesh Node Software

Removed mentions of default NTP server because the OVA no longer has a default NTP server value.

Updated Generate Video Mesh Packet Captures for Support with new filtering options.

June 9, 2020

Added information about the new weekly automatic software upgrade scheduling option in:

Register the Video Mesh Node to the Webex Cloud

Set Video Mesh Cluster Upgrade Schedule

May 21, 2020Updated Ports and Protocols for Management and Requirements for Proxy Support for Video Mesh .May 15, 2020Updated Video Mesh Overview .April 25, 2020

Added new sections in Manage Webex Video Mesh Node From the Web Interface :

Set the External Network Interface from the Video Mesh Node Web Interface

Add Internal and External Routing Rules

Configure Container Network From Webex Video Mesh Node Web Interface

Fixed a mistake in the granularity of the horizontal axis in Access, Filter, and Save Webex Video Mesh Troubleshooting (the values were switched between the Last 7 Days and Last 24 Hours options).

January 22, 2020

Added new section: Factory Reset a Webex Video Mesh Node From The Web Interface .

Added more details on connectivity checks in the Manage Webex Video Mesh Node from the Web Interface section.

Added in-room wireless share to the Clients and Devices That Use Webex Video Mesh Node section.

December 12, 2019

Added change passphrase and passphrase expiry procedures to the Manage Webex Video Mesh Node From the Web Interface section in the Manage and Troubleshoot chapter.

December 10, 2019

Added the following information and port ranges to the traffic signature tables (for QoS enabled and disabled:

Source IP Address: Video Mesh Node

Destination IP Address: Webex cloud media services

Source UDP Ports: 35000 to 52499

Destination UDP Ports: 5004

Native DSCP Marking: AF41

Media Type: Test STUN packets

Renamed the "Bandwidth Guidelines" section to "Video Quality and Scaling", and added a link to the Preferred Architecture documentation.

In the Unified CM TLS configuration, our guide erroneously stated to configure a non-secure SIP trunk for Webex cloud failover. Corrected the statement to say to create a SIP trunk (you can configure it as either secure or non-secure).

November 4, 2019

Retired old analytics content and added new section.

In the Exchange Certificates section, added information about the Subject Alternative Name(s) field and added the following note in the Before You Begin section: For security reasons, we recommend that you use a CA signed certificate on your Video Mesh nodes instead of the node's default self-signed certificate.

October 18, 2019

Updated the description of the 1080p Control Hub setting to clarify that this setting affects call capacity and only applies to on-premises SIP registered devices. See Enable 1080p HD Video for On-Premises SIP Devices in Video Mesh Node Meetings for more information.

Updated the supported device and endpoints table to list only the tested cloud-registered devices.

September 26, 2019

Added new section Configure Network Settings from Video Mesh Node Web Interface .

Fixed the description if the Resource Utilization report. It now states: Average resource utilization for the media microservices used in the Video Mesh clusters.

Added a note to the capacity section: Overflows on low call volume (especially SIP calls that originate on-premises) are not a true reflection of scale. Video Mesh analytics (under Control Hub > Resources > Call Activity ) indicate the call legs that originate on-premises; they do no specify the call streams that came in through the cascade to the Video Mesh node for media processing. As remote participant numbers increase in a meeting, the resulting cascade increases and consumes on-premises media resources on the Video Mesh node.

September 13, 2019

Updated Install and Configure Video Mesh Node Software with network configuration steps that appear on the Customize template page.

Updated System and Platform Requirements for Video Mesh Node Software with 72vCPUs (the equivalent of CMS 1000) for specifications-based configuration.

August 29, 2019

Added Explicit Proxy and supported authentication types for explicit proxy configurations (No auth, Basic, Digest, NTLM).

Proxy Support for Edge Video Mesh

Requirements for Proxy Support for Video Mesh

Configure Webex Video Mesh Node for Proxy Integration

Added Supported Resolutions and Framerates for Video Mesh .

Updated Clients and Devices That Use Video Mesh Node to indicate that Webex Call My Video System to Webex cloud-registered video devices uses Video Mesh node.

July 24, 2019

In the Manage Webex Video Mesh Node From the Web Interface section, made the following updates:

Added new sections for Ping test, Trace Route test, NTP Server test, Reflector Tool, and Debug User Account.

Updated the Overview section—Removed cascades from the screenshot and added OS version.

Moved "Manage Video Mesh from the Console" content to the Appendix of the guide.

Renamed "Manage Webex Video Mesh" chapter to "Manage and Troubleshoot Webex Video Mesh" and moved registration troubleshooting content to that chapter.

July 9, 2019

In Call Control and Meeting Integration Requirements for Video Mesh , updated minimum supported versions for Unified CM, Expressway, and Webex sites.

In Clients and Devices That Use Video Mesh Node , added supported versions of Jabber VDI and Webex VDI (they are SIP clients). Also added a testing disclaimer.

May 24, 2019

Added new sections on the troubleshooting features and updated overview screen in the Video Mesh node web interface:

Generate Webex Video Mesh Logs for Support

Generate Webex Video Mesh Packet Captures for Support

Access Overview of Webex Video Mesh Node From Web Interface

April 25, 2019

Updated Manage and TroubleshootWebex Video Mesh to state that Control Hub maintenance mode is required before performance any maintenance on Video Mesh nodes.

April 11, 2019

Removed outdated information from Bandwidth Requirements. Updated the content and diagrams, and changed the section name to Video Quality and Scaling for Video Mesh .

Webex Video Mesh dynamically finds the optimal mix of on-premises and cloud conferencing resources. On-premises conferences stay on premises when there are enough local resources. When local resources are exhausted, conferences then expand to the cloud.

Video Mesh Node is software that is installed on an on-premises Cisco UCS server, registered to the cloud, and managed in Control Hub. Webex meetings, Webex Personal Meeting Room, Webex Space Meetings, and Webex App calls between two people can be routed to the local, on-net Video Mesh nodes. Video Mesh selects the most efficient way to use the available resources.

Video Mesh provides these benefits:

Improves quality and reduces latency by allowing you to keep your calls on premises.

Extends your calls transparently to the cloud when on-premises resources have reached their limit or are unavailable.

Manage your Video Mesh clusters from the cloud with a single administrative interface: Control Hub ( https://admin.webex.com ).

Optimize resources and scale capacity, as needed.

Combines the features of cloud and on-premises conferencing in one seamless user experience.

Reduces capacity concerns, because the cloud is always available when additional conferencing resources are needed. No need to do capacity planning for the worst case scenario.

Provides advanced analytics on capacity and usage and troubleshooting report data in https://admin.webex.com .

Uses local media processing when users dial in to a Webex meeting from on-premises standards-based SIP endpoints and clients:

SIP based endpoints and clients (Cisco endpoints, Jabber, 3rd party SIP), registered to on-premises call control (Cisco Unified Communications Manager or Expressway), that call into a Cisco Webex meeting.

Webex App (including paired with room devices) that join a Webex meeting.

Webex room and desk devices that directly join a Webex meeting.

Provides optimized audio and video interactive voice response (IVR) to on-net SIP based endpoints and clients.

H.323, IP dial-in, and Skype for Business (S4B) endpoints continue to join meetings from the cloud.

Supports 1080p 30fps high definition video as an option for meetings, if meeting participants that can support 1080p are hosted through the local on-premises Video Mesh nodes. (If a participant joins an in-progress meeting from the cloud, on-premises users continue to experience 1080p 30fps on supported endpoints.)

Enhanced and differentiated Quality of Service (QoS) marking: separate audio (EF) and video (AF41).

Webex Video Mesh currently does not support Webex Webinars.

Supports End to End Encrypted Meetings (E2EE meetings). If a customer deploys Video Mesh and selects the E2EE meeting type, it adds an additional layer of security, ensuring your data (media, files, whiteboards, annotations) remains secure and blocks third parties from accessing or modifying it. For detailed information, see Deploy Zero-Trust Meetings .

Private meetings currently do not support End to End Encryption.

Clients and Devices That Use Video Mesh Node

We endeavor to make Video Mesh interoperable with relevant clients and device types. Although it is not possible to test all scenarios, the testing on which this data is based covers most common functions of the listed endpoints and infrastructure. The absence of a device or client implies a lack of testing and a lack of official support from Cisco.

Client or Device Type

Uses Video Mesh Node on Point to Point Call

Uses Video Mesh Node on Multiparty Meeting

Webex App (desktop and mobile)

Webex devices, including room devices and Webex Board. (See the Endpoint and Webex App Requirements section for a full list.)

In-room wireless share between Webex App and supported Room, Desk, and Board devices.

Unified CM-registered devices (including IX endpoints) and clients (including Jabber VDI 12.6 and later, and Webex VDI 39.3 and later), calling into a Webex scheduled or Webex Personal Room meeting.*

VCS/Expressway-registered devices, calling into a Webex scheduled or Webex Personal Room meeting.*

Webex Call My Video System to Webex cloud-registered video devices

Webex App web client ( https://web.webex.com )

Phones registered to Cisco Webex Calling

Webex Call My Video System to premises-registered SIP devices

_{* It is not possible to guarantee that all on-premises devices and clients have been tested with the Video Mesh solution.}

Video Mesh Incompatibility with the Full Feature Webex Experience

If you enable the Full Featured Webex Experience for the Webex App, then the Webex App isn't supported with the Video Mesh Nodes. That feature currently sends signaling and media directly to Webex. Future releases will make the Webex App and Video Mesh compatible. By default, we did not enable that feature for customers with Video Mesh.

You might have issues with Video Mesh and the Full Featured Webex Experience:

If you added Video Mesh to your deployment after the introduction of that feature.

If you enabled that feature without knowing its impact on Video Mesh.

If you notice issues, contact you Cisco Account team to disable the Full Featured Webex Experience toggle.

Quality of Service on Video Mesh Node

Video Mesh nodes conforms to recommended quality of service (QoS) best practices by enabling port ranges that allow you to differentiate audio and video streams in all flows to and from the Video Mesh nodes. This change will let you create QoS policies and effectively remark traffic to and from the Video Mesh Nodes.

Accompanying these port changes are QoS changes. Video Mesh nodes automatically mark media traffic from SIP registered endpoints (on-premises Unified CM or VCS Expressway registered) for both audio (EF) and video (AF41) separately with appropriate class of service and use well-known port ranges for specific media types.

The source traffic from the on-premises registered endpoints is always determined by the configuration on the call control (Unified CM or VCS Expressway).

For more information, see the QoS table at Ports and Protocols Used by Video Mesh and the steps to enable or disable QoS in the Video Mesh Deployment Task Flow

Webex App continue to connect to Video Mesh nodes over shared port 5004. These ports are also used by Webex App and endpoints for STUN reachability tests to Video Mesh nodes. Video Mesh node to Video Mesh node for cascades use the destination port range 10000–40000.

Proxy Support for Video Mesh

Video Mesh supports explicit, transparent inspecting, and non-inspecting proxies. You can tie these proxies to your Video Mesh deployment so that you can secure and monitor traffic from the enterprise out to the cloud. This feature sends signaling and management https-based traffic to the proxy. For transparent proxies, network requests from Video Mesh nodes are forwarded to a specific proxy through enterprise network routing rules. You can use the Video Mesh admin interface for certificate management and the overall connectivity status after you implement the proxy with the nodes.

Media does not travel through the proxy. You must still open the required ports for media streams to reach the cloud directly. See Ports and Protocols for Management .

The following proxy types are supported by Video Mesh:

Explicit Proxy (inspecting or non-inspecting)—With explicit proxy, you tell the client (Video Mesh nodes) which proxy server to use. This option supports one of the following authentication types:

None—No further authentication is required. (For HTTP or HTTPS explicit proxy.)

Basic—Used for an HTTP user agent to provide a username and password when making a request, and uses Base64 encoding. (For HTTP or HTTPS explicit proxy.)

Digest—Used to confirm the identity of the account before sending sensitive information, and applies a hash function on the username and password before sending over the network. (For HTTPS explicit proxy.)

NTLM—Like Digest, NTLM is used to confirm the identity of the account before sending sensitive information. Uses Windows credentials instead of the username and password. This authentication scheme requires multiple exchanges to complete. (For HTTP explicit proxy.)

Transparent Proxy (non-inspecting)—Video Mesh nodes are not configured to use a specific proxy server address and should not require any changes to work with a non-inspecting proxy.

Transparent Proxy (inspecting)—Video Mesh nodes are not configured to use a specific proxy server address. No http(s) configuration changes are necessary on Video Mesh, however, the Video Mesh nodes need a root certificate so that they trust the proxy. Inspecting proxies are typically used by IT to enforce policies regarding which websites can be visited and types of content that are not permitted. This type of proxy decrypts all your traffic (even https).

***Example of Video Mesh Nodes and Proxy***

Supported Resolutions and Framerates for Video Mesh

This table covers the supported resolutions and framerates from a sender-receiver perspective in a meeting that is hosted on a Video Mesh node. The sender client (app or device) is across the top row of the table, whereas the receiver client is on the left side column of the table. The corresponding cell between the two participants captures the negotiated content resolution, frames per section, and audio source.

Resolution affects the call capacity on any Video Mesh node. For more information, see Capacity for Video Mesh nodes .

The resolution and framerate value is combined as XXXpYY—For example, 720p10 means 720p at 10 frames per second.

