Chapter 9 Topology Hiding

NAPT and NAT Traversal

NAPT and NAT Traversal are described in Chapter 8, “Integrated Session Border Controller Security.”

IP NAPT Traversal Package and Latch and Relatch Support

The IP NAPT Traversal Package and Latch and Relatch Support functions are described in Chapter 8, “Integrated Session Border Controller Security.”

IPv4 Twice NAPT

The DBE successfully forwards media through Twice Network Address and Port Translation (NAPT) pinholes that form coupled pairs. For Twice NAPT hairpinning, the DBE forwards media on demand. The SBE sees no differences between Twice NAPT hairpins and Twice NAPT non-hairpins.

When forwarding media, a hairpinned pair behaves the way two separate pinholes behave, except that a packet going through a coupled pair has its IP Time-to-Live counter decremented only once, not twice.

Note Twice NAPT is supported only on IPv4.

IPv6 Inter-Subscriber Blocking

Inter-subscriber blocking prevents a subscriber from connecting to other subscribers without first going through a successful signaling/call setup process and having a termination established for the stream.

When the SBC DBE is implemented in the IPv4 environment, the DBE supports Twice NAPT, which has well-defined local media IP addresses or IP address pools. In the IPv4 environment, the DBE drops all SBC traffic destined for SBC local media IP addresses if no in-service termination can be retrieved for it.

However, in the IPv6 environment, the SBC DBE supports only No NAPT for media pinholes, which, unlike Twice NAPT, does not have well-defined local media IP addresses or IP address pools. Because the same DBE router also routes non-SBC IPv6 traffic (which has no SBC termination flow entry at all), the default behavior for IPv6 traffic without a corresponding termination flow entry is to keep switching these packets. As a result, subscribers can still connect to other subscribers through the SBC DBE router without completing the signaling and call setup process.

To support inter-subscriber blocking in the IPv6 environment, you must classify subscribers at the ingress interface so that non-SBC traffic and SBC traffic can be differentiated.

For example, you might configure QoS at the ingress interface to mark all subscriber traffic with an unused, unique differentiated services code point (DSCP) value, and then configure QoS at the egress interface to drop all packets carrying that DSCP value. For SBC traffic that has a termination flow entry, a separate DSCP value should be used to replace the original DSCP of these SBC packets as part of the normal diffserv package processing. As a result of this configuration, SBC packets belonging to an established session are routed and forwarded through the egress interface without being dropped.
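The following modular QoS configuration is an added illustration of the mark-at-ingress, drop-at-egress scheme described above; it is not taken from this guide. The interface names, policy and class names, and the choice of DSCP 41 as the "unused" marker value are assumptions, and the SBC diffserv processing that rewrites the DSCP of packets with a termination flow entry is configured separately on the DBE and is not shown here.

```cisco
! Ingress: mark every packet arriving from subscribers with an otherwise
! unused DSCP value (41 is assumed here; it maps to no standard PHB).
class-map match-any SUBSCRIBER-INGRESS
 match any
!
policy-map MARK-SUBSCRIBER
 class SUBSCRIBER-INGRESS
  set dscp 41
!
! Egress: anything still carrying the marker never had its DSCP replaced
! by SBC diffserv processing, so it has no termination flow entry. Drop it.
class-map match-all SUBSCRIBER-NO-TERMINATION
 match dscp 41
!
policy-map DROP-UNTERMINATED
 class SUBSCRIBER-NO-TERMINATION
  drop
 class class-default
!
! Subscriber-facing interface (assumed name)
interface GigabitEthernet0/0/0
 service-policy input MARK-SUBSCRIBER
!
! Egress interface toward other subscribers or the core (assumed name)
interface GigabitEthernet0/0/1
 service-policy output DROP-UNTERMINATED
```

Verify with `show policy-map interface GigabitEthernet0/0/1` that the drop counters in class SUBSCRIBER-NO-TERMINATION increase for subscriber-to-subscriber traffic that has no established session, while media for established sessions is counted under class-default.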

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

9-2

OL-15421-01
