Cisco Systems ASR 1000 User's Manual
Contents
1. Chapter Where Release Feature Name Related SBC Commands Documented Cisco IOS Integrated Session Border None Chapter 10 High XE Release Controller High Availability Availability Support 2 0 Cisco IOS Interim Authentication Header transport see Chapter 8 Integrated XE Release Support interim auth header Session Border 2 0 keyword Controller Security Cisco IOS IP NAPT Traversal Package and h248 napt package Chapter 8 Integrated XE Release Latch and Relatch Support Session Border 2 0 Controller Security Cisco IOS IPv4 Twice NAPT None Chapter 9 Topology XE Release Hiding 2 0 Cisco IOS IPv6 Inter Subscriber Blocking None Chapter 9 Topology XE Release Hiding 2 0 Cisco IOS IPv6 Support ipv6 address session Chapter 9 Topology XE Release border controller Hiding ae media address ipv6 media address pool ipv6 port range ipv6 debug sbc filter see ipv6 keyword show sbc dbe media flow stats see ipv6 keyword show sbc dbe signaling flow stats see ipv6 keyword Cisco IOS Local Source Properties Address None Chapter 8 Integrated XE Release jand Port Session Border 2 0 Controller Security Cisco IOS Locally Hairpinned Sessions None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS Logging Level in Configuring logging level Chapter 2 XE Release H 248 Logging Level logging filter control Configuring l 2 1 protocol Integrated2. Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 8 6 OL 15421 01 Contents CHAPTER Topology Hiding The Integrated Session Border Controller SBC for the Cisco ASR 1000 Series Routers has a primary purpose in protecting the network and providing seamless interworking functions The SBC can protect the network by hiding the network addresses and names for both the access customer side and the backbone network core side The SBC also provides network protection for firewalls or home gateway users with private addresses When a user connects to the outside network its IP address and port needs to be properly translated to protect its identity The data border element DBE performs translation of IP addresses and port numbers via Network Address and Port Translation NAPT and Network Address Translation NAT Traversal functions in both directions The DBE implementation supports the H 248 NAPT package the IP NAT Traversal Package and the ETSITS 102 333 specification for NAT Traversal but only one package can be active Latch and Relatch functions of the NAT Traversal are supported by the IP NAT Traversal package Support for these packages help protect IP addresses of the endpoints going across the other side of the network The NAPT implementations on the DBE described in more detail in this chapter are summarized below IPv4 Twice NAP
3. secondary media IP addr added using secondary IP addr interface sbc 1 ip address 25 25 25 25 255 0 0 0 secondary lt secondary IP addr configured on SBC interf ip address 1 1 1 1 255 0 0 0 Making Global Changes to Controllers Example You have configured H 248 controllers for the DBE and want to make a global change that affects all controllers Global changes are configured on the vDBE and consist of changing any one of the following control address local port use any local port amp Note You cannot make global changes to controllers while controllers are configured You cannot delete a controller while the controller is attached To change the control address and local port that globally affect configured controllers we recommend the following steps 1 Deactivate the DBE with the no activate command Enter into VDBE configuration mode with the vdbe command Detach the controller with the no attach controllers command Delete any configured controllers with the no controller h248 command Make the change to the control address or local port Add the controllers back with the controller h248 command Do Oo Ur om ee N Reconfigure the individual settings configured on each controller such as the remote address remote port and transport configuration that were removed with the no controller h248 command 8 Exit the Controller H 248 configuration mode with the exit command 9 Re attach each controlle
4. Signaling and Control MI H 248 Address Reporting Package Related Commands The package command enables the DBE to use the optional eroot package H 248 Address Reporting Package The H 248 Address Reporting Package is described in the H 248 Address Reporting Package section on page 8 2 H 248 Gate Information Ginfo Package Becomes Optional This enhancement removes the stipulation that the Gate Information Ginfo package properties are required in the DBE H 248 profile The DBE continues to support the Ginfo package properties as optional properties and supplies default values if values are not specified The Ginfo package properties are the following bill_corr property is defaulted to a value of 24 zero bytes gate_state property is defaulted to COMMITTED The termination is maintained across system failover and H 248 association loss at all times after the initial termination add Changes to committed gates are replicated to the redundant card immediately Therefore omitting this property has a minor performance overhead on redundant systems gate_side property is defaulted to SIDE_A for the first termination in a stream and to SIDE_B for the second termination in a stream DBE Restrictions The following is a restriction of DBE support for the H 248 Gate Information Package Becomes Optional feature If one of the Ginfo properties is omitted when adding a termination you cannot later specify a value f
5. remote port transport type amp Note You cannot change an individual controller setting remote address remote port or transport type unless you detach the controller first To change the remote address remote port or transport type setting on a controller we recommend the following steps 1 Deactivate the DBE with the no activate command Enter into VDBE configuration mode with the vdbe command Detach the controller with the no attach controllers command Enter into Controller H 248 configuration mode with the controller h248 command Make the change to the remote address remote port or transport type Exit the Controller H 248 configuration mode with the exit command Re attach the controller with the attach controllers command Exit the VDBE configuration mode with the exit command o o N on F WN Reactivate the DBE with the activate command The following example shows the initial configuration sbc mySbc dbe vdbe global use any local port control address h248 ipv4 172 25 2 26 controller h248 1 remote address ipv4 172 25 2 243 attach controllers activate location id 1 media address ipv4 20 20 20 20 media address ipv4 21 21 21 21 The following example illustrates a user trying to change the remote address and receiving an error message Router configure terminal Enter configuration commands one per line End with CNTL Z Router config sbc mySbc dbe Router config sbc db
6. Chapter1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview HI General Overview The SBC functions break down into two logically distinct areas as follows The signaling border element SBE function SBEs may support functions that include interworking between various signaling protocols such as H 323 and Session Initiation Protocol SIP call admission control advanced routing policy management network attack detection or call billing using RADIUS or DIAMETER As part of the call admission control function an SBE informs the data border element DBE of the various quality of service QoS and Network Address and Port Translation NAPT requirements for the call An SBE typically controls one or more media gateways An SBE may be known as a media gateway controller MGC The data border element DBE controls access of media packets to the network provides differentiated services and quality of service QoS for different media streams and prevents service theft The DBE consists of a set of data path functions and responds to the requests made by the SBE to open pinholes taking into account the specified Network Address Translation NAT firewall traversal and QoS requirements The Integrated Session Border Controller implements the DBE function on the Cisco ASR 1000 Series Aggregation Services Routers A table of DBE supported features is listed in Table 1 1 on page 1 4 Figure 1 1 shows an
7. Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 7 8 OL 15421 01 _ Chapter 7 H 248 Services Signaling and Control Nine Tier Termination Name Hierarchy W Displaying the Nine Tier Termination Name Hierarchy Example This section provides an example of the reported fields for the show command displaying the nine tier termination name hierarchy abe voice gn 0 1 0 1 ac 3 The entry Media flowing Yes either means that media has been observed flowing on the call within media timeout period or the call has failed over within the last media timeout period and Integrated SBC has not yet had a chance to observe whether media is flowing or not The statistics starting with Rtp are maintained and collected in real time when the command is issued Endpoint statistics beginning with Endpoint are collected from RTCP packets transmitted by endpoints and are updated as and when these RTCP packets are received Not all endpoints report RTCP endpoint statistics Not all endpoints that report RTCP statistics report all the fields shown The following example shows detailed statistics from an IPv4 media flow collected on the DBE Router show sbc mySbc dbe media flow stats detail SBC Service mySbc Media Flow Context ID Stream ID 2 State of Media Flow Active Call Established Time 23 50 20 UTC Jun 21 2007 Flow Priority Routine Side A Nam
8. Reference Cisco IOS Two Rate Three Color Policing control dscp Chapter 5 Quality of XE Release and Marking marker dscp Service and Bandwidth 2 0 pdr coefficient Management show sbc dbe forwarder stats Deployment of the Integrated Session Border Controller Deployment of the DBE function on the Cisco ASR 1000 Series Routers integrates a subset of the Integrated Session Border Controller feature set with Cisco IOS XE software A likely deployment scenario is that typical routing and broadband features are configured on the Cisco ASR 1000 Series Routers serving as the DBE operating with an external SBE The Integrated Session Border Controller functionality on the Cisco ASR 1000 Series Routers will eventually comprise both DBE and SBE functions with DBE being the first to be deployed DBE deployment of the SBC feature set is an optional feature supported on the Cisco ASR 1000 Series Routers DBE deployment on the Cisco ASR 1000 Series Routers does not include SBE support and no SBE related CLIs are implemented In the deployed distributed model the SBE and the DBE entities reside on different network elements and the DBE is controlled by one SBE at any one time The SBE interacts with the DBE using the H 248 Megaco media gateway controller protocol The SBE controls the DBE via the H 248 interface In this model the bearer or media flow always flows through the DBE and the SBE participates only in the signaling flow Th
9. Router config sbc dbe activate Initiates the DBE service of the SBC Step 22 end Example Router config sbc dbe end Exits SBC DBE configuration mode and returns to privileged EXEC mode What To Do Next See the Configuring H 248 Logging Level section on page 2 6 if you want to set console logging other than default logging and turn on H 248 logging messages See Chapter 4 Configuring Media Address Pools for information on what to configure next on the DBE Examples The DBE does not always attach or detach from its controller immediately You can use the show sbc dbe controllers command to display status information on whether the controller is attached or detached The following example uses the show sbc dbe controllers command to display status information showing that the vDBE with a location ID of 1 on an SBC called mySbc is attached to its controller Router show sbc mySbc dbe controllers SBC Service mySbc vDBE in DBE location 1 Media gateway controller in use H 248 controller address 210 229 108 252 2944 Status Sent Requests 1 Replies 6 Attached Received Failed Retried 6 0 0 1 0 0 Configured controllers H 248 controller 1 Remote address Transport Troubleshooting Tips 210 229 108 252 2944 using default port UDP Use this troubleshooting tip when you receive a Bad getbuffer log message Problem You receive a Bad getbuffer lo
10. SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to Increase Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or Website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0804R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 2008 Cisco Systems Inc All rights reserved CONTENTS Preface ix Document Revision History ix Objectives ix Intended Audience x Organization x Related Documentation xi Cisco ASR 1000 Series Router Documentation i xi Cisco IOS Release 12 2SR Software Publications xi Document Conventions xi Obtaining Documentation and Submitting a Service Request xiii cHapTer L Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview 1 1 Contents 1 1 General Overview 1 1 Distributed and Unified Models 1 2 Sup
11. flow being supported by IPv6 No NAPT TCP with latching Another method assumes that all flows of RTSP are delivered over TCP connections that are initiated by the client side Each flow of RTP for video RTCP for video and RTP for FEC is delivered over each corresponding user datagram protocol UDP connection In addition when RTCP for FEC is used it is delivered over a separate UDP connection This method includes the following features The RTCP port number is always RTP port 1 This is done by the SBE instructing the DBE to set the Real time Transport Protocol RTP Specific Behavior rsb property of the Gate Management package to rsb ON at assignment of the RTCP port number The SBE assigns the RTP and FEC port numbers because the media flow support is IPv6 No NAPT oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers g Chapter7 H 248 Services Signaling and Control Hs Video on Demand VOD Support Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 7 16 OL 15421 01 Contents CHAPTER Integrated Session Border Controller Security Integrated Session Border Controller SBC for the Cisco ASR 1000 Series Routers offers high security functions Enterprise users want to protect their network and service providers want to protect the
12. negotiation auto no keepalive no cdp enable end Subsequently when GigabitEthernet interface 1 changes status a service change with a wildcarded termination ID is reported to the SBE where 1 is the physical interface id in tier 5 of the nine tier termination ID and the SBE is able to associate status changes on GigabitEthernet interface 1 with a pinhole x x 1 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E Chapter7 H 248 Services Signaling and Control Mi T MAX Timer T M AX Timer The T MAX timer is a timer that limits the maximum delay of retransmissions by the H 248 stack on a data border element DBE when sending messages to the media gateway controller MGC over an unreliable transport media such as the User Datagram Protocol UDP Related Commands The tmax timer command configures the value of the T MAX timer The tsc Delay Timer The tsc delay timer is a timer used to delay entry into the tsc quiesce state Delaying entry into the tsc quiesce state delays closing all the signaling pinholes gracefully and delaying a TerminationState of OutOfService where the tsc gtd property is set to ON The tsc delay timer is started when an H 248 Subtract command deletes the final termination from a context that does not have the tsc gtd property set to ON This delay provides a window during which cl
13. 248 Traffic Management Package Support 6 6 H 248 1v3 Support 6 6 DBE Restrictions 6 6 Related Commands 6 6 H 248 VLAN Package Syntax Level Support 6 6 DBE Restrictions 6 6 Related Commands 6 7 MGC Controlled Gateway Wide Properties 6 7 DBE Restrictions 6 7 CHAPTER 7 H 248 Services Signaling and Control 7 1 Contents 7 1 DBE Signaling Pinhole Support 7 2 DBE Restrictions 7 2 Extension to H 248 Audit Support 7 3 DBE Restrictions 7 3 Extension to H 248 Termination Wildcarding Support 7 3 DBE Restrictions 7 3 Flexible Address Prefix Provisioning 7 4 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Contents W E Contents DBE Restrictions 7 5 Local Source Properties Address and Port 7 5 Locally Hairpinned Sessions 7 5 Twice NAPT Pinhole Hairpinning 7 5 No NAPT Pinhole Hairpinning 7 5 DBE Restrictions 7 6 M GC Specified Local Addresses or Ports 7 6 DBE Restrictions 7 7 Multi Stream Terminations 7 7 DBE Restrictions 7 7 Nine Tier Termination Name Hierarchy 7 7 Restrictions for Nine Tier Termination Name Hierarchy 7 7 Information About Nine Tier Termination Name Hierarchy 7 8 Displaying the Nine Tier Termination Name Hierarchy 7 8 Displaying the Nine Tier Termination Name Hierarchy Example 7 9 Optional Local and Remote Descriptors 7 10 DBE Restrictions 7 10 Remote Source Address Mask Filtering 7 11 RTP Specific Behav
14. A string is a nonquoted set of characters shown in italics For example when setting an SNMP community string to public do not use quotation marks around the string or the string will include the quotation marks Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E Preface A Command syntax descriptions use the following conventions Convention Description bold Bold text indicates commands and keywords that you enter exactly as shown italics Italic text indicates arguments for which you supply values x Square brackets enclose an optional element keyword or argument A vertical line indicates a choice within an optional or required set of keywords or arguments xl y Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice xl y Braces enclosing keywords or arguments separated by a vertical line indicate a required choice Nested sets of square brackets or braces indicate optional or required choices within optional or required elements For example Convention Description x y1z Braces and a vertical line within square brackets indicate a required choice within an optional element Examples use the following conventions Convention Description screen Examples of information displayed on the screen are set
15. After that SBC performs packet processing and updating The packet is forwarded out of the specified interface IPv6 packet forwarding works in the same way as IPv4 packet forwarding except for a few differences in the IP header processing Single NAPT for signaling means that packets arriving from an endpoint are addressed to an SBC media address When they are passed to the media gateway controller MGC also know as an SBE the packets need to keep the endpoint s source IP address and port number Therefore only destination addresses and ports are translated in Single NAPT When the MGC SBE sends a reply back to the endpoint the Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter9 Topology Hiding IPv6 Pinholes IPv6 Support packet has the endpoint s IP address as the destination address and the MGC SBE IP address as the source address In Single NAPT the DBE changes the source address to use the DBE IP address See the IPv6 Single NAPT for Signaling section on page 9 7 No NAPT means the received SBC packets do not contain any DBE local addresses because the DBE does not translate any IP addresses and ports during packet forwarding The DBE rewrites neither the source nor destination addresses and ports in both directions See the IPv6 No NAPT Support for Media Flows section on page 9 6 DBE support of IPv6 p
16. Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers checksum accordingly OL 15421 01 E Chapter5 Quality of Service and Bandwidth Management HE QoS Bandwidth Allocation QoS Bandwidth Allocation The DBE supports QoS bandwidth allocation The DBE has the ability to limit excess traffic beyond the allocated bandwidth by performing session based policing For information on the different types of policing performed by the DBE see the H 248 Traffic Management Package Support section on page 5 1 the RTCP Policing section on page 5 4 and the Two Rate Three Color Policing and Marking section on page 5 5 RTCP Policing An SBC session may be of two types media or signaling The media portion of the call comprises the Real time Transport Protocol RTP stream and optionally a Real time Control Protocol RTCP stream Calls typically have both a RTP and RTCP stream Each session may be subject to policing RTCP sessions are not explicitly configured using the H 248 protocol and therefore cannot have their policing parameters set Instead the policing parameters for RTCP sessions are derived from the corresponding RTCP flows depending on the usage of the ETSI TS 102 333 Traffic Management Tman package For more information on the Tman package see the H 248 Traffic Management Package Support section on page 5 1 RTCP Policing Using Tman Package The H 248 Tman
17. DBE s local media address and port 2001 88 8 2028 for this pinhole User side A only knows the DBE s local address and port 2001 88 8 2028 The source IP address is within the specified gm rsam so the DBE matches this packet to the flow The DBE applies QoS policing and forwards the packet to the MGC user side B without rewriting the source IP address and port Under Single NAPT processing the DBE changes the destination address and port to 2001 11 11 5060 on the MGC side B by replacing 2001 88 8 2028 with side B s address and port from the remote descriptor on side B The MGC side B does not know about the 2001 88 8 2028 address and port on the DBE After the DBE performs latching the source address and port from side A becomes in effect the destination address and port in step 3 and step 4 for side B The MGC side B sends a packet to user side A with the destination address and port 2001 10 10 5060 copied from the source IP address and port of the packet it just received that is the address and port of side A The DBE has intercepted the packet and matched it to the side B flow The DBE applies QoS policing and forwards the packet to side A without rewriting the destination IP address and port 2001 10 10 5060 However under Single NAPT processing the DBE rewrites the source IP address and port 2001 11 11 5060 to be 2001 88 8 2028 which is the local address and port of the side A flow DBE Restrictions The follo
18. Examples page 2 9 Cisco H 248 Profile page 2 14 Prerequisites for Integrated Session Border Controller When running SBC with 500 or more active calls ensure you configure the huge buffer size to 65535 bytes with the buffer huge size 65535 command The increased buffer size is required because by default Cisco IOS software sets the huge buffer size to be 18084 bytes which is not large enough for H 248 audit responses when there are more than 500 active calls Restrictions for Integrated Session Border Controller The following are not supported by the SBC function on the Cisco ASR 1000 Series Routers Signaling Border Element SBE function and SBE CLIs Virtual Routing and Forwarding VRF and VRF Lite Digital signal processing DSP Network management system NMS configuration Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 EN Chapter 2 Configuring Integrated Session Border Controller HI Configuring Integrated Session Border Controller DBE Deployment Transcoding e SBC virtual interface does not support any existing Cisco IOS features Configuring Integrated Session Border Controller DBE Deployment This section contains steps to configure a typical DBE on the Cisco ASR 1000 Series Routers Prerequisites When running SBC with 500 or more active calls configure the huge buffer size to 65535 bytes with
19. Ginfo None Chapter 6 H 248 XE Release Package Becomes Optional Packages Signaling 2 0 and Control Cisco IOS H 248 Network Package Quality h248 media alert event Chapter 11 Quality XE Release Alert Event and Middlebox Monitoring and 2 0 Pinhole Timer Expired Event Statistics Gathering Cisco IOS H 248 Segmentation Package package segment Chapter 6 H 248 XE Release Support max pdu size Packages Signaling 2 0 package segment and Control seg timer value show sbc dbe controllers Cisco IOS H 248 Session Failure Reaction None Chapter 6 H 248 XE Release Package Packages Signaling 2 0 and Control Cisco IOS H 248 Termination State Control show sbc dbe Chapter 6 H 248 XE Release Package media flow stats Packages Signaling 2 0 show sbedhe and Control signaling flow stats Cisco IOS H 248 Traffic Management None Chapter 5 Quality of XE Release Package Support Service and Bandwidth 2 0 Management Cisco IOS H 248 VLAN Package show sbc dbe Chapter 6 H 248 XE Release Syntax Level Support media flow stats Packages Signaling 2 0 show sbedb and Control signaling flow stats Cisco IOS H 248 1v3 Support h248 version Chapter 6 H 248 XE Release Packages Signaling 2 0 and Control oL 15421 01 Chapter 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview HI Supported Integrated Session Border Controller Features