The definition abbreviations (SD, HD, and FHD) in the sender row and receiver column refer to the upper resolution of the client or device:

SD—Standard Definition (576p)

HD—High Definition (720p)

FHD—Full High Definition (1080p)

Receiver

Sender

Webex App

Webex App Mobile

SIP Registered Devices (HD)

SIP Registered Devices (FHD)

Webex Registered Devices (SD)

Webex Registered Devices (HD)

Webex Registered Devices (FHD)

Webex App Desktop

720p10

Mixed audio*

720p10

Mixed audio

720p30

Mixed audio

720p30

Mixed audio

576p15

Content audio**

720p30

Mixed audio

720p30

Mixed audio

Webex App Mobile

SIP Registered Devices (HD)

720p30

Content audio

720p15

Mixed audio

1080p15

Mixed audio

1080p15

Mixed audio

576p15

Mixed audio

1080p15

Mixed audio

1080p15

Mixed audio

SIP Registered Devices (FHD)

1080p30

Mixed audio

720p15

Mixed audio

1080p15

Mixed audio

1080p30

Mixed audio

576p15

Mixed audio

1080p15

Mixed audio

1080p30

Mixed audio

Webex Registered Devices (SD)

1080p15

Mixed audio

720p15

Mixed audio

1080p15

Mixed audio

1080p15

Mixed audio

576p15

Mixed audio

1080p15

Mixed audio

1080p15

Mixed audio

Webex Registered Devices (FHD)

1080p30

Mixed audio

720p15

Mixed audio

1080p15

Mixed audio

1080p30

Mixed audio

576p15

Mixed audio

1080p15

Mixed audio

1080p30

Mixed audio

_{* Content Audio refers to the audio that is played from the specific content being shared, such as a streaming video. This audio stream is separate from the regular meeting audio.}

_{** Mixed Audio refers to a mix of the meeting participant audio and audio from the content share.}

Requirements for Video Mesh

Video Mesh is available with the offers documented in License Requirements for Hybrid Services .

Call Control and Meeting Integration Requirements for Video Mesh

Call control and existing meetings infrastructure are not required to use Video Mesh, but you can integrate the two. If you're integrating Video Mesh with your call control and meeting infrastructure, make sure your environment meets the minimum criteria that are documented in the following table.

Component Purpose

Minimum Supported Version

On-Premises call control

Cisco Unified Communications Manager, Release 11.5(1) SU3 or later. (We recommend the latest SU release.)

Cisco Expressway-C or E, Release X8.11.4 or later. (See the "Important Information" section in the Expressway Release Notes for more information.)

Meeting infrastructure

Webex Meetings WBS33 or later. (You can verify that your Webex site is on the correct platform if it has the Media Resource Type list available in the Cloud Collaboration Meeting Room site options.)

To ensure that your site is ready for Video Mesh, contact your customer success manager (CSM) or partner.

Failover handling

Cisco Expressway-C or E, Release X8.11.4 or later. (See the "Important Information" section in the Expressway Release Notes for more information.)

Meetings and calls with guest user participants in the organization's network (users not registered to the organization) overflow to the cloud by default and do not land on Video Mesh.

Endpoint and Webex App Requirements

Component Purpose

Details

Supported Endpoints

See Webex Video Compatibility and Support .

Supported versions of the Webex App

Video Mesh supports Webex App for desktop (Windows, Mac) and mobile (Android, iPhone, and iPad). To download the app for a supported platform, go to https://www.webex.com/downloads.html .

Supported codecs

See Webex| Video Specifications for Calls and Meetings for the supported audio and video codecs. Note these caveats for Video Mesh:

For video quality, Video Mesh supports up to 1080p in certain scenarios. You can configure this setting in https://admin.webex.com .

For SIP video systems, Video Mesh supports SIP clients that do dual tone multi frequency (DTMF) audio tones. The service also supports keypad markup language (KPML).

Webex Teams for Windows and Mac and Room, Desk, and Board devices registered to the cloud support up to 1080p 30fps with content audio.

H.323 clients are mentioned in the data sheet, but they only go to the cloud.

Supported Webex-registered Room, Desk, and Board devices

The following devices are tested and confirmed to work with Video Mesh nodes:

Cisco Webex Room Kit Mini

Cisco Webex Room Kit Plus

Cisco Webex Room Kit Plus Precision 60

Cisco Webex Room Kit Pro

Cisco TelePresence SX10 Quick Set

Cisco TelePresence SX20 Quick Set

Cisco TelePresence SX80 Codec

Cisco TelePresence MX200 G2

Cisco TelePresence MX300 G2

Cisco TelePresence MX700

Cisco TelePresence MX800

System and Platform Requirements for Video Mesh Node Software

Production Environments

In production deployments, there are two ways to deploy Video Mesh Node software on a particular hardware configuration:

You can set up each server as a single virtual machine, which is best for deployments that include many SIP endpoints.

Using the VMNLite option, you can set up each server with multiple smaller virtual machines. VMNLite is best for deployments where the majority of clients and devices are the Webex app and Webex registered endpoints.

These requirements are common for all configurations:

VMware ESXi 7 or 8, vSphere 7 or 8

Hyperthreading enabled

The Video Mesh nodes running independent of the platform hardware need dedicated vCPUs and RAM. Sharing resources with other applications is not supported. This applies to all images of the Video Mesh software.

For Video Mesh Lite (VMNLite) images on a CMS platform, we only support having VMNLite images. No other Video Mesh image or non-Video Mesh application can be on the CMS hardware with the VMNLite software.

Hardware Configuration

Production Deployment as a Single Virtual Machine

Production Deployment with VMNLite VMs

Notes

Cisco Meeting Server 1000 (CMS 1000)

72vCPUs (70 for Video Mesh Node, 2 for ESXi)

60 GB main memory

80 GB local hard disk space

Deploy as 3 identical virtual machine instances, each with:

23 vCPUs

20 GB main memory

80 GB local hard disk space

We recommend this platform for Video Mesh Node.

If you deploy VMNLite on a CMS 1000 with a 300 GB hard drive, you can run out of space when upgrading to ESXi 7. We recommend that you upgrade to at least 500 GB hard drives before upgrading VMware.

Specifications-based Configuration

(2.6-GHz Intel Xeon E5-2600v3 or later processor required)

72vCPUs (70 for Video Mesh Node, 2 for ESXi)

60 GB main memory

80 GB local hard disk space

80 GB of NFS storage

Deploy as 3 identical virtual machine instances, each with:

23 vCPUs

20 GB main memory

80 GB local hard disk space

80 GB of NFS storage

Each Video Mesh virtual machine must have CPU, RAM and hard drives reserved for itself.

Use either the CMS1000 or VMNLite option during configuration.

Peak IOPs (input/output operations per second) for NFS storage is 300 IOPS.

Cisco Meeting Server 2000 (CMS 2000)

Deploy as 8 identical virtual machine instances, each with:

72vCPUs (70 for Video Mesh Node, 2 for ESXi)

60 GB main memory

80 GB local hard disk space

80 GB of NFS storage

Deploy as 24 identical virtual machine instances, each with:

23 vCPUs

20 GB main memory

80 GB local hard disk space

80 GB of NFS storage

We recommend this platform for Video Mesh Node.

Each blade must be a complete Cisco Meeting Server 1000 with reserved CPU, RAM and hard drives per blade.

Peak IOPs for NFS storage is 300 IOPS.

Demo Environments

For basic demo purposes, you can use a specifications-based hardware configuration, with the following minimum requirements:

14vCPUs (12 for Video Mesh Node, 2 for ESXi)

8 GB main memory

20 GB local hard disk space

2.6 GHz Intel Xeon E5-2600v3 or later processor

This configuration of Video Mesh is not Cisco TAC supported.

For more information about the demo software, see Video Mesh Node Demo Software .

Bandwidth Requirements

Video Mesh Nodes must have a minimum internet bandwidth of 10 Mbps for both upload and download to function properly.

Requirements for Proxy Support for Video Mesh

We officially support the following proxy solutions that can integrate with your Video Mesh nodes.

Cisco Web Security Appliance (WSA) for transparent proxy

Squid for explicit proxy

For an explicit proxy or transparent inspecting proxy that inspects (decrypts traffic), you must have a copy of the proxy's root certificate that you'll need to upload to the Video Mesh node trust store on the web interface.

We support the following explicit proxy and authentication type combinations:

No authentication with http and https

Basic authentication with http and https

Digest authentication with https only

NTLM authentication with http only

For transparent proxies, you must use the router/switch to force HTTPS/443 traffic to go to the proxy. You can also force Web Socket to go to proxy. (Web Socket uses https.)

Video Mesh requires web socket connections to cloud services, so that the nodes function correctly. On explicit inspecting and transparent inspecting proxies, http headers are required for a proper websocket connection. If they are altered, the websocket connection will fail.

When the websocket connection failure occurs on port 443 (with transparent inspecting proxy enabled), it leads to a post-registration warning in Control Hub: “Webex Video Mesh SIP calling is not working correctly.” The same alarm can occur for other reasons when proxy is not enabled. When websocket headers are blocked on port 443, media does not flow between apps and SIP clients.

If media is not flowing, this often occurs when https traffic from the node over port 443 is failing:

Port 443 traffic is allowed by the proxy, but it is an inspecting proxy and is breaking the websocket.

To correct these problems, you may have to “bypass” or “splice” (disable inspection) on port 443 to: *.wbx2.com and *.ciscospark.com.

Capacity for Video Mesh nodes

Because Video Mesh is a software-based media product, the capacity of your Video Mesh nodes varies. In particular, meeting participants on the Webex cloud place a heavier load on nodes. You get lower capacities when you have more cascades to the Webex cloud. Other factors that impact capacity are:

Types of devices and clients

Video resolution

Network quality

Peak load

Deployment model

Video Mesh usage doesn't impact your Webex license counts.

In general, adding more nodes to the cluster doesn't double the capacity because of the overhead for setting up cascades. Use these numbers as general guidance. We recommend the following:

Test out common meeting scenarios for your deployment.

Use the analytics in Control Hub to see how your deployment is evolving and add capacity as needed.

Overflows on low call volume (especially SIP calls that originate on-premises) aren't a true reflection of scale. Video Mesh analytics (under Control Hub > Resources > Call Activity ) indicate the call legs that originate on-premises. They don't specify the call streams that came in through the cascade to the Video Mesh node for media processing. As remote participant numbers increase in a meeting, cascades increase and consume on-premises media resources on the Video Mesh node.

This table lists capacity ranges for different mixes participants and endpoints on regular Video Mesh nodes. Our testing included meetings with all participants on the local node and meetings with a mix of local and cloud participants. With more participants on the Webex cloud, expect your capacity to fall in the lower end of the range.

Scenario

Resolution

Participant capacity

Meetings with only Webex App participants

100–130

1080p

90–100

Meetings and 1-to-1 calls with only Webex App participants

60–100

1080p

30–40

Meetings with only SIP participants

70–80

1080p

30–40

Meetings with Webex App and SIP participants

75–110

The base resolution for Webex App is 720p. But when you share, the participant thumbnails are at 180p.

These performance numbers assume that you enabled all the recommended ports.

Capacity for VMNLite

We recommend VMNLite for deployments that mainly include Webex App and cloud-registered endpoints. In these deployments, the nodes use more switching and fewer transcoding resources than the standard configuration provides. Deploying several smaller virtual machines on the host optimizes resources for this scenario.

This table lists capacity ranges of different mixes participants and endpoints. Our testing included meetings with all participants on the local node and meetings with a mix of local and cloud participants. With more participants on the Webex cloud, expect your capacity to fall in the lower end of the range.

Scenario

Resolution

Participant capacity with 3 VMNLite nodes on a server

Meetings with only Webex App participants

250–300

1080p

230–240

Meetings and 1-to-1 calls with only Webex App participants

175–275

The base resolution for Webex App meetings is 720p. But when you share, the participant thumbnails are at 180p.

Clusters in Video Mesh

You deploy Video Mesh nodes in clusters. A cluster defines Video Mesh nodes with similar attributes, such as network proximity. Participants use a particular cluster or the cloud, depending on the following conditions:

A client on a corporate network that can reach an on-premises cluster connects to it—the primary preference for clients on the corporate network.

Clients joining a Video Mesh private meeting only connect to on-premise clusters. You can create a separate cluster specifically for these private meetings.

A client that can't reach an on-premises cluster connects to the cloud—the case for a mobile device unconnected to the corporate network.

The chosen cluster also depends on latency, rather than just location. For example, a cloud cluster with lower STUN round-trip (SRT) delay than a Video Mesh cluster may be a better candidate for the meeting. This logic prevents a user from landing on a geographically far cluster with a high SRT delay.

Each cluster contains logic that cascades meetings, except for Video Mesh private meetings, across other cloud meeting clusters, as needed. Cascading provides a data path for media between clients in their meetings. Meetings are distributed across nodes, and clients land on the most efficient node nearest to them, depending on factors such as network topology, WAN link, and resource utilization.

The client's ability to ping media nodes determines reachability. An actual call uses a variety of potential connection mechanisms, such as UDP and TCP. Before the call, the Webex device (Room, Desk, Board, and Webex App) registers with the Webex cloud, which provides a list of cluster candidates for the call.

The nodes in a Video Mesh cluster require unimpeded communication with each other. They also require unimpeded communication with the nodes in all your other Video Mesh clusters. Ensure that your firewalls allow all communication between the Video Mesh nodes.

Clusters for Private Meetings

You can reserve a Video Mesh cluster for private meetings. When the reserved cluster is full, the private meeting media cascades out to your other Video Mesh clusters. When the reserved cluster is full, private meetings and non-private meetings share the resources of your remaining clusters.

Non-private meetings won’t use a reserved cluster, reserving those resources for the private meetings. If a non-private meeting runs out of resources on your network, it cascades out to the Webex cloud instead.

For details on the Video Mesh private meetings feature, see Private Meetings .

You can't use the short video address format (meet@ your_site ) if you reserve all Video Mesh clusters for private meetings. These calls currently fail without a proper error message. If you leave some clusters unreserved, calls with the short video address format can connect through those clusters.

Guidelines for Video Mesh Cluster Deployment

In typical enterprise deployments, we recommend that customers use up to 100 nodes per cluster. There are no hard limits set in the system to block a cluster size with greater than 100 nodes. However, if you need to create larger clusters, we strongly recommend that you review this option with Cisco engineering through your Cisco Account Team.

Create fewer clusters when resources have similar network proximity (affinity).

When creating clusters, only add nodes that are in the same geographical region and the same data center. Clustering across the wide area network (WAN) is not supported.

Typically, deploy clusters in enterprises that host frequent localized meetings. Plan where you place clusters on the bandwidth available at various WAN locations inside the enterprise. Over time, you can deploy and grow cluster-by-cluster based on observed user patterns.

Clusters located in different time zones can effectively serve multiple geographies by taking advantage of different peak/busy hour calling patterns.

