Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers
OL-15421-01
Chapter 9 Topology Hiding
NAPT and NAT Traversal
NAPT and NAT Traversal are described in Chapter 8, “Integrated Session Border Controller Security.”
IP NAPT Traversal Package and Latch and Relatch Support
The IP NAPT Traversal Package and Latch and Relatch Support functions are described in Chapter 8,
“Integrated Session Border Controller Security.”
IPv4 Twice NAPT
The DBE successfully forwards media through Twice Network Address and Port Translation (NAPT)
pinholes that form coupled pairs. For Twice NAPT hairpinning, the DBE forwards media on demand.
The SBE sees no differences between Twice NAPT hairpins and Twice NAPT non-hairpins.
When forwarding media, a hairpinned pair behaves the way two separate pinholes behave, except that a
packet going through a coupled pair has its IP Time-to-Live counter decremented only once, not twice.
Note: Twice NAPT is supported only on IPv4.
IPv6 Inter-Subscriber Blocking
Inter-subscriber blocking prevents a subscriber from connecting to other subscribers without first going
through a successful signaling/call setup process and having a termination established for the stream.
When the SBC DBE is deployed in an IPv4 environment, the DBE supports Twice NAPT, which uses
well-defined local media IP addresses or IP address pools. In the IPv4 environment, the DBE drops all
SBC traffic destined for SBC local media IP addresses for which no in-service termination can be
found.
However, in the IPv6 environment, the SBC DBE only supports No NAPT for media pinholes, which,
unlike Twice NAPT, does not have well-defined local media IP addresses or IP address pools. Because
the same DBE router routes non-SBC IPv6 traffic (which does not have SBC termination flow entry
whatsoever), the default operation for IPv6 traffic that does not have a corresponding termination flow
entry is to continue to switch these packets. This can result in a situation where subscribers are still able
to connect to other subscribers through the SBC DBE router without completing the signaling and call
setup process.
To support inter-subscriber blocking in the IPv6 environment, you must classify subscribers at the
ingress interface so that non-SBC traffic and SBC traffic can be differentiated.
For example, you might configure QoS at the ingress interface to mark all subscriber traffic with an
unused unique differentiated services code point (DSCP) value, and then configure QoS at the egress
interface to drop all the packets with this unused unique DSCP value. For SBC traffic with a termination
flow entry, a separate DSCP value should be used to replace the original DSCP for these SBC packets
as part of the normal diffserv package processing. As a result of this configuration, SBC packets with a
session established will be routed and forwarded through the egress interface without being dropped
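The following is an added illustration of the ingress-mark / egress-drop approach described above, written in standard IOS XE Modular QoS CLI (MQC); it is not configuration taken from this guide. The interface names, policy and class-map names, and the choice of DSCP 1 as the "unused" marking value are all assumptions for the example; pick a DSCP value that no legitimate traffic in your network carries. The separate DSCP rewrite that the SBC diffserv package applies to media with an in-service termination flow entry is configured under the SBC media policy and is not shown here.

```text
! Ingress (subscriber-facing): tag every packet arriving from subscribers with
! an otherwise-unused DSCP value (DSCP 1 is an assumed, constructed choice).
policy-map MARK-SUBSCRIBER-IN
 class class-default
  set dscp 1
!
interface GigabitEthernet0/0/0
 description subscriber-facing ingress (assumed name)
 service-policy input MARK-SUBSCRIBER-IN
!
! Egress (subscriber-facing): any packet that still carries the ingress tag
! did not pass through an SBC termination (the diffserv package would have
! rewritten its DSCP), so it is subscriber-to-subscriber traffic that bypassed
! signaling and is dropped here.
class-map match-all SBC-BYPASS
 match dscp 1
!
policy-map DROP-SBC-BYPASS-OUT
 class SBC-BYPASS
  drop
 class class-default
!
interface GigabitEthernet0/0/1
 description subscriber-facing egress (assumed name)
 service-policy output DROP-SBC-BYPASS-OUT
```

Two checks are worth making after applying such a policy: `show policy-map interface GigabitEthernet0/0/1 output` should show packets being dropped in class SBC-BYPASS only for sessions that were never set up, and established calls should keep flowing because their media packets leave the SBC with a different DSCP and therefore match class-default. The egress drop policy belongs only on interfaces that face other subscribers; applying it on a core-facing interface would discard all non-SBC subscriber traffic as well.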