Cisco Systems ASR 1000 manual Firewall Media Pinhole Control, Address Reporting Package

Chapter 8 Integrated Session Border Controller Security

Firewall (Media Pinhole Control)

The SBE Call Admission Control (CAC) function inspects the signaling message and instructs the firewall in the DBE to open and close pinholes as needed for the media streams and signaling.

H.248 Address Reporting Package

The data border element (DBE) supports the H.248 Address Reporting (adr) package, defined in “Draft New H.248.37 Amendment 1”, ITU-T document TD-27. The adr package extends the existing IP NAPT Traversal (ipnapt) package, and adds a new Remote Source Address Change (rsac) event with two parameters: New Remote Source Address (nrsa), and New Remote Source Port (nrsp).

The rsac event is generated by the media gateway (MG) when the remote source address for the termination changes (that is, when a stream latches), and is used to report the newly detected remote source address and port to which the stream has been latched.

The event is generated in both the LATCH and RELATCH scenarios. The DBE reports the event subscription with the audit response when the media gateway controller (MGC) audits the packages.

For further information on support for the H.248 IP NAPT Traversal package, see the “IP NAPT Traversal Package and Latch and Relatch Support” section on page 8-3.

DBE Restrictions

The following are restrictions for adr package support:

The MGC must explicitly subscribe for the rsac event.

The adr package can be used only in conjunction with the IP NAPT Traversal package.
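To make the latch/relatch reporting concrete, here is an added Python model (not Cisco's code) of a DBE media pinhole that raises the adr/rsac event with nrsa and nrsp on both LATCH and RELATCH, but only once the MGC has subscribed. It assumes, as a simplification, that any change of remote source re-latches the stream; the termination name, addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class MediaPinhole:
    """Model of one DBE media termination using ipnapt latching.

    remote is unknown until the first packet arrives (LATCH); a packet
    from a different source afterwards re-latches the stream (RELATCH).
    Both scenarios generate adr/rsac if the MGC subscribed to it.
    """
    termination: str                      # constructed termination name
    rsac_subscribed: bool = False         # MGC must subscribe explicitly
    remote: Optional[Tuple[str, int]] = None
    events: List[dict] = field(default_factory=list)

    def subscribe_rsac(self) -> None:
        self.rsac_subscribed = True

    def on_packet(self, src_ip: str, src_port: int) -> Optional[str]:
        """Process an inbound media packet; return 'LATCH', 'RELATCH' or None."""
        new = (src_ip, src_port)
        if self.remote == new:
            return None                    # same source, nothing to report
        kind = "LATCH" if self.remote is None else "RELATCH"
        self.remote = new                  # simplification: always re-latch
        if self.rsac_subscribed:
            # Report the newly detected remote source address and port.
            self.events.append({"event": "adr/rsac", "scenario": kind,
                                "termination": self.termination,
                                "nrsa": src_ip, "nrsp": src_port})
        return kind

    def audit_events(self) -> List[str]:
        """Subscribed events that an MGC package audit would see."""
        return ["adr/rsac"] if self.rsac_subscribed else []

def mgc_relatch_alerts(events: List[dict]) -> List[str]:
    """MGC-side review: a RELATCH means the media source moved mid-stream,
    which is worth logging and correlating with signaling."""
    return [f"{e['termination']} relatched to {e['nrsa']}:{e['nrsp']}"
            for e in events if e["scenario"] == "RELATCH"]
```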

H.248 Session Failure Reaction Package

The data border element (DBE) supports the H.248 Session Failure Reaction (SFR) package. From a security point of view, the media gateway controller (MGC) can put a termination out of service when the H.248 connection between the MGC and media gateway (MG) is lost.

For more information on the SFR package, see the “H.248 Session Failure Reaction Package” section on page 6-3.

H.248 Termination State Control Package

The data border element (DBE) supports the Termination State Control (TSC) package to monitor signaling pinholes.

The “tsc-quiesce” feature of the TSC package helps the media gateway controller (MGC) monitor a signaling pinhole and put the pinhole in “not-in-service” mode when all terminations are subtracted.

For more information on the TSC package, see the “H.248 Termination State Control Package” section on page 6-4.

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

8-2

OL-15421-01