If you have two Video Mesh nodes in two separate data centers (EU and NA, for example), and you have endpoints join through each data center, the nodes in each data center would cascade to a single Video Mesh node in the cloud. Theses cascades would go over the Internet. If there is a cloud participant (that joins before one of the Video Mesh participants), the nodes would be cascaded through the cloud participant’s media node.

Time Zone Diversity

Time zone diversity can allow clusters to be shared during off-peak times. For example: A company with a Northern California cluster and a New York cluster might find that overall network latency is not that high between the two locations that serve a geographically diverse user population. When resources are at peak usage in the Northern California cluster, the New York cluster is likely to be off peak and have additional capacity. The same applies for the Northern California cluster, during peak times in the New York cluster. These aren't the only mechanisms used for effective deployment of resources, but they are the two main ones.

Overflow to the Cloud

When the capacity of all on-premises clusters is reached, an on-premises participant overflows to the Webex cloud. This doesn't mean that all calls are hosted in the cloud. Webex only directs to the cloud those participants that are either remote or can't connect to an on-premises cluster. In a call with both on-premises and cloud participants, the on-premises cluster is bridged (cascaded) to the cloud to combine all participants into a single call.

If you set up the meeting as the private meeting type, Webex keeps all the calls on your on-premises clusters. Private meetings never overflow to the cloud.

Webex Device Registers with Webex

In addition to determining reachability, the clients also perform periodic round-trip delay tests using Simple Traversal of UDP through NAT (STUN). STUN round-trip (SRT) delay is an important factor when selecting potential resources during an actual call. When multiple clusters are deployed, the primary selection criteria are based on the learned SRT delay. Reachability tests are performed in the background, initiated by a number of factors including network changes, and do not introduce delays that affect call setup times. The following two examples show possible reachability test outcomes.

Round-trip Delay Tests—Cloud Device Fails to Reach On-Premises Cluster

Round-trip Delay Tests—Cloud Device Successfully Reaches On-Premises Cluster

Learned reachability information is provided to the Webex cloud every time a call is set up. This information allows the cloud to select the best resource (cluster or cloud), depending on the relative location of the client to available clusters and the type of call. If no resources are available in the preferred cluster, all clusters are tested for availability based on SRT delay. A preferred cluster is chosen with the lowest SRT delay. Calls are served on premises from a secondary cluster when the primary cluster is busy. Local reachable Video Mesh resources are tried first, in order of lowest SRT delay. When all local resources are exhausted, the participant connects to the cloud.

Cluster definition and location is critical for a deployment that provides the best overall experience for participants. Ideally, a deployment should provide resources where the clients are located. If not enough resources are allocated where the clients make the majority of calls, more internal network bandwidth is consumed to connect users to distant clusters.

On-Premises and Cloud Call

On-premises Webex devices that have the same cluster affinity (preference, based on proximity to the cluster) connect to the same cluster for a call. On-premises Webex devices with different on-premises cluster affinities, connect to different clusters and the clusters then cascade to the cloud to combine the two environments into a single call. This creates a hub and spoke design with Webex cloud as the hub and the on-premises clusters acting as the spokes in the meeting.

On-Premises Call with Different Cluster Affinities

The Webex device connects to either on-premises cluster or cloud based upon its reachability. The following show examples of the most-common scenarios.

Webex Cloud Device Connects to Cloud

Cloud Cluster Selection for Overflow Based on 250 ms or Higher STUN Round-Trip Delay

While the preference for node selection is your locally deployed Video Mesh nodes, we support a scenario where, if the STUN round-trip (SRT) delay to an on-premises Video Mesh cluster exceeds the tolerable round-trip delay of 250 ms (which usually happens if the on-premises cluster is configured in a different continent), then the system selects the closest cloud media node in that geography instead of a Video Mesh node.

The Webex App or Webex device is on the enterprise network in San Jose.

San Jose and Amsterdam clusters are at capacity or unavailable.

SRT delay to the Shanghai cluster is greater than 250 ms and will likely introduce media quality issues.

The San Francisco cloud cluster has an optimal SRT delay.

The Shanghai Video Mesh cluster is excluded from consideration.

As a result, the Webex App overflows to the San Francisco cloud cluster.

Private Meetings

Private meetings isolate all media to your network through Video Mesh. Unlike normal meetings, if the local nodes are full, the media doesn't cascade to the Webex cloud. But, by default, private meetings can cascade to different Video Mesh clusters on your network. For private meetings across geographic locations, your Video Mesh clusters must have direct connectivity to each other to allow intercluster cascades, like HQ1_VMN to Remote1_VMN in the figure.

Make sure the necessary ports are open in your firewall, to allow unimpeded cascade between clusters. See Ports and Protocols for Management .

All participants in a private meeting must belong to your meeting host's Webex organization. They can join using the Webex App or an authenticated video system (SIP endpoints registered to UCM/VCS or Webex registered video device). Participants with VPN or MRA access to your network can join a private meeting. But nobody can join a private meeting from outside your network.

Deployment Models Supported by Video Mesh

Supported in a Video Mesh Deployment

You can deploy a Video Mesh Node in either a data center (preferred) or demilitarized zone (DMZ). For guidance, see Ports and Protocols Used by Video Mesh .

For a DMZ deployment, you can set up the Video Mesh nodes in a cluster with the dual network interface (NIC). This deployment lets you separate the internal enterprise network traffic (used for interbox communication, cascades between node clusters, and to access the node's management interface) from the external cloud network traffic (used for connectivity to the outside world and cascades to the cloud).

Dual NIC works on the full, VMNLite and demo version of Video Mesh node software. You can also deploy the Video Mesh behind a 1:1 NAT setup.

You can integrate Video Mesh nodes with your call control environment. For example deployments with Video Mesh integrated with Unified CM, see Deployment Models For Video Mesh and Cisco Unified Communications Manager .

The following types of address translation are supported:

Dynamic Network Address Translation (NAT) using an IP pool

Dynamic Port Address Translation (PAT)

1:1 NAT

Other forms of NAT should work as long as the correct ports and protocols are used, but we do not officially support them because they have not been tested.

Static IP address for the Video Mesh Node

Not Supported in a Video Mesh Deployment

DHCP for the Video Mesh Node

A cluster with a mixture of single NIC and dual NIC

Clustering Video Mesh nodes over the wide area network (WAN)

Audio, video, or media that does not pass through a Video Mesh Node:

Audio from phones

Peer-to-peer call between Webex App and standards-based endpoint

Audio termination on Video Mesh Node

Media sent through Expressway C/E pair

Video call back from Webex

Deployment Models For Video Mesh and Cisco Unified Communications Manager

These examples show common Video Mesh deployments and help you understand where Video Mesh clusters can fit in to your network. Keep in mind that Video Mesh deployment depends on factors in your network topology:

Data center locations

Office locations and size

Internet access location and capacity

In general, try to tie the Video Mesh nodes to the Unified CM or Session Management Edition (SME) clusters. As a best practice, keep the nodes as centralized as possible to the local branches.

Video Mesh supports Session Management Edition (SME). Unified CM clusters can be connected through an SME, and then you must create a SME trunk that connects to the Video Mesh nodes.

Hub and Spoke Architecture

This deployment model involves centralized networking and internet access. Typically, the central location has a high employee concentration. In this case, a Video Mesh cluster can be located at central location for optimized media handling.

Locating clusters in branch locations may not yield benefits in the short term and may lead to suboptimal routing. We recommend that you deploy clusters in a branch only if there is frequent communication between branches.

The geographically distributed deployment is interconnected but can exhibit noticeable latency between regions. Lack of resources can cause suboptimal cascades to be setup in the short term when there are meetings between users in each geographical location. In this model, we recommend that you allocate of Video Mesh nodes near regional internet access.

Geographic Distribution with SIP Dialing

This deployment model contains regional Unified CM clusters. Each cluster can contain a SIP trunk to select resources in the local Video Mesh cluster. A second trunk can provide a failover path to an Expressway pair if resources become limited.

Ports and Protocols Used by Video Mesh

To ensure a successful deployment of Video Mesh and for trouble-free operation of the Video Mesh nodes, open the following ports on your firewall for use with the protocols.

See Network Requirements for Webex Services to understand the overall network requirements for Webex Teams.

See the Firewall Traversal Whitepaper for more information about firewall and network practices for Webex services.

To mitigate potential DNS query issues, follow the DNS Best Practices, Network Protections, and Attack Identification documentation when you configure your enterprise firewall.

For more design information, see the Preferred Architecture for Hybrid Services, CVD .

Ports and Protocols for Management

The Video Mesh nodes in a cluster must be in the same VLAN or subnet mask.

Purpose

Source

Destination

Source IP

Source Port

Transport Protocol

Destination IP

Destination Port

Management

Management computer

Video Mesh node

As required

TCP, HTTPS

Video Mesh node

SSH for access to Video Mesh admin console

Management computer

Video Mesh node

As required

Video Mesh node

Intracluster Communication

Video Mesh node

IP address of other Video Mesh nodes in the cluster

Video Mesh nodes

Management

Video Mesh node

Webex cloud

As required

UDP, NTP

UDP, DNS

TCP, HTTPS (WebSockets)

Cascade Signaling

Video Mesh node

Webex cloud

Cascade Media

Video Mesh node

Webex cloud

Video Mesh node

Any***

For specific addresses ranges, see the "IP subnets for Webex Media services" section in Network Requirements for Webex Services .

50000 to 53000

For details, see the "Webex Services – Port Numbers and Protocols" section in Network Requirements for Webex Services .

Cascade Signaling

Vido Mesh Cluster (1)

Vido Mesh Cluster (2)

Cascade Media

Vido Mesh Cluster (1)

Vido Mesh Cluster (2)

Vido Mesh Cluster (1)

Any***

50000 to 53000

Management

Video Mesh node

Webex cloud

As required

TCP, HTTPS

Any**

Management

Video Mesh node (1)

Video Mesh node (2)

Video Mesh node (1)

TCP, HTTPS (WebSockets)

Video Mesh node (2)

Internal Communication

Video Mesh node

All other Video Mesh nodes

Video Mesh node

10000 to 40000

_{* The default configuration in the OVA is configured for NTP and DNS. The OVA requires that you open those ports outbound to the internet. If you configure a local NTP and DNS server, then you don't have to open ports 53 and 123 through the firewall.}

_{** Because some cloud service URLs are subject to change without warning, ANY is the recommended destination for trouble-free operation of the Video Mesh nodes. If you prefer to filter traffic based on URLs, see the

Webex Teams URLs for Hybrid Services

section of the

Network Requirements for Webex Services

for more information.}

_{***The ports vary depending on if you enable QoS. With QoS enabled, the ports are 52,500-59499, 63000-64667, 59500-62999 and 64688-65500. With QoS off, the ports are 34,000-34,999.}

Traffic Signatures for Video Mesh (Quality of Service Enabled)

For deployments where the Video Mesh node sits in the enterprise side of the DMZ or inside the firewall, there is a Video Mesh Node configuration setting in the Webex Control Hub that allows the administrator to optimize the port ranges used by the Video Mesh Node for QoS network marking. This Quality of Service setting is enabled by default and changes the source ports that are used for audio, video, and content sharing to the values in this table. This setting allows you to configure QoS marking policies based on UDP port ranges to differentiate audio from video or content sharing and mark all Audio with recommended value of EF and Video and Content sharing with a recommended value of AF41.

The table and diagram show UDP ports that are used for audio and video streams, which are the main focus of QoS network configurations. While network QoS marking policies for media over UDP are the focus of the following table, Webex Video Mesh nodes also terminate TCP traffic for presentation and content sharing for Webex app using ephemeral ports 52500–65500. If a firewall sits between the Video Mesh nodes and the Webex app, those TCP ports also must be allowed for proper functioning.

Video Mesh Node marks traffic natively. This native marking is asymmetric in some flows and depends on whether the source ports are shared ports (single port like 5004 for multiple flows to various destinations and destination ports) or whether they are not (where the port falls in a range but is unique to that specific bidirectional session).

To understand the native marking by a Video Mesh Node, note that the Video Mesh node marks audio EF when it is not using the 5004 port as a source port. Some bidirectional flows like Video Mesh to Video Mesh cascades or Video Mesh to Webex App will be asymmetrically marked, a reason to use the network to remark traffic based on the UDP port ranges provided.

Source IP Address	Destination IP Address	Source UDP Ports	Destination UDP Ports	Native DSCP Marking	Media Type
Video Mesh Node Webex cloud media services 35000 to 52499 Test STUN packets
Video Mesh Node	Webex cloud media services	52500 to 59499	5004	EF	Audio
Video Mesh Node	Webex cloud media services	63000 to 64667	5004	AF41	Video
Video Mesh Node	Webex cloud media services	59500 to 62999 50000 to 51499 Audio
Video Mesh Node	Webex cloud media services	64668 to 65500 51500 to 53000 Video
Video Mesh Node	Video Mesh Node	10000 to 40000	10000 to 40000	—	Audio
Video Mesh Node	Video Mesh Node	10000 to 40000	10000 to 40000	—	Video
Video Mesh Node	Unified CM SIP endpoints	52500 to 59499	Unified CM SIP Profile	EF	Audio
Video Mesh Node	Unified CM SIP endpoints	63000 to 64667	Unified CM SIP Profile	AF41	Video
Video Mesh Cluster Video Mesh Cluster	52500 to 59499	5004	EF	Audio
Video Mesh Cluster Video Mesh Cluster	63000 to 64667	5004	AF41	Video
Video Mesh Cluster Video Mesh Cluster 59500 to 62999 50000 to 51499 Audio Video Mesh Cluster Video Mesh Cluster 64668 to 65500 51500 to 53000 Video
Video Mesh Node	Webex Teams application or endpoint*	5004	52000 to 52099	AF41	Audio
Video Mesh Node	Webex Teams application or endpoint	5004	52100 to 52299	AF41	Video

* _{The direction of media traffic determines the DSCP markings. If the source ports are from the Video Mesh node (from the Video Mesh node to Webex Teams app), the traffic is marked as AF41 only. Media traffic that originates from the Webex Teams app or Webex endpoints has the separate DSCP markings, but the return traffic from the Video Mesh node shared ports does not.}

UDP Source Port Differentiation (Windows Webex App clients): Contact your local account team if you would like UDP Source Port Differentiation enabled for your organization. If this is not enabled, audio and video share cannot be differentiated by Windows OS. The source ports will be the same for audio, video and content share on Windows devices.

