Cisco Systems ASR 1000 manual IPv4 Twice Napt, IPv6 Inter-Subscriber Blocking

Page 88

Chapter 9 Topology Hiding

NAPT and NAT Traversal

NAPT and NAT Traversal

NAPT and NAT Traversal are described in Chapter 8, “Integrated Session Border Controller Security.”.

IP NAPT Traversal Package and Latch and Relatch Support

The IP NAPT Traversal Package and Latch and Relatch Support functions are described in Chapter 8, “Integrated Session Border Controller Security.”.

IPv4 Twice NAPT

The DBE successfully forwards media through Twice Network Address and Port Translation (NAPT) pinholes that form coupled pairs. For Twice NAPT hairpinning, the DBE forwards media on demand. The SBE sees no differences between Twice NAPT hairpins and Twice NAPT non-hairpins.

When forwarding media, a hairpinned pair behaves the way two separate pinholes behave, except that a packet going through a coupled pair has its IP Time-to-Live counter decremented only once, not twice.

Note Twice NAPT is only supported on IPv4.

IPv6 Inter-Subscriber Blocking

Inter-subscriber blocking prevents a subscriber from connecting to other subscribers without first going through a successful signaling/call setup process and having a termination established for the stream.

When the SBC DBE is implemented in the IPv4 environment, the DBE supports Twice NAPT, which has well-defined local media IP addresses or IP address pools. In the IPv4 environment, the DBE drops all SBC traffic destined for SBC local media IP addresses if there is no in-service termination successfully retrieved.

However, in the IPv6 environment, the SBC DBE only supports No NAPT for media pinholes, which, unlike Twice NAPT, does not have well-defined local media IP addresses or IP address pools. Because the same DBE router routes non-SBC IPv6 traffic (which does not have SBC termination flow entry whatsoever), the default operation for IPv6 traffic that does not have a corresponding termination flow entry is to continue to switch these packets. This can result in a situation where subscribers are still able to connect to other subscribers through the SBC DBE router without completing the signaling and call setup process.

To support inter-subscriber blocking in the IPv6 environment, you must classify subscribers at the ingress interface so that non-SBC traffic and SBC traffic can be differentiated.

For example, you might configure QoS at the ingress interface to mark all subscriber traffic with an unused unique differentiated services code point (DSCP) value, and then configure QoS at the egress interface to drop all the packets with this unused unique DSCP value. For SBC traffic with a termination flow entry, a separate DSCP value should be used to replace the original DSCP for these SBC packets as part of the normal diffserv package processing. As a result of this configuration, SBC packets with a session established will be routed and forwarded though the egress interface without being dropped

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

9-2

OL-15421-01

 

 

