Cisco Systems ASR 1000 manual Local Source Properties Address and Port


Chapter 8 Integrated Session Border Controller Security

Local Source Properties (Address and Port)

When latching, the DBE uses the remote address and port of a source endpoint as the destination endpoint address and port if the source IP address is within a specified Gate Management/remote source address mask (gm/rsam). This means that any packet from within the subnet defined by the gm/rsam can be latched. The Relatch event waits until a packet arrives that fails the latched admission criteria but meets the relatch criteria. The relatch may require stricter admission criteria than the original latching; for example, packets may have to come from a specific remote address rather than from anywhere within the subnet. Alternatively, the relatch criteria might identify a different subnet. In relatching, one reason for the change in the source IP address and port could be a subscriber requiring a different service.

When the ntr package is in use, the DBE continues to attempt to relearn remote addresses and ports following any H.248 operation that modifies a termination whose endpoint is behind a NAT. Relearning continues to be timed out if no packets from a new remote source address and port are received within a suitable period.

When the ipnapt package is in use, the DBE does not attempt to relearn remote addresses and ports unless a Relatch is explicitly signaled by the MGC. Relatching is not timed out.
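The latch and explicit Relatch behavior described above can be modeled in a few lines. This is an added example, not Cisco code: the class, method names and addresses are constructed, and it assumes the latched admission criteria are an exact match on the latched address and port.

```python
import ipaddress

class Termination:
    """Simplified model of one termination's latch state (illustrative only)."""

    def __init__(self, gm_rsam):
        self.admit = ipaddress.ip_network(gm_rsam)  # gm/rsam: sources allowed to latch
        self.latched = None   # (address, port) learned from the first admitted packet
        self.relatch = None   # relatch criteria, set only while a Relatch is pending

    def signal_relatch(self, criteria):
        """Explicit Relatch from the MGC; criteria may be one host or another subnet."""
        self.relatch = ipaddress.ip_network(criteria)

    def on_packet(self, src_ip, src_port):
        src = (ipaddress.ip_address(src_ip), src_port)
        if self.latched is None:
            if src[0] in self.admit:
                self.latched = src      # any host inside the mask can win the latch
                return "latched"
            return "rejected"
        if src == self.latched:
            return "forwarded"
        # Packet fails the latched criteria: only a pending Relatch can admit it.
        if self.relatch is not None and src[0] in self.relatch:
            self.latched, self.relatch = src, None
            return "relatched"
        return "rejected"

def demo():
    t = Termination("192.0.2.0/24")              # constructed documentation addresses
    out = [t.on_packet("203.0.113.9", 5004),     # outside the gm/rsam
           t.on_packet("192.0.2.10", 5004),      # first in-mask packet latches
           t.on_packet("192.0.2.10", 5004),      # latched source
           t.on_packet("192.0.2.77", 6000)]      # same subnet, not the latched source
    t.signal_relatch("198.51.100.25/32")         # stricter: one specific remote address
    out += [t.on_packet("198.51.100.26", 7000),  # fails the relatch criteria
            t.on_packet("198.51.100.25", 7000),  # meets the relatch criteria
            t.on_packet("192.0.2.10", 5004)]     # old source is no longer admitted
    return out

if __name__ == "__main__":
    print(demo())
```

The model makes the exposure visible: before the latch, the only admission control is the width of the gm/rsam, so a narrower mask leaves fewer hosts able to claim the flow.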

DBE Restrictions

The following are restrictions of DBE support for the IP NAPT Traversal (ipnapt) package and Latch and Relatch:

The DBE only supports either the NTR package or the IP NAPT Traversal package for a termination. You can configure either package with the h248-napt-package command.

The DBE does not generate the notifyComplete signal when the Latch or Relatch signal completes.

With the IP NAPT Traversal package, the DBE does not automatically relatch on receipt of an H.248/Megaco request that modifies the gm/sam. If a Relatch is required, it must be explicitly signaled by the MGC. In addition, you cannot update the remote source address mask so that it no longer contains the previously latched remote address without signaling a Relatch.

Related Commands

The h248-napt-package command defines which H.248 package (either ipnapt or ntr) the DBE uses for signaling NAT features.

Local Source Properties (Address and Port)

The data border element (DBE) is enhanced to support multiple terminations that share a single local address and port. The Gate Management/remote source address mask (gm/rsam) defines a remote subnet. The mask length is a property of the local address and port combination. Only multiple terminations that share the same local address and port are required to have the same gm/rsam length. Terminations with different local addresses or ports can have different gm/rsam lengths.

A gm/rsam having the same mask length allows multiple terminations to share a single local address and port combination, with the requirement that the terminations are configured with gm/rsams that are distinct. This enables the media gateway controller (MGC) to identify and match the terminations to the correct flow. For more information about Local Source Address and Local Source Port properties, see the ETSI TS 102 333 V1.1.2 Gate Management Package.
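The two rules above (equal gm/rsam length per shared local address and port, and distinct gm/rsams) can be checked mechanically before provisioning. The following is an added example, not part of the Cisco guide: the function names, tuple layout and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def check_shared_local(terminations):
    """Return rule violations for terminations that share a local address/port.

    terminations: iterable of (name, local_addr, local_port, gm_rsam) tuples.
    """
    groups = defaultdict(list)
    for name, addr, port, mask in terminations:
        groups[(addr, port)].append((name, ipaddress.ip_network(mask)))
    problems = []
    for local, members in groups.items():
        lengths = {net.prefixlen for _, net in members}
        if len(lengths) > 1:
            problems.append(f"{local}: mixed gm/rsam lengths {sorted(lengths)}")
        seen = {}
        for name, net in members:
            if net in seen:
                problems.append(f"{local}: {name} and {seen[net]} share gm/rsam {net}")
            seen.setdefault(net, name)
    return problems

def match_termination(terminations, local_addr, local_port, src_ip):
    """Pick the termination whose gm/rsam contains the packet's source address."""
    src = ipaddress.ip_address(src_ip)
    for name, addr, port, mask in terminations:
        if (addr, port) == (local_addr, local_port) and src in ipaddress.ip_network(mask):
            return name
    return None

# Constructed sample data: t1 and t2 share 10.0.0.1:16384 with equal-length masks.
GOOD = [("t1", "10.0.0.1", 16384, "192.0.2.0/25"),
        ("t2", "10.0.0.1", 16384, "192.0.2.128/25"),
        ("t3", "10.0.0.1", 16386, "198.51.100.0/24")]   # other port: any length
# Constructed sample data: one mixed length and one duplicated mask.
BAD = [("t1", "10.0.0.1", 16384, "192.0.2.0/25"),
       ("t2", "10.0.0.1", 16384, "192.0.2.0/24"),
       ("t3", "10.0.0.1", 16384, "192.0.2.0/25")]

if __name__ == "__main__":
    print(check_shared_local(GOOD), check_shared_local(BAD))
    print(match_termination(GOOD, "10.0.0.1", 16384, "192.0.2.200"))
```

Distinct subnets of equal prefix length never overlap, so when the check passes, the source-address lookup has at most one matching termination.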

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

8-4

OL-15421-01

 

 