20. IP MPLS Network es ows E ajay E Managed Enterprise Residential Broadband Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 19 Chapter1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview HI integrated Session Border Controller DBE Deployment Scenario Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 1 10 OL 15421 01 CHAPTER Configuring Integrated Session Border Controller This chapter describes fundamental configuration tasks required for typical data border element DBE deployment of the Integrated Session Border Controller SBC The Cisco ASR 1000 Series Aggregation Services Router serves as the DBE The DBE operates with a Signaling Border Element SBE also called a media gateway controller MGC For a complete description of commands used in this chapter refer to the Cisco IOS Integrated Session Border Controller Command Reference Contents Prerequisites for Integrated Session Border Controller page 2 1 Restrictions for Integrated Session Border Controller page 2 1 Configuring Integrated Session Border Controller DBE Deployment page 2 2 Configuring H 248 Logging Level page 2 6 Configuration
21. Out Of Service Interface shutdown or interface online insertion and removal OIR The ServiceChange Notification for Interface Status Change feature has the following restrictions and conditions amp It is only supported on EtherChannel gigabit EtherChannel and fast EtherChannel and on all Ethernet interfaces EtherChannel may also be called port channel The sbc interface id command cannot be configured on VLAN subinterfaces or any subinterfaces When a ServiceChange notification is sent the termination ID is always reported wildcarded It is generated well before the Media Timeout event which has a 30 seconds default If an interface configured with the sbc interface id command goes down the affected terminations are marked Out Of Service If the DBE then receives an H 248 ADD or MODIFY request that moves one of these affected terminations In Service although the interface is marked down the ADD or MODIFY request is not rejected The request can move the termination state to in service even though the interface cannot accept any packets until it goes up When the interface changes status to either up or down the MG reports a service change with the affected termination IDs to the SBE Note The ServiceChange procedure is described in H 248 1v3 Annex F Configuring the ServiceChange Notification for Interface Status Change This section contains steps to configure the ServiceChange Notification f
22. RPR plus 10 3 RPR redundancy 10 2 rsam property 7 4 RTCP 5 4 policing 5 4 RTP 3 1 5 4 RTP specific behavior support 7 11 S SBE 1 2 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers IN 4 OL 15421 01 SDP 5 2 sdr property 5 2 security SBC 8 1 firewall 8 2 H 248 address reporting package 8 2 H 248 session failure reaction package 8 2 H 248 termination state control package 8 2 interim authentication header 8 3 local source properties address and port 8 4 NAPT and NAT traversal 8 5 remote source address mask filtering 8 5 topology hiding 8 5 8 6 traffic management policing 8 6 two rate three color policing and marking 8 6 segmentation package 6 2 ServiceChange notification for interface status change 11 6 session description protocol 5 2 session failure reaction package 6 3 8 2 Session Initiation Protocol 1 2 3 1 sfr package 6 3 signaling flow 9 5 9 7 signaling function 1 2 signaling packets 7 1 silent gate deletion 11 4 single NAPT illustration 9 8 SIP 1 2 3 1 software redundancy 10 2 SSO 10 3 standby RP 10 2 10 3 standby SBC module 10 2 stateful switchover 10 3 statistics gathering 11 1 subnet 8 4 sustainable data rate 5 2 switchover 10 2 synchronization 10 3 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers Index T termi
23. Recovery RTCP Packets Sent RTCP Packets Received RTCP Packets Lost DIMF Interworking No Media Flowing Yes Unexpected SrcAddr Packets No Billing ID 000000000000000000000000000000000000000000000000 Media directions allowed sendrecv Optional Local and Remote Descriptors The media gateway controller MGC can specify one or more local and remote descriptors in a Modify command because the MGC does not always specify the descriptors in a single Add command A descriptor might be an address or port allocation or bandwidth reservation The DBE process for adding or modifying local and remote descriptors is as follows The DBE accepts Add or Modify commands for a termination with zero or one local descriptor and zero or one remote descriptor for each stream The DBE reserves resources for a pinhole when the first local descriptor for either side of the pinhole is specified This includes but is not necessarily limited to address and port allocation and bandwidth reservation If the DBE resource reservation fails then one of the following may occur Ifthe Ginfo package is in use and the Ginfo or gate_state is provisional then the gate is deleted and the Add or Modify request is returned with error 510 failure response code of insufficient resources The gate reverts to its previous state and the Add or Modify request is returned with error 510 failure response code of insufficient resources MGC del
24. See the procedures described in the Configuring Integrated Session Border Controller DBE Deployment section on page 2 2 Restrictions for Configuring M edia Address Pools The ending address must be greater than or equal to the starting address The minimum port must be numerically lower than the maximum port Port ranges may not overlap e Address ranges may not overlap Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 EN Chapter4 Media Address Pools HZ Information About Media Address Pools Address ranges and single addresses may not overlap e Where arange of addresses is defined in a single command the addresses will share any port ranges assigned If there is a requirement to have different port ranges for different media addresses then the addresses must be configured separately e Media addresses and port ranges may only be deleted before the DBE is activated After DBE activation the DBE must be deactivated in order to delete addresses and port ranges Information About M edia Address Pools A media address is one of a pool of IP addresses on the DBE that is used for media relay functionality Addresses assigned by the media pool are the destination addresses used by packets that arrive at the DBE After you have configured a local media address or port range the media address or port range cannot be m
25. Session Border Controller Cisco IOS Media Address Pools media address pool ipv4 Chapter 4 Media XE Release i Address Pools 20 media address pool ipv6 port range Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers ie E OL 15421 01 Chapter 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers Supported Integrated Session Border Controller Features i Chapter Where Release Feature Name Related SBC Commands Documented Cisco IOS MGC Controlled Gateway Wide None Chapter 6 H 248 XE Release Properties Packages Signaling 2 0 and Control Cisco IOS MGC Specified Local Addresses None Chapter 7 H 248 XE Release or Ports Services Signaling 2 0 and Control Cisco IOS Multi Stream Terminations None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS NAPT and NAT Traversal None Chapter 8 Integrated XE Release Session Border 2 0 Controller Security Cisco IOS Nine Tier Termination Name None Chapter 7 H 248 XE Release Hierarchy Services Signaling 2 0 and Control Cisco IOS Optional Local and Remote None Chapter 7 H 248 XE Release _ Descripto
26. Table 2 3 Optional Packages Package Name Package ID Version Support Dependent On Enhanced Root eroot N A Proprietary package Enhanced Traffic Management etman 1 Gate Information ginfo 1 Gate Recovery Information gri 1 Generic g 1 IP NAPT Traversal ipnapt 1 Media Gateway Overload Control ocp 1 Segmentation seg 1 Applicable for UDP transport where sufficiently large messages are required to be supported Session Failure Reaction sfr 1 Termination State Control tsc 1 m Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Contents CHAPTER DTMF Interw orking This chapter describes the importance and function of dual tone multifrequency DTMF interworking between various signaling types and how DTMF is supported on the Integrated Session Border Controller For a complete description of commands used in this chapter refer to the Cisco IOS Integrated Session Border Controller Command Reference Information About DTMF Interworking page 3 1 RTP to SIP Interworking page 3 2 SIP to RTP Interworking page 3 2 Configuring Default Duration of a DTMF Event page 3 2 Information About DTM F Interw orking One of the features of the Integrated Session Border Controller is the ability to interwork between the various dual tone multifrequency DTMF signaling types DTMF interworking is used when the two en
27. and Latch and Relatch Support The IP NAPT Traversal Package and Latch and Relatch Support functions are described in Chapter 8 Integrated Session Border Controller Security IPv4 Twice NAPT The DBE successfully forwards media through Twice Network Address and Port Translation NAPT pinholes that form coupled pairs For Twice NAPT hairpinning the DBE forwards media on demand The SBE sees no differences between Twice NAPT hairpins and Twice NAPT non hairpins When forwarding media a hairpinned pair behaves the way two separate pinholes behave except that a packet going through a coupled pair has its IP Time to Live counter decremented only once not twice D Note Twice NAPT is only supported on IPv4 IPv6 Inter Subscriber Blocking Inter subscriber blocking prevents a subscriber from connecting to other subscribers without first going through a successful signaling call setup process and having a termination established for the stream When the SBC DBE is implemented in the IPv4 environment the DBE supports Twice NAPT which has well defined local media IP addresses or IP address pools In the IPv4 environment the DBE drops all SBC traffic destined for SBC local media IP addresses if there is no in service termination successfully retrieved However in the IPv6 environment the SBC DBE only supports No NAPT for media pinholes which unlike Twice NAPT does not have well defined local media IP addresses or IP address
28. call agent in case of failure or administrative shutdown of MGC and MG communication The sfr package includes the following functionality The specifications on signaling pinholes termination ID structure and validation of termination name from the Termination State Control tsc package also apply to the sfr package The deactivation timer is started when the H 248 association between the MGC and MG is lost The deactivation timer is cancelled if an association is regained e Media timeout is always enabled when the H 248 association is down OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter6 H 248 Packages Signaling and Control W sH 248 Termination State Control Package The values of the sfr td sfr db sfr aa and sfr dt properties are reported to the MGC in Audit responses DBE Restrictions The following are restrictions of DBE support for the sfr package Terminations can be associated by context but not by VLAN because the VLAN value of the sfr aa property is not supported If a request includes the VLAN value the request is rejected with error 501 Not Implemented Properties in the sfr package cannot be manipulated by a wildcard Modify command Ifatermination belongs to multiple streams the sfr properties must be set consistently in all streams amp Note See the Multi Serv
29. chosen to be internal The other termination is chosen accordingly from the other pinhole If the termination with remote address A on one pinhole is internal then the termination with local address A on the other pinhole is also internal The DBE does not support choosing internal terminations based on termination names For No NAPT coupled pairs any Network Address Translation NAT latching requests are duplicated For example if a termination with remote address A in one pinhole requests NAT latching then the termination with remote address A in the other pinhole must also request NAT latching The request NAT latching can be done using the ipnapt latch H 248 signal Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter9 Topology Hiding HE No NAPT Pinholes A hairpin of two pinholes in which both external terminations are provisioned with the NAT latching instruction cannot latch and cannot forward media No NAPT pinholes are not allowed to re latch to the remote addresses on both sides IPv6 hairpinning are supported on UDP and TCP Coupling of Single NAPT pinholes is not supported Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 9 10 OL 15421 01 Contents CHAPTER High Availability Support This chapt
30. config sbc dbe vdbe local port 2946 lt Make change to local port Router config sbc dbe vdbe controller h248 1 Router config sbc dbe vdbe h248 remote address ipv4 172 25 2 243 lt Reconfigure Router config sbc dbe vdbe h248 remote port 2946 lt Reconfigure Router config sbc dbe vdbe h248 transport udp lt Reconfigure Router config sbc dbe vdbe h248 exit Router config sbc dbe vdbe attach controllers lt Re attach controller Router config sbc dbe vdbe exit Router config sbc dbe activate lt Reactivate the DBE Router config sbc dbe end The following example shows the modified running SBC configuration sbc mySbc dbe vdbe global local port 2946 control address h248 ipv4 172 25 2 26 controller h248 1 remote address ipv4 172 25 2 243 remote port 2946 transport udp attach controllers activate location id 1 media address ipv4 20 20 20 20 media address ipv4 21 21 21 21 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller Configuration Examples W Making Changes to Individual Controller Settings Example You want to change an individual setting configured on a controller and that controller is already configured Individual controller specific settings include any one of the following remote address
31. illegal combination of actions for any programming containing other fields and programming that sets the tman pol flag but only specifies one of the tman sdr or tman mbs values Table 5 1 describes the asymmetric flow policing behavior of the two sides of a gate based on whether the tman pol property is specified as ON OFF or Absent Each side of the gate behaves independently of the other side The Access Side might be the subscriber side to the DBE and the backbone side might be the network core to the DBE Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 5 Quality of Service and Bandwidth Management DSCP Marking and IP Precedence Marking W Table 5 1 Asymmetric Flow Policing Independent Behavior of Signaling and Media Flows on Two Sides of a Media Gateway Access Side AC tman pol Absent ON OFF Property Absent Signaling No policing Signaling Policing per Tman Signaling No policing on AC and Media Policing per SDP parameters on AC and no policing BB on BB Media No policing on AC and Media Policing per Tman policing per SDP on BB Back parameters on AC and per SDP on Bone BB Side ON Signaling Policing per Tman Signaling Policing per Tman Signaling No policing on AC and BB parameters on BB and no parameters on AC and on BB policing per Tman parameters on policing on AC independently BB Media P
32. in Audit responses This feature allows the MGC to program multiple terminations with the same local address and port VPN ID and transport protocol as long as the multiple terminations are distinguished by their remote source address mask and the local address is taken from an MGC managed address range This feature supports a single local address for each phone where each phone transmits media using a single pinhole This means several signaling flows or pinholes can have the same address and port 1 ETSI TS 102 333 version 1 1 2 Gate Management Package OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter8 Integrated Session Border Controller Security Topology Hiding Packets arriving at the SBC are classified into flows using the following data VPN ID destination address destination port protocol type and source address The source address is only required to match a remote source address mask rather than a specific remote address DBE Restrictions The following are restrictions of data border element DBE support for this feature Ifthe remote source address mask is specified for a termination then it must contain the address in the remote descriptor unless NAT latching techniques are used However if you want more than one flow on the same local address or port then the local address must be MGC managed
33. in Courier font bold screen Examples of text that you must enter are set in Courier bold font lt gt Angle brackets enclose text that is not printed to the screen such as passwords An exclamation point at the beginning of a line indicates a comment line Ex clamation points are also displayed by the Cisco IOS software for certain pro cesses Square brackets enclose default responses to system prompts The following conventions are used to attract the attention of the reader Caution amp Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Note Means reader take note Notes contain helpful suggestions or references to materials that may not be contained in this manual Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Preface je Tip Means the following information will help you solve a problem The tips information might not be troubleshooting or even an action but could be useful information similar to a Timesaver Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco techn
34. new field napt_variant in the bcaGalEntTable MIB table If this field is set to H 248 37 then NAPT support can be requested by the media gateway controller MGC using the H 248 37 IP NAPT Traversal package In other words the MGC can request that the DBE wait for the first inbound media packet and latch onto it The DBE learns the remote address and port for the flow from that packet The MGC can request latching or relatching using the H 248 signal Latch and Relatch Support The DBE supports Latch and full Relatch support The Latch and Relatch signals control how the DBE learns remote addresses Latch and Relatch are commands from the media gateway controller MGC Latch is an event that occurs on a flow when certain packets arrive and are matched to that flow This event changes the admission criteria for a flow The ITU T H 248 37 standard describes the ipnapt latch signal with the napt parameter The napt parameter has the values OFF LATCH and RELATCH When the LATCH value is set the DBE ignores the addresses received in the RemoteDescriptor Instead the DBE uses the source address and source port from the incoming media streams to be the destination address and destination port of the outgoing streams The RELATCH value is similar to the LATCH value except that when the DBE detects a change of source IP address and port on the incoming media stream then the new source IP address and port are used as the destination addr
35. of H 248 event notification Previously event notification was subject to the following limitations If an H 248 event notification request from the DBE went unacknowledged by the MGC then details of that event were lost and the MG and MGC states could diverge as a result There is no current H 248 mechanism by which historical event information can be relearned by the MGC Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 11 Quality Monitoring and Statistics Gathering Enhanced Event Notification and Auditing W Ifthe DBE switched to a new MGC for some reason the new MGC had no means to learn what events had occurred on the streams and terminations programmed on the DBE This behavior was particularly problematic for the nt qualert and emp phtoexp events which are used to indicate that media has ceased flowing on a particular stream and can trigger the MGC to delete the context once all streams within the context reported either of these events Ifan event notification failed and the event being notified was not the inactivity timer event it ito then the DBE did not reset the H 248 association with the MGC As a result the MGC could be unaware that it had failed to process some events Silent gate deletion could occur because the DBE would delete contexts when all streams within the context had received media dow
36. one for RTP packets one for RTCP packets Mono media sessions require two bi directional streams while a multimedia session with voice and video traffic would require four streams Setting the property value to OFF overrides the default DBE behavior in the following ways The DBE does not open the RTCP port for the given RTP flow However the RTCP port is not available for use by other flows The DBE does not reserve additional resources equal to 5 percent of those required for the RTP flow for processing the RTCP stream DBE Restrictions The following is a restriction of DBE support for this feature Enabling or disabling this property value is only valid for RTP flows It is ignored for other types of flows ServiceChange Notification for Interface Status Change This feature enables the media gateway MG to generate a ServiceChange H 248 notification to the media gateway controller MGC containing the termination ID of the physical interface on the data border element DBE when the interface experiences status changes The termination ID is a nine tier namestring associated with a pinhole or pair of terminations and it contains a physical interface id supplied by the user For example the MG notifies the MGC when a group of terminations is taken out of service link down or returned to service link up Although notification of interface status changes can be obtained via SNMP this feature provides a more reliable
37. package is used to set the sustained data rate tman sdr and the policing tman pol properties on the RTCP session The RTCP session derives its policing rate from the H 248 Tman package as follows When the sustained data rate tman sdr has been defined in bytes per second the RTCP rate limiting is 5 percent of the sustained data rate sdr However if the RTCP rate obtained by taking 5 percent of the sustained data rate is below 208 bytes per second then a minimum RTCP rate of 208 is used instead There is no associated warning for this action amp Note When the policing tman pol has been set to OFF the RTOP session is not rate limited RTCP Policing Not Using Tman Package RTCP policing can be implemented by not setting any of the properties of the H 248 Tman package When the tman sdr property is not specified the RTCP rate limiting is set at 5 percent of the codec for the RTP stream Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 5 4 OL 15421 01 Chapter5 Quality of Service and Bandwidth Management Two Rate Three Color Policing and Marking Ml Tw o Rate Three Color Policing and Marking Traffic policing is a traffic regulation mechanism that is used to limit the rate of traffic streams Policing allows you to control the maximum rate of traffic sent or received on an interface When the traffic rate exceeds the co
38. sbc dbe end Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers oL 15421 01 EEN Chapter4 Media Address Pools HI Configuring Media Address Pools Example Command or Action Purpose Step 8 show sbc sbc name dbe addresses Example Router show sbc mySbc dbe addresses Lists the media addresses and H 248 control addresses configured on DBEs Step 9 show sbc sbc name dbe media flow stats ipv4 A B C D port port number Example Router show sbc mySbc dbe media flow stats ipv4 10 0 1 1 port 20000 Displays the statistics about one or more media flows collected on the DBE and shows as an example the following reported fields e A B C D Optional Only displays media flows to and from this IPv4 media address port number Optional Only displays media flows to and from this port The RTCP packet statistics are collected from RTCP packets transmitted by endpoints and are updated when the RTCP packets are received Configuring Media Address Pools Example This section provides a sample configuration for media address pools The following sample script adds a single address 10 10 10 1 and two ranges of addresses 10 10 11 1 through 10 10 11 10 and 10 10 11 21 through 10 10 11 30 to the default media address pool Two port ranges are configured on the single address The first port range is for voice traffic a
39. send oaoa jooon jooo0 m 2001 recv 10310 17002 2001 11 11 2 User Side A recv send send 8988 2001 recv DBE 10 10 17002 2001 11 11 28988 E zz recv send g User Side B a 1 User side A sends a packet from IP address and port 2001 10 10 17002 to destination address and port 2001 11 11 28988 on side B The DBE intercepts this packet and matches it to the side A flow 2 The DBE applies QoS policing and forwards the packet to endpoint B without changing the destination address to a DBE local media address as is done in Single NAPT Under No NAPT processing the DBE does not rewrite either source or destination IP addresses and ports 3 Side B sends a packet from IP address and port 2001 11 11 28988 to originating source address and port 2001 10 10 17002 The DBE intercepts this packet and matches it to the side B flow 4 The DBE applies QoS policing and forwards the packet to user side A without rewriting either source or destination IP addresses and ports IPv6 Single NAPT for Signaling Support of IPv6 signaling flows requires Single NAPT The DBE is able to translate IP addresses and port numbers in both directions of a flow However Single NAPT means only one IP address and port is translated In Single NAPT processing the flow on one side of the pinhole is programmed with a local address and port that do not belong
