Chapter 8 Integrated Session Border Controller Security
Topology Hiding
Packets arriving at the SBC are classified into flows using the following data: VPN ID, destination address, destination port, protocol type, and source address. The source address is only required to match a remote source address mask rather than a specific remote address.
DBE Restrictions
The following are restrictions of data border element (DBE) support for this feature:
•If the remote source address mask is specified for a termination, then it must contain the address in the remote descriptor, unless NAT latching techniques are used. However if you want more than one flow on the same local address or port, then the local address must be
•A prefix length of 0 for the remote source address mask is invalid.
•The MGC is only allowed to specify local addresses and ports that lie within configured address and port ranges.
Related Commands
•The
•The new
Topology Hiding
Topology hiding is an important function of security because it protects the identity of the users and their network addresses. See Chapter 9, “Topology Hiding” for more information.
Traffic Management Policing
The data border element (DBE) supports the H.248 Traffic Management (Tman) package to police signaling and media streams. The DBE can also monitor packets coming from the access (customer) side and from the backbone (network core) side.
For more information on the Tman package, see the “H.248 Traffic Management Package Support” section on page
Two-Rate Three-Color Policing and Marking
The data border element (DBE) supports
For more information on the
Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers
| ||
|
