Chapter 8 Integrated Session Border Controller Security

Packets arriving at the SBC are classified into flows using the following data: VPN ID, destination address, destination port, protocol type, and source address. The source address is only required to match a remote source address mask rather than a specific remote address.

DBE Restrictions

The following are restrictions of data border element (DBE) support for this feature:

If the remote source address mask is specified for a termination, then it must contain the address in the remote descriptor, unless NAT latching techniques are used. However, if you want more than one flow on the same local address or port, then the local address must be MGC-managed.

A prefix length of 0 for the remote source address mask is invalid.

The MGC is only allowed to specify local addresses and ports that lie within configured address and port ranges.
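The following Python model is an added example, not code from the Cisco guide or from the SBC itself. It checks a termination against the restrictions above and classifies a packet with the five fields listed earlier. The names `Termination`, `flow_key`, `validate` and `classify`, the address pool, the port range and all sample addresses are hypothetical; the longest-prefix tie-break and the reading of the shared-flow rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Termination:              # hypothetical model, not an SBC data structure
    vpn_id: int
    local_addr: str
    local_port: int
    protocol: str
    remote_src_mask: str        # remote source address mask, CIDR form
    remote_addr: str            # address carried in the remote descriptor
    nat_latching: bool = False
    mgc_managed: bool = False   # local address chosen by the MGC

def flow_key(t):
    return (t.vpn_id, t.local_addr, t.local_port, t.protocol)

def validate(term, existing, mgc_pool, mgc_ports):
    """Return the DBE restrictions a new termination violates (empty = OK)."""
    errors = []
    mask = ipaddress.ip_network(term.remote_src_mask)
    if mask.prefixlen == 0:
        errors.append("prefix length 0 is invalid")
    if not term.nat_latching and ipaddress.ip_address(term.remote_addr) not in mask:
        errors.append("mask does not contain remote descriptor address")
    # Assumption: "same local address or port" is read as an identical flow_key.
    if any(flow_key(t) == flow_key(term) for t in existing) and not term.mgc_managed:
        errors.append("shared local address/port must be MGC-managed")
    if term.mgc_managed and not (
        ipaddress.ip_address(term.local_addr) in ipaddress.ip_network(mgc_pool)
        and mgc_ports[0] <= term.local_port <= mgc_ports[1]
    ):
        errors.append("MGC local address/port outside configured ranges")
    return errors

def classify(packet, terminations):
    """packet = (vpn_id, dst_addr, dst_port, protocol, src_addr)."""
    vpn, dst, dport, proto, src = packet
    hits = [t for t in terminations
            if flow_key(t) == (vpn, dst, dport, proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(t.remote_src_mask)]
    # Assumption: when masks overlap, the longest prefix wins.
    return max(hits, key=lambda t: ipaddress.ip_network(t.remote_src_mask).prefixlen,
               default=None)

# Constructed sample values (documentation address ranges).
A = Termination(1, "192.0.2.10", 16384, "udp", "198.51.100.0/24", "198.51.100.7", mgc_managed=True)
B = Termination(1, "192.0.2.10", 16384, "udp", "203.0.113.0/25", "203.0.113.9", mgc_managed=True)
```

A packet whose source address falls outside every mask matches no flow, so `classify` returns `None` for it.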

Related Commands

The media-address ipv4 command has dbe and mgc options that indicate whether an address pool is provided from which the DBE or MGC can allocate addresses.

The new media-address pool ipv4 command creates a pool of sequential IPv4 media addresses that can be used by the DBE as local media addresses; the command also has dbe and mgc options.

Topology Hiding

Topology hiding is an important function of security because it protects the identity of the users and their network addresses. See Chapter 9, “Topology Hiding” for more information.

Traffic Management Policing

The data border element (DBE) supports the H.248 Traffic Management (Tman) package to police signaling and media streams. The DBE can also monitor packets coming from the access (customer) side and from the backbone (network core) side.

For more information on the Tman package, see the “H.248 Traffic Management Package Support” section on page 5-1.

Two-Rate Three-Color Policing and Marking

The data border element (DBE) supports Two-Rate Three-Color Policing and Marking to control the traffic coming from the user.

For more information on the Two-Rate Three-Color Policing and Marking feature, see the “Two-Rate Three-Color Policing and Marking” section on page 5-5.

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01