Chapter 8 Integrated Session Border Controller Security

Local Source Properties (Address and Port)

When latching, the DBE uses the remote address and port of a source endpoint as the destination endpoint address and port if the source IP address is within a specified Gate Management/remote source address mask (gm/rsam). This means that within a subnet any packet can be latched within a gm/rsam. The Relatch event waits until a packet arrives that fails the latched admission criteria, but which meets the relatch critera. The relatch may require stricter admission criteria than the original latching, such as packets may have to come from a specific remote address rather than from within the subnet. Or the relatch criteria might identify a different subnet. In relatching, one reason for the change in the source IP address and port could be a subscriber requiring a different service.

When the ntr package is in use, the DBE continues to attempt to relearn remote addresses and ports following any H.248 operation that modifies a termination whose endpoint is behind a NAT. Relearning continues to be timed out if no packets from a new remote source address and port are received within a suitable period.

When the ipnapt package is in use, the DBE does not attempt to relearn remote addresses and ports unless a Relatch is explicitly signaled by the MGC. Relatching is not timed out.

DBE Restrictions

The following are restrictions of DBE support for the IP NAPT Traversal (ipnapt) package and Latch and Relatch:

The DBE only supports either the NTR package or the IP NAPT Traversal package for a termination. You can configure either package with the h248-napt-packagecommand.

The DBE does not generate the notifyComplete signal when the Latch or Relatch signal completes.

With the IP NAPT Traversal package, the DBE does not automatically relatch on receipt of an H.248/Megaco request that modifies the gm/sam. If a Relatch is required, it must be explicitly signaled by the MGC. In addition, you cannot update the remote source address mask so that it no longer contains the previously latched remote address without signaling a Relatch.

Related Commands

The h248-napt-packagecommand defines which H.248 package (either ipnapt or ntr) the DBE uses for signaling NAT features.

Local Source Properties (Address and Port)

The data border element (DBE) is enhanced to support multiple terminations that share a single local address and port. The Gate Management/remote source address mask (gm/rsam) defines a remote subnet. The mask length is a property of the local address and port combination. Only multiple terminations that share the same local address and port are required to have the same gm/rsam length. Terminations with different local addresses or ports can have different gm/rsam lengths.

A gm/rsam having the same mask length allows multiple terminations to share a single local address and port combination, with the requirement that the terminations are configured with gm/rsams that are distinct. This enables the media gateway controller (MGC) to identify and match the terminations to the correct flow. For more information about Local Source Address and Local Source Port properties, see the ETSI TS 102 333 V1.1.2 Gate Mangement Package.

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

8-4

OL-15421-01

 

 

Page 84
Image 84
Cisco Systems ASR 1000 manual Local Source Properties Address and Port