Cisco Systems ASR 1000 manual DBE Signaling Pinhole Support, DBE Restrictions

Chapter 7 H.248 Services—Signaling and Control

DBE Signaling Pinhole Support

DBE Signaling Pinhole Support allows the media gateway controller (MGC) to directly control policing of signaling flows through the SBC interfaces on the DBE. The policing is at a per signaling flow level, via the H.248 association between the MGC and the DBE. The feature removes the need to have a separate firewall device to protect the MGC.

Without this feature, signaling packets are addressed to the SBE, and the DBE acts as a router, forwarding the packets to the SBE. With this feature enabled, the DBE can police signaling packets using the ETSI TS 102 333 Traffic Management (Tman) package. The DBE has application-level pinholes created to allow those packets to be forwarded to the SBE. Normal IP forwarding is disabled on the SBC interfaces of the DBE.

DBE Signaling Pinhole Support includes the following functionality:

The DBE only forwards traffic that is received on a configured pinhole. The packet must be addressed to a VPN, address, or port on an SBC interface on the DBE.

Signaling pinholes are configured in the same way as media pinholes over H.248. They can be differentiated from media pinholes by session descriptions as defined in the Session Description Protocol (SDP) in the local and remote descriptors. The “m=application” line indicates that the termination is a signaling pinhole.

The data rate through a signaling pinhole can be unlimited.

The MGC can specify the VPN, address, and port of the pinhole on the DBE when it is created. This must be selected from the address and port range available on the DBE, and must not already have been allocated for another use. This function is intended to be used for signaling pinholes, but it can be used for any pinhole. The address and port range available must be separately configured on both the MGC and the DBE.

Each endpoint must have a signaling pinhole associated with it in order for it to communicate with the SIP server.

Signaling pinholes are forwarded in the same way as media pinholes; that is, packets are forwarded after the policing bandwidth usage is checked and the IP header is re-written. The only exception is that signaling pinholes do not time out if the flow of signaling packets stops.

Signaling pinholes can be used for traffic other than SIP, such as non-RTP media streams of any kind. However, if you want policing, you must specify a bandwidth limit using the Traffic Management (Tman) package.
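The following added example is not from the Cisco guide. It classifies terminations as signaling or media pinholes from the m= lines of their local and remote descriptors, and lists signaling pinholes that carry no Tman bandwidth limit and are therefore unpoliced. The Termination record, its field names, and the sample SDP are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Termination:
    """Hypothetical record of one H.248 termination (not Cisco's data model)."""
    name: str
    local_sdp: str
    remote_sdp: str
    tman_limit_bps: Optional[int] = None  # None: no Tman bandwidth limit requested

def media_types(sdp: str) -> List[str]:
    """Media type of each SDP m= line: m=<media> <port> <proto> <fmt>."""
    types = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if fields:
                types.append(fields[0].lower())
    return types

def classify(term: Termination) -> str:
    """'signaling' if either descriptor carries m=application, else 'media'."""
    kinds = media_types(term.local_sdp) + media_types(term.remote_sdp)
    if not kinds:
        return "unknown"  # no m= line at all: the pinhole type cannot be determined
    return "signaling" if "application" in kinds else "media"

def audit(terms: List[Termination]) -> List[Tuple[str, str, bool]]:
    """Return (name, kind, policed); a pinhole is policed only with a Tman limit."""
    return [(t.name, classify(t), t.tman_limit_bps is not None) for t in terms]

def unpoliced_signaling(terms: List[Termination]) -> List[str]:
    """Names of signaling pinholes whose data rate is unlimited."""
    return [n for n, kind, policed in audit(terms) if kind == "signaling" and not policed]

# Constructed sample descriptors (addresses from documentation ranges).
SAMPLE = [
    Termination("sig-a", "c=IN IP4 192.0.2.10\nm=application 5060 udp SIP",
                "c=IN IP4 198.51.100.7\nm=application 5060 udp SIP", 64000),
    Termination("sig-b", "c=IN IP4 192.0.2.10\nm=application 5062 udp SIP",
                "c=IN IP4 198.51.100.8\nm=application 5060 udp SIP"),
    Termination("rtp-a", "c=IN IP4 192.0.2.10\nm=audio 16400 RTP/AVP 0",
                "c=IN IP4 198.51.100.7\nm=audio 20000 RTP/AVP 0", 80000),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("unpoliced signaling pinholes:", unpoliced_signaling(SAMPLE))
```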

DBE Restrictions

The following are DBE restrictions for DBE Signaling Pinhole Support:

The endpoint must still send its signaling to a local address that is owned by the DBE and configured as a media address.

If a signaling port range is not configured, then by default the range is the same as that for media ports (16384 to 32767). For this reason, it is recommended that a signaling port range is explicitly configured. The configured range must not clash with the address and port used by the media gateway for its connection to the MGC. You need to ensure this configuration is entered consistently.
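The following added example is not from the Cisco guide. It audits a signaling port range against the restriction above and checks an MGC-specified pinhole address and port against the rules given earlier for MGC-selected pinholes. The DbeConfig model and all sample values are hypothetical, and the VPN is left out for brevity.

```python
from typing import List, NamedTuple, Optional, Set, Tuple

MEDIA_DEFAULT = (16384, 32767)  # default media port range stated in the guide

class DbeConfig(NamedTuple):
    """Hypothetical model of the relevant DBE settings (not Cisco's schema)."""
    address: str                               # local address used for pinholes
    signaling_range: Optional[Tuple[int, int]]  # None: not explicitly configured
    control: Tuple[str, int]                   # local address, port of the H.248 link

def effective_range(dbe: DbeConfig) -> Tuple[int, int]:
    """An unconfigured signaling range falls back to the media port range."""
    return dbe.signaling_range or MEDIA_DEFAULT

def audit(dbe: DbeConfig, mgc_range: Tuple[int, int]) -> List[str]:
    """Return findings for the port-range restriction; an empty list means clean."""
    findings = []
    lo, hi = effective_range(dbe)
    if dbe.signaling_range is None:
        findings.append("signaling range not configured: shares media ports 16384-32767")
    ctl_addr, ctl_port = dbe.control
    if ctl_addr == dbe.address and lo <= ctl_port <= hi:
        findings.append("signaling range clashes with the H.248 control address and port")
    if mgc_range != (lo, hi):
        findings.append("MGC and DBE are configured with different ranges")
    return findings

def admit(dbe: DbeConfig, allocated: Set[Tuple[str, int]], address: str, port: int) -> str:
    """Decide whether an MGC-specified pinhole address and port is acceptable."""
    lo, hi = effective_range(dbe)
    if address != dbe.address or not lo <= port <= hi:
        return "reject: outside the configured address and port range"
    if (address, port) in allocated:
        return "reject: already allocated for another use"
    return "accept"

if __name__ == "__main__":
    # Constructed values: documentation addresses and an assumed control port of 2944.
    clash = DbeConfig("192.0.2.10", (2000, 3000), ("192.0.2.10", 2944))
    good = DbeConfig("192.0.2.10", (5060, 5080), ("192.0.2.10", 2944))
    print(audit(clash, (5060, 5080)))
    print(audit(good, (5060, 5080)))
    print(admit(good, {("192.0.2.10", 5060)}, "192.0.2.10", 5060))
    print(admit(good, {("192.0.2.10", 5060)}, "192.0.2.10", 5061))
```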

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01

 

 