Traffic Signatures for Video Mesh (Quality of Service Disabled)

For deployments where the Video Mesh node sits in the DMZ, there is a Video Mesh Node configuration setting in the Webex Control Hub that allows you to optimize the port ranges used by the Video Mesh node. This Quality of Service setting, when disabled (enabled by default), changes the source ports that are used for audio, video, and content sharing from the Video Mesh node to the range 34000 to 34999. The Video Mesh node then natively marks all audio, video, and content sharing to a single DSCP of AF41.

Because the source ports are the same for all media regardless of destination, you cannot differentiate the audio from video or content sharing based on port range with this setting disabled. This configuration does let you configure firewall pin holes for media more easily that with Quality of Service enabled.

The table and diagram show UDP ports that are used for audio and video streams when QoS is disabled.

***Traffic Signatures for Video Mesh (Quality of Service Disabled)***

Table 6. Traffic Signatures for Video Mesh (Quality of Service Disabled)
Source IP Address	Destination IP Address	Source UDP Ports	Destination UDP Ports	Native DSCP Marking	Media Type
Video Mesh Node	Webex cloud media services	34000 to 34999	5004	AF41	Audio
Video Mesh Node	Webex cloud media services	34000 to 34999	5004	AF41	Video
Video Mesh Node	Webex cloud media services	34000 to 34999	50000 to 51499	AF41	Audio
Video Mesh Node	Webex cloud media services	34000 to 34999	51500 to 53000	AF41	Video
Video Mesh Node	Video Mesh Node	10000 to 40000	10000 to 40000	AF41	Audio
Video Mesh Node	Video Mesh Node	10000 to 40000	10000 to 40000	AF41	Video
Video Mesh Cluster Video Mesh Cluster	34000 to 34999	5004	AF41	Audio
Video Mesh Cluster Video Mesh Cluster	34000 to 34999	5004	AF41	Video
Video Mesh Cluster Video Mesh Cluster	34000 to 34999	50000 to 51499	AF41	Audio
Video Mesh Cluster Video Mesh Cluster	34000 to 34999	51500 to 53000	AF41	Video
Video Mesh Node	Unified CM SIP endpoints	52500 to 59499	Unified CM SIP Profile	AF41	Audio
Video Mesh Node	Unified CM SIP endpoints	63000 to 64667	Unified CM SIP Profile	AF41	Video
Video Mesh Node Webex cloud media services 35000 to 52499 Test STUN packets
Video Mesh Node	Webex Teams application or endpoint	5004	52000 to 52099	AF41	Audio
Video Mesh Node	Webex Teams application or endpoint	5004	52100 to 52299	AF41	Video

Ports and Protocols for Webex Meetings Traffic

Purpose

Source

Destination

Source IP

Source Port

Transport Protocol

Destination IP

Destination Port

Calling to meeting

Apps (Webex App desktop and mobile apps)

Webex registered devices

Video Mesh node

As required

UDP and TCP (Used by the Webex App)

SRTP (Any)

Any**

SIP device calling to meeting (SIP signaling)

Unified CM or Cisco Expressway call control

Video Mesh node

As required

Ephemeral (>=1024)

TCP or TLS

Any**

5060 or 5061

Cascade

Video Mesh node

Webex cloud

As required

34000 to 34999

UDP, SRTP (Any)*

Any**

50000 to 53000***

Cascade

Video Mesh node

As required

34000 to 34999

UDP, SRTP (Any)*

Any**

Port 5004 is used for all cloud media and on-premises Video Mesh nodes.

Webex App continue to connect to Video Mesh nodes over shared ports 5004. These ports are also used by Webex App and Webex registered endpoints for STUN tests to Video Mesh nodes. Video Mesh node to Video Mesh node for cascades use destination port range of 10000–40000. _{* TCP is also supported, but not preferred because it may affect media quality.}

_{** If you want to restrict by IP addresses, see the IP address ranges that are documented in

Network Requirements for Webex Services

.}

_{*** The Expressway already uses this port range for the Webex cloud. So, most deployments won't require any updates to support this new requirement for Video Mesh. But, if your deployment has more stringent firewall rules, you might need to update your firewall configuration to open these ports for Video Mesh.}

_{For the best experience using Webex in your organization, configure your firewall to allow all outbound TCP and UDP traffic that is destined toward ports 5004 as well as any inbound replies to that traffic. The port requirements that are listed above assume that Video Mesh nodes are deployed either in the LAN (preferred) or in a DMZ and that Webex App are in the LAN.}

Video Quality and Scaling for Video Mesh

Below are some common meeting scenarios when a cascade is created. Video Mesh is adaptive depending on the available bandwidth and distributes resources accordingly. For devices in the meeting that use the Video Mesh node, the cascade link provides the benefit of reducing average bandwidth and improving the meeting experience for the user.

For bandwidth provisioning and capacity planning guidelines, see the Preferred Architecture documentation .

Based on the active speakers in the meeting, the cascade links are established. Each cascade can contain up to 6 streams and the cascade is limited to 6 participants (6 in the direction of Webex app/SIP to Webex cloud and 5 in the opposite direction). Each media resource (cloud and Video Mesh) ask the remote side for the streams that are needed to fulfil the local endpoint requirements of all remote participants across the cascade.

To provide a flexible user experience, the Webex platform can do multistream video to meeting participants. This same ability applies to the cascade link between Video Mesh nodes and the cloud. In this architecture, the bandwidth requirements vary depending on a number of factors, such as the endpoint layouts.

Architecture

In this architecture, Cisco Webex-registered endpoints send signaling to the cloud and media to the switching services. On-premises SIP endpoints send signaling to the call control environment (Unified CM or Expressway), which then sends it to the Video Mesh node. Media is sent to the transcoding service.

Cloud and Premises Participants

Local on-premises participants on the Video Mesh node request the desired streams based on their layout requirements. Those streams are forwarded from the Video Mesh node to the endpoint for local device rendering.

Each cloud and Video Mesh node requests HD and SD resolutions from all participants that are cloud registered-devices or Webex app. Depending on the endpoint, it will send up to 4 resolutions, typically 1080p, 720p, 360p, and 180p.

Cascades

Most Cisco endpoints can send 3 or 4 streams from a single source in a range of resolutions (from 1080p to 180p). The layout of the endpoint dictates the requirement for the streams needed on the far end of the cascade. For active presence, the main video stream is 1080p or 720p, the video panes (PiPS) are 180p. For equal view, the resolution is 480p or 360p for all participants in most cases. The cascade created between Video Mesh nodes and the cloud also sends 720p, 360p and 180p in both directions. Content is sent as single stream, and audio is sent as multiple streams.

Cascade bandwidth graphs that provide a per-cluster measurement are available in the Analytics menu in Webex Control Hub. You cannot configure cascade bandwidth per meeting in Control Hub.

The maximum negotiated cascade bandwidth per meeting is 20Mbps for main video for all sources and the multiple main video streams that they could send. This maximum value does not include the content channel or audio.

Main Video With Multiple Layout Example

The following diagrams illustrate an example meeting scenario and how the bandwidth is influenced when multiple factors are at play. In the example, all Webex app and Webex-registered devices are transmitting 1x720p, 1x360p and 1x180p streams to Video Mesh. On the cascade, streams of 720p, 360p, and 180p are transmitted in both directions. The reason is because there are Webex app and Webex-registered devices that are receiving 720p, 360p and 180p on both sides of the cascade.

In the diagrams, the bandwidth numbers for transmitted and received data are for example purposes only. They are not an exhaustive coverage of all possible meetings and accompanying bandwidth requirements. Different meeting scenarios (joined participants, device capabilities, content sharing within the meeting, activity at any given point in time during the meeting) will yield different bandwidth levels.

The diagram below shows a meeting with cloud and premises registered endpoints and an active speaker.

***Main Video With Multiple Layout at Time of Meeting***

In the same meeting, the diagram below shows an example of a cascade created between the Video Mesh nodes and the cloud in both directions.

***Cascade From Video Mesh Node to Cloud***

In the same meeting, the diagram below shows an example of a cascade from the cloud.

The diagram below shows a meeting with the same devices above, along with a Webex Meetings client. The system sends the active speaker and last active speaker in high definition, along with an extra HD stream of the active speaker for Webex Meeting clients because Video Mesh nodes do not support the Webex Meetings at this time.

***Addition of Webex Meetings Participant***

Requirements for Webex Services

Work with your partner, customer success manager (CSM), or trials representative to correctly provision the Cisco Webex site and Webex services for Video Mesh:

You must have a Webex organization with a paid subscription to Webex services.

To take full advantage of Video Mesh, make sure your Webex site is on video platform version 2.0. (You can verify that your site is on video platform version 2.0 if it has the Media Resource Type list available in the Cloud Collaboration Meeting Room site options.)

You must enable CMR for your Webex site under user profiles. (You can do this in a bulk update CSV with the SupportCMR attribute).

For further information, see Feature Comparison and Migration Path from Collaboration Meeting Room Hybrid to Video Mesh in the Appendix.

Related Information

How Do I Contact My Customer Success Manager (CSM)?

Verify That the Source Country Is Correct

Video Mesh uses the globally distributed media (GDM) capabilities of Webex to achieve better media routing. To achieve optimal connectivity, Webex selects the nearest cloud media node to your enterprise when performing Video Mesh cascades to Webex. Traffic then passes through the Webex backbone to interact with the Webex microservices for the meeting. This routing minimizes latency and keeps most of the traffic on the Webex backbone and off the internet.

To support GDM, we use MaxMind as the GeoIP location provider for this process. Verify that MaxMind correctly identifies the location of your Public IP address to ensure efficient routing.

In a web browser, enter this URL with the public IP address of your Expressway or endpoint at the end.

https://ds.ciscospark.com/v1/region/<public IP address>

You receive a response like the following:

attribution: "This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com"
clientAddress: "<public IP address>"
clientRegion: "US-WEST"
countryCode: "US"
disclaimer: "This service is intended for use by Webex Team only. Unauthorized use is prohibitted."
regionCode: "US-WEST"
timezone: "America/Chicago"

Verify that the countryCode is appropriate for the location of your Expressway or endpoint.

If the location is incorrect, submit a request to correct the location of your public IP address to MaxMind at https://support.maxmind.com/geoip-data-correction-request/correct-a-geoip-location .

Complete the Prerequisites for Video Mesh

Use this checklist to ensure you are ready to install and configure Video Mesh nodes and integrate a Webex site with Video Mesh.

Ensure that you:

Meet the minimum system requirements that are described in Requirements for Video Mesh and License Requirements for Hybrid Services .
Understand the call capacity examples that are described in Capacity for Video Mesh nodes .
Understand the supported deployment models described in Deployment Models Supported by Video Mesh .
Ensure that your network allows connectivity on the ports and using the protocols described in Ports and Protocols Used by Video Mesh
Ensure that your network supports the bandwidth requirements described in Video Quality and Scaling for Video Mesh

Work with your partner, customer success manager, or trials representative to understand and prepare your Webex environment so that it's ready to connect to Video Mesh. For more information, see Requirements for Webex Services .

Record the following network information to assign to your Video Mesh nodes:

IP address (Recommended)
Network mask
Gateway IP address
DNS servers
NTP servers
A hostname and optionally domain name for the Video Mesh node. (Optional)

We recommend that you use IP addresses for Video Mesh. If you plan to configure the nodes with FQDN, the FQDN value should be resolvable using all the entries in the DNS servers list configured on the node. You must also create both forward- and reverse-DNS (A- and PTR-records) in the DNS configuration.

Before starting installation, make sure your Webex organization is enabled for Video Mesh. This service is available for organizations with certain paid Webex service subscriptions as documented in License Requirements for Cisco Webex Hybrid Services . Contact your Cisco partner or account manager for assistance.

Choose a supported hardware or specifications-based configuration for your Video Mesh node, as described in System and Platform Requirements for Video Mesh Node Software .

Make sure your server is running VMware ESXi 7 or 8, and vSphere 7 or 8, with a VM host operational.

If you're integrating Video Mesh with your Unified CM call control environment and you want the participant lists to be consistent across meeting platforms, make sure your Unified CM cluster security mode is set to mixed mode so that it supports TLS-encrypted traffic. End-to-end encrypted traffic is required for this functionality to work.

See the TLS setup chapter in the Security Guide for Cisco Unified Communications Manager for more information about switching your Unified CM environment to mixed mode. See the Active Control solution guide for more information about the features and about how to set up end-to-end encryption.

If you're integrating a proxy (explicit, transparent inspecting, or transparent non-inspecting) with Video Mesh, make sure you following the requirements as documented in Requirements for Proxy Support for Video Mesh .

What to do next

Install and Configure Video Mesh Node Software

Deploy Video Mesh

Use this procedure to deploy a Video Mesh Node to your host server running VMware ESXi or vCenter. You install the software on-premises which creates a node and then perform initial configuration, such as network settings. You'll register it to the cloud later.

Sign in to the console for the first time. The Video Mesh Node software has a default password. You need to change this value before you configure the node.

Set the Network Configuration of the Video Mesh Node in the Console

Use this procedure to configure the network settings for the Video Mesh Node if you didn't configure them when you set up the node on a virtual machine. You'll set a static IP address and change the FQDN/hostname and NTP servers. DHCP is not currently supported.

Use these steps to configure the external interface for a dual network interface (dual NIC) deployment:

Set The External Network Interface of the Video Mesh Node Add Internal and External Routing Rules

After the node is back online and you verified the internal network configuration, you can configure the external network interface if you're deploying the Video Mesh Node in your network's DMZ so that you can isolate the enterprise (internal) traffic from the outside (external) traffic.

You can also make exceptions or overrides to the default routing rules.

Use this procedure to register Video Mesh nodes to the Webex cloud and complete additional configuration. When you use Control Hub to register your node, you create a cluster to which the node is assigned. A cluster contains one or more media nodes that serve users in a specific geographic region. The registration steps also configure SIP call settings, set an upgrade schedule, and subscribe to email notifications.

