Network Requirements for Cisco Spark Services (Administrators)

Document created by Cisco Documentation Team on Apr 19, 2016. Last modified by Cisco Documentation Team on Aug 18, 2017.
Version 34
 

Cisco Spark Network Requirements for Administrators

   

This article is intended for network administrators, particularly firewall and web security administrators. It will help you configure your network to support Cisco Spark.

    

Cisco Spark apps and endpoints initiate outbound connections. Cisco Collaboration Cloud never initiates any connections to the Cisco Spark apps. For more details on interaction between Cisco Spark and the network, please see the Cisco Spark Firewall whitepaper.

   

Types of Traffic

       

Cisco Spark apps and endpoints use two types of traffic:

    
  1. HTTPS and WSS (secure websocket) traffic. This traffic is protected by TLS. All Cisco Spark features other than real-time media depend on this.

  2. Real-time media (audio, video, and content sharing) traffic. This is primarily SRTP, but also includes STUN and other protocols necessary for media.

    

If there is a firewall, proxy, transparent proxy, or any other middle-box capable of filtering HTTPS traffic based on its content, see the list of URLs. Filtering HTTPS traffic by IP address is not supported as the IPs used are dynamic and may change at any time.

   

Firewall Configuration

      

Cisco Spark Apps and Endpoints

       

The following table describes ports and protocols used by Cisco Spark apps and endpoints.

     
                                    
| Source IP | Destination IP | Destination Port | Protocol | Description | Devices using this rule |
|---|---|---|---|---|---|
| Your Networks | ANY | 443 | TLS | HTTPS and WSS for signaling and messaging. If using an HTTP proxy, instead of opening this port in your firewall, see the URLs table. | All |
| Your Networks | ANY | 5004 (1)(2) | UDP | SRTP audio, video & content sharing media | All |
| Your Networks | ANY | 5004 (1) | TCP | Fallback for audio and video if UDP is closed. Used for content sharing on desktop and mobile apps | All except Cisco Spark Board |
| Your Networks | ANY | 123 | NTP | Time synchronization | Cisco Spark Board (3) |
    

(1): Media flows in both directions using a symmetric inside-initiated, 5-tuple UDP or TCP stream outbound to Cisco Collaboration Cloud

    

(2): Usage of UDP port 33434 is deprecated, but for backward compatibility Cisco Spark will still probe and use this port if 5004 is not open.

    

(3): The latest software releases use DHCP for time synchronization. Older software releases still need NTP on port 123.
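The following added example (not Cisco code) reads firewall deny logs against the table and footnotes above and reports which media transport each client is left with. The log format, IP addresses and function names are constructed for illustration, the probe order (UDP 5004, then deprecated UDP 33434, then TCP 5004) is inferred from the table, and a port is treated as open when no deny was logged for it.

```python
import re
from collections import defaultdict

# Constructed deny-log lines in a hypothetical format (not real firewall output).
SAMPLE_DENIES = """\
DENY out src=10.1.1.20 dst=203.0.113.10 proto=UDP dport=5004
DENY out src=10.1.1.20 dst=203.0.113.10 proto=UDP dport=33434
DENY out src=10.1.2.30 dst=203.0.113.11 proto=UDP dport=5004
DENY out src=10.1.2.30 dst=203.0.113.11 proto=UDP dport=33434
DENY out src=10.1.2.30 dst=203.0.113.11 proto=TCP dport=5004
DENY out src=10.1.3.40 dst=198.51.100.7 proto=TCP dport=443
DENY out src=10.1.4.50 dst=203.0.113.12 proto=UDP dport=5004
DENY out src=10.1.4.50 dst=203.0.113.12 proto=UDP dport=33434
"""
LINE = re.compile(r"DENY out src=(\S+) dst=\S+ proto=(UDP|TCP) dport=(\d+)")


def denied_by_source(log_text):
    """Map each internal source IP to the set of (protocol, port) pairs denied for it."""
    denied = defaultdict(set)
    for match in LINE.finditer(log_text):
        src, proto, port = match.groups()
        denied[src].add((proto, int(port)))
    return dict(denied)


def media_path(denied, spark_board=False):
    """Return the first media transport with no logged deny, or None if all are blocked."""
    candidates = [("UDP", 5004), ("UDP", 33434)]   # 33434 is the deprecated probe port
    if not spark_board:
        candidates.append(("TCP", 5004))           # TCP fallback: all except Spark Board
    for proto, port in candidates:
        if (proto, port) not in denied:
            return f"{proto}/{port}"
    return None


def audit(log_text, spark_boards=()):
    """Per source IP: remaining media transport and whether TLS 443 signaling is denied."""
    return {
        src: {"media": media_path(denied, spark_board=src in spark_boards),
              "signaling_blocked": ("TCP", 443) in denied}
        for src, denied in denied_by_source(log_text).items()
    }


if __name__ == "__main__":
    for src, result in audit(SAMPLE_DENIES, spark_boards={"10.1.4.50"}).items():
        print(src, result)
```

A client reported as `TCP/5004` or `UDP/33434` still works but is not on the preferred UDP 5004 path, which is usually the rule to fix first.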

   

Cisco Spark Call

        
                                           
| Source IP | Destination IP | Destination Port | Protocol | Description | Devices using this rule |
|---|---|---|---|---|---|
| Your Networks | ANY | 123 | UDP | NTP time synchronization | Desk Phones (8800 and 7800 series) |
| Your Networks | ANY | 3478 | UDP | Audio, Video | Desk Phones (8800 and 7800 series) |
| Your Networks | ANY | 24000-29999, 36000-59999 | UDP | SRTP audio & video media | Desk Phones (8800 and 7800 series) |
| Your Networks | ANY | 5061 | TLS | SIP signaling | Desk Phones (8800 and 7800 series) |
| Your Networks | ANY | 8443 | TLS | Signaling | Desk Phones (8800 and 7800 series) |
   

Hybrid Media Node

       

The Cisco Spark Hybrid Media Node provides a destination for media traffic on your network. Instead of all media going to Cisco Collaboration Cloud, it can remain on your network, for reduced Internet bandwidth usage and increased media quality. It requires the ports and protocols listed in the Hybrid Media Service Deployment Guide to be permitted in your firewall rules.

   

URLs

       

The following table describes the URLs that are used by Cisco Spark. If you use an HTTP/HTTPS proxy, ensure these URLs can be accessed. For details on how Cisco Spark handles data sent to those URLs, see the Cisco Spark Security and Privacy whitepaper.

     
                                                             
| URL | Description | Devices using this URL |
|---|---|---|
| *.adobedtm.com | Marketing & analytics | Cisco Spark Web app |
| *.appsflyer.com | Marketing campaign information | iOS, Android apps |
| *.ciscospark.com | Cisco Spark services | All |
| *.clouddrive.com | E2E-encrypted files uploaded to Cisco Spark spaces | All |
| *.crashlytics.com | Diagnostic & troubleshooting data | All |
| *.docker.io | Hybrid Services Containers | Hybrid Services |
| *.clients3.google.com/generate_204 | Captive portal detection | Room Devices (DX, MX, SX, and Room Kit) |
| gds.huron-dev.com | Global Discovery Service - onboarding | Room Devices (DX, MX, SX, and Room Kit), Cisco Spark Board |
| *.huron-dev.com | Cisco Spark Call services | Desk Phones (8800 & 7800 series) |
| *.omtrdc.net | Marketing & usage telemetry | Cisco Spark Web app |
| *.optimizely.com | A/B testing & metrics | Cisco Spark Web app |
| *.rackcdn.com | Software/firmware updates | All |
| *.webex.com | Authentication and WebEx integration | All |
| *.wbx2.com | Cisco Spark services | All |
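When these wildcard entries are turned into a proxy allowlist, the match has to respect the DNS label boundary, otherwise look-alike hostnames pass the filter. The following added example (not Cisco code) shows one way to match the table's entries; the function names and sample hostnames are constructed, and it assumes that a `*.` entry covers subdomains only and that an entry with a path must match that path exactly.

```python
from urllib.parse import urlsplit

# URL patterns copied from the table above.
SPARK_PATTERNS = [
    "*.adobedtm.com", "*.appsflyer.com", "*.ciscospark.com", "*.clouddrive.com",
    "*.crashlytics.com", "*.docker.io", "*.clients3.google.com/generate_204",
    "gds.huron-dev.com", "*.huron-dev.com", "*.omtrdc.net", "*.optimizely.com",
    "*.rackcdn.com", "*.webex.com", "*.wbx2.com",
]


def host_matches(host, pattern_host):
    """Match a hostname against an exact name or a '*.' wildcard entry."""
    host = host.lower().rstrip(".")      # normalise case and a trailing root dot
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]        # keep the dot: ".ciscospark.com"
        # The leading dot is the label boundary; a bare endswith("ciscospark.com")
        # would also accept "evilciscospark.com".
        # Assumption: the wildcard covers subdomains only, not the bare domain.
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern_host


def is_allowed(url, patterns=SPARK_PATTERNS):
    """Return True if the URL's host (and path, where the entry has one) is listed."""
    parts = urlsplit(url)
    host = parts.hostname                # excludes any userinfo and port
    if not host:
        return False
    for pattern in patterns:
        pattern_host, slash, pattern_path = pattern.partition("/")
        if not host_matches(host, pattern_host.lower()):
            continue
        # Entries without a path allow any path; entries with one are exact.
        if not slash or parts.path == "/" + pattern_path:
            return True
    return False


def not_allowed(urls, patterns=SPARK_PATTERNS):
    """Filter requested URLs down to those the allowlist would reject."""
    return [u for u in urls if not is_allowed(u, patterns)]


if __name__ == "__main__":
    # Constructed request URLs; the hostnames are illustrative only.
    sample = ["https://host1.ciscospark.com/", "https://evilciscospark.com/",
              "https://ciscospark.com.example.net/login",
              "http://www.clients3.google.com/generate_204"]
    print(not_allowed(sample))
```

Without TLS inspection a proxy sees only the hostname of an HTTPS request, so the path check applies only to plain HTTP or inspected traffic.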
   

HTTP Proxy Support

       

When Cisco Spark is running on a macOS or Windows operating system, it automatically uses the configured proxy. Other platforms do not currently support proxies.

     
                                              
| Product | Authentication | Auto Discovery | PAC Support |
|---|---|---|---|
| Cisco Spark for Mac | None | OS provided | OS provided |
| Cisco Spark for Windows | None, Negotiate, NTLM | OS provided | OS provided |
| Cisco Spark for iOS | N/A | N/A | N/A |
| Cisco Spark for Android | N/A | N/A | N/A |
| Room Devices (SX, DX, MX, and Room Kit series) | N/A | N/A | N/A |
| Cisco Spark Board | N/A | N/A | N/A |
| Cisco Spark Call Phones (8800 and 7800 series) | N/A | N/A | N/A |
| Hybrid Media Node | N/A | N/A | N/A |
   

HTTPS Inspection and Certificate Pinning

       

Cisco Spark validates the certificates of the systems it communicates with. It does this by ensuring that the certificates presented when establishing a TLS session can be validated against the list of trusted root CAs installed in the operating system of the device. Cisco Spark also ensures that the certificate is not issued by a known malicious or compromised CA.

    

If you have deployed a TLS-inspecting device, ensure that the certificate it presents has a trust chain allowing successful validation on devices running the Cisco Spark app. This requires installing a CA certificate into the operating system of the device.

    

The following table lists support for custom trusted root CAs installed in the operating system, as described above.

     
                                    
| Product | Supports Custom Trusted CAs | Notes |
|---|---|---|
| Cisco Spark for iOS | No | |
| Cisco Spark for Android | No | |
| Cisco Spark for Mac | Yes | |
| Cisco Spark for Windows | Yes | |
| Room Devices (SX, DX, MX, and Room Kit series) | Yes | Requires support ticket* |
| Cisco Spark Board | No | |
| Cisco Spark Call Phones (8800 and 7800 series) | No | |
| Hybrid Media Node | No | |
    

*In order for Cisco Spark Room devices and Cisco Spark Board to obtain the CA certificate necessary to validate communication through your TLS-inspecting proxy, please contact your CSM or open a case with the Cisco TAC.

   

Bandwidth Requirements

        
             
| Bandwidth Level | Grade |
|---|---|
| Greater than 2 Mbps | Good |
| Less than 2 Mbps but greater than 100 Kbps | Fair |
| Less than 100 Kbps | Poor |
    

The bandwidth levels apply to all Cisco Spark services. They are based specifically on video bandwidth requirements, for example, a video call through the Cisco Spark app, a supported phone, or a room system.

    

Note: These bandwidth levels are not required for audio-only calls, but we recommend that you use the video bandwidth requirements as a guideline.

   

Bandwidth Information for Phone Calls

       

Audio Bandwidth for Phones

    

Based on the codecs being used by the service, we recommend that you allot 80 Kbps bandwidth for each audio-only desk phone or endpoint. For example, for one connection, allot 80 Kbps for audio. For ten simultaneous connections, allot 800 Kbps.

    

Video Bandwidth for Phones

    

The 8800 series desk phones determine video quality. These phones find the highest bandwidth level they can maintain, and they move this level up or down as needed. The bandwidth can range from 64 Kbps up to 2.5 Mbps.

    

We recommend that you allot at least 2 Mbps of bandwidth for each video device (for video and audio streams). For example, for one connection, allot 2 Mbps for video and audio. For ten simultaneous connections, allot 20 Mbps.

    

An Example of Total Bandwidth Requirements for Each Phone

    

A call within your customer's organization between two on-site users is considered two simultaneous connections.

    

For audio-only phones such as the 78xx series, we recommend that you allot 80 Kbps per phone. For an audio call between two users on one site, 160 Kbps per call (two connections) is required.

    

For video endpoints such as the 88xx series, we recommend that you allow 2 Mbps per video endpoint. For a video call between two users on one site, 4 Mbps per call (two connections) is required.

    

Caution: If bandwidth minimums are not met, users may experience degraded media quality and dropped calls.

    

For example, in a trial in which two video endpoints and three audio endpoints are deployed, the trial setup requires a minimum of 4.24 Mbps. Here is how that bandwidth requirement is calculated:

    
  • Video: 2 Mbps x 2

  • Audio: 80 Kbps x 3

  • Total: 4 Mbps + 240 Kbps = 4.24 Mbps

         

   

Bandwidth Information for Cisco Spark Board

       

Cisco Spark Board uses the following minimum bandwidth for resolution/frame rate:

    
  • 720p30 from 768 Kbps

  • 1080p30 from 1.72 Mbps

         

    

For multipoint calls, up to 4.3 Mbps transmit and 10 Mbps receive is required.

   

Bandwidth Information for Cisco Spark Room Devices

       

Depending on the model, a room device can use up to 3 or 6 Mbps up and down, if available. In all cases, the system can use the minimum bandwidth level, as low as 64 Kbps, if the network is constrained.

     
             
| Model or Series | Bandwidth Up and Down | Video and Content Quality |
|---|---|---|
| SX10 and DX80 | Up to 3 Mbps | 720p30 for main video, 1080p5 for content |
| SX20, SX80, MX series, Room Kit & Room Kit Plus | Up to 6 Mbps | 1080p30 for main video and content |
    

For point-to-point calls, the room device sends 1080p30 if 2.2 Mbps is allocated. For multipoint calls, 3 Mbps is required to send 1080p30.

   
 
