Cisco Systems ASR 1000 Integrated Session Border Controller Security

CHAPT ER

8-1

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01

8

Integrated Session Border Controller Security

Integrated Session Border Controller (SBC) for the Cisco ASR 1000 Series Routers offers high security

functions. Enterprise users want to protect their network and service providers want to protect their core

or backbone network. Because service providers allow direct users to come into their network to access

different services, it is critical to have high security. Customers also want to police the data coming into

their networks and require notification if any unwanted user tries to access the network. The data border

element (DBE) implementation supports various security features and policing of incoming data.

For example, the DBE supports the ETSI TS 102 333 Gate Management (GM) package to control

addressing for the local as well as the remote party. The DBE uses the source address mask and remote

source address filtering to specify a range of addresses rather than a specific address and port for the

source or remote address of the arriving packet. Data coming from other defined addresses are dropped

and reported to the Signaling Border Element (SBE) for security reasons. Local Source Properties

(Address and Port) and Remote Source Address Mask Filtering, described in this chapter, are supported

features of the GM package.

This chapter describes or cross-references supported security features. For a complete description of

commands used in this chapter, see the Cisco IOS Integrated Session Border Controller Command

Reference.

Contents

• Firewall (Media Pinhole Control), page 8-2

• H.248 Address Reporting Package, page 8-2

• H.248 Session Failure Reaction Package, page 8-2

• H.248 Termination State Control Package, page 8-2

• Interim Authentication Header Support, page 8-3

• IP NAPT Traversal Package and Latch and Relatch Support, page 8-3

• Local Source Properties (Address and Port), page 8-4

• NAPT and NAT Traversal, page 8-5

• Remote Source Address Mask Filtering, page 8-5

• Topology Hiding, page 8-6

• Traffic Management Policing, page 8-6

• Two-Rate Three-Color Policing and Marking, page 8-6

Contents

Main Page CONTENTS Page Page Page Page Page Preface Document Revision History Objectives Intended Audience Organization Related Documentation Cisco ASR 1000 Series Router Documentation Cisco IOS Release 12.2SR Software Publications Document Conventions Page Obtaining Documentation and Submitting a Service Request Page Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview General Overview Distributed and Unified Models Page Supported Integrated Session Border Controller Features Page Page Page Deployment of the Integrated Session Border Controller Integrated Session Border Controller DBE Deployment Scenario Page Page Configuring Integrated Session Border Controller Prerequisites for Integrated Session Border Controller Restrictions for Integrated Session Border Controller Configuring Integrated Session Border Controller DBE Deployment Prerequisites Page Page What To Do Next Examples Troubleshooting Tips Configuring H.248 Logging Level Page Enabling H.248 Logging Requests and Responses Example H.248 Log Output Configuration Examples SBC DBE Configuration Steps: Example Configuring Primary IP and Primary Media IP Addresses: Example Configuring Secondary IP and Secondary Media IP Addresses: Example Making Global Changes to Controllers: Example 2-12 The following example shows the initial SBC configuration: The following example illustrates the user following the recommended steps to change the local port: The following example shows the modified running SBC configuration: Making Changes to Individual Controller Settings: Example Cisco H.248 Profile Overview of Profile Profile Packages Page DTMF Interworking Information About DTMF Interworking RTP to SIP Interworking SIP to RTP Interworking Configuring Default Duration of a DTMF Event Prerequisites Page Page Media Address Pools Prerequisites for Implementing Media Address Pools Restrictions for Configuring Media Address Pools Information About Media Address Pools Configuring Media Address Pools Page Configuring Media Address Pools Example Quality of Service and Bandwidth Management H.248 Traffic Management Package Support Page DSCP Marking and IP Precedence Marking DSCP Re-Markings QoS Bandwidth Allocation RTCP Policing RTCP Policing Using Tman Package RTCP Policing Not Using Tman Package Two-Rate Three-Color Policing and Marking Enabling Two-Rate Three-Color Policing and Marking Implementing Two-Rate Three-Color Policing and Marking Page Page Page H.248 PackagesSignaling and Control Enabling Optional H.248 Packages H.248 Address Reporting Package H.248 Gate Information (Ginfo) Package Becomes Optional H.248 Segmentation Package Support H.248 Session Failure Reaction Package H.248 Termination State Control Package The tsc-quiesce Feature The tsc-suspend Feature H.248 Traffic Management Package Support H.248.1v3 Support H.248 VLAN Package Syntax-Level Support MGC-Controlled Gateway-Wide Properties Page H.248 ServicesSignaling and Control DBE Signaling Pinhole Support Extension to H.248 Audit Support Extension to H.248 Termination Wildcarding Support Flexible Address Prefix Provisioning Local Source Properties (Address and Port) Locally Hairpinned Sessions Twice NAPT Pinhole Hairpinning No NAPT Pinhole Hairpinning MGC-Specified Local Addresses or Ports Multi-Stream Terminations Nine-Tier Termination Name Hierarchy Restrictions for Nine-Tier Termination Name Hierarchy Information About Nine-Tier Termination Name Hierarchy Displaying the Nine-Tier Termination Name Hierarchy 7-9 Displaying the Nine-Tier Termination Name Hierarchy: Example Optional Local and Remote Descriptors Remote Source Address Mask Filtering RTP Specific Behavior Support ServiceChange Notification for Interface Status Change Configuring the ServiceChange Notification for Interface Status Change Configuration Example Output T-MAX Timer The tsc-Delay Timer Video on Demand (VOD) Support Page Page Integrated Session Border Controller Security Firewall (Media Pinhole Control) H.248 Address Reporting Package H.248 Session Failure Reaction Package H.248 Termination State Control Package Interim Authentication Header Support IP NAPT Traversal Package and Latch and Relatch Support Latch and Relatch Support Local Source Properties (Address and Port) NAPT and NAT Traversal Remote Source Address Mask Filtering Topology Hiding Traffic Management Policing Two-Rate Three-Color Policing and Marking Topology Hiding NAPT and NAT Traversal IP NAPT Traversal Package and Latch and Relatch Support IPv4 Twice NAPT IPv6 Inter-Subscriber Blocking QoS Policy-Map-Based Inter-Subscriber Blocking Method 9-4 ACL-Based Inter-Subscriber Blocking Method IPv6 Support IPv6 Pinholes IPv6 No NAPT Support for Media Flows IPv6 Single NAPT for Signaling Page No NAPT Pinholes Page High Availability Support Integrated Session Border Controller High Availability Hardware Redundancy Software Redundancy Route Processor Redundancy (RPR) SSO Support ISSU Support Page Quality Monitoring and Statistics Gathering Billing and Call Detail Records congestion-threshold Command DBE Status Notification Enhanced Event Notification and Auditing Retention and Returning of H.248 Event Information Permanent H.248 Event Storage H.248 Events Storage Until Event Acknowledgment Association Reset Silent Gate Deletion Resetting the Media Timeout Timers H.248 Network Package Quality Alert Event and Middlebox Pinhole Timer Expired Event Network Package Quality Alert Event Middlebox Pinhole Timer Expired Event Related Command Provisioned Inactivity Timer Related Command ServiceChange Notification for Interface Status Change INDEX A B C D E F G H I L M N O P Q R S T U V W