Enable and verify Quality of Service (QoS) with the following tasks:

Enable Quality of Service (QoS) for Video Mesh Node Verify Video Mesh Node Port Ranges With Reflector Tool in the Web Interface

Enable QoS if you want Video Mesh nodes to automatically mark SIP traffic (on-premises SIP registered endpoints) for both audio (EF) and video (AF41) separately with appropriate class of service and use well-known port ranges for specific media types. This change will let you create QoS policies and effectively remark return traffic from the cloud if desired.

Use the Reflector Tool steps to verify the correct ports are opened on your firewall.

Configure Video Mesh Node for Proxy Integration

Use this procedure to specify the type of proxy that you want to integrate with a Video Mesh. If you choose a transparent inspecting proxy, you can use the node's interface to upload and install the root certificate, check the proxy, and troubleshoot any potential issues.

Follow Integrate Video Mesh With Call Control Task Flow and choose one of the following, depending on your call control, security requirements, and whether you want to integrate Video Mesh with your call control environment:

Configure Unified CM Secure TLS SIP Traffic Routing for Video Mesh (TLS)

Configure Unified CM TCP SIP Traffic Routing for Video Mesh (TCP)

Configure Expressway TCP SIP Traffic Routing for Video Mesh (TCP)

SIP devices don't support direct reachability, so you must use Unified CM or VCS Expressway configuration to establish a relationship between on-premises registered SIP devices and your Video Meshclusters.

You only need to trunk your Unified CM or VCS Expressway to Video Mesh Node, depending on your call control environment.

Exchange Certificate Chains Between Unified CM and Video Mesh Nodes

In this task, you download certificates from the Unified CM and Video Mesh interfaces and upload one to the other. This step establishes secure trust between the two products and, in conjunction with the secure trunk configuration, allows encrypted SIP traffic and SRTP media in your organization to land on Video Mesh nodes.

Enable Media Encryption for the Organization and Video Mesh Clusters

Use this procedure to turn on media encryption for your organization and individual Video Mesh clusters. This setting forces end-to-end TLS setup and you must have a secure TLS SIP trunk in place on your Unified CM that points to your Video Mesh nodes.

Enable Video Mesh for the Webex Site

To use optimized media to the Video Mesh Node for a Webex meeting to all the Webex app and devices to join, this configuration needs to be enabled for the Webex site. Enabling this setting links Video Mesh and meeting instances in the cloud together and allows cascades to occur from Video Mesh nodes. If this setting is not enabled, the Webex app and devices will not use the Video Mesh node for Webex meetings.

Assign Collaboration Meeting Rooms to Webex App Users Verify the meeting experience on the secure endpoint

If you are using media encryption through the end-to-end TLS setup, use these steps to verify that the endpoints are securely registered and the correct meeting experience appears.

Bulk Provisioning Script for Video Mesh

If you need to deploy many nodes in your Video Mesh deployment, the process is time-consuming. You can use the script at https://github.com/CiscoDevNet/webex-video-mesh-node-provisioning to deploy Video mesh nodes on VMWare ESXi servers quickly. Read through the readme file for instructions on using the script.

Install and Configure Video Mesh Node Software

You must download the software package (OVA) from Control Hub ( https://admin.webex.com ), rather than using a previously downloaded version. This OVA is signed by Cisco certificates and can be downloaded after you sign in to Control Hub with your customer administrator credentials.

Before you begin

See System and Platform Requirements for Video Mesh Node Software for supported hardware platforms and specifications requirements for the Video Mesh Node.

Make sure you have these required items:

A computer with:

VMware vSphere client 7 or 8.

For a list of supported operating systems, refer to VMware documentation.

Video Mesh software OVA file downloaded.

Download the latest Video Mesh software from Control Hub, rather than using a previously downloaded version. You can also access the software from this link . (The file is approximately 1.5 GB.)

Older versions of the software package (OVA) will not be compatible with the latest Video Mesh upgrades. This can result in issues while upgrading the application. Make sure you download the latest version of the OVA file from this link .

A supported server with VMware ESXi or vCenter 7 or 8 installed and running

Disable virtual machine backups and live migration. Video Mesh Node clusters are realtime systems; any virtual machine pauses can make these systems unstable. (For maintenance activities on a Video Mesh Node, use maintenance mode from Control Hub.)

Using your computer, open the VMware vSphere client and sign in to the vCenter or ESXi system on the server.

Go to Actions > Deploy OVF Template .

On the Select an OVF tempate page, click Local File , then Choose Files . Navigate to where the videomesh.ova file is located, choose the file, and then click Next .

Each time you do a Video Mesh Node installation, we recommend that you redownload the OVA rather than using a previously downloaded version. If you try to deploy an old OVA, your Video Mesh Node may not work properly nor register to the cloud. An old OVA will also lead to potential issues during upgrades.

Make sure you download a new copy of the OVA from this link .

On the Select a name and folder page, enter a Virtual machine name for the Video Mesh Node (for example, "Video_Mesh_Node_1"), choose a location where the virtual machine node deployment can reside, and then click Next .

A validation check runs. After it finishes, the template details appear.

Verify the template details and then click Next .

On the Configuration page, choose the type of deployment configuration, and then click Next .

VMNLite (default)
CMS 1000

The options are listed in the order of increasing resource requirements.

If you choose the VMNLite option, you'll need to repeat the steps to deploy the other instance(s) on the same host, and choose the same option each time. Co-residency of VMNLite and non-VMNLite instances has not been tested and is not supported.

On the Select storage page, ensure that the default disk format of Thick Provision Lazy Zeroed and VM storage policy of Datastore Default are selected and then click Next .

On the Select networks page, choose the network option from the list of entries to provide the desired connectivity to the VM.

For Internal Interface Network , choose the node's internal IP address.
For External InterfaceNetwork , choose the external IP address that faces the public network. Ignore this option if you don't have a dual NIC deployment.

The inside interface (the default interface for traffic) is used for CLI, SIP trunks, SIP traffic and node management. The outside (external) interface is for HTTPS and websockets communication to the Webex cloud, along with the cascades traffic from the nodes to a meeting.

For a DMZ deployment, you can set up the Video Mesh node with the dual network interface (NIC). This deployment lets you separate the internal enterprise network traffic (used for interbox communication, cascades between node clusters, and to access the node's management interface) from the external cloud network traffic (used for connectivity to the outside world and cascades to Webex). All nodes in a cluster must be in dual NIC mode; a mixture of single and dual NIC is not supported.

For an existing installation of Video Mesh Node software, you cannot upgrade from a single NIC to a dual NIC configuration. You must do a fresh install of Video Mesh Node in this case.

On the Customize template page, configure the following network settings:

Hostname (Optional)—Enter the FQDN (hostname and domain) or a single word hostname for the node.

To ensure a successful registration to the cloud, use only lowercase characters in the FQDN or hostname that you set for the Video Mesh Node. Capitalization is not supported at this time.

When using or configuring FQDN or hostname, you must also enter a valid and resolvable domain. The total length of the FQDN must not exceed 64 characters.

IP Address — Enter the IP address for the internal interface of the node.

Mask —Enter the subnet mask address in dot-decimal notation. For example, 255.255.255.0 .

Gateway —Enter the gateway IP address. A gateway is a network node that serves as an access point to another network.

DNS Servers —Enter a comma-separated list of DNS servers, which handle translating domain names to numeric IP addresses. (Up to 4 DNS entries are allowed.)

NTP Servers —Enter your organization's NTP server or another external NTP server that can be used in your organization. You can also use a comma-separated list to enter multiple NTP servers.

The Video Mesh Node must have an internal IP address and resolvable DNS name. The node IP address must not belong to the IP address range reserved for Video Mesh Node internal use. The default reserved IP address range is 172.17.42.0–172.17.42.63, which can be configured later in the Diagnostic menu. This IP address range is for communication within the Video Mesh Node and between the software containers which hold the different components of the node—for example, SIP interface and media transcoding.

Deploy all the nodes on the same subnet or VLAN, so that all nodes in a cluster are reachable from wherever the clients reside in your network.

For a dual NIC DMZ deployment, you can set the external IP address in the node console, after you've saved the internal network configuration and rebooted the node later.

If preferred, you can skip the network setting configuration and follow the steps in Set the Network Configuration of the Video Mesh Node in the Console after you sign into the node.

On the Ready to Complete page, verify that all the settings that you entered match the guidelines in this procedure, and then click Finish .

After deployment of the OVA is complete, your Video Mesh Node appears in the list of VMs.

Right-click the Video Mesh Node VM, and then choose Power > Power On .

The Video Mesh Node software is installed as a guest on the VM Host. You are now ready to sign in to the console and configure the Video Mesh Node.

You may experience a delay of a few minutes before the node containers come up. A bridge firewall message appears on the console during first boot, during which you can't sign in.

What to do next

Log in to the Video Mesh Node Console

Sign in to the console for the first time. The Video Mesh Node software has a default password. You need to change this value before you configure the node.

From the VMware vSphere client, go to the Video Mesh Node VM, and then choose Console .

The Video Mesh Node VM boots up and a login prompt appears. If the login prompt does not appear, press Enter . You may briefly see a message that indicates the system is being initialized.

Use the following default username and password to log in:

Password: cisco

Because you are logging in to the Video Mesh Node for the first time, you must change the administrator passphrase (password).

For (current) password, enter the default password (from above), and then press Enter .

For new password, enter a new passphrase, and then press Enter .

For retype new password, retype the new passphrase, and then press Enter .

A "Password successfully changed" message appears, and then the initial Video Mesh Node screen appears with a message about unauthorized access being prohibited.

Press Enter to load the main menu.

What to do next

Set the Network Configuration of the Video Mesh Node in the Console

These steps are required if you didn't configure network settings at the time of OVA deployment.

The inside interface (the default interface for traffic) is used for CLI, SIP trunks, SIP traffic and node management. The outside (external) interface is for HTTPS and websockets communication to Webex, along with the cascades traffic from the nodes to Webex.

Open the node console interface through the VMware vSphere client and then sign in using the admin credentials.

After first time setup of the network settings and if the Video Mesh is reachable, you can access the node interface through secure shell (SSH).

From the main menu of the Video Mesh Node console, choose option 2 Edit Configuration and then click Select .

Read the prompt that the calls will end on the Video Mesh Node, and then click Yes .

Click Static , enter the IP address for the internal interface, Mask , Gateway , and DNS values for your network.

The Video Mesh Node must have an internal IP address and resolvable DNS name. The node IP address must not belong to the IP address range reserved for Video Mesh Node internal use. The default reserved IP address range is 172.17.42.0–172.17.42.63, which can be configured in the Diagnostic menu. This IP address range is for communication within the Video Mesh Node and between the software containers which hold the different components of the node—for example, SIP interface and media transcoding.

Deploy all the nodes on the same subnet or VLAN, so that all nodes in a cluster are reachable from wherever the clients reside in your network.

For a dual NIC DMZ deployment, you can set the external IP address in the next procedure, after you've saved the internal network configuration and rebooted the node.

Enter your organization's NTP server or another external NTP server that can be used in your organization.

After you configure the NTP server and save network settings, you can follow the steps in Check Health of Video Mesh Node From Console to verify that the time is synchronizing correctly through the specified NTP servers.

If you configure more than one NTP servers, the poll interval for failover is 40 seconds.

(Optional) Change the hostname or domain, if required.

To ensure a successful registration to the cloud, use only lowercase characters in the hostname that you set for the Video Mesh Node. Capitalization is not supported at this time.

When using or configuring FQDN or hostname, you must also enter a valid and resolvable domain. The total length of the FQDN must not exceed 64 characters.

Click Save , and then click Save Changes & Reboot .

During the save, DNS validation is performed if you provided a domain. A warning is displayed if the FQDN (hostname and domain) is not resolvable using the DNS server addresses provided. You may choose to save by ignoring the Warning, but calls will not work until the FQDN can resolve to the DNS configured on the node. After the Video Mesh Node reboots, the network configuration changes take effect.

What to do next

Once the software image is installed and configured with the network settings (IP Address, DNS, NTP, and so on) and accessible on the enterprise network, you can move to the next step of securely registering it to the cloud. The IP address that is configured on the Video Mesh Node is accessible only from the enterprise network. From a security perspective, the node is hardened whereby only customer administrators can access the node interface to perform configuration.

Set The External Network Interface of the Video Mesh Node

From the main menu of the Video Mesh Node console, choose option 5 External IP Configuration and then click Select .

Click 1 Enable/Disable , then Select , and then Yes to enable the external IP address options on the node.

As you did with the initial network configuration, enter the IP Address (external), Mask , and Gateway values.

The Interface field shows the name of the external interface for the node.

Click Save and Restart .

The node once again reboots to enable the dual IP address, and then automatically configures the basic static routing rules. These rules determine that traffic to and from a private class IP address uses an internal interface; traffic to and from a public class IP address uses an external interface. Later, you can create your own routing rules—For example, if you need to configure an override and allow access to an external domain from the internal interface.

Under certain circumstances, the existing SSH connection may terminate. For organizations that use IP addresses from the public range , you must reestablish an SSH connection to the public IP address of the Video Mesh Node.

To validate the internal and external IP address configuration, from the main menu of the console, go to 4 Diagnostics , and then choose Ping .

In the ping field, enter a destination address that you want to test, such as an external destination or an internal IP address, and then click OK .

Test an external destination (example, cisco.com); if successful, the results show that the destination was accessed from the external interface.
Test an internal IP address; if successful, the results show that the address was accessed from the internal interface.

What to do next

Video Mesh Node APIs

Video Mesh Node APIs enable organization admins to manage password, internal & external network settings, maintenance mode and server certificates related to Video Mesh Nodes. These APIs can be invoked via any API tool like Postman, or you can create your own script to call them. The user needs to call the APIs using the appropriate endpoint (you can use either node IP or FQDN), method, body, headers, authorization, etc. to perform the desired action and get a suitable response, as per the information provided below.

VMN Administration APIs

Video Mesh Administration APIs enable organization admins to manage maintenance mode and admin account password of the Video Mesh Nodes.

Get the Maintenance Mode status

Retrieves the current maintenance mode status (Expected status: on, off, pending or requested).