40. set the termination to InService When tsc quiesce takes effect the gtd property is left as is which means that the termination requiesces the next time all associated terminations are subtracted Wildcard Subtracts on media terminations in multiple contexts result in multiple Deactivation Completed events to the MGC Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 6 4 OL 15421 01 Chapter6 H 248 Packages Signaling and Control H 248 Termination State Control Package Mi The tsc gtd and tsc ata properties and the tsc dc event if subscribed for are reported to the MGC in Audit responses The tsc suspend Feature The tsc suspend feature includes the following functionality Termination association by context or VLAN is not relevant to tsc suspend The trt property may be set to ON only when changing a termination to OutOfService Modification of trt can cause the following error cases trt set to ON and ServiceState set to InService trt set to ON and ServiceState is not supplied in which case it defaults to InService In each case the transaction is failed with error 421 Unknown action or illegal combination of actions This policing occurs before any other processing or checking The MG ignores cases where the termination is already OutOfService when trt is set to ON If the recovery timer is runnin
41. the Integrated Session Border Controller software specific to these routers For information on general Cisco IOS software features that are also available on the Cisco ASR 1000 Series Routers see the feature module or the technology guide for that software feature Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 ix Preface Intended Audience This document is intended for the following people Experienced service provider administrators Cisco telecommunications management engineers Customers who use and manage Cisco ASR 1000 Series Routers Organization This document contains the following chapters Chapter Title Description 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview Describes general architecture list of supported features and deployment scenario Configuring Integrated Session Border Controller Describes configuration tasks for data border element DBE functionality prerequisites restrictions configuration examples and the Cisco H 248 profile DTMF Interworking Describes support of dual tone multifrequency DTMF to interwork between two end points that do not use the same way of relaying DTMF tones Media Address Pools Describes how to configure the DBE address by address pool with or without port range and define class of se
42. the same local address and port are required to have the same gm rsam length Terminations with different local addresses or ports can have different gm rsam lengths A gm rsam having the same mask length allows multiple terminations to share a single local address and port combination with the requirement that the terminations are configured with gm rsams that are distinct This enables the media gateway controller MGC to identify and match the terminations to the correct flow For more information about Local Source Address and Local Source Port properties see the ETSI TS 102 333 V1 1 2 Gate Mangement Package Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 8 4 OL 15421 01 _Chapter 8 Integrated Session Border Controller Security NAPT and NAT Traversal W amp Note A termination can be described as a point of entry or exit of media flows relative to the DBE Terminations may share a single local address and port under one or the other of the following conditions Terminations have an MGC managed local address in which case they must be specified with a proper gm sam Terminations are specified with a gm sam and the address is non local that is the pinhole is No NAPT or the termination is the one that is the unwritten flow of a Single NAPT pinhole This enhancement supports the following functionality e Call signal
43. the stream on which they occurred is deleted The h248 association timeout command configures the DBE to reset associations with a SBE when the controller does not respond to an event notification The h248 preserve gates command configures the DBE to preserve the media terminations or contexts when there is a media timeout while the association with the controller is down Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 11 4 OL 15421 01 Chapter 11 Quality Monitoring and Statistics Gathering H 248 Netw ork Package Quality Alert Event and Middlebox Pinhole Timer Expired Event E H 248 Netw ork Package Quality Alert Event and M iddlebox Pinhole Timer Expired Event When the DBE detects media loss media has stopped flowing and a call is not on hold the DBE may issue one or more H 248 Megaco events to the media gateway controller MGC a Network nt package Quality Alert qualert event a Middlebox Pinhole Timer Expired event or both events Netw ork Package Quality Alert Event The DBE will return a Network nt package Quality Alert qualert event when media loss is detected if the media gateway controller MGC requests it When the MGC requests an nt qualert event it specifies a Threshold parameter value based on a percentage of network quality loss Although the DBE accepts any valid value 0 through 99 for this parameter only a valu
44. the termination ID structure The following H 248 sub series transports are supported by the profile e Supported transports TCP or UDP Segmentation supported UDP Optional Use of the Interim Authentication Header defined in H 248 1v2 is optional within this profile Profile Packages This section specifies the packages that are supported in this profile Mandatory packages are packages that are supported in the profile Optional packages are packages that may be supported in the profile Table 2 2 shows the mandatory packages supported by the Cisco profile Table 2 2 Mandatory Packages Package Name Package ID Version Base Root root 2 Congestion Handling chp 1 DTMF Detection dd 1 DTMF Generation dg 1 Diffserv ds 1 Extended VPN Discrimination evpnd 1 Inactivity Timer it 1 Middlebox or EMP emp 1 NAT Traversal ntr 1 Network nt 1 RTP rtp 1 Traffic Management tman 1 Table 2 3 shows the optional packages supported by the Cisco profile Table 2 3 Optional Packages Package Name Package ID Version Support Dependent On Address Reporting adr 1 Extension to ipnapt package End Point Statistics epstat 1 oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter 2 Configuring Integrated Session Border Controller HE Cisco H 248 Profile
45. this configuration is entered consistently Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter7 H 248 Services Signaling and Control Extension to H 248 Audit Support W Extension to H 248 Audit Support Extension to H 248 Audit Support adds support for DBE auditing of the Signals ObservedEvents and EventBuffer descriptors in any of the Add Modify Subtract or AuditValue commands at any time on both sides of a media flow DBE Restrictions The following are restrictions of DBE support for the Extension to H 248 Audit Support feature When a termination endpoint has latched the Signals ObservedEvents and EventBuffer descriptors are empty For information on latching see the IP NAPT Traversal Package and Latch and Relatch Support section on page 8 3 When a termination has not yet latched the Signals ObservedEvents and EventBuffer descriptors contain other descriptors for example the Signals descriptor can contain the descriptor for the ipnapt latch signal The DBE only supports the DTMF injection and the ipnapt latch signals However the DTMF injection signal is defined as a brief signal and thus is not present in the Signals descriptor The DBE does not support the lockstep mode of event reporting Therefore the ObservedEvents and EventBuffer descriptors will never contain events Extension
46. to H 248 Termination Wildcarding Support Extension to H 248 Termination Wildcarding Support adds support for partially wildcarded termination names which allows a single command to replace one or more elements of a termination name with the wildcard character The media gateway controller MGC can issue H 248 commands using wildcarding at any level of the Nine Tier Termination Name Hierarchy For example any of the following wildcarded termination names would be valid operator sip 0 1023 0 operator sip 0 1023 0 4094 0 1023 0 For more information on the Nine Tier Termination Name Hierachy feature see the Nine Tier Termination Name Hierarchy section on page 7 7 DBE Restrictions The following are restrictions of DBE support for the Extension to H 248 Termination Wildcarding Support feature H 248 commands supporting wildcarded termination names are limited to the Audit Value Modify of ServiceState and Subtract commands In the event that both the Termination ID and Context ID are wildcarded then the Modify and Subtract commands must include an empty Audit descriptor and must request a wildcarded response Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E Chapter7 H 248 Services Signaling and Control W Flexible Address Prefix Provisioning Partial wildcards which omi
47. to the SBC Instead that local address and port of the flow are specified by the MGC to match the remote address and port on the other side of the pinhole Thus incoming traffic downstream traffic of SIP server to access side is addressed directly to the remote endpoint and the SIP server details are hidden from subscribers Network topology must be used to route the downstream traffic through the DBE In one sense Single NAPT provides one way topology hiding SBC rewrites destination IP address and port for packets received from the user SBC does not rewrite source IP address and port of packets received from the user they are unchanged from the IP address and port of the source endpoint Correspondingly SBC rewrites the source IP address and port of packets received from the MGC but not the destination IP address or port oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers Chapter9 Topology Hiding Hi iPv6 Support Figure 9 2 illustrates a Single NAPT signaling flow through the DBE between user side A and user side B Figure 9 2 Single NAPT Signaling Flow recv send 2 A 10 10 5060 2001 88 8 2028 2001 10 10 5060 2001 11 11 5 a Jy a E D send recv 3 send a User Side A DBE User Side B amp User side A sends a packet from IP address and port 2001 10 10 5060 to the
48. to this package to negotiate the segmentation properties with MGC The DBE only supports sending of segmented messages the DBE does not support receiving of segmented messages from the MGC The DBE can send segmented messages only over UDP and can send segmented messages to H 248 1v3 MGCs only The DBE generates an error message when it receives segmented messages over Transmission Control Protocol TCP connections from MGCs The DBE sends unsegmented messages over TCP or UDP The maximum segment size is subject to the segmentation configuration and the maximum buffer size Related Commands The package segment max pdu size command is used to enable the Segmentation package and specify the maximum PDU size that UDP should use for H 248 control signaling The package is enabled by configuring the maximum PDU size to a value other than 0 A value of 0 disables the package By default the Segmentation package is disabled The show sbc dbe controllers command has been modified to include H 248 Segmentation statistics on the DBE H 248 Session Failure Reaction Package The Session Failure Reaction sfr package enables a media gateway controller MGC to instruct a media gateway MG to put a specified termination in the OutOfService state either gracefully or forcefully at the point where the H 248 association between them is lost Putting a termination in an OutOfService state is used to prevent signaling messages from reaching the
49. uses an H 248 version when it forms associations with an H 248 controller Example Version 2 is the default Router config sbc dbe vdbe h248 version 3 Step6 h248 napt package napt ntr Defines whether the DBE uses the Network Address and Port Translation NAPT or NAT Traversal NTR H 248 package for signaling NAT features NTR is the default Example Router config sbc dbe vdbe h248 napt package The example configures the DBE to use NAPT napt Step7 local port port num Configures the DBE to use the specific local port number when connecting to the default media gateway controller M Example Mae Router config sbc dbe vdbe local port 2971 Step8 control address h248 ipv4 A B C D Configures the DBE to use a specific IPv4 H 248 control address which is the local IP address the DBE uses as its own address when connecting to the SBE Example Router config sbc dbe vdbe control address h248 ipv4 200 50 1 41 Step9 logging level value Sets a specified logging level to generate detailed logs of H 248 messages sent and received Turns on console Example logging for the specified level and logs above that level Router config sbc dbe vdbe logging level 30 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 EN Chapter 2 Configuring Integrated Session Border Controller HI Configuring H 248 Logging Level Step 10 Step 11
50. well as signaling packets After the DBE creates media pinholes and defines the policy the DBE manages the media packets based on that policy The features in this chapter describe different H 248 services and controlling functions of the DBE For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference Contents DBE Signaling Pinhole Support page 7 2 Extension to H 248 Audit Support page 7 3 Extension to H 248 Termination Wildcarding Support page 7 3 Flexible Address Prefix Provisioning page 7 4 Local Source Properties Address and Port page 7 5 e Locally Hairpinned Sessions page 7 2 MGC Specified Local Addresses or Ports page 7 6 Multi Stream Terminations page 7 7 Nine Tier Termination Name Hierarchy page 7 7 Optional Local and Remote Descriptors page 7 10 e Remote Source Address Mask Filtering page 7 11 RTP Specific Behavior Support page 7 11 ServiceChange Notification for Interface Status Change page 7 11 T MAX Timer page 7 14 The tsc Delay Timer page 7 14 Video on Demand VOD Support page 7 6 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 o Chapter7 H 248 Services Signaling and Control W DBE Signaling Pinhole Support DBE Signaling Pinhole Support DBE Signaling Pinhole Support allows t
51. wildcard notation Multi tier prefixes can be less than nine tiers but must have the same depth Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E Chapter7 H 248 Services Signaling and Control W sNiine Tier Termination Name Hierarchy Information About Nine Tier Termination Name Hierarchy The MG assigns a channel ID that is unique across all terminations realized on the data border element DBE Using a unique channel ID ensures that the termination ID as a whole is unique across all terminations on the DBE If a multi tier prefix is not desired the MGC may use a Choose wildcard for the termination ID that is in which case the MG allocates a prefix in the form ip lt flow id gt The only element within the hierarchy which may contain the CHOOSE attribute in an ADD request from the MGC is the channel element which is the final element The full termination name is stored persistently The termination naming hierarchy is extended to include nine tiers and is defined as follows lt operator gt lt service gt lt subscriber class gt lt Reservedl gt lt physical interface id gt lt Reserved2 gt lt sub interface id gt lt termination attribute gt lt channel gt lt operator gt yourcompanyname com others lt service gt sip voice video vphone
52. with layer 2 and layer 3 services such as security QoS IP Multicast that eliminate the need to create an overlay network of standalone SBC appliances With Integrated SBC SBC functionality and routing functionality both reside on the Cisco ASR 1000 Series Router The integration also allows SBC to build on the security and admission control features and virtual private network VPN awareness of the Cisco ASR 1000 Series Routers In general session border controllers are used as key components in interconnecting Voice over IP VoIP and multimedia networks of different enterprise customers and service providers SBCs are deployed at the edge of networks to meet the need for secure intelligent border element functions Using SBCs the end user can make voice and video calls to another end user without being concerned about protocols network reachability or safety of the network The SBC enables direct IP to IP interconnect between multiple administrative domains for session based services providing protocol interworking security and admission control and management The SBC is a session aware device that controls access to VoIP and other types of primarily media related networks A primary purpose of an SBC is to protect the interior of the network from excessive call load and malicious traffic Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 CEN
53. work identically on the Cisco ASR 1000 Series Aggregation Services Routers oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers my Chapter 10 High Availability Support W Hardware Redundancy Hardw are Redundancy Integrated Session Border Controller supports use of a redundant or standby Route Processor RP and redundant Embedded Services Processor ESP on the Cisco ASR 1006 Router The Cisco ASR 1006 Router has an ESP as well as an RP for dual hardware redundancy If the active RP or active ESP hardware fails the system performs a switchover to the standby RP or standby ESP RP and ESP hardware redundancy support is independent An RP failure does not require a switchover of the ESP hardware and an ESP failure does not require an RP switchover Hardware redundancy is available only on the Cisco ASR 1006 Router Softw are Redundancy On the Cisco ASR 1000 Series Routers Cisco IOS runs as one of many processes within the Cisco IOS XE operating system This architecture is different than on traditional Cisco IOS where all processes are run within Cisco IOS The Cisco ASR 1000 Series Router architecture allows for software redundancy opportunities not available on other Cisco IOS platforms Integrated Session Border Controller supports software redundancy by running a standby peer SBC module within the IOS process that resides in an active
54. 20 Router show run interface gigabitEthernet 0 2 Current configuration 505 bytes I interface GigabitEthernet0 2 description to AER1 1 gi0 0 0 2 ip address 12 11 21 2 255 255 255 252 ip access group Core_InFilter in load interval 30 carrier delay msec 5 media type sfp speed 1000 duplex full negotiation auto ipv6 address 2000 12 11 21 2 64 ipv6 traffic filter Core_InFilter_IPv6 in ipv6 traffic filter OutFilter_IPv6 out no ipv6 mld router snmp trap link status permit duplicates keepalive 1 service policy output CORE_OUT hold queue 1000 in hold queue 1000 out end Router show policy map CORE_OUT Policy Map CORE_OUT Class IPv6_intersubscriber police cir 8000 bc 1500 conform action drop exceed action drop Class class default Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers oa E OL 15421 01 Chapter9 Topology Hiding IPv6 Support W ACL Based Inter Subscriber Blocking Method In the following example of the ACL based inter subscriber blocking method packets entering the DBE from the access side are marked with DSCP 0 using the same INPUT_POLICY as the QoS method above but packets leaving the DBE use the ACL OutFilter_IPv6 as follows Router show ipv6 access list OutFilter IPv6 IPv access list OutFilter IPv6 permit icmp any any packet too big sequence 10 deny icmp any any sequence 20 deny ipv any any dscp defa
55. A prefix length of 0 for the remote source address mask is invalid The MGC is only allowed to specify local addresses and ports that lie within configured address and port ranges Related Commands The media address ipv4 command has dbe and mgc options that indicate whether an address pool is provided from which the DBE or MGC can allocate addresses The new media address pool ipv4 command creates a pool of sequential IPv4 media addresses that can be used by the DBE as local media addresses the command also has dbe and mgc options Topology Hiding Topology hiding is an important function of security because it protects the identity of the users and their network addresses See Chapter 9 Topology Hiding for more information Traffic Management Policing The data border element DBE supports the H 248 Traffic Management Tman package to police signaling and media streams The DBE can also monitor packets coming from the access customer side and from the backbone network core side For more information on the Tman package see the H 248 Traffic Management Package Support section on page 5 1 Tw o Rate Three Color Policing and Marking The data border element DBE supports Two Rate Three Color Policing and Marking to control the traffic coming from the user For more information on the Two Rate Three Color Policing and Marking feature see the Two Rate Three Color Policing and Marking section on page 5 5
56. ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco Lumin Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn is a service mark and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP CCVP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation EtherFast EtherSwitch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare
57. ASR 1000 Series Routers The documentation listed below is available online Cisco ASR 1000 Series Router Documentation For information on Integrated Session Border Controller commands see the Cisco IOS Integrated Session Border Controller Command Reference that was provided as part of this release For information on new Cisco ASR 1000 Series Router commands and commands in existing Cisco IOS features see the Cisco IOS command reference books on Cisco com for this release For hardware documentation for this router see the hardware documentation that was provided as a part of this release For information on new software features see the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide new feature module documents and the Cisco IOS XE release notes that were provided as part of this release Cisco IOS Release 12 2SR Software Publications Documentation for the related Cisco IOS Release 12 2SR including command reference and system error messages can be found at the following URL http www cisco com en US products ps6922 tsd_products_support_series_home html Document Conventions This documentation uses the following conventions Convention Description or Ctrl The and Ctrl symbols represent the Control key For example the key com bination D or Ctrl D means hold down the Control key while you press the D key Keys are indicated in capital letters but are not case sensitive string
58. Address Pools DETAILED STEPS Command or Action Configuring Media Address Pools Mil Purpose Step1 configure terminal Enters global configuration mode Example Router configure terminal Step2 interface sbc Enters into interface configuration mode In the example an SBC virtual interface called 1 Example is configured Router config interface sbc 1 Step3 sbc sbc name dbe Enters into SBC DBE configuration mode Example Router config sbc mySbc dbe Step4 media address pool ipv4 A B C D E F G H Creates a pool of sequential IPv4 media addresses that can be used by the DBE as local media addresses Enters into SBC DBE media address Example fi d Router config sbc dbe media address pool ipv4 configuration mode 10 0 2 1 10 0 2 10 Step5 port range min port max port any voice video Creates a port range for the configured media signaling fax addresses in the pool and specifies a class of service such as any voice video signaling and fax for the Example port range Router config sbc dbe media address port range In the example a port range of 16384 to 30000 is TOISEN OIR ran created where the class of service for the port range is any class of service Step6 exit Exits SBC DBE media address configuration mode Example Router config sbc dbe media address exit Step7 end Exits SBC DBE configuration mode and returns to privileged EXEC mode Example Router config
59. Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 o Chapter 11 Quality Monitoring and Statistics Gathering Hs Provisioned Inactivity Timer Related Command The h248 media alert event command is used to enable or disable the Middlebox Pinhole Timer Expired event when the DBE detects media loss Provisioned Inactivity Timer The DBE can be configured with a default value for the H 248 connection s inactivity timer value the it and ito properties This default value is used if the media gateway controller MGC does not request that the DBE runs an inactivity timer The advantage is that the DBE can detect media gateway controller MGC failure whether or not the MGC has subscribed to the inactivity timer event The system default is that no provisioned inactivity timer is configured The provisioned timer is started when a successful response is received to the media gateway MG initial ServiceChange request to the MGC The MGC subscription timer duration can override the provisioned timer duration value if the MGC subscribes to the inactivity timer with a different timer duration than the provisioned timer duration However the subscribed timer value is replaced by the provisioned timer value if the MGC cancels its subscription or the association fails Related Command The h248 inactivity duration command configures the duration of the inactivity timer The provis
