Cisco Systems ASR 1000 manual IPv6 Support, ACL-Based Inter-Subscriber Blocking Method


Chapter 9 Topology Hiding

IPv6 Support

ACL-Based Inter-Subscriber Blocking Method

In the following example of the ACL-based inter-subscriber blocking method, packets entering the DBE from the access side are marked with DSCP=0 using the same INPUT_POLICY as the QoS method above, but packets leaving the DBE use the ACL OutFilter_IPv6 as follows:

Router# show ipv6 access-list OutFilter_IPv6
IPv6 access list OutFilter_IPv6
    permit icmp any any packet-too-big sequence 10
    deny icmp any any sequence 20
    deny ipv6 any any dscp default sequence 40
    permit ipv6 any any sequence 50

DBE Restrictions

The following is a restriction of DBE support for IPv6 inter-subscriber blocking:

Because the configuration of inter-subscriber blocking in the IPv6 environment relies on Cisco IOS QoS to mark the DSCP value in the ingress feature process, the original DSCP value of the packets arriving at the DBE router will not be preserved.
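The following model of the egress filter is an added example, not part of the Cisco guide. It evaluates the OutFilter_IPv6 entries shown above in sequence order against constructed packets, and shows why the ingress re-marking loses the original DSCP. The Packet and Ace types, the function names, and the premise that SBC-relayed media leaves with a non-default DSCP (46 here) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PACKET_TOO_BIG = 2  # ICMPv6 type 2 (RFC 4443)

@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp", "tcp", ...
    dscp: int                        # 0..63; 0 is the "default" DSCP
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", or "ipv6" for any protocol
    icmp_type: Optional[int] = None  # None matches any ICMPv6 type
    dscp: Optional[int] = None       # None matches any DSCP

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return self.dscp is None or self.dscp == p.dscp

# Entries transcribed from the show output above.
OUT_FILTER_IPV6 = [
    Ace(10, "permit", "icmp", icmp_type=PACKET_TOO_BIG),
    Ace(20, "deny", "icmp"),
    Ace(40, "deny", "ipv6", dscp=0),
    Ace(50, "permit", "ipv6"),
]

def ingress_mark(p: Packet) -> Packet:
    """INPUT_POLICY on the access side: every packet is re-marked to DSCP 0."""
    return Packet(p.proto, 0, p.icmp_type)

def sbc_relay(p: Packet, dscp: int = 46) -> Packet:
    """Assumption: media relayed by the SBC leaves with a non-default DSCP."""
    return Packet(p.proto, dscp, p.icmp_type)

def egress_filter(p: Packet, acl=OUT_FILTER_IPV6):
    """First matching entry wins; returns (action, sequence number)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(p):
            return ace.action, ace.seq
    return "deny", None              # not reached here: sequence 50 matches everything
```

A packet routed directly between two subscribers keeps the DSCP 0 set at ingress and is dropped at sequence 40, while the same packet passed through sbc_relay is permitted at sequence 50.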

IPv6 Support

IPv6 support includes the following functionality:

The DBE supports IPv6 pinholes for both media endpoints and signaling endpoints. See the “IPv6 Pinholes” section on page 9-6.

Note: Pinhole is an informal term for a pair of terminations in the same stream and same context.

Media flows do not support Network Address and Port Translation (NAPT); they must be No NAPT.

As a result, you cannot configure any media addresses under IPv6. Media flows may consist of voice or video.

Signaling flows support Single NAPT.

You are able to configure signaling addresses under IPv6.

The DBE examines all IPv6 packets that arrive from the network and determines which ones belong to authorized SBC media streams. The DBE normally uses the destination (and possibly the source) IP address and port for packet classification. The DBE identifies packets belonging to an authorized media stream as SBC packets and applies the appropriate traffic policing rules to the packets. The counter showing number of packets received is modified.

After that, SBC performs packet processing and updating. The packet is forwarded out of the specified interface. IPv6 packet forwarding works in the same way as IPv4 packet forwarding, except for a few differences in the IP header processing.

Single NAPT for signaling means that packets arriving from an endpoint are addressed to an SBC media address. When they are passed to the media gateway controller (MGC), also known as an SBE, the packets need to keep the endpoint’s source IP address and port number. Therefore, only destination addresses and ports are translated in Single NAPT. When the MGC/SBE sends a reply back to the endpoint, the

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01