[GET] https://<node_ip>/api/v1/external/maintenanceMode

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Success" "result": { "isRegistered": true, "maintenanceMode": "pending/requested/on/off", "maintenanceModeLastUpdated": 1691135731847

Sample Response 2:

"status": { "code": 401, "message": "login failed: incorrect password or username"

Sample Response 3:

"status": { "code": 429, "message": "Too Many Requests" Enable or Disable Maintenance Mode

When you place a Video Mesh node into maintenance mode, it does a graceful shutdown of calling services (stops accepting new calls and waits up to 2 hours for existing calls to complete).

[PUT] https://<node_ip>/api/v1/external/maintenanceMode

Call this API only when there are no active calls.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body :

"maintenanceMode": "on"

maintenanceMode - Status of Maintenance Mode to be set - "on" or "off".

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Your request to enable/disable maintenance mode was successful."

Sample Response 2:

"status": { "code": 409, "message": "Maintenance Mode is already on/off"

Sample Response 3 :

"status": { "code": 400, "message": "Bad Request - wrong input" Change admin password

Changes the admin user's password.

[PUT] https://<node_ip>/api/v1/external/password

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"newPassword": "new"

newPassword- The new password to be set for the 'admin' account of the Video Mesh Node.

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully set the new passphrase for user admin."

Sample Response 2:

"status": { "code": 400, "message": "Enter a new passphrase that wasn't used for one of the previous 3 passphrases."

VMN Network APIs

Video Mesh Network APIs enable organization admins to manage internal and external network settings.

Get External Network Configuration

Detects if the external network is enabled or disabled. If the external network is enabled, it also fetches the External IP Address, External Subnet Mask and the External Gateway.

[GET] https://<node_ip>/api/v1/external/externalNetwork

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully fetched external network configuration." "result": { "ip": "1.1.1.1", "mask": "2.2.2.2", "gateway": "3.3.3.3"

Sample Response 2:

"status": { "code": 200, "message": "External network not enabled."

Sample Response 3:

"status": { "code": 500, "message": "Failed to get external network configuration." Edit External Network Configuration

Changes the External Network settings. This API can be used to either enable the external network along with setting or editing the External Network Interface with External IP Address, External Subnet Mask and External Gateway. It can also be used to disable the external network. After you make external network configuration changes, the node reboots to apply these changes.

[PUT] https://<node_ip>/api/v1/external/externalNetwork

You can configure this only for newly deployed Video Mesh Nodes, whose default admin password has changed. Do not use this API after registering the node to an organisation.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

Enabling external network:

"externalNetworkEnabled": true, "externalIp": "1.1.1.1", "externalMask": "2.2.2.2", "externalGateway": "3.3.3.3"

Disabling external network:

"externalNetworkEnabled": false

externalNetworkEnabled- Boolean value (true or false) to enable/disable External Network

externalIp - The External IP to be added

externalMask - The Netmask for the External Network

externalGateway - The Gateway for the External Network

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved the external network configuration. This node will reboot soon to apply the changes. Please wait for a minute and relogin to the node to verify that all changes were applied."

Sample Response 2:

"status": { "code": 200, "message": "Successfully disabled the external network. This node will reboot soon to apply the changes. Please wait for a minute and relogin to the node to verify that all changes were applied."

Sample Response 3:

"status": { "code": 400, "message": "One or more errors in the input: Value should be boolean for 'externalNetworkEnabled'"

Sample Response 4:

"status": { "code": 400, "message": "External network configuration has not changed; skipping save of the external network configuration." Get Internal Network details

Retrieves the internal network configuration details which includes Network Mode, IP Address, Subnet Mask, Gateway, DNS Caching details, DNS servers, NTP servers, Internal Interface MTU, Hostname and Domain.

[GET] https://<node_ip>/api/v1/external/internalNetwork

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully fetched internal network details" "result": { "dhcp": false, "ip": "1.1.1.1", "mask": "2.2.2.2", "gateway": "3.3.3.3", "dnsCaching": false, "dnsServers": [ "4.4.4.4", "5.5.5.5" "mtu": 1500, "ntpServers": [ "6.6.6.6" "hostName": "test-vmn", "domain": ""

Sample Response 2:

"status": { "code": 500, "message": "Failed to get Network details."

Sample Response 3:

"status": { "code": 500, "message": "Failed to get host details." Edit DNS servers

Updates DNS Servers with new ones.

[PUT] https://<node_ip>/api/v1/external/internalNetwork/dns

Place the Node in Maintenance Mode before making this change. See Enable or Disable Maintenance Mode for more information on moving a node into maintenance mode.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"dnsServers": "1.1.1.1 2.2.2.2"

dnsServers - DNS servers to be updated. Multiple space-separated DNS servers are allowed.

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved DNS servers"

Sample Response 2:

"status": { "code": 409, "message": "Requested DNS server(s) already exist."

Sample Response 3:

"status": { "code": 424, "message": "Maintenance Mode is not enabled. Kindly enable Maintenance Mode and try again for this node." Edit NTP servers

Updates NTP servers with new ones.

[PUT] https://<node_ip>/api/v1/external/internalNetwork/ntp

Place the Node in Maintenance Mode before making this change. See Enable or Disable Maintenance Mode for more information on moving a node into maintenance mode.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"ntpServers": "1.1.1.1 2.2.2.2"

ntpServers - NTP servers to be updated. Multiple space-separated NTP servers are allowed.

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved the NTP servers."

Sample Response 2:

"status": { "code": 409, "message": "Requested NTP server(s) already exist."

Sample Response 3:

"status": { "code": 424, "message": "Maintenance Mode is not enabled. Kindly enable Maintenance Mode and try again for this node." Edit host name and domain

Updates the Hostname and Domain of the Video Mesh Node.

[PUT] https://<node_ip>/api/v1/external/internalNetwork/host

Place the Node in Maintenance Mode before making this change. The Node reboots to apply the change. See Enable or Disable Maintenance Mode for more information on moving a node into maintenance mode.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"hostName": "test-vmn", "domain": "abc.com"

hostName - The new hostname of the node.

domain - The new domain for the hostname of the node (optional).

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved the host FQDN. This node will reboot soon to apply the changes. Please wait for a minute and relogin to the node to verify that all changes were applied."

Sample Response 2:

"status": { "code": 400, "message": "Unable to resolve FQDN"

Sample Response 3:

"status": { "code": 409, "message": "Entered hostname and domain already set to same." Enable or Disable DNS Caching

Enables or Disables DNS Caching. Consider enabling caching if DNS checks often take over 750 ms to resolve, or if recommended by Cisco Support.

[PUT] https://<node_ip>/api/v1/external/internalNetwork/dnsCaching

Place the Node in Maintenance Mode before making this change. The Node reboots to apply the change. See Enable or Disable Maintenance Mode for more information on moving a node into maintenance mode.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"dnsCaching": true

dnsCaching - DNS Caching Configuration. Accepts Boolean value (true or false).

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved DNS settings changes. This node will reboot soon to apply the changes. Please wait for a minute and relogin to the node to verify that all changes were applied."

Sample Response 2:

"status": { "code": 400, "message": "One or more errors in the input: 'dnsCaching' field value should be a boolean"

Sample Response 3:

"status": { "code": 409, "message": "dnsCaching is already set to false" Edit Interface MTU

Changes the Maximum Transmission Unit (MTU) for the node's network interfaces from the default value of 1500. Values between 1280 and 9000 are allowed.

[PUT] https://<node_ip>/api/v1/external/internalNetwork/mtu

Place the Node in Maintenance Mode before making this change. The Node reboots to apply the change. See Enable or Disable Maintenance Mode for more information on moving a node into maintenance mode.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body:

"internalInterfaceMtu": 1500

internalInterfaceMtu - Maximum Transmission Unit for the node's network interfaces. The value should be between 1280 and 9000.

Request Headers:

'Content-type': 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully saved the internal interface MTU settings. This node will reboot soon to apply the changes. Please wait for a minute and relogin to the node to verify that all changes were applied."

Sample Response 2:

"status": { "code": 400, "message": "One or more errors in the input: 'internalInterfaceMtu' field value should be a number"

Sample Response 3:

"status": { "code": 400, "message": "Please enter a number between 1280 and 9000."

VMN Server Certificate APIs

Video Mesh Server Certificate APIs enable organization admins to create, update, download, and delete the certificates related to Video Mesh Nodes. For more information, see Exchange Certificate Chains Between Unified CM and Video Mesh Nodes .

Create the CSR certificate

Generates a CSR (Certificate Signing Request) certificate, and the private key, based on the details provided.

[POST] https://<node_ip>/api/v1/externalCertManager/generateCsr

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body :

"csrInfo": "commonName": "1.2.3.4", "emailAddress": "[email protected]", "altNames": "1.1.1.1 2.2.2.2", "organization": "VMN", "organizationUnit": "IT", "locality": "BLR", "state": "KA", "country": "IN", "passphrase": "", "keyBitSize": 2048

commonName - IP/FQDN of the Video Mesh Node given as common name. (mandatory)

emailAddress - User's Email Address. (optional)

altNames - Subject Alternative Name(s) (optional). Multiple space separated FQDNs are allowed. If provided, it must contain the common name. If altNames are not provided, it takes the commonName as the value of altNames.

organization - Organization/Company name. (optional)

organizationUnit - Organizational Unit or Department or Group Name, etc. (optional)

locality - City/Locality. (optional)

state - State/Province. (optional)

country - Country/Region. Two-letter abbreviation. Do not provide more than two letters. (optional)

passphrase - Private Key Passphrase. (optional)

keyBitSize - Private Key Bit Size. Accepted values are 2048, by default, or 4096. (optional)

Request Headers :

Content-Type: 'application/json'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully generated CSR" "result": { "caCert": {}, "caKey": { "fileName": "VideoMeshGeneratedPrivate.key", "localFileName": "CaPrivateKey.key", "fileLastModified": "Fri Jul 21 2023 08:12:25 GMT+0000 (Coordinated Universal Time)", "uploadDate": 1689927145422, "size": 1678, "type": "application/pkcs8", "modulus": "S4MP1EM0DULU2" "certInstallRequestPending": false, "certInstallStarted": null, "certInstallCompleted": null, "isRegistered": true, "caCertsInstalled": false, "csr": { "keyBitsize": 2048, "commonName": "1.2.3.4", "organization": "VMN", "organizationUnit": "IT", "locality": "BLR", "state": "KA", "country": "IN", "emailAddress": "[email protected]", "altNames": [ "1.1.1.1", "2.2.2.2" "csrContent": "-----BEGIN CERTIFICATE REQUEST-----\nS4MP1E_C3RT_C0NT3NT\n-----END CERTIFICATE REQUEST-----" "encryptedPassphrase": null

Sample Response 2:

"status": { "code": 400, "message": "Private key already exists. Delete it before generating new CSR."

Sample Response 3:

"status": { "code": 400, "message": "CSR certificate already exists. Delete it before generating new CSR."

Sample Response 4:

"status": { "code": 400, "message": "CSR certificate and private key already exist. Delete them before generating new CSR."

Sample Response 5:

"status": { "code": 400, "message": "There were one or more errors while generating the CSR: The \"Country\" field must contain exactly two A-Z characters." Download the CSR certificate

Downloads the generated CSR certificate.

[GET] https://<node_ip>/api/v1/externalCertManager/csr

You can also download the file through the Send and Download option.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

-----BEGIN CERTIFICATE REQUEST-----
S4MP1E_C3RT_C0NT3NT
-----END CERTIFICATE REQUEST-----

Sample Response 2:

"status": { "code": 404, "message": "Could not download, CSR certificate does not exist." Download the private key

Downloads the private key generated along with the CSR certificate.

[GET] https://<node_ip>/api/v1/externalCertManager/key

You can also download the file through the Send and Download option.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

-----BEGIN RSA PRIVATE KEY----- S4MP1E_PR1V4T3_K3Y -----END RSA PRIVATE KEY-----

Sample Response 2:

"status": { "code": 404, "message": "Could not download, private key does not exist." Delete the CSR certificate

Deletes the existing CSR certificate.

[DELETE] https://<node_ip>/api/v1/externalCertManager/csr

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully deleted the CSR certificate"

Sample Response 2:

"status": { "code": 404, "message": "CSR certificate does not exist." Delete the private key

Deletes the existing private key.

[DELETE] https://<node_ip>/api/v1/externalCertManager/key

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully deleted the private key"

Sample Response 2:

"status": { "code": 404, "message": "Private key does not exist." Install the CA signed certificate and private key

Uploads the provided CA signed certificate and the private key on the Video Mesh node and installs the certificate on the node.

[POST] https://<node_ip>/api/v1/externalCertManager/uploadInstallCaCert

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Body :

Use 'form-data' to upload the following files:

CA Signed Certificate (.crt) file with key as 'crtFile'.

Private Key (.key) file with key as 'keyFile'.

Request Headers :

Content-Type: 'multipart/form-data'

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully installed certificate and key. It might take a few seconds to reflect on the node." "result": { "caCert": { "fileName": "videoMeshCsr.crt", "localFileName": "CaCert.crt", "fileLastModified": 1689931788598, "uploadDate": 1689931788605, "size": 1549, "type": "application/x-x509-ca-cert", "certStats": { "version": 0, "subject": { "countryName": "IN", "stateOrProvinceName": "KA", "localityName": "BLR", "organizationName": "VMN", "organizationalUnitName": "IT", "emailAddress": "[email protected]", "commonName": "1.2.3.4" "issuer": { "countryName": "AU", "stateOrProvinceName": "Some-State", "organizationName": "ABC" "serial": "3X4MPL3", "notBefore": "2023-07-21T09:28:19.000Z", "notAfter": "2024-12-02T09:28:19.000Z", "signatureAlgorithm": "sha256WithRsaEncryption", "fingerPrint": "11:22:33:44:AA:BB:CC:DD", "publicKey": { "algorithm": "rsaEncryption", "e": 65537, "n": "3X4MPL3", "bitSize": 2048 "altNames": [], "extensions": {} "caKey": { "fileName": "VideoMeshGeneratedPrivate.key", "localFileName": "CaPrivateKey.key", "fileLastModified": 1689931788629, "uploadDate": 1689931788642, "size": 1678, "type": "application/pkcs8", "modulus": "S4MP1EM0DULU2" "certInstallRequestPending": true, "certInstallStarted": null, "certInstallCompleted": null, "isRegistered": true, "caCertsInstalled": false, "csr": { "keyBitsize": 2048, "commonName": "1.2.3.4", "organization": "VMN", "organizationUnit": "IT", "locality": "BLR", "state": "KA", "country": "IN", "emailAddress": "[email protected]", "altNames": [ "1.1.1.1", "2.2.2.2" "csrContent": "-----BEGIN CERTIFICATE REQUEST-----\nS4MP1E_C3RT_C0NT3NT\n-----END CERTIFICATE REQUEST-----" "encryptedPassphrase": null

Sample Response 2:

"status": { "code": 400, "message": "Could not parse the certificate file. Make sure it is a properly formatted certificate and try again."

