Cisco Systems ASR 1000 manual Topology Hiding, Contents


Chapter 9

Topology Hiding

The Integrated Session Border Controller (SBC) for the Cisco ASR 1000 Series Routers has two primary purposes: protecting the network and providing seamless interworking functions. The SBC protects the network by hiding the network addresses and names of both the access (customer) side and the backbone (network core) side. The SBC also provides network protection for firewall or home gateway users with private addresses.

When a user connects to the outside network, its IP address and port need to be translated so that its identity is protected. The data border element (DBE) translates IP addresses and port numbers using Network Address and Port Translation (NAPT) and Network Address Translation (NAT) traversal functions in both directions.

The DBE implementation supports the H.248 NAPT package, the IP NAT Traversal package, and the ETSI TS 102 333 specification for NAT traversal, but only one of these packages can be active at a time. The latch and relatch functions of NAT traversal are supported by the IP NAT Traversal package. Support for these packages helps protect the IP addresses of endpoints from being exposed to the other side of the network.

The NAPT implementations on the DBE that are described in more detail in this chapter are summarized below:

IPv4 Twice NAPT—Both the access-side and the backbone-side addresses are protected. In Twice NAPT, both the IP address and the port are translated to a local IP address and port, and the endpoints on each side see only the SBC address as the destination address.

IPv6 Single NAPT for signaling packets—Protects the signaling infrastructure on the backbone side. The backbone side can identify the address of the customer, but the customer sees only the interface address of the DBE.

IPv6 No NAPT for media packets—With this method there is no privacy on either the customer side or the backbone side. Both sides know each other's address, and the DBE passes the packets transparently.
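To make the difference between the three modes concrete, the following is an added Python model of a single DBE pinhole under each mode. It is example code written for this page, not Cisco code and not the DBE's implementation. It assumes, from the descriptions above, that a pinhole accepts only packets carrying the expected source and destination and drops everything else, and that in Single NAPT the backbone addresses the customer directly because it can see the customer's address; the endpoint addresses, class names, mode names and direction strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ep:
    """An IP endpoint: address and port."""
    ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: Ep
    dst: Ep


@dataclass(frozen=True)
class Pinhole:
    """One DBE flow. Field and mode names are this example's own, not H.248 or Cisco terms."""
    mode: str        # "twice" (IPv4 Twice NAPT), "single" (IPv6 Single NAPT), "none" (IPv6 No NAPT)
    access: Ep       # customer endpoint
    core: Ep         # backbone endpoint
    dbe_access: Ep   # DBE address/port facing the customer
    dbe_core: Ep     # DBE address/port facing the backbone

    def expected(self, direction: str) -> Tuple[Ep, Ep]:
        """(src, dst) a packet must carry to match this pinhole in the given direction."""
        if direction == "access_to_core":
            # The customer addresses the DBE, except with no NAPT, where it addresses the core directly.
            return (self.access, self.core if self.mode == "none" else self.dbe_access)
        if direction == "core_to_access":
            # The core addresses the DBE only in twice NAPT; otherwise it knows the customer's address.
            return (self.core, self.dbe_core if self.mode == "twice" else self.access)
        raise ValueError(direction)

    def translate(self, pkt: Packet, direction: str) -> Optional[Packet]:
        """Rewrite a packet, or return None when it does not match the pinhole (dropped)."""
        if (pkt.src, pkt.dst) != self.expected(direction):
            return None
        if self.mode == "none":
            return pkt  # passed through unchanged: no privacy on either side
        if direction == "access_to_core":
            # Twice NAPT hides the customer behind the DBE's backbone-side address;
            # single NAPT leaves the customer's source address visible to the core.
            src = self.dbe_core if self.mode == "twice" else self.access
            return Packet(src, self.core)
        # core_to_access: in both NAPT modes the customer sees only the DBE's access-side address.
        return Packet(self.dbe_access, self.access)


def exposure(ph: Pinhole) -> dict:
    """Which real addresses each side learns from the packets it receives through the pinhole."""
    to_core = ph.translate(Packet(*ph.expected("access_to_core")), "access_to_core")
    to_access = ph.translate(Packet(*ph.expected("core_to_access")), "core_to_access")
    return {
        "core_sees_customer": to_core.src == ph.access,
        "customer_sees_core": to_access.src == ph.core,
    }


# Constructed sample flows using documentation address ranges; not real deployment values.
TWICE = Pinhole("twice", Ep("192.0.2.10", 5060), Ep("198.51.100.20", 5060),
                Ep("192.0.2.1", 20000), Ep("198.51.100.1", 20000))
SINGLE = Pinhole("single", Ep("2001:db8:1::10", 5060), Ep("2001:db8:2::20", 5060),
                 Ep("2001:db8:1::1", 20000), Ep("2001:db8:2::1", 20000))
NONE = Pinhole("none", Ep("2001:db8:1::10", 40000), Ep("2001:db8:2::20", 40002),
               Ep("2001:db8:1::1", 20002), Ep("2001:db8:2::1", 20002))

if __name__ == "__main__":
    for ph in (TWICE, SINGLE, NONE):
        print(ph.mode, exposure(ph))
    # A packet from a source the pinhole was not opened for does not match and is dropped.
    print(TWICE.translate(Packet(Ep("203.0.113.5", 1234), TWICE.dbe_access), "access_to_core"))
```

The `exposure` check is the one worth keeping in a test suite: for a flow that is supposed to hide the backbone, `customer_sees_core` must be false, and the dropped-packet case shows that the pinhole is also a filter, not only a translator.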

For a complete description of commands used in this chapter, see the Cisco IOS Integrated Session Border Controller Command Reference.

Contents

NAPT and NAT Traversal, page 9-2

IP NAPT Traversal Package and Latch and Relatch Support, page 9-2

IPv4 Twice NAPT, page 9-2

IPv6 Inter-Subscriber Blocking, page 9-2

IPv6 Support, page 9-5

No NAPT Pinholes, page 9-9

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01

9-1