Page 87 Page 89
Image 88
Page 87 Page 89
Contents Americas Headquarters Page N T E N T S IiiQoS Bandwidth Allocation Traffic Management Package Support Local Source Properties Address and Port IPv6 Support ViiEvents Storage Until Event Acknowledgment Preface Document Revision HistoryObjectives OL-15421-01 May 5 This document was first publishedIntended Audience OrganizationRelated Documentation Document ConventionsCisco ASR 1000 Series Router Documentation Cisco IOS Release 12.2SR Software PublicationsXii Obtaining Documentation and Submitting a Service Request XiiiXiv Cisco ASR 1000 Series Routers Overview ContentsGeneral Overview Distributed and Unified Models Example of SBC High Level ArchitectureOn page 1-3illustrates the unified model Supported Integrated Session Border Controller Features Release Feature Name Related SBC Commands DocumentedPackage segment Cisco IOS Logging Level in Configuring Cisco IOSNone XE ReleaseMedia-address ipv4 Transaction-pending command Deployment of the Integrated Session Border ControllerIntegrated SBC Used for VoIP Interworking Integrated Session Border Controller DBE Deployment Scenario Prerequisites for Integrated Session Border Controller Configuring Integrated Session Border ControllerRestrictions for Integrated Session Border Controller Prerequisites Summary StepsEnables privileged Exec mode Enter your password if promptedEnters global configuration mode Enters into interface configuration modeConfigures the DBE to use a specific IPv4 H.248 control Own address when connecting to the SBEConfigures the H.248 controller for the DBE and enters into Controller H.248 configuration modeWhat To Do Next Troubleshooting TipsExamples Configuring H.248 Logging Level Creates the DBE service on the SBC and enters into SBC-DBE configuration modeSets a specified logging level to generate detailed logs Messages sent and received. Turns on consoleEnabling H.248 Logging Requests and Responses This section provides the following configuration examples Configuration ExamplesExample H.248 Log Output SBC DBE Configuration Steps Example Making Global Changes to Controllers Example Following example shows the initial SBC configuration == Make change to local portMaking Changes to Individual Controller Settings Example Control-address h248 ipv4 172.25.2.26 controller h248Topology Priority Indicator Yes Emergency Indicator Ieps Indicator YesCisco H.248 Profile Overview of ProfileProfile Packages Package ID VersionPackage ID Version Support Dependent On Dtmf Interworking Information About Dtmf InterworkingRTP to SIP Interworking Configuring Default Duration of a Dtmf EventSIP to RTP Interworking Enters the mode of a DBE service and enters into SBC-DBE Configuration mode. Use the sbc-name argument to specifyName of the DBE service Configures the default duration of a Dtmf eventPage Media Address Pools Restrictions for Configuring Media Address PoolsPrerequisites for Implementing Media Address Pools Configuring Media Address Pools Information About Media Address PoolsIs configured Enters into SBC-DBE configuration modeConfiguration mode Creates a port range for the configured mediaConfiguring Media Address Pools Example Quality of Service and Bandwidth Management Traffic Management Package SupportPage Dscp Re-Markings Dscp Marking and IP Precedence MarkingParameters on AC and per SDP on Rtcp Policing Using Tman Package Rtcp Policing Not Using Tman PackageQoS Bandwidth Allocation Rtcp PolicingEnabling Two-Rate Three-Color Policing and Marking Two-Rate Three-Color Policing and MarkingImplementing Two-Rate Three-Color Policing and Marking DBE Restrictions Related Commands Page Packages-Signaling and Control Enabling Optional H.248 PackagesAddress Reporting Package Segmentation Package SupportSession Failure Reaction Package Tsc-quiesce Feature Termination State Control PackageTsc-suspend Feature 248.1v3 Support Vlan Package Syntax-Level SupportMGC-Controlled Gateway-Wide Properties Page Services-Signaling and Control DBE Signaling Pinhole Support Extension to H.248 Audit Support Extension to H.248 Termination Wildcarding SupportFlexible Address Prefix Provisioning Local Source Properties Address and Port Locally Hairpinned SessionsTwice Napt Pinhole Hairpinning No Napt Pinhole HairpinningMGC-Specified Local Addresses or Ports Nine-Tier Termination Name Hierarchy Multi-Stream TerminationsRestrictions for Nine-Tier Termination Name Hierarchy Information About Nine-Tier Termination Name Hierarchy Displaying the Nine-Tier Termination Name HierarchyDisplaying the Nine-Tier Termination Name Hierarchy Example Abc/voice/gn/0/1/0/1/ac/3Optional Local and Remote Descriptors Remote Source Address Mask Filtering ServiceChange Notification for Interface Status ChangeRTP Specific Behavior Support Sbc interface-id value End Configuration Example Output MAX Timer Tsc-Delay TimerTmax-timercommand configures the value of the T-MAX timer Video on Demand VOD SupportServices-Signaling and Control Video on Demand VOD Support Services-Signaling and Control Video on Demand VOD Support Integrated Session Border Controller Security Firewall Media Pinhole Control Interim Authentication Header Support Latch and Relatch SupportLocal Source Properties Address and Port Napt and NAT Traversal Etsi TS 102 333 version 1.1.2 Gate Management PackageTopology Hiding Traffic Management PolicingTopology Hiding IPv4 Twice Napt IPv6 Inter-Subscriber BlockingQoS Policy-Map-Based Inter-Subscriber Blocking Method Router# show run interface gigabitEthernet 0/1.1101Router# show class-map IPv6intersubscriber IPv6 Support ACL-Based Inter-Subscriber Blocking MethodIPv6 Pinholes IPv6 No Napt Support for Media FlowsIPv6 Single Napt for Signaling Send RecvSingle Napt Signaling Flow No Napt Pinholes Topology Hiding No Napt Pinholes Integrated Session Border Controller High Availability High Availability Support10-1 Hardware Redundancy Software RedundancyRoute Processor Redundancy RPR 10-2Issu Support SSO Support10-3 10-4 High Availability Support Issu SupportQuality Monitoring and Statistics Gathering 11-1Congestion-threshold Command Billing and Call Detail RecordsDBE Status Notification Enhanced Event Notification and AuditingRetention and Returning of H.248 Event Information 11-3Association Reset Resetting the Media Timeout TimersSilent Gate Deletion 11-4Network Package Quality Alert Event Middlebox Pinhole Timer Expired Event11-5 Related Command Provisioned Inactivity Timer11-6 IN-1 IN-2 IN-3 Pinhole Pinhole timeout Policing Asymmetric policing Ipv6 packetsRTP specific behavior support SBE IN-4IN-5 IN-6
Top Page Image Contents