60. Border Controller DBE Deployment Scenario W This scenario requires the SP to provide capabilities such as opening pinholes for the duration of a conversation and doing this without exposing the devices behind the firewall to malicious threats In addition given that voice is extremely sensitive to issues such as delay latency and packet loss ensuring adequate performance is a challenge QoS mechanisms can be implemented to ensure proper priority is assigned to voice packets In this deployment scenario multiple applications share a common link Thus a mechanism that will limit bandwidth available to individual applications to ensure appropriate end to end quality is needed For voice this would involve correctly marking the packet to ensure appropriate priority as well as controlling the number of simultaneous calls at the network entry point Because the SP cannot dictate what IP phones their customers use protocol conversion functionality is needed especially H 323 to SIP conversion Service providers require measurement of traffic for reporting and billing purposes in this potential scenario Some carriers may also want to offer service level agreement SLA for voice for which they want to be able to provide their customers with the proof that these SLAs are being met Figure 1 4 on page 1 9 illustrates a deployment where Integrated SBC is used for VoIP interworking Figure 1 4 Integrated SBC Used for VoIP Interworking SP2
61. Pv6Inter Subscriber Blocking Ml because they have an SBC DBE updated DSCP value Depending on the QoS classification you also have the flexibility of blocking partial traffic between subscribers without a session established or blocking all the traffic between them IPv6 inter subscriber blocking can be implemented using two methods Quality of Service QoS policy map based inter subscriber blocking or access control list ACL based inter subscriber blocking In the following example of the QoS policy map based inter subscriber blocking method all the packets entering the router DBE through 0 1 1101 are marked using the policy map INPUT_POLICY with DSCP default 0 Any packets leaving the DBE gigabitEthernet 0 2 with DSCP 0 will be blocked by the class map IPv6_intersubscriber in the policy map CORE_OUT IPv6_intersubscriber uses the ACL ipv6_dscpO_any Router show run interface gigabitEthernet 0 1 1101 Current configuration 711 bytes I interface GigabitEthernet0 1 1101 encapsulation dot1Q 1101 ip dhcp relay information option subscriber id 1101 ip address 12 21 1 1 255 255 255 0 ip access group InFilter IPv4 in ip access group OutFilter_IPv4 out ip verify unicast reverse path ip helper address 12 1 99 2 pppoe enable group global ipv address 2000 12 21 1 1 64 ipv address FE80 1 link local ipv traffic filter InFilter_IPv6 in ipv traffic filter OutFilter IPv6 out ipv6 verify unicast reverse p
62. RP If the SBC module fails then Integrated SBC switches over to the standby SBC module in the standby IOS process The standby IOS process may reside on the same Route Processor as the active IOS process Cisco ASR 1002 and Cisco ASR 1004 Routers or it may be on a redundant standby RP Cisco ASR 1006 Router On the Cisco ASR 1002 and Cisco ASR 1004 Routers a standby Cisco IOS process is running on the same Route Processor as the active Cisco IOS process In the event of a Cisco IOS failure the router switches to the standby Cisco IOS process No redundant Route Processor or redundant ESP is available on the Cisco ASR 1002 Series and Cisco ASR 1004 Series Routers On the Cisco ASR 1006 Routers the data border element DBE can have a redundant Route Processor and a redundant ESP In the event of failure of the active Cisco IOS process the router switches to the standby Cisco IOS process running on a separate standby Route Processor SBC redundancy at the ESP level is provided only if a standby redundant ESP is used SBC components running on the active ESP have identical peer components running on the standby ESP In this case if the SBC components running on the active ESP fail then a switchover to the backup ESP occurs The following types of software redundancy are supported on Integrated Session Border Controller Route Processor Redundancy RPR Stateful Switchover SSO In Service Software Upgrade ISSU Route Processor Redun
63. S software image support To access Cisco Feature Navigator go to http www cisco com go fn An account on Cisco com is not required Note Table 1 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train Unless noted otherwise subsequent releases of that Cisco IOS XE software release train also support that feature Table 1 1 lists features in alphabetical order and associated SBC commands that are supported on the Integrated Session Border Controller DBE deployment on the Cisco ASR 1000 Series Routers Table 1 1 Supported Integrated Session Border Controller Features Chapter Where Release Feature Name Related SBC Commands Documented Cisco IOS Billing and Call Detail Records None Chapter 11 Quality XE Release Monitoring and 2 0 Statistics Gathering Cisco IOS DTMF Interworking dtmf duration Chapter 3 DTMF XE Release Interworking 2 0 Cisco IOS DBE Signaling Pinhole Support None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS DBE Status Notification None Chapter 11 Quality XE Release Monitoring and 2 0 Statistics Gathering Cisco IOS DSCP Marking and IP Precedence None Chapter 5 Quality of XE Release Marking Service and Bandwidth 2 0 Management Cisco IOS Enabling Optional H 248 package Chapter 6 H 248 XE Release Packages Packages Signaling 2 0 and Contr
64. SBC DBE configuration mode and returns to privileged EXEC mode Enabling H 248 Logging Requests and Responses EN Because the default logging level of 63 is set on by default you can use the logging level command to enable other logging levels In particular logging level 30 generates logs showing H 248 requests sent and responses received The logging level command sets the severity logging level on the DBE and limits logging messages displayed on the console to messages for that specified level and above For example a specified logging level of 30 would display log messages from logging levels 30 40 50 60 70 80 and 90 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 _ Chapter 2 Configuring Integrated Session Border Controller Configuration Examples W Note that some messages may be displayed on the standby Route Processor RP because some of the components remain in the active stage on the standby RP and may produce those messages The lower the log level the more syslog bandwidth is taken up Integrated Session Border Controller SBC debug commands that set the logging level and the H 248 protocol message filter such as debug sbc log level and debug sbc filter can be enabled at the same time The logging level command works with Integrated SBC and Cisco IOS debug commands as follows If logging and logging
65. SR 1000 Series Aggregation Services Routers OL 15421 01 TEN Chapter3 DTMF Interworking HI Configuring Default Duration of a DTMF Event Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 3 4 OL 15421 01 CHAPTER Media Address Pools You can configure Integrated Session Border Controller SBC with a single media address or a range of sequential media addresses In addition you can define one or more permissible port ranges for the configured addresses This feature allows the administrator to configure or restrict the data border element DBE address by address pool with or without port range and define class of service CoS affinity for each port range For a complete description of commands used in this chapter refer to the Cisco IOS Integrated Session Border Controller Command Reference Contents Prerequisites for Implementing Media Address Pools page 4 1 Restrictions for Configuring Media Address Pools page 4 1 Information About Media Address Pools page 4 2 Configuring Media Address Pools page 4 2 Configuring Media Address Pools Example page 4 4 Prerequisites for Implementing M edia Address Pools The following prerequisites are required to implement media address pools On the DBE you must be the Admin user to enter SBC commands Before implementing media address pools the SBC must already be created
66. Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Command or Action Purpose logging filter control protocol Example Router config sbc dbe vdbe logging filter control protocol Optional Sets the H 248 protocol message filter for console logging to display only the H 248 text without any internal message logs controller h248 controller index Example Router config sbc dbe vdbe controller h248 2 Configures the H 248 controller for the DBE and enters into Controller H 248 configuration mode In the example the configured number 2 identifies the H 248 controller for the DBE remote address ipv4 A B C D Example Router config sbc dbe vdbe h248 remote address ipv4 200 50 1 254 Configures the IPv4 remote address of the H 248 controller for the SBE In the example 200 50 1 254 is configured as the remote SBE IP address remote port port num Example Router config sbc dbe vdbe h248 remote port 2971 Configures the port number of the H 248 controller that is used to connect to the SBE exit Example Router config sbc dbe vdbe h248 exit Exits Controller H 248 configuration mode attach controllers Example Router config sbc dbe vdbe attach controllers Attaches the DBE to an H 248 controller exit Example Router config sbc dbe vdbe exit Exits VDBE configuration mode end Example Router config sbc dbe end Exits
67. T Where both access side and backbone side addresses are protected In Twice NAPT both the IP address and port are translated to a local IP address and port and both of the end points on each side see the SBC address as a destination address IPv6 Single NAPT for signaling packets This function is useful for protecting the signaling infrastructure part of the backbone side The backbone side is able to identify the address of the customer however for the customer only the interface address of the DBE is visible IPv6 No NAPT for media packets With this method there is no privacy on the customer side or backbone side Both sides know each other s address and the DBE transparently passes the packets For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference NAPT and NAT Traversal page 9 2 IP NAPT Traversal Package and Latch and Relatch Support page 9 2 IPv4 Twice NAPT page 9 2 IPv6 Inter Subscriber Blocking page 9 2 IPv6 Support page 9 5 No NAPT Pinholes page 9 9 oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers my Chapter9 Topology Hiding E NAPT and NAT Traversal NAPT and NAT Traversal NAPT and NAT Traversal are described in Chapter 8 Integrated Session Border Controller Security IP NAPT Traversal Package
68. The SBE sees no differences between Twice NAPT hairpins and Twice NAPT non hairpins When forwarding media a hairpin behaves the way two separate pinholes behave except that a packet going through a coupled pair has its IP Time to Live counter decremented only once not twice Note Twice NAPT is only supported on IPv4 No NAPT Pinhole Hairpinning No NAPT pinholes can form hairpins only under the following circumstances Both pinholes are No NAPT Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 a Chapter7 H 248 Services Signaling and Control MGC Specified Local Addresses or Ports Each internal termination has local and remote addresses that are identical to those of the external termination on the associated pinhole amp Note The two terminations between which media loops back are called the internal terminations of their respective pinholes Only external terminations directly receive packets from the network Any remote source address masks rsams are duplicated For example if a termination with remote address A in one pinhole has an rsam of 1111 2222 3333 4444 48 then the termination with remote address A in the other pinhole also has an rsam of 1111 2222 3333 4444 48 DBE Restrictions The following are DBE restrictions for the Locally Hairpinned Sessions feature For N
69. VOD systems enabling users to select and watch or listen to video and audio content over a network as part of an interactive television system VOD systems can either stream content through a set top box that allows the user to view in real time Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 7 14 OL 15421 01 Chapter7 H 248 Services Signaling and Control Video on Demand VOD Support W such as pay per view or download content to a delivery device for future viewing Delivery devices include computers digital video recorders personal video recorders portable media players mobile phones and any system that can receive on demand audio visual content over a network The Integrated SBC supports different methods for delivering VOD packets over the Internet One method assumes that all flows of real time streaming protocol RTSP real time transport protocol RTP real time control protocol RTCP and forward error correction FEC are delivered over one TCP connection that is initiated by the client side This method includes the following features The TCP connection is always initiated by the client side The local address and port number on the client or user side are specifically assigned by the signaling border element SBE The local address and port number on the back bone or server side are any based on the media
70. ackage 7 4 H H 248 address reporting package 8 2 H 248 association 11 3 11 4 H 248 event notification 11 2 H 248 event subscription 11 4 H 248 logging 2 6 H 248 Megaco 1 8 H 248 packages 6 1 address reporting package 6 2 base root package 6 7 enabling optional H 248 packages 6 1 gate information package becomes optional 6 2 H 248 1v3 support 6 6 MGC controlled gateway wide properties 6 7 segmentation package 6 2 session failure reaction package 6 3 termination state control 6 4 traffic management package 6 6 VLAN package syntax level support 6 6 H 248 protocol 1 8 H 248 services 11 6 audit support extension 7 3 DBE signaling pinhole support 7 2 flexible address prefix provisioning 7 4 hairpin 7 5 local source properties address and port 7 5 MGC specified local addresses or ports 7 6 multi stream terminations 7 7 nine tier termination name hierarchy 7 7 optional local remote descriptors 7 10 remote source address mask filtering 7 11 RTP specific behavior support 7 11 ServiceChange Notification for Interface Status Change 7 11 termination wildcarding support extension 7 3 t max timer 7 14 tsc delay timer 7 14 H 248v3 7 7 hairpin DBE restrictions 7 6 no NAPT pinholes 7 5 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers IN 2 OL 15421 01 twice NAPT pinholes 7 5 hairpin support 7 5 hardware redundan
71. age 2 11 e Making Global Changes to Controllers Example page 2 11 e Making Changes to Individual Controller Settings Example page 2 13 oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter 2 Configuring Integrated Session Border Controller Hs Configuration Examples SBC DBE Configuration Steps Example The following steps list the tasks you need to do to configure an SBC DBE deployment on the Cisco ASR 1000 Series Routers Create an SBC virtual interface Configure IP addresses on the SBC virtual interface Create the DBE service on the SBC Configure the default VDBE Take the default use any local port command behavior Configure the DBE to use a local H 248 control address to connect to the SBE Configure the H 248 controller for the DBE Configure the remote address of the H 248 controller for the SBE Attach the DBE to an H 248 controller Configure a location ID for the DBE 18 ON Se eee re e PS Add an IPv4 address so it can be used by the DBE as a local media address 12 Initiate the DBE service of the SBC The following is a sample configuration representing the ordered tasks used to configure an SBC DBE deployed on the Cisco ASR 1000 Series Routers interface sbc 1 ip address 1 1 1 1 255 0 0 0 sbc mySbc dbe vdbe global control address h248 ipv4 210 229 108 254 controller h248 1 remote addr
72. ain multiple streams Previously only a single stream for each termination was allowed which meant that multi stream calls needed to be signaled using multiple pairs of terminations This enhancement supports the new H 248 1v3 syntax in which several streams can occupy the same termination DBE Restrictions The following is a restriction of DBE support for this feature e Auditing of per stream statistics is only supported when using H 248 1v3 This is a restriction of the H 248 protocol Nine Tier Termination Name Hierarchy The Nine Tier Termination Name Hierarchy feature adds support for a nine tier termination name schema where the multi tier prefix is supplied by the media gateway controller MGC and the final element the channel ID is generated by the media gateway MG All MGCs that the MG is configured to contact must use the same termination name schema A termination is the point of entry or exit of media flows relative to the MG The MG understands how the flows entering and leaving each termination are related to each other This feature plays an important role in identifying the company transaction service such as voice or video and termination attributes such as access backbone etc Restrictions for Nine Tier Termination Name Hierarchy Only the final element may contain the CHOOSE wildcard The DBE will not extract any meaning from any elements of the termination ID The exception is reserved for
73. alue2 pdr coefficient value3 command The control dscp value keyword enables the Two Rate Three Color Policing and Marking feature for a specific flow if value matches the DSCP value for the flow in the diffserv package transmitted via H 248 The marker dscp value2 keyword colors traffic packets with a DSCP value2 This traffic conforms to the peak data rate pdr but does not conform to the sustainable data rate sdr The pdr coefficient value3 keyword applies the following formula to calculate the pdr value which is not passed from H 248 The pdr coefficient value is calculated as pdr sdr value3 100 and pdr must be greater than sdr Traffic not conforming to either of the sdr or pdr rates These packets are dropped wy Note The Two Rate Three Color Policing and Marking feature is not enabled for a particular flow if the DSCP value set by H 248 for that flow does not match the configured control dsep value Traffic flows must have the Two Rate Three Color Policing and Marking feature enabled to use the three parameters configurable with the Two Rate Three Color CLI Traffic flows that do not have the Two Rate Three Color Policing and Marking feature enabled are subject to normal Tman based policing with pdr sdr and mbs parameters configured via H 248 regardless of the pdr coefficient configured via the Two Rate Three Color CLI The DBE supports dual token bucket policing to support this feature The DBE use
74. ame dbe vdbe global dtmf duration duration exit mone we LY pP end Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 3 2 OL 15421 01 _ Chapter 3 DTMF Interw orking DETAILED STEPS Command or Action Configuring Default Duration ofa DTMF Event Hl Purpose Step1 enable Enables privileged EXEC mode Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 sbc sbc name dbe Enters the mode of a DBE service and enters into SBC DBE configuration mode Use the sbc name argument to specify the name of the DBE service Example Router config sbc global dbe Step4 vdbe global Enters into VDBE configuration mode with a default DBE named global Example Only one DBE is supported and its name must be global Router config sbc dbe vdbe global Step5 dtmf duration duration Configures the default duration of a DTMF event in milliseconds Example Router config sbc dbe vdbe dtmf duration 250 Step6 exit Exits VDBE configuration mode Example Router config sbc dbe vdbe exit Step7 end Exits SBC DBE configuration mode and returns to privileged EXEC mode Example Router config sbc dbe end Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco A
75. an package during call setup The mbs property is used for pdr policing as well and has an assumed minimal value of 1500 bytes Two DSCP values control and marker DSCPs and the pdr coefficient are configured via the control dscp marker dscp pdr coefficient CLI The control dscp value configured must match the diffserv DSCP value for a specific flow to enable the Two Rate Three Color Policing and Marking feature If any one of the conditions is not met this feature is not enabled for the flow Implementing Tw o Rate Three Color Policing and Marking In the Two Rate Three Color Policing and Marking feature only two rates sdr and pdr allow traffic to be policed into three categories of traffic which are handled as follows Traffic conforming to both sdr and pdr These packets are colored using the DSCP value provisioned via the H 248 diffserv package that is H 248 passes the DSCP value These packets are forwarded and the DSCP value comes from the H 248 diffserv package Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E Chapter5 Quality of Service and Bandwidth Management His Two Rate Three Color Policing and Marking Traffic not conforming to the lower sdr rate but conforming to the higher pdr rate These packets are colored with the marker DSCP value and pdr configured with the control dscp value marker dsep v
76. ate Control Package section on page 6 4 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 8 2 OL 15421 01 Chapter8 Integrated Session Border Controller Security Interim Authentication Header Support W Interim Authentication Header Support Interim Authentication Header IAH Support provides protocol level support that allows you to insert an IAH in the messages and to set all fields in the IAH header to zeroes You are able to send and receive null IAH headers DBE Restrictions The following is a restriction of Interim Authentication Header IAH Support The data border element DBE only checks that the received messages are syntactically correct and does not confirm that an IAH is present Related Commands The interim auth header keyword is added to the transport command to insert the IAH into H 248 messages IP NAPT Traversal Package and Latch and Relatch Support The data border element DBE supports the IP NAPT Traversal IP NAPT package that is defined in H 248 37 IP NAPT traversal is an alternative method to the existing support of the NAT Traversal NTR package defined in ETSI TS 102 333 IP Network Address and Port Translation IP NAPT defines two signals Latch and Relatch to control how the DBE learns remote addresses for endpoints behind a Network Address Translation NAT The NAPT package is defined through a
77. ath ipv mld explicit tracking ipv mld access group VLAN1 ipv6 dhcp relay destination 2000 12 1 99 2 snmp trap link status no cdp enable service policy input INPUT_POLICY service policy output PARENT OUTPUT POLICY end Router show policy map INPUT POLICY Policy Map INPUT POLICY Class class default set dscp default Router show policy map PARENT OUTPUT POLICY Policy Map PARENT OUTPUT POLICY Class class default Average Rate Traffic Shaping cir 100000000 bps service policy CHILD _OUTPUT_POLICY Router show policy map CHILD OUTPUT POLICY Policy Map CHILD OUTPUT _POLICY Class EF set cos 5 set dscp ef OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter9 Topology Hiding HI sIPv6 Inter Subscriber Blocking priority level 1 10000 kbps Class AF4 set cos 4 priority level 2 75000 kbps Class AF1 set cos 1 priority level 2 5000 kbps Class IPv6 _intersubscriber police cir 8000 bc 1500 conform action drop exceed action drop Class class default set cos 0 bandwidth 9990 kbps queue limit 1 packets Router show class map IPv6_intersubscriber Class Map match all IPv6 _intersubscriber id 16 Match access group name ipv6 _dscp0_any Router show ipv6 access list ipv6 dscp0 any IPv6 access list ipv6_dscp0_any permit ipv6 any any dscp default sequence 10 deny ipv6 any any sequence
