Cisco Systems ASR 1000 manual Topology Hiding, Traffic Management Policing

Page 86

Chapter 8 Integrated Session Border Controller Security

Topology Hiding

Packets arriving at the SBC are classified into flows using the following data: VPN ID, destination address, destination port, protocol type, and source address. The source address is only required to match a remote source address mask rather than a specific remote address.

DBE Restrictions

The following are restrictions of data border element (DBE) support for this feature:

•If the remote source address mask is specified for a termination, then it must contain the address in the remote descriptor, unless NAT latching techniques are used. However if you want more than one flow on the same local address or port, then the local address must be MGC-managed.

•A prefix length of 0 for the remote source address mask is invalid.

•The MGC is only allowed to specify local addresses and ports that lie within configured address and port ranges.

Related Commands

•The media-address ipv4 command has dbe and mgc options that indicate whether an address pool is provided from which the DBE or MGC can allocate addresses.

•The new media-address pool ipv4 command creates a pool of sequential IPv4 media addresses that can be used by the DBE as local media addresses; the command also has dbe and mgc options.

Topology Hiding

Topology hiding is an important function of security because it protects the identity of the users and their network addresses. See Chapter 9, “Topology Hiding” for more information.

Traffic Management Policing

The data border element (DBE) supports the H.248 Traffic Management (Tman) package to police signaling and media streams. The DBE can also monitor packets coming from the access (customer) side and from the backbone (network core) side.

For more information on the Tman package, see the “H.248 Traffic Management Package Support” section on page 5-1.

Two-Rate Three-Color Policing and Marking

The data border element (DBE) supports Two-Rate Three-Color Policing and Marking to control the traffic coming from the user.

For more information on the Two-Rate Three-Color Policing and Marking feature, see the “Two-RateThree-Color Policing and Marking” section on page 5-5.

