Cisco Systems ASR 1000 manual Interim Authentication Header Support, Latch and Relatch Support

Chapter 8 Integrated Session Border Controller Security

Interim Authentication Header Support

Interim Authentication Header (IAH) Support adds protocol-level support for inserting an IAH into H.248 messages with every field of the header set to zero. The DBE can send and receive these null IAH headers. Because all fields are zero, a null IAH carries no integrity value: it satisfies a peer that expects the header to be present, but it does not authenticate the message.

DBE Restrictions

The following is a restriction of Interim Authentication Header (IAH) Support:

The data border element (DBE) checks only that received messages are syntactically correct. It does not require that an IAH be present, and it does not verify the contents of an IAH that is present.

Related Commands

The interim-auth-header keyword is added to the transport command to insert the IAH into H.248 messages.
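The header and the syntax-only check described above, as an added example in Python that is not Cisco's code: it builds an H.248 text-encoded message carrying a null IAH, parses the header according to the H.248.1 text-encoding grammar (AuthToken, then 0x-prefixed hex SPI, sequence number and AuthData separated by colons), and shows that a DBE-style check accepts a message with no header at all and rejects only a malformed one. The sample message, the field names and the iah_authenticates helper are this example's own assumptions.

```python
"""Build and check H.248 text-encoded messages carrying an Interim
Authentication Header (IAH). Added example, not Cisco code. The header
grammar follows the H.248.1 text encoding; the message body is a
constructed sample, not a capture from a real DBE."""
import re

# H.248.1 text-encoding ABNF for the authentication header:
#   AuthToken = "Authentication" / "AU"
#   SecurityParmIndex = "0x" 8HEXDIG, SequenceNum = "0x" 8HEXDIG,
#   AuthData = "0x" 24*64HEXDIG, followed by the message itself
IAH_RE = re.compile(
    r"^\s*(?:Authentication|AU)\s*=\s*"
    r"0x(?P<spi>[0-9A-Fa-f]{8}):"
    r"0x(?P<seq>[0-9A-Fa-f]{8}):"
    r"0x(?P<auth>[0-9A-Fa-f]{24,64})"
    r"\s+(?P<message>MEGACO/\d.*)$",
    re.DOTALL,
)


def null_iah() -> str:
    """The null IAH the DBE can send and receive: every field zero,
    with the 12-octet AuthData that is the minimum the grammar allows."""
    return "Authentication=0x00000000:0x00000000:0x" + "00" * 12


def with_iah(message: str, header=None) -> str:
    """Prepend an IAH to an H.248 message, as the transport
    interim-auth-header keyword makes the DBE do (null IAH by default)."""
    return (header or null_iah()) + " " + message


def parse_iah(wire: str):
    """Return (header_fields or None, message).

    Mirrors the DBE restriction on the page: a header that is present is
    checked for syntax only, and a message with no IAH is accepted as-is.
    A header that starts like an IAH but does not parse is rejected."""
    m = IAH_RE.match(wire)
    if m is None:
        if re.match(r"^\s*(?:Authentication|AU)\s*=", wire):
            raise ValueError("malformed Interim Authentication Header")
        return None, wire.strip()
    fields = {
        "spi": int(m["spi"], 16),
        "seq": int(m["seq"], 16),
        "auth": bytes.fromhex(m["auth"]),
    }
    return fields, m["message"]


def iah_authenticates(fields) -> bool:
    """Assumed helper: a null IAH (SPI 0, seq 0, all-zero AuthData) proves
    nothing about the message. Only a non-zero AuthData under a real SPI
    is a candidate for verification against a configured key."""
    return fields is not None and fields["spi"] != 0 and any(fields["auth"])


# Constructed sample H.248 message (ServiceChange on the ROOT termination).
SAMPLE_MESSAGE = (
    "MEGACO/3 [192.0.2.10]:2944 Transaction = 1 { "
    "Context = - { ServiceChange = ROOT { Services { Method = Restart } } } }"
)
```

Feeding with_iah(SAMPLE_MESSAGE) to parse_iah yields all-zero fields and the original message, and iah_authenticates reports False for it, which is the practical meaning of the restriction: a peer that only checks syntax gains no message integrity from the header.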

IP NAPT Traversal Package and Latch and Relatch Support

The data border element (DBE) supports the IP NAPT Traversal (IP NAPT) package defined in H.248.37. IP NAPT traversal is an alternative to the existing NAT Traversal (NTR) package, defined in ETSI TS 102 333. The IP Network Address and Port Translation (IP NAPT) package defines a latch signal whose napt parameter selects Latch or Relatch behavior, controlling how the DBE learns the remote address of an endpoint behind a Network Address Translation (NAT) device.

The NAPT package variant is selected through a new field, napt_variant, in the bcaGalEntTable MIB table. If this field is set to "H.248.37," the media gateway controller (MGC) can request NAPT support using the H.248.37 IP NAPT Traversal package. In other words, the MGC can request that the DBE wait for the first inbound media packet and "latch" onto it: the DBE learns the remote address and port for the flow from that packet. The MGC requests latching or relatching with the ipnapt/latch signal.

Latch and Relatch Support

The DBE supports Latch and full Relatch. Latch and Relatch are requested by the media gateway controller (MGC) and control how the DBE learns remote addresses. A latch is an event that occurs on a flow when packets that match the flow arrive; the event changes the admission criteria for that flow.

The ITU-T H.248.37 standard describes the ipnapt/latch signal with the napt parameter. The napt parameter has the values OFF, LATCH, and RELATCH.

When the LATCH value is set, the DBE ignores the addresses received in the RemoteDescriptor. Instead, the DBE uses the source address and source port from the incoming media streams to be the destination address and destination port of the outgoing streams.

The RELATCH value is similar to LATCH except that, when the DBE detects a change of source IP address and port on the incoming media stream, the new source IP address and port become the destination address and port for outgoing packets. After relatching, any packets received with the old source address and port are discarded. In both modes the DBE trusts the source of whatever packet reaches the flow: with LATCH the first packet decides the remote endpoint, and with RELATCH any later packet from a new source redirects the outgoing media, so RELATCH is appropriate only where a change of source is expected, such as after a NAT binding changes.
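The OFF, LATCH and RELATCH behavior above, as an added example in Python (not Cisco's code) that models a single media flow: the RemoteDescriptor address, the source latched from inbound media, and whether each inbound packet is admitted. The Flow class, its event log and the optional allowed_src prefix filter are this example's own assumptions (the filter is an illustrative mitigation, not part of H.248.37), and the addresses are constructed documentation addresses. demo() shows why RELATCH needs care: a host at a different address that reaches the pinhole becomes the destination of the outgoing media unless something limits which sources may latch.

```python
"""Model of how a DBE learns a flow's remote address under the H.248.37
ipnapt/latch signal (napt = OFF, LATCH or RELATCH). Added example, not
Cisco code; the allowed_src prefix filter is this example's own addition."""
import ipaddress
from dataclasses import dataclass, field

OFF, LATCH, RELATCH = "OFF", "LATCH", "RELATCH"


@dataclass
class Flow:
    remote: tuple                 # (ip, port) signalled in the RemoteDescriptor
    napt: str = OFF               # value of the napt parameter
    allowed_src: str = None       # assumed filter, e.g. "198.51.100.0/24"; None = any
    learned: tuple = None         # (ip, port) latched from inbound media
    stale: set = field(default_factory=set)    # sources superseded by a relatch
    events: list = field(default_factory=list)

    def destination(self):
        """Destination for outgoing packets: the RemoteDescriptor address
        with napt OFF, otherwise the latched source (None until the first
        inbound packet has arrived)."""
        return self.remote if self.napt == OFF else self.learned

    def _permitted(self, src):
        """Assumed source-prefix filter; H.248.37 itself has no such check."""
        if self.allowed_src is None:
            return True
        return ipaddress.ip_address(src[0]) in ipaddress.ip_network(self.allowed_src)

    def inbound(self, src):
        """Process one inbound media packet with source (ip, port).
        Returns True if the packet is admitted to the flow."""
        if self.napt == OFF:
            return src == self.remote          # assumed: plain pinhole, source must match
        if not self._permitted(src):
            self.events.append(("filtered", src))
            return False
        if self.learned is None:               # latch: the first packet fixes the remote
            self.learned = src
            self.events.append(("latch", src))
            return True
        if src == self.learned:
            return True
        if self.napt == LATCH:                 # latched: other sources are not admitted
            return False
        if src in self.stale:                  # RELATCH: old source after a relatch is discarded
            return False
        self.stale.add(self.learned)           # RELATCH: source changed, re-learn it
        self.learned = src
        self.events.append(("relatch", src))
        return True


def demo():
    """Two RELATCH flows fed the same packets: the legitimate endpoint first,
    then a host at another address. Without a filter the second host becomes
    the destination of the outgoing media; with the filter it does not."""
    legit, other = ("198.51.100.7", 40000), ("203.0.113.9", 5555)
    open_flow = Flow(remote=legit, napt=RELATCH)
    guarded = Flow(remote=legit, napt=RELATCH, allowed_src="198.51.100.0/24")
    for flow in (open_flow, guarded):
        flow.inbound(legit)
        flow.inbound(other)
    return open_flow.destination(), guarded.destination()
```

With LATCH the same second packet is simply not admitted and the destination stays with the first source; with RELATCH it is admitted and the old source is discarded afterwards, exactly the sequence the text describes, which is what makes the choice of napt value a security decision rather than only a NAT-traversal one.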

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

 

OL-15421-01