78. ation media up event media down event and invalid source alert to the SBE for billing and security purposes H 248 Network Quality Alert nt qualert event The H 248 nt qualert event offers another method to check whether there are any hung calls A voice call is considered a hung call when media packets are not present on the active stream and the call is not on hold nor has the hold timer expired The H 248 nt qualert feature generates a middlebox pinhole timer expired event when it detects this type of media loss This feature is enabled by default Discarded Packets Statistics The DBE tracks dropped packets when incoming packets fail to match the address and port mask specified using the H 248 Gate Management package With this type of reporting the DBE collects accurate packet information for a given user and also enhances network security congestion threshold Command The congestion threshold command configures the DBE to signal a congestion event to the SBE when a maximum percentage has been reached When the DBE reaches the maximum configured congestion threshold percentage for either number of calls or media bandwidth it sends a congestion message to the SBE DBE Status Notification The DBE notifies the SBE about critical status changes for example resource shortage or performance degradation Enhanced Event Notification and Auditing The Enhanced Event Notification and Auditing features address some of the limitations
79. can be modified and audited by the media gateway controller MGC normalMGExecutionTime normalMGCExecutionTime e MGProvisionalResponseTimer Value e MGCProvisionalResponseTimer Value e MGOriginatedPendingLimit e MGCOriginatedPendingLimit In addition the following read only properties may be audited e maxNrOfContexts maxTerminationsPerContext DBE Restrictions The following is a restriction of DBE support for this feature The property field values are stored where set by H 248 and returned on subsequent audits However the property values are not used by the DBE and do not affect the DBE s behavior Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 a Chapter6 H 248 Packages Signaling and Control Hs MGC Controlled Gatew ay Wide Properties Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 6 8 OL 15421 01 CHAPTER H 248 Services Signaling and Control The data border element DBE of the Integrated Session Border Controller SBC manages media packets but it also takes part in forwarding signaling packets to the signaling border element SBE In this way the DBE helps in signaling interworking The SBE generates controlling packets and through the H 248 interface informs the DBE on management of media packets as
80. cy 10 2 hiding network address 9 1 high availability 10 1 huge buffer size 2 1 hung call 11 2 illustration No NAPT 9 7 inactivity timer 11 6 in service software upgrade 10 3 interim authentication header 8 3 inter subscriber blocking 9 2 IP NAt traversal 9 1 IP precedence marking 5 3 ipv4 9 2 IPv4 twice NAPT 9 2 ipv6 9 5 no NAPT 9 6 pinholes 9 5 9 6 single NAPT 9 5 9 7 ISSU 10 3 L latch 8 2 8 3 9 1 LLQ 5 1 local address 7 6 local port 7 6 8 4 local source properties address and port 8 4 logging level 2 6 lost calls 10 3 M marker dscp value 5 5 marking 5 5 mask length 8 4 maximum burst size 5 2 mbs property 5 2 media address pools configuring 4 2 7 8 example 4 4 7 9 prerequisites 4 1 restrictions 4 1 media failure 11 5 media flow 9 5 9 6 media gateway 1 2 media gateway controller 1 2 media gateway controller failure 11 6 media gateway controller version 3 6 6 media loss 11 5 media packets 1 2 7 1 media pinhole control 8 2 media timeout 11 3 media timeout timers 11 4 MGC 1 2 MGC controlled gateway wide properties 6 7 MGC specified local addresses or ports 7 6 middlebox pinhole timer expired 11 2 11 5 multiple terminations 8 5 multi stream terminations 7 7 Index NAPT 9 1 NAPT and NAT traversal 8 5 NAT 91 network package quality alertevent 11 5 network quality alert 11 2 nine tier termination name hierarchy 7 7 no NAPT 9 5 9 9 no NAPT pinholes 7 5 notes u
81. dancy RPR RPR allows you to run with a standby RP without state synchronization In the event of a fatal error on the active RP the system switches to the standby RP which then completes its initialization Because all the state information held by the formerly active RP is lost the newly active RP has to configure itself and relearn all the state information Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 10 2 OL 15421 01 Chapter 10 High Availability Support SSO Support W Upon an RPR based RP switchover event all SBC calls already established in a steady state at the time of the switchover are lost Some SBC calls in the process of being established at the time of the switchover are dropped as gracefully as possible No new calls can be established briefly after the initial switchover event An SBC call reconciliation takes place after an RPR based RP switchover to ensure that both RP and Embedded Services Processor ESP are in sync RPR redundancy can allow for IOS fast software upgrades when ISSU is unavailable In RPR mode no Cisco IOS SBC state information is synchronized to the standby RP Therefore all calls are dropped upon an RPR based switchover D Note RPR is supported on the Cisco ASR 1000 Series Routers while RPR is not You can use Stateful Switchover SSO instead of RPR SSO Support Integrated Session Borde
82. destination address and port that was either specified in the remote descriptor or latched to within a gm rsam that matches the local address mask IPv6 No NAPT Support for M edia Flows To support IPv6 on the DBE deployment media flows do not support NAPT No NAPT support means that no IP addresses and ports are translated by the DBE from a private address to a public address for multiple users to share a single public address Because media addresses and ports are not translated media flows on both sides of the media address are programmed with private local addresses and ports that do not belong to the DBE These local addresses and ports are specified by the MGC to match the remote address and port on the opposite side of the media address Traffic in both directions is addressed directly to the remote endpoint on the other side of the DBE The DBE rewrites neither the source nor destination addresses and ports in both directions because the DBE does not translate any IP addresses and ports during packet forwarding Neither the source address nor destination address contains any DBE local media addresses Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter9 Topology Hiding IPv6 Support W Figure 9 1 illustrates a No NAPT media flow through the DBE between user side A and user side B Figure 9 1 No NAPT Media Flow
83. dpoints do not use the same type for relaying DTMF tones DTMF dialing consists of simultaneous voice band tones generated when a button is pressed on a telephone The challenge comes from a scenario where one side uses Real time Transport Protocol RTP and the other uses Session Initiation Protocol SIP signaling to enable advanced telephony services Examples of the types of services and platforms that are supported by DTMF interworking are various voice web browser services Centrex switches or business service platforms calling card services and unified message servers All of these applications require DTMF interworking for the user to communicate with the application outside of the media connection The Cisco ASR 1000 Series Aggregation Services Routers only support DTMF interworking between RTP and SIP DTMF indication types This type of DTMF interworking provides for DTMF signals generated by SIP to be inserted into an RTP stream and RTP DTMF tones to be extracted and to generate a SIP message The following are ways of generating a DTMF tone SIP digit detection and generation package A SIP message is sent from the endpoint to the SIP proxy indicating that there has been a DTMF event the type and the duration of the event oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter3 DTMF Interworking HT RTP to SIP Interwork
84. e vdbe Router config sbc dbe vdbe controller h248 1 Router config sbc dbe vdbe h248 remote address ipv4 210 229 108 253 SBC remote address cannot be changed while controllers are attached Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller HE Cisco H 248 Profile The following example illustrates the user following the recommended steps to change the remote address Router config sbc dbe vdbe h248 exit config sbc dbe vdbe exit config sbc dbe no activate config sbc dbe vdbe config sbc dbe vdbe no attach controllers config sbc dbe vdbe controller h248 1 config sbc dbe vdbe h248 remote address ipv4 210 229 108 253 lt change remote addr config sbc dbe vdbe h248 exit config sbc dbe vdbe attach controllers config sbc dbe vdbe exit config sbc dbe activate config sbc dbe end Router Router Router Router Router Router Router Router Router Router Router The following example shows the modified running SBC configuration sbc mySbc dbe vdbe global use any local port control address h248 ipv4 172 25 2 26 controller h248 1 remote address ipv4 210 229 108 253 attach controllers activate location id 1 media address ipv4 20 20 20 20 media address ipv4 21 21 21 21 Cisco H 248 Profile H 248 profiles define option values set
85. e DBE is responsible for the media flows and consists of a set of data path functions The DBE responds to the requests made by the SBE to open pinholes taking into account the specified NAT firewall traversal and QoS requirements For the DBE a new interface type is defined for the SBC virtual interface You configure a virtual interface as part of the SBC configuration and the virtual interface has media IPs as primary or secondary IP addresses The SBC virtual interface does not support any existing Cisco IOS features The Cisco IOS XE image containing SBC software leverages existing Cisco IOS install and packaging facilities for software release delivery and installation Cisco IOS commands have been introduced to configure the DBE For information on commands see the Cisco IOS Integrated Session Border Controller Command Reference Integrated Session Border Controller DBE Deployment Scenario ie p One potential deployment scenario for Integrated Session Border Controller on the Cisco ASR 1000 Series Routers is in a network architecture where the service provider SP provides voice data and video services to their residential broadband customers over a single link Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview Integrated Session
86. e abc voice gn 0 1 0 1 ac 3 Reserved Bandwidth 12 bytes second Status InService VRF Name Global VLAN Tags Priorities o 0 0 0 Local Address 202 50 255 113 Local Port 20000 Remote Address 100 50 255 110 Remote Port 20000 Remote Source Address Mask 100 50 255 0 24 Packets Received 2272 Packets Sent 1784 Packets Discarded 0 Data Received 266 bytes Data Sent 209 bytes Data Discarded 0 bytes GM Discarded Packets 0 Time To Recovery Not known RTCP Packets Sent Not known RTCP Packets Received Not known RTCP Packets Lost Not known DIMF Interworking No Media Flowing Yes Unexpected SrcAddr Packets No Billing ID 000000000000000000000000000000000000000000000000 Media directions allowed sendrecv Side B Name abc voice gn 0 1 0 1 bb 4 Reserved Bandwidth 23 bytes second Status InService VRF Name Global VLAN Tags Priorities 0 0 O 0 Local Address 202 50 255 113 Local Port 20002 Remote Address 200 50 255 110 Remote Port 30000 OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers g Chapter 7 H 248 Services Signaling and Control HI Optional Local and Remote Descriptors Packets Received 2249 Packets Sent 2272 Packets Discarded 465 Data Received 263 bytes Data Sent 266 bytes Data Discarded 54 bytes GM Discarded Packets 0 Not known Not known Not known Not known Time To
87. e of 99 triggers the generation of the nt qualert event because the DBE only detects complete media failure and is not able to detect partial frame loss which can occur during network congestion Requests for nt qualert events are on a per stream or per termination basis but the event is always reported on a per stream basis The event subscription can be added or removed during the lifetime of the stream The event is monitored independently for each side of the stream Middlebox Pinhole Timer Expired Event The h248 media alert event command defines whether a Middlebox Pinhole Timer Expired event is generated when the DBE detects media loss amp Note The Middlebox Pinhole Timer Expired event and the Network package Quality Alert event are independently generated so that either both or neither of these events are generated when the DBE detects media loss DBE Restrictions The following are restrictions of DBE support for the H 248 Network Package Quality Alert Event feature The DBE does not send notification when the last termination in a context expires The DBE deletes the context when all of its terminations time out during an H 248 association outage When an H 248 association is down and then resumes the DBE resumes sending notification events However during the H 248 association outage notification events may be lost after retries 1 ETSI TS 101 332 Version 4 1 1 Cisco IOS XE Integrated Session
88. eletion is blocked all gates media terminations and contexts remain on the device until they are deleted by the SBE or the DBE service is deactivated Resetting the M edia Timeout Timers The DBE will stop re arming the media timeout timers after a pinhole timeout occurs As a result the receipt of a packet on a pinhole on which a media timeout has occurred will not generate a media up notification or restart the timer again The media timeout timers can be restarted by the MGC by its sending in a Modify request for the pinhole An example of a Modify request is to change the state of an H 248 event subscription In this case the Modify request takes the call on hold or off hold and the DBE forwarding process changes the nt qualert event subscription which in turn restarts the media timeout timers DBE Restrictions The following are DBE restrictions for Enhanced Event Notification and Auditing After the DBE has determined that the Notify message for a given event occurrence has failed it does not attempt to send the Notify message again The event buffering model of DBE is unchanged The DBE continues to detect and report events that match the current events descriptor Receipt of a transaction response acknowledgement for an Audit Value response is not used to clear the ObservedEvents descriptor Related Commands The h248 event storage command enables permanent H 248 event storage which retains all H 248 events until
89. er Configures the DBE to use either UDP or TCP for H 248 control signaling The command also configures the H 248 controller to insert the interim authentication header into the H 248 messages and set all fields in the header to zeroes exit Example Router config sbc dbe vdbe h248 exit Exits Controller H 248 configuration mode attach controllers Example Router config sbc dbe vdbe attach controllers Attaches the DBE to an H 248 controller exit Example Router config sbc dbe vdbe exit Exits VDBE configuration mode location id location id Example Router config sbc dbe location id 1 Configures a location ID for the DBE The location ID is used by the network to route calls media address ipv4 A B C D Example Router config sbc dbe media address ipv4 1 1 1 1 255 0 0 0 Adds the IPv4 address to the set of addresses which can be used by the DBE as a local media address This address is the SBC virtual interface address Configure this command for each IP address that you specified under the SBC virtual interface in Step 4 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller Command or Action Configuring Integrated Session Border Controller DBE Deployment W Purpose Step 21 activate Example
90. er Subscriber Blocking Method 9 3 ACL Based Inter Subscriber Blocking Method 9 5 DBE Restrictions 9 5 IPv6 Support 9 5 IPv6 Pinholes 9 6 IPv6 No NAPT Support for Media Flows 9 6 IPv6 Single NAPT for Signaling 97 DBE Restrictions 9 8 Related Commands 9 9 No NAPT Pinholes 9 9 DBE Restrictions 9 9 cHaPTER LO High Availability Support 10 1 Contents 10 1 Integrated Session Border Controller High Availability 10 1 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers oL 15421 01 Contents W E Contents CHAPTER 11 INDEX Hardware Redundancy 10 2 Software Redundancy 10 2 Route Processor Redundancy RPR 10 2 SSO Support 10 3 ISSU Support 10 3 Quality M onitoring and Statistics Gathering 11 1 Contents 11 1 Billing and Call Detail Records 11 2 congestion threshold Command 11 2 DBE Status Notification 11 2 Enhanced Event Notification and Auditing 11 2 Retention and Returning of H 248 Event Information 11 3 Permanent H 248 Event Storage 11 3 H 248 Events Storage Until Event Acknowledgment 11 3 Association Reset 11 4 Silent Gate Deletion 11 4 Resetting the Media Timeout Timers 11 4 DBE Restrictions 11 4 Related Commands 11 4 H 248 Network Package Quality Alert Event and M iddlebox Pinhole Timer Expired Event Network Package Quality Alert Event 11 5 M iddlebox Pinhole Timer Expired Event 11 5 DBE Restrictions 11 5 Related Command 11 6 Pr
91. er describes high availability support for the Integrated Session Border Controller SBC on the Cisco ASR 1000 Series Aggregation Services Routers Integrated Session Border Controller High Availability page 10 1 Hardware Redundancy page 10 2 Software Redundancy page 10 2 Route Processor Redundancy RPR page 10 2 SSO Support page 10 3 ISSU Support page 10 3 Integrated Session Border Controller High Availability The Cisco ASR 1000 Series Routers include the Cisco ASR 1002 Cisco ASR 1004 and Cisco ASR 1006 Routers The different models support different types of redundancy Integrated Session Border Controller supports the redundancy available on each model On the Cisco ASR 1002 and Cisco ASR 1004 Routers only software redundancy is available These models have dual Cisco IOS software modules running on the same Route Processor with one active and the other in standby mode The Cisco ASR 1006 Routers offer dual hardware redundancy and software redundancy Integrated SBC high availability is provided in the standard image for the Cisco ASR 1000 Series Routers There is no special configuration required For additional information see the High Availability Overview section in the Cisco ASR 1000 Series Aggregation Services Routers Software Configuration Guide Also see the Cisco IOS High Availability Configuration Guide for information on high availability features that are on other Cisco platforms and that
92. ess and port for outgoing packets After relatching any packets received with the old source address and port are discarded Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter8 Integrated Session Border Controller Security W Local Source Properties Address and Port When latching the DBE uses the remote address and port of a source endpoint as the destination endpoint address and port if the source IP address is within a specified Gate Management remote source address mask gm rsam This means that within a subnet any packet can be latched within a gm rsam The Relatch event waits until a packet arrives that fails the latched admission criteria but which meets the relatch critera The relatch may require stricter admission criteria than the original latching such as packets may have to come from a specific remote address rather than from within the subnet Or the relatch criteria might identify a different subnet In relatching one reason for the change in the source IP address and port could be a subscriber requiring a different service When the ntr package is in use the DBE continues to attempt to relearn remote addresses and ports following any H 248 operation that modifies a termination whose endpoint is behind a NAT Relearning continues to be timed out if no packets from a new remote source address and port are received withi
93. ess ipv4 210 229 108 252 attach controllers location id 1 media address ipv4 1 1 1 1 activate Configuring Primary IP and Primary Media IP Addresses Example The following example shows the running configuration where the primary IP address and primary media IP addresses have been configured sbc mySbc dbe vdbe global use any local port control address h248 ipv4 210 229 108 254 controller h248 1 remote address ipv4 210 229 108 252 attach controllers activate location id 1 media address ipv4 1 1 1 1 lt primary local media IP address added using primary IP addr interface sbc 1 ip address 1 1 1 1 255 0 0 0 lt primary IP address was configured on SBC interface Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 2 10 OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller Configuration Examples W Configuring Secondary IP and Secondary Media IP Addresses Example The following example shows the running configuration where a secondary IP address and secondary media IP address are configured after the primary IP address and primary media address have been configured sbc mySbc dbe vdbe global use any local port control address h248 ipv4 210 229 108 254 controller h248 1 remote address ipv4 210 229 108 252 attach controllers activate location id 1 media address ipv4 1 1 1 1 media address ipv4 25 25 25 25 lt
94. etes the gate if required DBE Restrictions The following are restrictions of DBE support for this feature As with current behavior the DBE rejects attempts to change the addresses and ports in the local descriptor once they have been selected Partially specified terminations those without both a local and remote descriptor must have a termination state of OutOfService If an attempt is made to place a partially specified termination InService then the request is rejected with error 421 Unknown action or illegal combination of actions response Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 _ Chapter 7 H 248 Services Signaling and Control Remote Source Address Mask Filtering W Remote Source Address Mask Filtering The Remote Source Address Mask Filtering feature is described in the Remote Source Address Mask Filtering section on page 8 5 RTP Specific Behavior Support This feature adds support for the Real time Transport Protocol RTP Specific Behavior rsb property of the ETSI TS 102 333 version 1 1 2 Gate Management GM package This support allows the media gateway controller MGC to disable RTP specific behavior for a given termination In this case the MGC overrides the default DBE behavior for RTP flows Terminations representing gates for RTP traffic typically require two streams per media
95. etfoctdn CISCO Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers Cisco IOS XE Release 2 1 May 5 2008 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San J ose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Customer Order Number OL 15421 01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California Berkeley UCB as part of UCB s public domain version of the UNIX operating system All rights reserved Copyright 1981 Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
96. example SBE DBE architecture your SBC architecture may differ Figure 1 1 Example of SBC High Level Architecture Signaling Border Element SBE H 323 SIP Policy HA AAA CDR VPN control Z interface ava NAPT Qos RTP Policy HA Data Border Element DBE 280018 Distributed and Unified M odels The SBC can operate in two modes or models unified and distributed In the unified model both the SBE and DBE logical entities co exist on the same network element In the distributed model the SBE and the DBE entities reside on different network elements Logically each of the SBE entities could control multiple DBE elements The DBE is controlled by one SBE at any one time m Cisco lOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview General Overview W Figure 1 2 on page 1 3 illustrates the unified model Figure 1 2 Unified SBC Model Domain A 271026 _ Ea Domain B The Integrated Session Border Controller runs under the distributed model and provides the DBE functionality The distributed model offers advantages over the unified model as follows Scalable to a larger number of sessions Operational advanta
97. g and LocalControl is modified Iftrt is ON and the recovery timer rt is non zero the recovery timer will be cancelled and restarted with the new rt value Iftrt is OFF or rt is zero the timer is stopped Ifthe MGC manually changes a suspended termination from OutOfService to InService the recovery timer is stopped However if the MGC re applies OutOfService state to an already suspended termination this has no effect on the recovery timer and does not cancel recovery The tsc trt and tsc rt properties and the tsc rc event if subscribed for are reported to the MGC in Audit responses DBE Restrictions The following is a restriction of DBE support for the tsc package Terminations can be associated by context but not by VLAN This means that the VLAN value of the tsc ata property is not supported If a request includes the VLAN value the request is rejected with error 501 Not Implemented D Note See the MultiService Forum Contribution document Contribution Number msf2006 117 03 for more information about the tsc package Related Commands The tsc ttr statistic is reported in the show sbc dbe media flow stats and show sbc dbe signaling flow stats command outputs The tsc trt property is reported as ON if the termination is OutOfService with the recovery timer running and OFF otherwise Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregati
98. g message OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers ig Chapter 2 Configuring Integrated Session Border Controller HI Configuring H 248 Logging Level You run over 500 active calls on your DBE deployment and you receive the following log message Feb 11 11 35 52 909 SYS 2 GETBUF Bad getbuffer bytes 34506 Process SBC main process ipl 0 pid 183 Traceback 70EDFC 747354 9942D0 AFC6E4 BO1AC4 29637B0 2960FCC 24C7F04 24C7918 24C7ADO 24D97AC 24D8790 2987C70 Feb 11 11 35 52 909 SBC 2 MSG 0303 0046 sckrecv2 c 991 Socket write error Sockets error code 255 Socket ID 0 Feb 11 11 35 52 909 SSBC 2 MSG 0303 0025 sckis c 112 General sockets layer error detected Sockets error code 255 Feb 11 11 35 52 909 SBC 2 MSG 2E01 0014 gctpfsm c 730 An association with a peer has become disconnected Peer s address 200 10 255 252 Peer s port 2944 Reason code 0X04 Solution Change huge buffer size Change your huge buffer size to 65535 bytes This is the recommended huge buffer size for deployment of more than 500 active calls due to the need for increased buffer size for H 248 audit responses Configuring H 248 Logging Level SUMMARY STEPS This section contains steps to configure a sample configuration where console logging for H 248 messages sent and received is turned on and the H 248 protoc
99. ge 6 2 H 248 Gate Information Ginfo Package Becomes Optional page 6 2 H 248 Segmentation Package Support page 6 2 e H 248 Session Failure Reaction Package page 6 3 H 248 Termination State Control Package page 6 4 H 248 Traffic Management Package Support page 6 6 H 248 1v3 Support page 6 6 H 248 VLAN Package Syntax Level Support page 6 6 e MGC Controlled Gateway Wide Properties page 6 7 Enabling Optional H 248 Packages H 248 profiles define option values sets of packages naming conventions and other details for an entire set of applications The SBC DBE deployment for the Cisco ASR 1000 Series Routers currently supports only one such profile SBC_GateControl The SBC_GateControl profile a Cisco internal profile based on ITU T Recommendation H 248 1 Version 2 defines functionality between the DBE and the MGC While all mandatory items in the profile are supported automatically by the DBE it is possible to configure the optional Enhanced Root eroot package to interoperate with the MGC SBE The eroot package is a proprietary package for the transport of the location ID and media gateway MG ID from the signaling border element SBE For more information on the Cisco H 248 profile see the Cisco H 248 Profile section on page 2 14 oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers g Chapter6 H 248 Packages
100. ges because the SBE can be upgraded or serviced separately from the DBE The distributed model aligns well with typical voice deployments where the SBE can be co located with part of the call agent The many to many interface offers capability to load share and balance across networks Operators have the flexibility to optimize on loading of the SBE or DBE Figure 1 3 on page 1 3 illustrates the distributed model Figure 1 3 Distributed SBC Model 271027 Standard H 248 Interface Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 EN Chapter 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview HI Supported Integrated Session Border Controller Features Supported Integrated Session Border Controller Features The supported features roadmap lists the features documented in this guide Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers and provides links to where they are documented Any related configuration commands for a feature are listed and documented in the Cisco IOS Integrated Session Border Controller Command Reference Finding Support Information for Platforms and Cisco IOS and Catalyst OS Softw are Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst O
101. he media gateway controller MGC to directly control policing of signaling flows through the SBC interfaces on the DBE The policing is at a per signaling flow level via the H 248 association between the MGC and the DBE The feature removes the need to have a separate firewall device to protect the MGC Without this feature signaling packets are addressed to the SBE and the DBE acts as a router forwarding the packets to the SBE With this feature enabled the DBE can police signaling packets using the ETSI TS 102 333 Traffic Management Tman package The DBE has application level pinholes created to allow those packets to be forwarded to the SBE Normal IP forwarding is disabled on the SBC interfaces of the DBE DBE Signaling Pinhole Support includes the following functionality The DBE only forwards traffic that is received on a configured pinhole The packet must be addressed to a VPN address or port on an SBC interface on the DBE Signaling pinholes are configured in the same way as media pinholes over H 248 They can be differentiated from media pinholes by session descriptions as defined in the Session Description Protocol SDP in the local and remote descriptors The m application line indicates that the termination is a signaling pinhole The data rate through a signaling pinhole can be unlimited The MGC can specify the VPN address and port of the pinhole on the DBE when it is created This must be selected from the addre
102. hich the stream has been latched The event is generated in both the LATCH and RELATCH scenarios The DBE reports the event subscription with the audit response when the media gateway controller MGC audits the packages For further information on support for the H 248 IP NAPT Traversal package see the IP NAPT Traversal Package and Latch and Relatch Support section on page 8 3 DBE Restrictions The following are restrictions for adr package support The MGC must explicitly subscribe for the rsac event The adr package can be used only in conjunction with the IP NAPT Traversal package H 248 Session Failure Reaction Package The data border element DBE supports the H 248 Session Failure Reaction SFR package From a security point of view the media gateway controller MGC can put a termination out of service when the H 248 connection between the MGC and media gateway MG is lost For more information on the SFR package see the H 248 Session Failure Reaction Package section on page 6 3 H 248 Termination State Control Package The data border element DBE supports the Termination State Control TSC package to monitor signaling pinholes The tsc quiesce feature of the TSC package helps the media gateway controller MGC monitor a signaling pinhole and put the pinhole in not in service mode when all terminations are subtracted For more information on the TSC package see the H 248 Termination St
103. ical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service and Cisco currently supports RSS version 2 0 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 g xi Preface Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers xiv OL 15421 01 CHAPTER Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview This chapter presents an overview of the Integrated Session Border Controller SBC supported features and deployment of the Integrated Session Border Controller on the Cisco ASR 1000 Series Routers Contents General Overview page 1 1 Supported Integrated Session Border Controller Features page 1 4 Deployment of the Integrated Session Border Controller page 1 8 Integrated Session Border Controller DBE Deployment Scenario page 1 8 General Overview The Integrated Session Border Controller is integrated with other features on the Cisco ASR 1000 Series Routers without requiring additional application specific hardware such as service blades SBC is integrated
104. ice Forum Contribution document Contribution Number msf2006 117 03 for more information about the sfr package H 248 Termination State Control Package The Termination State Control tsc package enhances the capabilities of the media gateway controller MGC to support the following two features tsc quiesce The MGC can instruct the media gateway MG to set the ServiceState property of a signaling pinhole to OutOfService state at the point where all associated media terminations are subtracted The MG informs the MGC when this has occurred This feature is known as tsc quiesce tsc suspend The MGC can put a signaling pinhole out of action for a given period of time The MG informs the MGC when the signaling pinhole becomes operational again and the MGC can query the time remaining until the suspension ends This feature is known as tsc suspend A signaling pinhole is composed of two terminations If either termination is out of service the entire pinhole is out of service It is up to the MGC whether to provision one or both terminations with the relevant properties If the MGC chooses to provision only one termination the MG does not impact the other termination The tsc quiesce Feature The tsc quiesce feature includes the following functionality Quiesce is not symmetrical Adding a media termination does not cause a quiesced OutOfService signaling pinhole to automatically move to InService The MGC must explicitly
105. ing RTP DTMF insertion The RTP packets contain information in their headers indicating that a DTMF is being generated The endpoints interpret these messages and play the DTMF locally In band waveform The DTMF is sent as part of the voice waveform RTP to SIP Interw orking In the case where the RTP stream is carrying the DTMF stream the RTP packet is removed from the stream and the DBE sends an H 248 message to the SBE indicating that a DTMF event has occurred and that this should be converted into a SIP DTMF event SIP to RTP Interw orking In the case of an endpoint generating a SIP signal the SIP DTMF signals arrive completely out of band An endpoint that supports SIP DTMF generates the signals to the SBE The SBE recognizes that this is a DTMF message and sends an H 248 message to the DBE that a DTMF tone is required to be inserted into the RTP stream The DBE then inserts the RTP DTMF packets into the audio stream Configuring Default Duration of a DTMF Event For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference Use the dtmf duration command in VDBE configuration mode to configure a default duration of a DTMF event If there is no DTMF duration configured the system default is 200 milliseconds Prerequisites Before implementing interworking DTMF the DBE must already be created SUMMARY STEPS enable configure terminal sbe sbc n
106. ing can be routed to the MGC through the DBE e Call signaling from different subscribers can be routed through different pinholes on the DBE These different pinholes can share the same IP address and port on the subscriber side on the DBE This is a typical scenario on the User Network Interface where it is simpler to publish a single IP and port to many subscribers DBE Restrictions The following is a restriction of DBE support for this feature Only three different lengths of network masks can be in use at the same time on a given local address and port combination Otherwise the DBE issues error 510 Insufficient Resources NAPT and NAT Traversal The data border element DBE performs translation of IP addresses and port numbers via Network Address and Port Translation NAPT and Network Address Translation NAT Traversal functions in both directions NAT converts an IP address from a private address to a public address in real time It allows multiple users to share a single public IP address The DBE can learn the NAT s public address and latch onto it for that flow Remote Source Address Mask Filtering This feature adds support for the Remote Source Address Filtering saf and Remote Source Address Mask rsam properties of the ETSI TS 102 333 Gate Management GM package The media gateway controller MGC can specify the gm saf and gm rsam properties of terminations in Add and Modify requests The SBC reports them
107. inholes includes the following functionality The DBE supports forwarding of media from one IPv6 endpoint to another IPv6 endpoint The DBE supports IPv4 and IPv6 endpoints simultaneously However no interworking between IPv4 and IPv6 endpoints is supported IPv4 endpoints can only forward media to other IPv4 endpoints and IPv6 endpoints can only forward media to other IPv6 endpoints The DBE supports configuration of IPv6 pinhole addresses and pinhole address pools DBE supports signaling pinholes using IPv6 addresses Support is added for the MGC to specify the address and port in the Megaco local descriptor for terminations as one of the following An address and port that are not owned by the SBC and not configured in a media address range on the SBC but matching the remote address and port for the other termination in the stream An address range in the form of a classless interdomain routing CIDR mask for example 10 13 8 0 21 together with a 0 port number that does not overlap with any address ranges owned by the SBC or any media address range configured on the SBC but the address and port match the gm rsam Gate Management remote source address mask for the other termination in the stream SBC recognizes these local addresses as signifying Single NAPT pinholes And if specified for both terminations in the stream SBC recognizes these addresses as No NAPT pinholes All pinholes only forward packets to a full
108. ion on ISSU compatibility For information on the ISSU process see the Cisco IOS In Service Software Upgrade and Enhanced Fast Software Upgrade Process document at http www cisco com en US docs ios 12_2sb feature guide sb_issu html oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter 10 High Availability Support WE ISSU Support Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers EZH OL 15421 01 Contents CHAPTER Quality Monitoring and Statistics Gathering The Data Border Element DBE deployment of the Integrated Session Border Controller SBC has a main objective in supporting quality monitoring and statistics reporting The DBE supports generation of event messages detailing significant events that occur on each call In addition the DBE supports generation of correct billing call usage and detail records Some of the monitoring events that the DBE tracks and reports are as follows Checking on occurrence of hung calls using the H 248 Network Quality Alert event Reporting on congestion events and critical status changes such as a resource shortage or performance degradation quality degradations of media streams and service level agreement SLA violations Reporting media timeout while the association with the controller
109. ioned duration time is zero unless the user sets the duration parameter It returns to zero if the user configures the no h248 inactivity duration command ServiceChange Notification for Interface Status Change This feature enables the media gateway MG to generate a ServiceChange H 248 notification to the media gateway controller MGC containing the Termination ID of the physical interface on the data border element DBE when the interface experiences status changes This feature is described in the ServiceChange Notification for Interface Status Change section on page 7 11 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 11 6 OL 15421 01 A active RP 10 2 adr package 8 2 architecture deployment scenario 1 8 SBC example 1 2 ASR 1002 Router 10 1 ASR 1004 Router 10 1 ASR 1006 Router 10 1 association failure 11 6 association reset 11 4 audit support extension 7 3 bandwidth allocation 5 4 base root version 2 package 6 7 billing 11 2 C call statistics 11 2 cautions usage in text i xii CBWFQ 5 1 CHOOSE wildcard 7 6 Cisco ASR 1002 Router 10 1 Cisco ASR 1004 Router 10 1 Cisco ASR 1006 Router 10 1 Cisco H 248 profile 2 14 class of service 4 1 collecting statistics 11 2 commands supported 1 4 INDEX command syntax conventions i xii configuring Cisco H 248 profile 2 14 controller individual 2 13 contro
110. ior Support 7 11 DBE Restrictions 7 11 ServiceChange Notification for Interface Status Change 7 11 Configuring the ServiceChange Notification for Interface Status Change Configuration Example Output 7 13 T MAX Timer 7 14 Related Commands 7 14 The tsc Delay Timer 7 14 DBE Restrictions 7 14 Video on Demand VOD Support 7 14 CHAPTER 8 Integrated Session Border Controller Security 8 1 Contents 8 1 Firewall Media Pinhole Control 8 2 H 248 Address Reporting Package 8 2 DBE Restrictions 8 2 H 248 Session Failure Reaction Package 8 2 H 248 Termination State Control Package 8 2 Interim Authentication Header Support 8 3 7 12 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 DBE Restrictions 8 3 Related Commands 8 3 IP NAPT Traversal Package and Latch and Relatch Support 8 3 Latch and Relatch Support 8 3 DBE Restrictions 8 4 Related Commands 8 4 Local Source Properties Address and Port 8 4 DBE Restrictions 85 NAPT and NAT Traversal 85 Remote Source Address Mask Filtering 8 5 DBE Restrictions 8 6 Related Commands 8 6 Topology Hiding 8 6 Traffic Management Policing 86 Two Rate Three Color Policing and Marking 8 6 CHAPTER 9 Topology Hiding 9 1 Contents 91 NAPT and NAT Traversal 9 2 IP NAPT Traversal Package and Latch and Relatch Support 9 2 IPv4 Twice NAPT 92 IPv6 Inter Subscriber Blocking 9 2 QoS Policy M ap Based Int
111. ir core or backbone network Because service providers allow direct users to come into their network to access different services it is critical to have high security Customers also want to police the data coming into their networks and require notification if any unwanted user tries to access the network The data border element DBE implementation supports various security features and policing of incoming data For example the DBE supports the ETSI TS 102 333 Gate Management GM package to control addressing for the local as well as the remote party The DBE uses the source address mask and remote source address filtering to specify a range of addresses rather than a specific address and port for the source or remote address of the arriving packet Data coming from other defined addresses are dropped and reported to the Signaling Border Element SBE for security reasons Local Source Properties Address and Port and Remote Source Address Mask Filtering described in this chapter are supported features of the GM package This chapter describes or cross references supported security features For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference Firewall Media Pinhole Control page 8 2 H 248 Address Reporting Package page 8 2 e H 248 Session Failure Reaction Package page 8 2 H 248 Termination State Control Package page 8 2 Interim Authenticati
112. is down Enabling H 248 event storage and reporting Detecting media gateway controller MGC failure For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference Billing and Call Detail Records page 11 2 congestion threshold Command page 11 2 DBE Status Notification page 11 2 Enhanced Event Notification and Auditing page 11 2 H 248 Network Package Quality Alert Event and Middlebox Pinhole Timer Expired Event page 11 5 Provisioned Inactivity Timer page 11 6 ServiceChange Notification for Interface Status Change page 11 6 OL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers my Chapter 11 Quality Monitoring and Statistics Gathering W sBilling and Call Detail Records Billing and Call Detail Records One main function of SBC is to generate correct billing call detail and usage records The DBE supports collecting statistics data and sending the data to the Signaling Border Element SBE The following are some of the methods by which the DBE keeps track of statistics Call statistics The DBE generates statistics for a given call by collecting information such as packet count and packets dropped The DBE also snoops into the RTCP packets and reports back to the SBE at the end of the call The DBE tracks and reports other statistics such as call dur
113. level are enabled by the logging level command logging can only be disabled by the logging level command The undebug all and no debug sbc log level commands have no effect If logging and logging level are enabled by a debug command logging can be disabled by the undebug all and no debug sbc log level commands If two different logging levels are set by both a debug command and the logging level command the lower logging level is applied If the same level is set using both the logging level command and a debug command to turn off logging for that level you must disable logging using both the logging level command and the debug command Example H 248 Log Output The following shows sample log output produced on an H 248 ADD request with logging level set to 30 Sep 10 06 38 39 039 SBC 7 MSG 2E01 0092 SBC MG CTRL gctarecv c 1397 Application has completed processing a transaction asynchronously Transaction ID 3 Transaction type 0X01 Sep 10 06 38 49 539 SBC 7 MSG 2E01 0050 SBC MG CTRL gctphash c 701 A hash table has been resized The previous size of the hash table was 1024 entries The new size of the hash table is 512 entries Configuration Examples This section provides the following configuration examples SBC DBE Configuration Steps Example page 2 10 Configuring Primary IP and Primary Media IP Addresses Example page 2 10 Configuring Secondary IP and Secondary Media IP Addresses Example p
114. llers global 2 11 DBE 2 2 2 6 2 10 3 2 7 12 detailed steps 2 3 2 7 3 3 7 13 DTMF 3 2 H 248 logging levels 2 6 media address pools 4 2 primary IP address 2 10 primary media IP address 2 10 restrictions 2 1 secondary IP address 2 11 secondary media IP address 2 11 summary steps 2 2 2 6 3 2 7 12 congestion event 11 2 console logging 2 6 control dscp value 5 5 controller attached 2 5 show sbc dbe controllers command 2 5 controlling packets 7 1 CoS 41 D data border element 1 2 DBE 1 2 media address pools 4 1 DBE signaling pinhole support 7 2 deployment DBE 1 8 Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 E index differentiated services code point 5 3 diffserv package 5 5 discarded packets statistics 11 2 distributed model 1 2 1 8 dropped calls 10 3 DSCP 5 3 two rate three color policing and marking 5 5 DTMF 11 3 interworking 3 1 dual tone multifrequency 3 1 embedded services processor 10 2 enhanced root package 6 1 eroot package 6 1 ESP 10 2 event acknowledgment 11 3 events storage 11 3 event subscription 11 4 F features supported 1 4 firewall 8 2 9 1 flexible address prefix provisioning 7 4 G gate information package becomes optional 6 2 gate management remote source address mask 8 4 gate management package 8 1 8 5 ginfo package 6 2 7 10 gm rsam 8 4 GM p
115. lor Policing and Marking feature and configures differentiated services code point DSCP values and the peak data rate pdr coefficient for the feature on the data border element DBE for each affected flow The show sbc dbe forwarder stats command output entries are added to report statistics of colored traffic For a description of the commands used refer to the Cisco IOS Integrated Session Border Controller Command Reference Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 g 57 Chapter5 Quality of Service and Bandwidth Management His Two Rate Three Color Policing and Marking Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 5 8 OL 15421 01 Contents CHAPTER H 248 Packages Signaling and Control The data border element DBE deployment of the Integrated Session Border Controller SBC for the Cisco ASR 1000 Series Routers supports standard H 248 packages that are used to make the Cisco ASR 1000 Series Router function as the DBE in distributed mode H 248 packages are described or cross referenced in this chapter For a complete description of commands used in this chapter see the Cisco IOS Integrated Session Border Controller Command Reference Enabling Optional H 248 Packages page 6 1 H 248 Address Reporting Package pa
116. me or different shared addresses Any length of network masks is allowed This feature is applicable to both IPv4 and IPv6 flows If there is only one network mask in a dummy entry the DBE uses this network mask to mask out the source IP of the incoming packet and together with the destination IP port constructs a new hash key to locate the corresponding termination flow entry from the flow table If multiple network masks are configured in the dummy entry the DBE masks the source IP of the incoming packets using the multiple network masks stored in the dummy entry sequentially from longest to shortest If a flow entry is located then the DBE stops the flow retrieval operation and continues the rest of SBC processing When a termination is subtracted its network mask length is removed from the dummy entry if the termination is the last one with that gm sam network mask length Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers lt OL 15421 01 Chapter7 H 248 Services Signaling and Control Local Source Properties Address and Port W DBE Restrictions The following are restrictions of DBE support for the Flexible Address Prefix Provisioning feature Only three different lengths of network masks can be in use on a given shared address at one time When multiple mask lengths are used on a shared local address there is extra overhead of ha