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

8-6	OL-15421-01

Image 86

Contents Americas Headquarters Page N T E N T S IiiQoS Bandwidth Allocation Traffic Management Package Support Local Source Properties Address and Port IPv6 Support ViiEvents Storage Until Event Acknowledgment Objectives PrefaceDocument Revision History OL-15421-01 May 5 This document was first publishedIntended Audience OrganizationCisco ASR 1000 Series Router Documentation Related DocumentationDocument Conventions Cisco IOS Release 12.2SR Software PublicationsXii Obtaining Documentation and Submitting a Service Request XiiiXiv General Overview ContentsCisco ASR 1000 Series Routers Overview Distributed and Unified Models Example of SBC High Level ArchitectureOn page 1-3illustrates the unified model Supported Integrated Session Border Controller Features Release Feature Name Related SBC Commands DocumentedPackage segment None Cisco IOS Logging Level in ConfiguringCisco IOS XE ReleaseMedia-address ipv4 Transaction-pending command Deployment of the Integrated Session Border ControllerIntegrated SBC Used for VoIP Interworking Integrated Session Border Controller DBE Deployment Scenario Restrictions for Integrated Session Border Controller Configuring Integrated Session Border ControllerPrerequisites for Integrated Session Border Controller Prerequisites Summary StepsEnters global configuration mode Enables privileged Exec modeEnter your password if prompted Enters into interface configuration modeConfigures the H.248 controller for the DBE and enters into Configures the DBE to use a specific IPv4 H.248 controlOwn address when connecting to the SBE Controller H.248 configuration modeExamples Troubleshooting TipsWhat To Do Next Configuring H.248 Logging Level Sets a specified logging level to generate detailed logs Creates the DBE service on the SBC and enters intoSBC-DBE configuration mode Messages sent and received. Turns on consoleEnabling H.248 Logging Requests and Responses Example H.248 Log Output Configuration ExamplesThis section provides the following configuration examples SBC DBE Configuration Steps Example Making Global Changes to Controllers Example Following example shows the initial SBC configuration == Make change to local portMaking Changes to Individual Controller Settings Example Control-address h248 ipv4 172.25.2.26 controller h248Cisco H.248 Profile Topology Priority Indicator Yes Emergency IndicatorIeps Indicator Yes Overview of ProfileProfile Packages Package ID VersionPackage ID Version Support Dependent On Dtmf Interworking Information About Dtmf InterworkingSIP to RTP Interworking Configuring Default Duration of a Dtmf EventRTP to SIP Interworking Name of the DBE service Enters the mode of a DBE service and enters into SBC-DBEConfiguration mode. Use the sbc-name argument to specify Configures the default duration of a Dtmf eventPage Prerequisites for Implementing Media Address Pools Restrictions for Configuring Media Address PoolsMedia Address Pools Configuring Media Address Pools Information About Media Address PoolsConfiguration mode Is configuredEnters into SBC-DBE configuration mode Creates a port range for the configured mediaConfiguring Media Address Pools Example Quality of Service and Bandwidth Management Traffic Management Package SupportPage Parameters on AC and per SDP on Dscp Marking and IP Precedence MarkingDscp Re-Markings QoS Bandwidth Allocation Rtcp Policing Using Tman PackageRtcp Policing Not Using Tman Package Rtcp PolicingImplementing Two-Rate Three-Color Policing and Marking Two-Rate Three-Color Policing and MarkingEnabling Two-Rate Three-Color Policing and Marking DBE Restrictions Related Commands Page Packages-Signaling and Control Enabling Optional H.248 PackagesAddress Reporting Package Segmentation Package SupportSession Failure Reaction Package Tsc-quiesce Feature Termination State Control PackageTsc-suspend Feature 248.1v3 Support Vlan Package Syntax-Level SupportMGC-Controlled Gateway-Wide Properties Page Services-Signaling and Control DBE Signaling Pinhole Support Extension to H.248 Audit Support Extension to H.248 Termination Wildcarding SupportFlexible Address Prefix Provisioning Twice Napt Pinhole Hairpinning Local Source Properties Address and PortLocally Hairpinned Sessions No Napt Pinhole HairpinningMGC-Specified Local Addresses or Ports Restrictions for Nine-Tier Termination Name Hierarchy Multi-Stream TerminationsNine-Tier Termination Name Hierarchy Information About Nine-Tier Termination Name Hierarchy Displaying the Nine-Tier Termination Name HierarchyDisplaying the Nine-Tier Termination Name Hierarchy Example Abc/voice/gn/0/1/0/1/ac/3Optional Local and Remote Descriptors RTP Specific Behavior Support ServiceChange Notification for Interface Status ChangeRemote Source Address Mask Filtering Sbc interface-id value End Configuration Example Output Tmax-timercommand configures the value of the T-MAX timer MAX TimerTsc-Delay Timer Video on Demand VOD SupportServices-Signaling and Control Video on Demand VOD Support Services-Signaling and Control Video on Demand VOD Support Integrated Session Border Controller Security Firewall Media Pinhole Control Interim Authentication Header Support Latch and Relatch SupportLocal Source Properties Address and Port Napt and NAT Traversal Etsi TS 102 333 version 1.1.2 Gate Management PackageTopology Hiding Traffic Management PolicingTopology Hiding IPv4 Twice Napt IPv6 Inter-Subscriber BlockingQoS Policy-Map-Based Inter-Subscriber Blocking Method Router# show run interface gigabitEthernet 0/1.1101Router# show class-map IPv6intersubscriber IPv6 Support ACL-Based Inter-Subscriber Blocking MethodIPv6 Pinholes IPv6 No Napt Support for Media FlowsIPv6 Single Napt for Signaling Send RecvSingle Napt Signaling Flow No Napt Pinholes Topology Hiding No Napt Pinholes 10-1 High Availability SupportIntegrated Session Border Controller High Availability Route Processor Redundancy RPR Hardware RedundancySoftware Redundancy 10-210-3 SSO SupportIssu Support 10-4 High Availability Support Issu SupportQuality Monitoring and Statistics Gathering 11-1DBE Status Notification Congestion-threshold CommandBilling and Call Detail Records Enhanced Event Notification and AuditingRetention and Returning of H.248 Event Information 11-3Silent Gate Deletion Association ResetResetting the Media Timeout Timers 11-411-5 Middlebox Pinhole Timer Expired EventNetwork Package Quality Alert Event 11-6 Provisioned Inactivity TimerRelated Command IN-1 IN-2 IN-3 RTP specific behavior support SBE Pinhole Pinhole timeoutPolicing Asymmetric policing Ipv6 packets IN-4IN-5 IN-6