Sample Response 3:

"status": { "code": 400, "message": "Private Key does not match Certificate (different modulus)"

Sample Response 4:

"status": { "code": 202, "message": "Certificate and private key PENDING installation. It might take a few seconds to reflect on the node. If the node is in maintenance mode, it will get installed once it is disabled." Download the CA signed certificate

Downloads the CA signed certificate installed on the node.

[GET] https://<node_ip>/api/v1/externalCertManager/caCert

You can also download the file through the Send and Download option.

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

-----BEGIN CERTIFICATE-----
S4MP1E_C3RT_C0NT3NT
-----END CERTIFICATE-----

Sample Response 2:

"status": { "code": 404, "message": "Could not download, CA certificate does not exist." Delete the CA signed certificate

Deletes the CA signed certificate installed on the node.

[DELETE] https://<node_ip>/api/v1/externalCertManager/caCert

Authorization : Basic Authentication utilizing the Video Mesh username (‘admin’) and the password.

Sample Responses :

Sample Response 1:

"status": { "code": 200, "message": "Successfully deleted the CA certificate."

Sample Response 2:

"status": { "code": 404, "message": "CA certificate does not exist."

Common API Responses

Listed below are some sample responses that you might encounter while using any of the APIs mentioned above.

Sample Response 1: Wrong Credentials provided in the Basic Authorization.

"status": { "code": 401, "message": "login failed: incorrect password or username"

Sample Response 2: VMN is not upgraded to the required version that supports these APIs.

"status": { "code": 421, "message": "Misdirected Request 1:[undefined]"

Sample Response 3: Wrong referer entered in the header (when header wasn't expected).

"status": { "code": 421, "message": "Misdirected Request 2:[https://x.x.x.x/setup]"

Sample Response 4: Rate limit exceeded, try after some time.

"status": { "code": 429, "message": "Too Many Requests"

Add Internal and External Routing Rules

In a dual network interface (NIC) deployment, you can fine tune the routing for Video Mesh nodes by adding user-defined route rules for external and internal interfaces. The default routes are added to the nodes, but you can make exceptions—for example, external subnets or host addresses that need to be accessed through the internal interface, or internal subnets or host addresses that need to be accessed from the external interface. Perform the following steps as needed.

From the Video Mesh node interface, choose 5 External IP Configuration and then click Select .

Choose 3 Manage Routing Rules , and then click Select .

The first time you open this page, the default system routing rules appear in the list. By default, all internal traffic goes through the internal interface and external traffic through the external interface.

You can add manual overrides to these rules in the next steps.

Follow these steps as needed:

Click Add external route , and then enter the internal subnet or host IP address to use for the external route.
Click Add internal route , and then enter the external subnet or host IP address to use for the internal route.

As you add each rule, they appear in the routing rule list, categorized as user defined rules.

The default routes cannot be deleted, but you can delete any user-defined overrides that you configured.

Custom routing rules may create potential for conflicts with other routing. For example, you may define a rule that freezes your SSH connection to the Video Mesh Node interface. If this happens, do one of the following and then remove or modify the routing rule:

Open an SSH connection to the public IP address of the Video Mesh Node.

Access the Video Mesh Node through the ESXi console

Register the Video Mesh Node to the Webex Cloud

Before you begin

Once you begin registration of a node, you must complete it within 60 minutes or you have to start over.

Ensure that any popup blockers in your browser are disabled or that you allow an exception for https://admin.webex.com .

For best results, deploy all nodes of a cluster in the same data center. See Clusters in Video Mesh for how they work and best practices.

From the host or machine where you're registering Video Mesh Nodes to the cloud, you must have connectivity to the Webex cloud and the Video Mesh IP addresses that are being registered (in a dual NIC environment, specifically the internal IP addresses of the Video Mesh Nodes).

You sign in to Control Hub using the admin credentials. The Control Hub admin functionality is available only to users who are defined as admins in Control Hub. See Customer Account Roles for more information.

Go to Services > Hybrid and choose one:

Set up : Choose this option if this is the first Video Mesh Node you're registering, then click Next .

See Complete the Prerequisites for Video Mesh for more information.

View all : Choose this option if you've already registered one or more Video Mesh Nodes, then click Add Resource .

Make sure you have installed and configured your Video Mesh Node. Click Yes, I'm ready to register... , then click Next .

In Create a new or select a cluster , choose one:

For a new cluster, enter a name for the cluster to which you want to assign your Video Mesh Node.
For an existing cluster, click the field, then choose an existing cluster to which to add the new node.

We recommend that you name a cluster based on where the nodes of the cluster are located geographically. For example, "San Francisco".

In Enter the FQDN or IP address , enter the fully qualified domain name (FQDN) or internal IP address of your Video Mesh Node and then click Next .

If you use FQDN, enter a domain that can be resolved by DNS.
If you use an IP address, enter the same internal IP address that you used to configure the node from the console.

An FQDN must resolve directly to the IP address or it is not usable. We perform the validation on FQDN to rule out any typo or configuration mismatch.

The dual network interface does not support specifying an FQDN for the external IP address. The FQDN can be added only on the screen where internal IP address is entered. That is what the FQDN must resolve to using the DNS servers that are specified on the same screen.

Under Upgrade Schedule , choose a time, frequency, and time zone.

The default is a daily upgrade schedule. You can change it to a weekly schedule on a specific day. When an upgrade is available, the Video Mesh Node software automatically upgrades during the time that you select.

When an upgrade is available, you can use Upgrade Now to start the upgrade before the next maintenance window or Postpone to defer it until the subsequent window.

Under Email Notifications , add administrator email addresses to subscribe to notifications about service alarms and software upgrades.

Your administrator email address is automatically added. You can remove it if you want.

Toggle the Video Quality setting on to enable 1080p 30fps video.

With this setting, SIP participants that join a meeting that is hosted in a Video Mesh Node can use 1080p 30fps video if they are all inside the corporate network and they're using a high definition-capable device. The setting applies to all clusters of nodes.

If this setting is off, the default is 720p.

For video resolutions supported by Webex App, see Video specifications for calls and meetings .

Read the information under Complete Registration , then click Go to Node to register the node to the Webex cloud.

A new browser tab opens to check the node. This step safelists the Video Mesh Node using the IP address of the node. During the registration process, Control Hub redirects you to the Video Mesh Node. The IP address must be safelisted, otherwise registration fails. The registration process must be completed from the enterprise network where the node is installed.

Check Allow Access to the Webex Video Mesh Node , then click Continue .

Click Allow .

Your account is validated, your Video Mesh Node is registered and the message Registration Complete is shown, indicating your Video Mesh Node is now registered to Webex.

The Video Mesh Node gets machine credentials based on your organization's entitlements. The generated machine credentials expire periodically and are refreshed.

Click the portal link or close the tab to go back to the Video Mesh page.

On the Video Mesh page, you now see the new cluster that contains the Video Mesh Node that you registered.

If you go to the cluster, you'll see the new Video Mesh Node, which initially shows a status of Registering . The node changes to Running when it is ready for use in your Webex organization.

Because the software is a container that contains services from the cloud infrastructure, it gets updates from the cloud to remain in sync with the cloud services. Required updates may install shortly after you register the node to the cloud. You can also change your automatic upgrade schedule. See Automatic Upgrades for Hybrid Services Resources for more information.

If you installed the demo image on the node that you registered, you'll see a demo mode yellow status alarm. This alarm is normal, but we recommend installing the full software image before the 90-day grace period expires for the demo image.

At this point, the Video Mesh Node is ready to communicate with Cisco cloud services over the secured channels using a token issued for authentication. The Video Mesh Node also communicates with Docker Hub (docker.com, docker.io). Docker is used by Video Mesh node to store containers for distribution to different Video Mesh nodes all over the world. Only Cisco has credentials to write to Docker Hub. The Video Mesh nodes can reach out to Docker Hub using read-only credentials to download the containers for upgrades.

Images are downloaded based on checksum, which is transmitted to the node as part of the provisioning data. See this document for more details on how docker pull works: https://docs.docker.com/v17.09/engine/userguide/storagedriver/imagesandcontainers/#sharing-promotes-smaller-images

Things to keep in mind

Keep the following information in mind about Video Mesh Node and how it works once registered to your Webex organization:

When you deploy a new Video Mesh Node, the Webex App and Webex-registered device won't recognize the new node for up to 2 hours. The clients check for cluster reachability during startup, a network change, or cache expiration. You can wait for 2 hours or, as a workaround, restart your Webex App or reboot the Webex room or desk device. Afterwards, call activity is captured in the Video Mesh reports in Control Hub.

A Video Mesh Node registers to a single Webex organization; it is not a multitenant device.

To understand what uses Video Mesh Node and what doesn't, see the table in Clients and Devices that use Video Mesh Node .

The Video Mesh Node can connect to your Webex site or to another customer or partner's Webex site. For example, Site A deployed a Video Mesh Node cluster and registered it with the example1.webex.com domain. If users in Site A dial in to [email protected], they use the Video Mesh Node and a cascade can be created. If the users in site A dial [email protected], the Site A users will use their local Video Mesh Node and connect to the meeting on Site B's Webex organization.

What to do next

To register additional nodes, repeat these steps.

If an upgrade is available, we recommend that you apply it as soon as possible. To upgrade, complete the following steps:

The provisioning data is pushed to the Webex cloud by the Cisco development team over secured channels. The provisioning data is signed. For the containers, the provisioning data contains name, checksum, version, and so on. Video Mesh Node also gets its provisioning data from the Webex cloud over secured channels.

Once Video Mesh Node gets its provisioning data, the node authenticates with read-only credentials and downloads the container with specific checksum and name and upgrades the system. Each container running on Video Mesh Node has an image name and checksum. These attributes are uploaded to the Webex cloud using secured channels.

Enable Quality of Service (QoS) for Video Mesh Node

Before you begin

Make the necessary firewall port changes that are covered in the diagram and table. See Ports and Protocols Used by Video Mesh .

For Video Mesh nodes to be enabled for QoS, the nodes must be online. Nodes in maintenance mode or offline states are excluded when you enable this setting.

From the customer view in https://admin.webex.com , go to Services > Hybrid , click Edit settings on the Video Mesh card.

Scroll to Quality of Service and click Enable .

When enabled, you get the large, discrete port range (determined by on-premises call control configuration) that's used for audio and video for on-premises SIP clients/endpoints and intracluster cascades with unique DSCP markings:.

Audio: 52500–59499 and 59500–62999 DSCP EF (Expedited Forwarding)

Video/Content: 63000–64667 and 64668–65500 DSCP AF41

All SIP and cascade traffic from Video Mesh nodes is marked with EF for audio and AF41 for video. The discrete port ranges are used as source ports for cascade media to other Video Mesh nodes and cloud media nodes as well as source and destination ports for SIP client media. Webex Teams apps and cascade media continue to use the destination shared port of 5004 and port ramge 50000–53000.

All Video Mesh return traffic (audio, video, content) from the shared ports is marked with AF41. The audio traffic needs to be remarked to EF in your network, based on the source port numbers.

A status message appears that shows which nodes are being enabled one-by-one for the QoS port range. You can click review pending nodes to see a list of nodes that are pending for QoS. Enabling this setting can take up to 2 hours, depending on call traffic on the nodes.

If QoS is not fully enabled in 2 hours, open a case with support for further investigation.

The nodes reboot and are updated with the new port range.

If you decide to disable the setting, you get the small, consolidate port range that's used for both audio and video (34000–34999). All traffic from Video Mesh nodes (SIP, cascades, cloud traffic, and so on) gets a single marking of AF41.

Verify Video Mesh Node Port Ranges With Reflector Tool in the Web Interface

The reflector tool (a combination of a server on the Video Mesh node and client through a Python script) is used to verify whether the required TCP/UDP ports are open from Video Mesh nodes.

Before you begin

Download a copy of the Reflector Tool Client (a Python script) from https://github.com/CiscoDevNet/webex-video-mesh-reflector-client .

For the script to work properly, ensure that you're running Python 2.7.10 or later in your environment.

Currently, this tool supports SIP endpoints to Video Mesh nodes and intracluster verification.

From the customer view in https://admin.webex.com , enable maintenance node for the Video Mesh Node by following these instructions .

Wait for the node to show a 'Ready for maintenance' status in Control Hub.

Open the Webex Video Mesh node interface.

For instructions, see Manage Video Mesh Node From the Web Interface .

Scroll to Reflector Tool , and then start either the TCP Reflector Server or UDP Reflector Server , depending on what protocol you want to use.

Click Start Reflector Server , and then wait for the server to start successfully.

You'll see a notice when the server starts.

From a system (such as a PC) on a network that you want Video Mesh nodes to reach, run the script with the following command:

$ python <local_path_to_client_script>/reflectorClient.py --ip <ip address of the server> --protocol <tcp or udp>

At the end of the run, the client shows a success message if all the required ports are open:

The client shows a failed message if any required ports are not open:

Resolve any port issues on the firewall and then rerun the above steps.

Run the client with --help to get more details.

Configure Video Mesh Node for Proxy Integration

Use this procedure to specify the type of proxy that you want to integrate with a Video Mesh. If you choose a transparent inspecting proxy or an explicit proxy, you can use the node's interface to upload and install the root certificate, check the proxy connection, and troubleshoot any potential issues.

Before you begin

See Proxy Support for Video Mesh for an overview of the supported proxy options.