117. mple Router config interface sbc 1 Step4 ip address ip address Configures an IP address on the SBC virtual interface Example Router config if ip address 1 1 1 1 255 0 0 0 Step5 exit Exits interface configuration mode Example Router config if exit Step6 sbc sbc name dbe Creates the DBE service on the SBC called mySbc in the example and enters into SBC DBE configuration mode Example Router config sbc mySbc dbe Step7 vdbe global Enters into VDBE configuration mode with a default DBE named global Example Only one DBE is supported and its name must be global Router config sbc dbe vdbe global Step8 h248 version version Specifies that the DBE uses an H 248 version when it forms associations with an H 248 controller Example Version 2 is the default Router config sbc dbe vdbe h248 version 3 Step9 h248 napt package napt ntr Defines whether the DBE uses the Network Address and Port Translation NAPT or NAT Traversal NTR H 248 package for signaling NAT features NTR is the default Example Router config sbc dbe vdbe h248 napt package The example configures the DBE to use NAPT napt Step10 local port port num Configures the DBE to use the specific local port number when connecting to the default media gateway controller M Example GE Router config sbc dbe vdbe local port 2947 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggrega
118. n a suitable period When the ipnapt package is in use the DBE does not attempt to relearn remote addresses and ports unless a Relatch is explicitly signaled by the MGC Relatching is not timed out DBE Restrictions The following are restrictions of DBE support for the IP NAPT Traversal ipnapt package and Latch and Relatch The DBE only supports either the NTR package or the IP NAPT Traversal package for a termination You can configure either package with the h248 napt package command The DBE does not generate the notifyComplete signal when the Latch or Relatch signal completes With the IP NAPT Traversal package the DBE does not automatically relatch on receipt of an H 248 Megaco request that modifies the gm sam If a Relatch is required it must be explicitly signaled by the MGC In addition you cannot update the remote source address mask so that it no longer contains the previously latched remote address without signaling a Relatch Related Commands The h248 napt package command defines which H 248 package either ipnapt or ntr the DBE uses for signaling NAT features Local Source Properties Address and Port The data border element DBE is enhanced to support multiple terminations that share a single local address and port The Gate Management remote source address mask gm rsam defines a remote subnet The mask length is a property of the local address and port combination Only multiple terminations that share
119. n for real time voice video and multimedia traffic The packet marked for higher priority is delivered faster than non prioritized packets The Cisco ASR 1000 Series Aggregation Services Routers support QoS functions such as Low Latency Queueing LLQ Class Based Weighted Fair Queueing CBWFQ and shaping at the subinterface level At the SBC level the data border element DBE has different packages to enhance QoS and these packages are described in this chapter For a complete description of commands used in this chapter refer to the Cisco IOS Integrated Session Border Controller Command Reference H 248 Traffic Management Package Support page 5 1 DSCP Marking and IP Precedence Marking page 5 3 QoS Bandwidth Allocation page 5 4 RTCP Policing page 5 4 e Two Rate Three Color Policing and Marking page 5 5 H 248 Traffic Management Package Support The DBE supports the sustained data rate tman sdr maximum burst size tman mbs and policing tman pol properties of the ETSI TS 102 333 Traffic Management Tman package Support of these tman properties allows additional pinhole programming in the Tman package to inform the DBE how to police media and signaling flows These tman properties can be assigned to both media and signaling flows The DBE performs asymmetric policing Asymmetric policing allows the MGC to impose different flow policing on traffic traveling in each direction on the same stream For example traffic t
120. n indications and there was no current H 248 association with an MGC With Enhanced Event Notification and Auditing these limitations have been minimized with the following features Retention and Returning of H 248 Event Information e Association Reset Silent Gate Deletion Resetting the Media Timeout Timers Retention and Returning of H 248 Event Information The storage of H 248 events is always turned on by default A configuration option the h248 event storage command enables two modes of H 248 events storage permanent H 248 events storage and H 248 events storage until the events are acknowledged by the media gateway controller MGC Permanent H 248 Event Storage The h248 event storage command enables permanent events storage In this mode all H 248 events are retained until the stream on which they occurred is deleted These events are stored internally and reported to the SBE using a Notify command A subsequent audit of the ObservedEvents descriptor for the stream can be used to return any events that are stored with timestamp information indicating when the event actually occurred To reduce the memory required to store event information the DBE only stores the most recent event of each type for each stream The only exception is the dd etd event which indicates that the end of a dual tone multifrequency DTMF tone has been detected and also indicates which tone was detected All instances of this event are sto
121. nation name hierarchy 7 7 termination state control 6 4 termination state control package 8 2 termination wildcarding support extension 7 3 timeout timers 11 4 tips usage in text i xiii Tman package 5 1 t max timer 7 14 token bucket 5 6 topology hiding 8 5 8 6 9 1 traffic management H 248 5 1 asymmetric policing 5 3 mbs property 5 2 pdr property 5 5 pol property 5 2 RTCP policing 5 4 sdr prooperty 5 2 two rate three color policing and marking 5 5 traffic management package 8 6 troubleshooting Bad getbuffer 2 5 huge buffer size 2 6 tsc package 6 4 tsc quiesce 6 4 tsc suspend 6 5 tsc delay timer 7 14 twice NAPT pinholes 7 5 two rate three color policing and marking 5 5 8 6 U unified model 1 2 V version 3 6 6 oL 15421 01 E E index video on demand systems 7 14 VLAN package syntax level support 6 6 VoD support 7 14 voice over IP 1 1 voice tones 3 1 Ww wildcarding support 7 3 m Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01
122. nd runs from port 16384 to 20000 inclusively The second one is for video traffic and runs from port 20001 to 65535 inclusively The first range of addresses also has two similar port ranges configured that apply to all ten addresses within the range The second range of addresses has a single port range defined and no service class associated with it Router config interface sbc 1 config sbc mySBC dbe config sbc dbe media address ipv4 10 10 10 1 config sbc dbe media address port range 16384 20000 voice config sbc dbe media address port range 20001 65535 video config sbc dbe media address exit config sbc dbe media address pool ipv4 10 10 11 1 10 10 11 10 config sbc dbe media address port range 16384 30000 voice config sbc dbe media address port range 30001 40000 video config sbc dbe media address exit config sbc dbe media address pool ipv4 10 10 11 21 10 10 11 30 config sbc dbe media address port range 20000 40000 any Router Router Router Router Router Router Router Router Router Router Router Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Contents CHAPTER Quality of Service and Bandwidth Management Integrated Session Border Controller SBC for the Cisco ASR 1000 Series Routers provides Quality of Service QoS and bandwidth management features to assure quality end to end connectio
123. nfigured maximum rate policing drops or re marks the excess traffic The ETSI TS 102 333 Traffic Management Tman package defined a number of properties to allow traffic policing to be explicitly enabled However because the current H 248 standard only supported specifying one rate with a traffic flow the only action available in the H 248 standard for non conforming packets had been to discard them See the Enhanced Event Notification and Auditing section on page 11 2 The Two Rate Three Color Policing and Marking feature is an enhancement to how the DBE polices traffic flow by introducing two rate policing and three color marking The DBE previously supported three tman properties pol policing sdr sustainable data rate and mbs maximum burst size In supporting the Two Rate Three Color Policing and Marking feature the DBE uses one additional property of the ETSI TS 102 333 Traffic Management Tman package pdr peak data rate Defines the peak data rate in bytes per second that is permitted for the stream See the H 248 Traffic Management Package Support section on page 5 1 for more information on the tman properties Enabling Two Rate Three Color Policing and Marking All of the following conditions must occur to enable the Two Rate Three Color Policing and Marking feature for a specific flow The DSCP value is provisioned via diffserv package during call setup The sdr and mbs are provisioned via the Tm
124. o NAPT pinholes the DBE chooses the internal terminations as follows The first specified termination is chosen to be internal The other termination is chosen accordingly from the other pinhole If the termination with remote address A on one pinhole is internal then the termination with local address A on the other pinhole is also internal The DBE does not support choosing internal terminations based on termination names For No NAPT hairpins any Network Address Translation NAT latching requests are duplicated For example if a termination with remote address A in one pinhole requests NAT latching then the termination with remote address A in the other pinhole must also request NAT latching The request NAT latching can be done using the ipnapt latch H 248 signal A hairpin in which both external terminations are provisioned with the NAT latching instruction cannot latch and cannot forward media No NAPT pinholes are not allowed to re latch to the remote addresses on both sides IPv6 hairpins are supported on UDP and TCP Single NAPT pinhole hairpins are not supported MGC Specified Local Addresses or Ports m Cisco lOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers This feature allows a media gateway controller MGC to specify a local address or port for media and signaling flows through the DBE The MGC specifies a specific address or p
125. odified while the DBE service is active Deactivate the DBE with the no activate command before modifying the IPv4 or IPv6 media addresses or port ranges If you do not specify a port range all possible VoIP port numbers are valid The full VoIP port range extends from 1 to 65535 inclusive You can define a class of service CoS affinity for each port range The set of classes of service is consistent with those used for QoS packet marking and consists of voice video signaling fax or any If you do not define an associated CoS affinity then the affinity is for all call types You can modify the extent of existing port ranges or the CoS affinities of existing port ranges or delete an existing port range Any configuration changes do not apply to existing calls but apply to calls being set up after the configuration has been committed Configuring Media Address Pools This section contains steps for configuring media address pools on a DBE SUMMARY STEPS configure terminal interface sbc sbe sbc name dbe media address pool ipv4 A B C D E F G H port range min port max port any voice video signaling fax exit end show sbc sbc name dbe addresses 1O 00 ea a show sbc sbc name dbe media flow stats ipv4 A B C D port port number Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 4 2 OL 15421 01 Chapter 4 Media
126. ol Cisco IOS Enhanced Event Notification and h248 association timeout Chapter 11 Quality XE Release Auditing Monitoring and h248 t st 2 0 Buen sere Statistics Gathering h248 preserve gates Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers Supported Integrated Session Border Controller Features i Chapter Where Release Feature Name Related SBC Commands Documented Cisco IOS Extension to H 248 Audit Support None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS Extension to H 248 Termination None Chapter 7 H 248 XE Release Wildcarding Support Services Signaling 2 0 and Control Cisco IOS Firewall Media Pinhole Control None Chapter 8 Integrated XE Release Session Border 2 0 Controller Security Cisco IOS Flexible Address Prefix None Chapter 7 H 248 XE Release Provisioning Services Signaling 2 0 and Control Cisco IOS H 248 Address Reporting Package None Chapter 8 Integrated XE Release Session Border 2 0 Controller Security Cisco IOS H 248 Gate Information
127. ol message filter is enabled to display only the H 248 text without any internal message logs 1 enable 2 configure terminal 3 sbc sbc name dbe 4 vdbe global 5 h248 version version 6 h248 napt package napt ntr 7 local port port num 8 control address h248 ipv4 A B C D 9 logging level value 10 logging filter control protocol Optional 11 controller h248 controller index 12 remote address ipv4 A B C D 13 remote port port num 14 exit 15 attach controllers m Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller 16 exit 17 end DETAILED STEPS Configuring H 248 Logging Level Hi Command or Action Purpose Step1 enable Enables privileged EXEC mode Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 sbc sbc name dbe Creates the DBE service on the SBC and enters into SBC DBE configuration mode Example Router config sbc global dbe Step4 vdbe global Enters into VDBE configuration mode with a default DBE named global Example Only one DBE is supported and its name must be global Router config sbc dbe vdbe global Step5 248 version version Specifies that the DBE
128. olicing per Tman Media Policing per Tman Media No policing on AC and parameters on BB and per SDP parameters on AC and on BB policing per Tman parameters on on AC independently BB OFF Signaling No policing on BB Signaling No policing on BB and Signaling No policing on BB and and AC policing per Tman parameters on AC Media No policing on BB and ac Media No policing on BB and AC policing per SDP on AC Media No policing on BB and policing per Tman parameters on AC DSCP Marking and IP Precedence Marking The DBE supports marking of differentiated services code point DSCP bits and IP precedence marking for egress traffic and media relay Using standard router features these markings can be used to prioritize packets for faster delivery or for lower risk of drop under congestion The DBE supports statistics collection and saves all QoS statistics including packets transmitted per second and packets dropped for exceeding allocated bandwidth on a per call or per interface basis DSCP Re M arkings For every media stream the DBE receives a DSCP value to use in the Real time Transport Protocol RTP and Real time Control Protocol RTCP packets The DBE receives these values at the call setup time on a per flow basis and maintains the values as a part of the connection table entry The DBE modifies the type of service TOS bits in the IP header for every outgoing packet and updates the Cisco IOS XE Integrated Session Border
129. on Header Support page 8 3 IP NAPT Traversal Package and Latch and Relatch Support page 8 3 Local Source Properties Address and Port page 8 4 NAPT and NAT Traversal page 8 5 Remote Source Address Mask Filtering page 8 5 Topology Hiding page 8 6 Traffic Management Policing page 8 6 Two Rate Three Color Policing and Marking page 8 6 oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers g Chapter 8 Integrated Session Border Controller Security Hi firewall Media Pinhole Control Firewall Media Pinhole Control The SBE Call Admission Control CAC function inspects the signaling message and instructs the firewall in the DBE to open and close pinholes as needed for the media streams and signaling H 248 Address Reporting Package The data border element DBE supports the H 248 Address Reporting adr package defined in Draft New H 248 37 Amendment 1 ITU T document TD 27 The adr package extends the existing IP NAPT Traversal ipnapt package and adds a new Remote Source Address Change rsac event with two parameters New Remote Source Address nrsa and New Remote Source Port nrsp The rsac event is generated by the media gateway MG when the remote source address for the termination changes that is when a stream latches and is used to report the newly detected remote source address and port to w
130. on Services Routers OL 15421 01 Chapter6 H 248 Packages Signaling and Control W H 248 Traffic Management Package Support H 248 Traffic Management Package Support The DBE supports the sustained data rate tman sdr maximum burst size tman mbs and policing tman pol properties of the ETSI TS 102 333 Traffic Management Tman package Support of these tman properties allows additional pinhole programming in the Tman package to inform the DBE how to police media and signaling flows These tman properties can be assigned to both media and signaling flows The DBE performs asymmetric flow policing The Traffic Management package is described in the H 248 Traffic Management Package Support section on page 5 1 H 248 1v3 Support H 248 1v3 Support allows the DBE to interoperate with an SBE which requires H 248 1v3 or Media Gateway Controller MGC version 3 The DBE can only accept version 3 once it is configured to support version 3 On contacting an SBE the DBE advertises for H 248 1 version 3 and confirms the version received in the response from the SBE If the SBE supports a lower version than was advertised the DBE logs the event disconnects from the SBE and tries an alternative SBE until an SBE with H 248 1v3 is found A new field beaGalEntMegacoVersion is added to the MG Abstraction Layer entity MIB DBE Restrictions The following is a restriction of H 248 1v3 Support The DBE rejects attempts to neg
131. ontents 41 Prerequisites for Implementing Media Address Pools 4 1 Restrictions for Configuring Media Address Pools 4 1 Information About Media Address Pools 4 2 Configuring Media Address Pools 4 2 Configuring M edia Address Pools Example 4 4 CHAPTER 5 Quality of Service and Bandwidth Management 5 1 Contents 5 1 H 248 Traffic Management Package Support 5 1 DSCP Marking and IP Precedence Marking 5 3 DSCP Re Markings 5 3 QoS Bandwidth Allocation 5 4 RTCP Policing 5 4 RTCP Policing Using Tman Package 5 4 RTCP Policing Not Using Tman Package 5 4 Two Rate Three Color Policing and Marking 5 5 Enabling Two Rate Three Color Policing and Marking 5 5 Implementing Two Rate Three Color Policing and Marking 5 5 DBE Restrictions 5 6 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers iv OL 15421 01 Related Commands 5 7 CHAPTER 6 H 248 Packages Signaling and Control 6 1 Contents 61 Enabling Optional H 248 Packages 6 1 Related Commands 6 2 H 248 Address Reporting Package 6 2 H 248 Gate Information Ginfo Package Becomes Optional 6 2 DBE Restrictions 6 2 H 248 Segmentation Package Support 6 2 DBE Restrictions 6 3 Related Commands 6 3 H 248 Session Failure Reaction Package 6 3 DBE Restrictions 6 4 H 248 Termination State Control Package 64 The tsc quiesce Feature 6 4 The tsc suspend Feature 6 5 DBE Restrictions 6 5 Related Commands 6 5 H
132. or Interface Status Change feature on the Cisco ASR 1000 Series Routers SUMMARY STEPS m e WN FF enable configure terminal interface type number sbc interface id value end m Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter7 H 248 Services Signaling and Control ServiceChange Notification for Interface Status Change il DETAILED STEPS Command or Action Purpose Step1 enable Enables privileged EXEC mode Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 interface type number Configures an interface type and enters into interface configuration mode Example Router config interface port channel 99 Step4 sbc interface id value Maps the physical interface id contained in the termination ID for the pinhole to the port channel interface Example Router config if sbc interface id 2 Step5 end Exits interface configuration mode and returns to privileged EXEC mode Example Router config if end Configuration Example Output In the following configuration output example the sbe interface id command maps physical interface id 1 contained in the termination ID for the pinhole to GigabitEthernet interface 1 interface gigabitethernetl sbc interface id 1 no ip address
133. or that property value on an Add termination request An attempt to do fails with error 421 indicating Unknown action or illegal combination of actions H 248 Segmentation Package Support When an H 248 association is established over the User Datagram Protocol UDP the H 248 message can be too big to fit inside one UDP packet and as a result H 248 based segmentation is required The H 248 Segmentation seg package defined in H 248 1v3 Annex E defines the following four properties to use when performing this segmentation e MGSegmentationTimerValue MGCSegmentationTimer Value MGMaxPDUSize MGCMaxPDUSize Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 6 2 OL 15421 01 Chapter6 H 248 Packages Signaling and Control H 248 Session Failure Reaction Package i Segmentation package support includes the following functionality If the media gateway controller MGC does not receive all the message segments or expected segmented responses it sends error 459 Ifthe MGC receives all the segmented responses but the DBE does not receive a TransactionResponseAcknowledgement then the DBE cannot send an error message because this behavior is not defined in the H 248 specification DBE Restrictions The following are restrictions of DBE support for the Segmentation package The DBE must support H 248 segmentation in addition
134. ort for terminations in H 248 Add and Modify requests instead of using the CHOOSE wildcard If either address or port is not specified it is selected by the DBE from one of the DBE managed address ranges The following error messages describe how the functionality has failed Requested address and port do not belong to a range that has been configured on the DBE with the appropriate class of service for the flow Megaco error 421 Unknown action or illegal combination of actions Media port number requested is an odd number Megaco error 500 Internal Software Failure Request attempted to change the local address and port for an existing flow Megaco error 501 Not Implemented OL 15421 01 Chapter7 H 248 Services Signaling and Control Multi Stream Terminations Ml Requested address or port is already in use by another flow or was in use by a recently deleted flow Megaco error 510 Insufficient Resources DBE Restrictions The following are restrictions of DBE support for this feature The addresses and ports specified must fall within a valid address or port range configured on the DBE and not marked as MGC managed The class of service of the port range must match the type of flow being allocated Real time Transport Protocol RTP flows cannot be set up to use odd numbered ports Multi Stream Terminations This enhancement allows a single H 248 termination to cont
135. osing SIP messages can flow to the endpoints before the signaling pinhole is closed by the media gateway MG and the context enters the tsc quiesce state After the tsc delay timer expires the context enters the tsc quiesce state the signaling pinhole is closed and if subscribed the MG generates H 248 event notifications for the tsc dc event The tsc delay timer is set to a value of 2 seconds For more information on the tsc quiesce state see the H 248 Termination State Control Package section on page 6 4 DBE Restrictions The following are restrictions of DBE support for the tsc delay timer Ifan H 248 Modify command explicitly changes the tsc gtd property so that all terminations within the context have the tsc gtd property set to ON the tsc delay timer is not started and the tsc quiesce state occurs immediately The duration of the tsc delay timer cannot be modified While the tsc delay timer is running for a context the MG can accept further programming for that context If as a result of this interim programming the context is no longer in the tsc quiesce state for example if new streams are added without the tsc gtd property set or the tsc gtd property is changed for existing streams then the tsc delay timer stops and no further action is taken unless the context re enters the tsc quiesce state at a later time Video on Demand VOD Support Integrated Session Border Controller supports video on demand
136. otiate with the MGC to a lower version once the DBE is configured to support version 3 Related Commands The h248 version command defines the version of the H 248 protocol which the DBE uses when forming associations with an H 248 controller H 248 VLAN Package Syntax Level Support The DBE provides syntax level support of the H 248 VLAN package The media gateway controller MGC can program up to two VLAN tags and associated Ethernet priorities as defined in the H 248 VLAN package The DBE can accept store and return VLAN tag and priority information at the syntax level for media streams DBE Restrictions The following is a restriction of DBE support for the H 248 VLAN package The DBE does not use the VLAN tag and priority information 1 ETSI TS 102 333 version 1 1 2 Traffic Management Package Cisco 10S XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 6 6 OL 15421 01 Chapter6 H 248 Packages Signaling and Control MGC Controlled Gateway Wide Properties W Related Commands The VLAN tag and priority information is returned in the show sbc dbe media flow stats and show sbc dbe signaling flow stats command outputs M GC Controlled Gatew ay W ide Properties This feature adds support for all of the properties in Version 2 of the H 248 Base Root package as defined in H 248 1v3 The following properties of the Base Root Version 2 package