Requirements for Proxy Support for Video Mesh

Enter the Video Mesh setup URL https://[IP or FQDN/setup in a web browser, enter the admin credentials you set up for the node, and then click Sign In .

Go to Trust Store & Proxy , and then choose an option:

No Proxy —The default option before you integrate a proxy. No certificate update is required.

Transparent Non-Inspecting Proxy —Video Mesh nodes are not configured to use a specific proxy server address and should not require any changes to work with a non-inspecting proxy. No certificate update is required.

Transparent Inspecting Proxy —Video Mesh nodes are not configured to use a specific proxy server address. No http(s) configuration changes are necessary on Video Mesh; however, the Video Mesh nodes need a root certificate so that they trust the proxy. Inspecting proxies are typically used by IT to enforce policies regarding which websites can be visited and types of content that are not permitted. This type of proxy decrypts all your traffic (even https).

Explicit Proxy —With explicit proxy, you tell the client (Video Mesh nodes) which proxy server to use, and this option supports several authentication types. After you choose this option, you must enter the following information:

Proxy IP/FQDN —Address that can be used to reach the proxy machine.

Proxy Port —A port number that the proxy uses to listen for proxied traffic.

Proxy Protocol —Choose http (Video Mesh tunnels its https traffic through the http proxy) or https (traffic from the Video Mesh node to the proxy uses the https protocol). Choose an option based on what your proxy server supports.

Choose from among the following authentication types, depending on your proxy environment:

Option

Usage

Choose for HTTP or HTTPS explicit proxies where there's no authentication method.

Basic

Available for HTTP or HTTPS explicit proxies.

Used for an HTTP user agent to provide a username and password when making a request, and uses Base64 encoding.

Digest

Available for HTTPS explicit proxies only.

Used to confirm the account before sending sensitive information, and applies a hash function on the user name and password before sending over the network.

Available for HTTP explicit proxies only.

Like Digest, used to confirm the account before sending sensitive information. Uses Windows credentials instead of the username and password.

If you choose this option, enter the Active Directory domain that the proxy uses for authentication in the NTLM Domain field. Enter the name of the proxy workstation (also referred to as a workstation account or machine account) within the specified NTLM domain in the NTLM Workstation field.

Follow the next steps for a transparent inspecting or explicit proxy.

Click Upload a Root Certificate or End Entity Certificate , and then locate and choose the root certificate for the explicit or transparent inspecting proxy.

The certificate is uploaded but not yet installed because the node needs to be rebooted to install the certificate. Click the arrow by the certificate issuer name to get more details or click Delete if you made a mistake and want to reupload the file.

For transparent inspecting or explicit proxies, click Check Proxy Connection to test the network connectivity between the Video Mesh node and the proxy.

If the connection test fails, you'll see an error message that shows the reason and how you can correct the issue.

After the connection test passes, for explicit proxy, turn the toggle on to Route all port 443 https requests from this node through the explicit proxy . This setting requires 15 seconds to take effect.

Click Install All Certificates Into the Trust Store (appears whenever a root certificate was added during proxy setup) or Reboot (appears if no root certificate was added), read the prompt, and then click Install if you're ready.

The node reboots within a few minutes.

After the node reboots, sign in again if needed, and then open the Overview page to check the connectivity checks to make sure they are all in green status.

The proxy connection check only tests a subdomain of webex.com. If there are connectivity problems, a common issue is that some of the cloud domains listed in the install instructions are being blocked at the proxy.

Integrate Video Mesh With Call Control Task Flow

Configure SIP trunks to route SIP dial-in for Webex meetings on Video Mesh. SIP devices don't support direct reachability, so you must use Unified CM or VCS Expressway configuration to establish a relationship between on-premises SIP devices and your Video Mesh clusters.

Before you begin

See Deployment Models For Video Mesh and Cisco Unified Communications Manager to understand common deployment examples.
Video Mesh supports either TCP or TLS between Unified CM and SIP signaling. SIP TLS is not supported for VCS Expressway.

In Unified CM, each SIP trunk can support up to 16 Video Mesh destinations (IP addresses).

In Unified CM, incoming ports on SIP trunk security profile can be default (Non Secure SIP Trunk Profile).

Video Mesh supports 2 route patterns: sitename.webex.com and meet.ciscospark.com . Other route patterns are unsupported.

Video Mesh supports 3 route patterns: webex.com (for short video addresses ), sitename.webex.com and meet.ciscospark.com . Other route patterns are unsupported.

When you use the short video address format ( [email protected] ), the Video Mesh node always handles the call. The node handles the call even if the call is to a site that doesn't have Video Mesh enabled.

Example Deployment of Video Mesh with Distributed Unified CM

Choose one of these options, depending on your call control environment and security requirements:
Configure Unified CM Secure TLS SIP Traffic Routing for Video Mesh Configure Unified CM TCP SIP Traffic Routing for Video Mesh Configure Expressway TCP SIP Traffic Routing for Video Mesh (TCP only)

SIP Devices Registered to Unified CM (TLS or TCP)

Configure Unified CM with Video Mesh, using either TLS encrypted or TCP SIP traffic. You can create a trunk routing policy that reflects cluster preferences, and is highly available and resilient to device failures. If you use Unified CM Session Management Edition (SME), configure trunks on the Unified CM SME and leaf systems so that inbound and outbound calls are evenly distributed across the Unified CM servers within the Session Management cluster.

Typically, each site will have a dedicated Unified CM cluster associated with it. These clusters will be connected through intercluster SIP trunks. Each cluster will have call-in trunks to the local site for the Video Mesh nodes.

You can also configure your deployment to handle failure or overflow conditions. This configuration helps if there's an outage or if the Video Mesh clusters reached capacity. If the SIP meeting or call cannot be established with a cluster, the meeting or call will overflow to the cloud.

SIP Devices Registered to VCS or Expressway (TCP Only)

Configure neighbor zones and search rules to route SIP dial-in and dial-out for Cisco Webex meetings to Video Mesh clusters. SIP devices registered to a VCS Control or Expressway-C don't support direct reachability, so you must use a TCP-based Expressway configuration to establishes a relationship between on-premises SIP devices and your Video Mesh clusters.

Configure Unified CM Secure TLS SIP Traffic Routing for Video Mesh

Create a SIP profile for Video Mesh clusters:

From Cisco Unified CM Administration, go to Device > Device Settings > SIP Profile , and then click Find .

Choose Standard SIP Profile For Cisco VCS , and then click Copy .

Enter a name for the new profile—for example, Video Mesh SIP Profile .

Under Trunk Specific Configuration , set Early Offer support for voice and video calls to Best Effort (no MTP inserted) .

You can apply this setting to a new SIP trunk to the Webex cloud (routed by the external domain for the Webex site). The setting does not affect any existing SIP trunking or call routing.

Make sure that Enable OPTIONS Ping to monitor destination status for Trunks with Service Type is checked.

Leave all other fields with their default values and save your changes.

Add a new SIP trunk security profile for Video Mesh clusters:

From Cisco Unified CM Administration, choose System > Security > SIP Trunk Security Profile , and then click Add New .

Enter a meaningful name, such as Video Mesh Secure SIP Trunk Security Profile

Confirm these settings:

Field

Value

Device Security Mode

Encrypted

Incoming Transport Type

Outgoing Transport Type

X.509 Subject Name

Secure Certificate Subject or Subject Alternate Name

Enter the common name of the Video Mesh node certificate.

Incoming Port

SIP V.150 Outbound SDP Offer Filtering

Use Default Filter

Leave all other fields with their default values and save your changes.

Add a new SIP trunk to point to your Video Mesh clusters:

In a Unified CM-only deployment, add a single trunk.
In an SME deployment, a trunk typically exists between Unified CM and SME. Add another trunk between SME and Video Mesh nodes. Both trunks must have the same settings specified below.

From Cisco Unified CM Administration, choose Device > Trunk , and then click Add New .

Choose SIP Trunk for the trunk type; leave the other values and click Next .

Enter a meaningful name, such as Video_Mesh_SIP_Trunk_UCMtoVMN .

Check the SRTP Allowed check box

For Calling and Connecting Party Info Format , check Deliver URI and DN in connected party, if available . This setting enables blended identity. It allows the SIP trunk to transmit the enterprise-side party's directory URI to Webex.

Check Run On All Active Unified CM Nodes .

Under SIP Information - Destination , enter an IP address or fully qualified domain name (FQDN) for each of your Video Mesh nodes.

Enter 5061 for the Destination Port .

For the SIP Trunk Security Profile , choose the Video Mesh Trunk Security Profile that you created earlier. (For example, Video Mesh Secure SIP Trunk Security Profile .)

For the SIP Profile , choose the Video Mesh SIP Profile that you created earlier. (For example, Video Mesh SIP Profile .)

Leave all other fields with their default values and save your changes.

A Video Mesh call or meeting might assign media to any node in a cluster, not just the node that terminates the SIP call.

From Cisco Unified CM Administration, choose Device > Trunk , and then click Add New .

Choose SIP Trunk for the trunk type; leave the other values and click Next .

Enter a meaningful name, such as Video_Mesh_VCS_Trunk .

Under SIP Information - Destination , enter an IP address or fully qualified domain name (FQDN) for each of your Expressways. For the Port , enter 5060 .

For SIP Profile , choose Standard SIP Profile For Cisco VCS .

Create a new route group for calls to Video Mesh clusters:

From Cisco Unified CM Administration, choose Call Routing > Route/Hunt > Route Group , and then click Add New .

Enter a meaningful name, such as Video Mesh Node Route Group .

Change the Distribution Algorithm to Top Down .

In the Route Group Member Information section, Find the Devices with name Video Mesh .

Add Video_Mesh_SIP_Trunk_UCMtoVMN by clicking Add to Route Group .

Save your changes.

For overflow to the cloud, create a new route group for calls to Expressway:

From Cisco Unified CM Administration, choose Call Routing > Route/Hunt > Route Group , and then click Add New .

Enter a meaningful name, such as Video Mesh Expressway Route Group .

Change the Distribution Algorithm to Top Down .

In the Route Group Member Information section, Find the Devices with name Video Mesh .

Add Video_Mesh_VCS_Trunk by clicking Add to Route Group .

Save your changes.

Create a new route list for calls to Video Mesh clusters and Expressway:

From Cisco Unified CM Administration, choose Call Routing > Route/Hunt > Route List , and then click Add New .

Enter a meaningful name, such as Video Mesh Node Route List .

Set the Cisco Unified Communications Manager Group to Default , or another value depending on your configuration.

Save your changes.

In the Route List Member Information section, click Add Route Group , and then choose Video Mesh Route Group .

Leave the defaults for the other settings, and then save your changes.

In the Route List Member Information section, click Add Route Group , and then choose Video Mesh Expressway Route Group .

Leave the defaults for the other settings, and then save your changes.

Create a SIP route pattern for the short video address dialing format for Webex meetings:

From Call Routing > SIP Route Pattern , click Add New and enter the name Video Mesh Route Pattern for Webex Short URIs .

In the IPv4 pattern , enter webex.com as the domain.

For SIP Trunk/Route List , choose the Route List created for Video Mesh—For example, Video Mesh Route List .

Leave all other fields with their default values and save your changes.

With the short video address dialing feature, users no longer have to remember the Webex site name to join a Webex meeting or event using a video system. They can join the meeting faster because they only need to know the meeting or event number.

Create a SIP route pattern for the Webex site:

From Call Routing > SIP Route Pattern , click Add New and enter the name Video Mesh Route Pattern for Webex Sites .

In the IPv4 pattern , enter the Webex site for which you want optimized media—For example, examplesitename.webex.com .

For SIP Trunk/Route List , choose the Route List created for Video Mesh—For example, Video Mesh Route List .

Leave all other fields with their default values and save your changes.

Create a SIP route pattern for Webex App meetings (backwards compatibility):

From Call Routing > SIP Route Pattern , click Add New , and then enter the name Video Mesh Route Pattern for Teams Meetings .

In the IPv4 pattern , enter the meet.ciscospark.com .

For SIP Trunk/Route List , choose the Route List created for Video Mesh—For example, Video Mesh Route List .

Leave all other fields with their default values and save your changes.

Configure Unified CM TCP SIP Traffic Routing for Video Mesh

Create a SIP profile for Video Mesh clusters:

From Cisco Unified CM Administration, go to Device > Device Settings > SIP Profile , and then click Find .

Choose Standard SIP Profile For Cisco VCS , and then click Copy .

Enter a name for the new profile—for example, Video Mesh SIP Profile .

Under Trunk Specific Configuration , set Early Offer support for voice and video calls to Best Effort (no MTP inserted) .

You can apply this setting to a new SIP trunk to the Webex (routed by the external domain for the Webex site). The setting does not affect any existing SIP trunking or call routing.

Make sure that Enable OPTIONS Ping to monitor destination status for Trunks with Service Type is checked.

Leave all other fields with their default values and save your changes.

Add a new SIP trunk security profile for Video Mesh clusters:

From Cisco Unified CM Administration, choose System > Security > SIP Trunk Security Profile , and then click Add New .

Enter a meaningful name, such as Video Mesh Trunk Security Profile

Confirm these settings:

Field

Value

Device Security Mode

Non Secure

Incoming Transport Type

TCP+UDP

Outgoing Transport Type

Incoming Port

SIP V.150 Outbound SDP Offer Filtering

Use Default Filter

Leave all other fields with their default values and save your changes.

Add a new SIP trunk to point to your Video Mesh clusters:

In a Unified CM-only deployment, add a single trunk.
In an SME deployment, a trunk typically exists between Unified CM and SME. Add another trunk between SME and Video Mesh nodes. Both trunks must have the same settings specified below.

From Cisco Unified CM Administration, choose Device > Trunk , and then click Add New .

Choose SIP Trunk for the trunk type; leave the other values and click Next .

Enter a meaningful name, such as Video_Mesh_SIP_Trunk_UCMtoVMN .

Check Run On All Active Unified CM Nodes .

Under SIP Information - Destination , enter an IP address or fully qualified domain name (FQDN) for each of your Video Mesh nodes.

Enter 5060 for the Destination Port .

For the SIP Trunk Security Profile , choose the Video MeshTrunk Security Profile that you created earlier. (For example, Video Mesh Trunk Security Profile .)