137. ovisioned Inactivity Timer 11 6 Related Command 11 6 ServiceChange Notification for Interface Status Change 11 6 11 5 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers viii i OL 15421 01 Preface This preface describes the objectives and organization of this document and explains how to find additional information on related products and services This preface contains the following sections Document Revision History page ix Objectives page ix Intended Audience page x Organization page x Related Documentation page xi Document Conventions page xi Obtaining Documentation and Submitting a Service Request page xiii Document Revision History The Document Revision History records technical changes to this document The table shows the software release number and document revision number for the change the date of the change and a brief summary of the change Release No Revision Date Change Summary 2 1 OL 15421 01 May 5 2008 This document was first published Objectives This document describes the Integrated Session Border Controller functions features restrictions and configuration tasks for the Cisco ASR 1000 Series Aggregation Services Routers It is not intended as a comprehensive guide to all of the software features that can be run using the Cisco ASR 1000 Series Routers but only
138. pools Because the same DBE router routes non SBC IPv6 traffic which does not have SBC termination flow entry whatsoever the default operation for IPv6 traffic that does not have a corresponding termination flow entry is to continue to switch these packets This can result in a situation where subscribers are still able to connect to other subscribers through the SBC DBE router without completing the signaling and call setup process To support inter subscriber blocking in the IPv6 environment you must classify subscribers at the ingress interface so that non SBC traffic and SBC traffic can be differentiated For example you might configure QoS at the ingress interface to mark all subscriber traffic with an unused unique differentiated services code point DSCP value and then configure QoS at the egress interface to drop all the packets with this unused unique DSCP value For SBC traffic with a termination flow entry a separate DSCP value should be used to replace the original DSCP for these SBC packets as part of the normal diffserv package processing As a result of this configuration SBC packets with a session established will be routed and forwarded though the egress interface without being dropped Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter9 Topology Hiding QoS Policy M ap Based Inter Subscriber Blocking Method I
139. ported Integrated Session Border Controller Features 1 4 Deployment of the Integrated Session Border Controller 1 8 Integrated Session Border Controller DBE Deployment Scenario 1 8 CHAPTER 2 Configuring Integrated Session Border Controller 2 1 Contents 2 1 Prerequisites for Integrated Session Border Controller 2 1 Restrictions for Integrated Session Border Controller 2 1 Configuring Integrated Session Border Controller DBE Deployment 2 2 Prerequisites 2 2 What To Do Next 25 Examples 2 5 Troubleshooting Tips 2 5 Configuring H 248 Logging Level 2 6 Enabling H 248 Logging Requests and Responses 2 8 Example H 248 Log Output 2 9 Configuration Examples 2 9 SBC DBE Configuration Steps Example 2 10 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 g ii E Contents Configuring Primary IP and Primary M edia IP Addresses Example 2 10 Configuring Secondary IP and Secondary M edia IP Addresses Example 2 11 M aking Global Changes to Controllers Example 2 11 M aking Changes to Individual Controller Settings Example 2 13 Cisco H 248 Profile 2 14 Overview of Profile 2 14 Profile Packages 2 15 CHAPTER 3 DTMF Interworking 3 1 Contents 3 1 Information About DTM F Interworking 3 1 RTP to SIP Interworking 3 2 SIP to RTP Interworking 3 2 Configuring Default Duration of a DTM F Event 3 2 Prerequisites 3 2 CHAPTER 4 Media Address Pools 4 1 C
140. r Controller support for Stateful Switchover SSO allows for stateful IOS process switchovers where critical state information is synchronized between one Route Processor used as the active processor and the other RP used as the standby processor When Cisco IOS is configured for SSO the SBC module running on the active IOS process constantly replicates its internal state to its standby peer SBC module on the standby IOS process In this way the standby SBC module is kept in sync with the active IOS process and has all the state information necessary to retain active calls and resume call processing in the event the active IOS process fails and an SSO occurs For information on SSO see the Cisco IOS High Availability Configuration Guide at http www cisco com en US products ps6922 products_installation_and_configuration_guides_list ht ml ISSU Support Integrated Session Border Controller supports In Service Software Upgrade ISSU with a redundant RP or redundant IOS process The ISSU process allows software to be updated or otherwise modified on a standby RP or standby IOS process while packet forwarding on the active RP or active IOS process continues For the Cisco ASR 1000 Series Routers ISSU compatibility depends on the software package being upgraded and the hardware configuration See the High Availability Overview section in the Cisco ASR 1000 Aggregation Services Router Software Configuration Guide for more updated informat
141. r with the attach controllers command 10 Exit the VDBE configuration mode with the exit command 11 Reactive the DBE with the activate command Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Chapter 2 Configuring Integrated Session Border Controller Hs Configuration Examples The following example shows the initial SBC configuration sbc mySbc dbe vdbe global use any local port control address h248 ipv4 172 25 2 26 controller h248 1 remote address ipv4 172 25 2 243 remote port 2946 transport udp attach controllers activate location id 1 media address ipv4 20 20 20 20 media address ipv4 21 21 21 21 The following example illustrates a user trying to change the local port number while the controllers are configured and receiving an error message Router configure terminal Enter configuration commands one per line End with CNTL Z Router config sbc mySbc dbe Router config sbc dbe vdbe Router config sbc dbe vdbe local port 2946 SBC local port cannot be changed while controllers are configured The following example illustrates the user following the recommended steps to change the local port Router config sbc dbe vdbe exit Router config sbc dbe no activate Router config sbc dbe vdbe Router config sbc dbe vdbe no attach controllers Router config sbc dbe vdbe no controller h248 1 Router
142. raveling from the subscriber side to the DBE can be policed independently of traffic from the network core to the DBE Asymmetric policing is accomplished by allowing the tman pol property to be specified separately for the two sides of a gate which typically might be the access subscriber side and the back bone side The tman pol property can be specified as ON OFF or Absent on either the access side or the back bone side 1 ETSI TS 102 333 version 1 1 2 Traffic Management Package oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers my Chapter5 Quality of Service and Bandwidth Management H 248 Traffic Management Package Support for either a media flow or signaling flow Once tman pol is specified as ON and both the tman sdr and tman mbs properties are present the DBE polices traffic based on the values of the tman sdr and tman mbs parameters The supported tman properties have the following functions The tman sdr property defines the sustainable data rate in bytes per second that is permitted for the stream It has a numerical value The tman mbs property defines maximum burst size in bytes for the stream It has a numerical value The tman pol policing property can be set to ON or OFF or Absent When the tman pol property is set to ON policing is applied at the point of entry for traffic entering the media gatewa
143. rce Address Mask rsam property of the ETSI TS 102 333 Gate Management GM package is not involved in the flow entry hash key construction there are no limits to the network mask length because the mask specific to each flow is used to validate the SBC packets after the flow entry is retrieved that is the expected gm rsam information is obtained from the flow entry that is stored during the signaling call setup process However when features such as Local Source Properties Address and Port or Remote Source Address Mask Filtering are used where flows from various source IPs can connect to the same service destination IP address and port the source IP network mask gm rsam network mask must be used in the hash key construction in addition to the destination IP and port in order to identify and retrieve a unique flow entry Because there is no way to know about the existence of the multiple terminations when the data border element DBE tries to construct the hash key for retrieving the flow entry support has been added for the Flexible Address Prefix Provisioning feature This feature creates a dummy entry using the service IP and port to construct a hash key when the first termination with this service IP and port combination is established This dummy entry is shared among all the terminations sharing the same service IP and port for storing network masks and supports three different lengths of network masks on a given shared address at one ti
144. red because the entire sequence of tones is likely to be significant H 248 Events Storage Until Event Acknowledgment The system default is the mode where H 248 events are stored only until the events are acknowledged by the media gateway controller MGC This can also be enabled by the no h248 event storage command H 248 events other than those relating to a media timeout are deleted by the MGC after the MGC has acknowledged them In this mode the H 248 events relating to a media timeout are retained if the H 248 association fails oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers my Chapter 11 Quality Monitoring and Statistics Gathering HI Enhanced Event Notification and Auditing Association Reset A configuration option the h248 association timeout command has been added that allows an alternative association reset behavior The possible options are The it ito event is the only event where failure to notify the SBE about it causes the H 248 association with the SBE to be reset This behavior is the default and the standard H 248 protocol behavior Failure of any event notification causes an H 248 association with the SBE to be reset Silent Gate Deletion To prevent silent gate deletion a configuration option the h248 preserve gates command has been added that allows you to block this behavior When silent gate d
145. resses The port range ipv6 command creates a port range associated with a single IPv6 media address or a pool of IPv6 media addresses IPv6 addresses must be configured with the signaling keyword The any voice video and fax keywords supported in the IPv4 port range command are not supported in IPv6 The ipv6 ipv6 address keyword is added to the debug sbc filter command The ipv6 ipv6 address keyword is added to the show sbc dbe media flow stats and show sbc dbe signaling flow stats commands No NAPT Pinholes No NAPT pinholes can form coupled pairs only under the following circumstances Both pinholes are No NAPT Each internal termination has local and remote addresses that are identical to those of the external termination on the associated pinhole amp Note The two terminations between which media loops back are called the internal terminations of their respective pinholes Only external terminations directly receive packets from the network Any remote source address masks rsams are duplicated For example if a termination with remote address A in one pinhole has an rsam of 1111 2222 3333 4444 48 then the termination with remote address A in the other pinhole also has an rsam of 1111 2222 3333 4444 48 DBE Restrictions The following are DBE restrictions for the No NAPT Pinholes feature The DBE chooses the internal terminations as follows The first specified termination is
146. rs Services Signaling 2 0 and Control Cisco IOS Provisioned Inactivity Timer h248 inactivity duration Chapter 11 Quality XE Release Monitoring and 2 0 Statistics Gathering Cisco IOS QoS Bandwidth Allocation None Chapter 5 Quality of XE Release Service and Bandwidth 2 0 Management Cisco IOS Remote Source Address Mask media address ipv4 Chapter 8 Integrated XE Release Filtering Session Border dia add l ipv4 2 0 a Ad a Controller Security Cisco IOS RTCP Policing None Chapter 5 Quality of XE Release Service and Bandwidth 2 0 Management Cisco IOS RTP Specific Behavior Support None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS ServiceChange Notification for sbc interface id Chapter 7 H 248 XE Release Interface Status Change Services Signaling 2 1 and Control Cisco IOS T MAX Timer tmax timer Chapter 7 H 248 XE Release Services Signaling 2 0 and Control Cisco IOS The tsc Delay Timer None Chapter 7 H 248 XE Release Services Signaling 2 0 and Control oL 15421 01 m Chapter1 Integrated Session Border Controller for the Cisco ASR 1000 Series Routers Overview Deployment of the Integrated Session Border Controller Chapter Where Release Feature Name Related SBC Commands Documented Cisco IOS transaction pending command __ transaction pending Cisco IOS Integrated XE Release Session Border 2 0 1 Controller Command
147. rvice for each port range Quality of Service and Bandwidth Management Describes features the DBE has to enhance Quality of Service QoS H 248 Packages Signaling and Control Describes support of standard H 248 packages H 248 Services Signaling and Control Describes different H 248 services and controlling functions of the DBE Integrated Session Border Controller Security Describes various high security features and policing of incoming data Topology Hiding Describes the various features by which Integrated Session Border Controller protects the network by hiding the network address and names for both the customer and core network sides and properly translating the IP address and port when a user connects to the outside network Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 Preface Chapter Title Description 10 High Availability Support Describes hardware and software redundancy support for Integrated Session Border Controller on the Cisco ASR 1000 Series Routers 11 Quality Monitoring and Statistics Describes DBE support for monitoring events and Gathering generation of event notification correct billing and call usage records Related Documentation This section refers you to other documentation that also might be useful as you configure your Cisco
148. s a token bucket algorithm to manage the maximum rate of traffic This algorithm is used to define the maximum rate of traffic allowed on an interface at a given moment in time The token bucket algorithm processes as follows each arriving packet s size frame s size is subtracted from the contents of the bucket If the bucket does not have enough tokens for the arriving packet the packet is dropped and no tokens are removed The passage of time fills the bucket with tokens and the dispatching of a packet depletes the bucket DBE Restrictions The following are DBE restrictions for the Two Rate Three Color Policing and Marking feature The DSCP values configured via CLI are global Specifically the DSCP values are shared among all the terminations when this feature is enabled e The Two Rate Three Color CLI is only applicable to future new call flows and do not trigger any backtrack to established terminations e A media gateway controller MGC also called the SBE is only able to use the Tman fields if the DBE supports the various features which make up Tman support Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 5 6 OL 15421 01 Chapter5 Quality of Service and Bandwidth Management Two Rate Three Color Policing and Marking Ml Related Commands The control dscp marker dscp pdr coefficient command enables the Two Rate Three Co
149. s of packages naming conventions and other details for an entire set of applications The SBC DBE deployment for the Cisco ASR 1000 Series Routers currently supports only one profile SBC_GateControl The SBC_GateControl profile a Cisco internal profile based on ITU T Recommendation H 248 1 Version 2 defines functionality between the DBE and the MGC Overview of Profile The profile connection model supports the following Maximum number of contexts Provisioned Maximum number of terminations per context 68 Allowed terminations type combinations IP IP Table 2 1 shows the context attributes and values that are supported by the profile Table 2 1 Context Attributes Context Attribute Supported Values Supported Topology No N A Priority Indicator Yes 0 to 15 Emergency Indicator Yes ON OFF IEPS Indicator Yes ON OFF Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 2 14 OL 15421 01 _ Chapter 2 Configuring Integrated Session Border Controller Cisco H 248 Profile W Table 2 1 Context Attributes Context Attribute Supported Values Supported Context Attribute Descriptor No N A ContextIDList Parameter No N A AND OR Context Attribute No N A The termination ID structure is provisioned in the MGC The MGC is at liberty to choose any termination naming structure The DBE can accept 3 to 9 fields in
150. sage in text i xii notification Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers OL 15421 01 m E index DBE status notification 11 2 enhanced event notification 11 2 H 248 events storage 11 3 nt qualert 11 2 11 4 11 5 O optional local remote descriptors 7 10 overview SBC 1 1 P packet forwarding 9 5 pdr coefficient 5 5 pdr property 5 5 peak data rate 5 5 permanent events storage 11 3 pinhole 7 5 pinhole timeout 11 4 policing asymmetric policing 5 1 ipv6 packets 9 5 RTCP 5 4 security functions 8 1 signaling flows 7 2 tman pol property 5 2 token bucket 5 6 two rate three color 5 5 two rate three color policing and marking 5 5 port range CoS 42 media address pools 4 1 4 2 profile packages 2 15 profile H 248 eroot package 6 1 protecting network 9 1 provisioned inactivity timer 11 6 Q QoS 5 1 diffserv package 5 5 DSCP 5 5 pdr coefficient 5 5 two rate three color policing and marking 5 5 quality monitoring 11 1 Quality of Service 5 1 R real time control protocol 5 4 real time transport protocol 3 1 5 4 re arming 11 4 redundancy 10 1 hardware 10 2 ISSU 10 3 RPR 10 2 software 10 2 SSO 10 3 relatch 8 2 8 3 9 1 remote source address mask 7 4 remote source address mask filtering 8 5 resetting media timeout timers 11 4 route processor 10 2 RP 10 2 RPR based RP switchover 10 3
151. sh key construction and flow entry lookup Local Source Properties Address and Port The Local Source Properties Address and Port feature is described in the Local Source Properties Address and Port section on page 8 4 Locally Hairpinned Sessions The DBE supports hairpinning of calls between subscribers connected to the same DBE for IPv4 and IPv6 packets A hairpin consists of two pinholes or two pairs of terminations on the DBE that the media gateway controller MGC has provisioned with local and remote addresses whereby media from one pinhole should travel directly loops back to the other pinhole The MGC also known as an SBE does not differentiate whether Add requests are sent to the same or different DBEs for a flow setup In a hairpin media call flow setup two pairs of terminations internally connect the backbone BB side to logically merge two separate DBEs into one DBE The flow resembles a hairpin This feature is useful for interoperation with signaling border elements SBEs that provision two pinholes even in the case where the SBE does not require media to be sent further into the network D Note Pinhole is an informal term for a pair of terminations in the same stream and same context Twice NAPT Pinhole Hairpinning The DBE successfully forwards media through Twice Network Address and Port Translation NAPT pinholes that form a hairpin For Twice NAPT hairpinning the DBE forwards media on demand
152. ss and port range available on the DBE and must not already have been allocated for another use This function is intended to be used for signaling pinholes but it can be used for any pinhole The address and port range available must be separately configured on both the MGC and the DBE Each endpoint must have a signaling pinhole associated with it in order for it to communicate with the SIP server Signaling pinholes are forwarded in the same way as media pinholes that is packets are forwarded after the policing bandwidth usage is checked and the IP header is re written The only exception is that signaling pinholes do not time out if the flow of signaling packets stops Signaling pinholes can be used for other than just SIP traffic such as for non RTP media streams of any kind However you need to specify a bandwidth limit using the Traffic Management Tman package if you want policing DBE Restrictions The following are DBE restrictions for DBE Signaling Pinhole Support The endpoint still needs to be sending its signaling to a local address owned by the DBE configured as a media address If a signaling port range is not configured then by default the range is the same as that for media ports 16384 to 32767 For this reason it is recommended that a signaling port range is explicitly configured The configured range must not clash with the address and port used by the media gateway for its connection to the MGC You need to ensure
153. t one or more tiers of the termination name are not supported For example operator sip is not supported but operator sip is The exception is the full wildcard which is simply You can construct transactions with multiple overlapping wildcarded commands and when a single transaction contains multiple commands referencing the same terminations the commands operate in order However when a termination is subtracted any other commands affecting it are ignored For example suppose a media gateway MG has a single termination a b 1 The following are examples of overlapping wildcarded commands and their returns audit value a audit value b returns a b 1 in the response twice modify a modify b modifies termination a b 1 with the second modify overwriting the first and return success to both commands subtract a subtract b subtracts a b 1 as part of the first subtract and ignores the second subtract subtract a modify b subtracts termination a b 1 and ignores the modify modify a subtract b does the same as above When a wildcard command is ignored under these circumstances the response to that command is error 431 No Termination ID matched a wildcard When a non wildcarded command is ignored the response is error 430 Unknown Termination ID Flexible Address Prefix Provisioning When the Remote Sou
154. the buffer huge size 65535 command to ensure the buffer is large enough for H 248 audit responses SUMMARY STEPS enable configure terminal interface sbe interface number ip address ip address exit sbe sbc name dbe vdbe global h248 version version WO 0o N O OE o o A h248 napt package napt ntr m S local port port num control address h248 ipv4 A B C D e me N F controller h248 controller index remote address ipv4 A B C D e me P Ww remote port port num ol transport udp tcp interim auth header m D exit m attach controllers me co exit m so location id location id media address ipv4 A B C D N N e So activate N N end Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers 2 2 OL 15421 01 _ Chapter 2 Configuring Integrated Session Border Controller DETAILED STEPS Command or Action Configuring Integrated Session Border Controller DBE Deployment W Purpose Step1 enable Enables privileged EXEC mode Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 interface sbc interface number Creates an SBC virtual interface numbered 1 in the example and enters into interface configuration mode Exa
155. tion Services Routers OL 15421 01 EN Chapter 2 Configuring Integrated Session Border Controller HI Configuring Integrated Session Border Controller DBE Deployment Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Step 18 Step 19 Step 20 Command or Action Purpose control address h248 ipv4 A B c D Example Router config sbc dbe vdbe control address h248 ipv4 210 229 108 254 Configures the DBE to use a specific IPv4 H 248 control address which is the local IP address the DBE uses as its own address when connecting to the SBE controller h248 controller index Example Router config sbc dbe vdbe controller h248 1 Configures the H 248 controller for the DBE and enters into Controller H 248 configuration mode In the example the configured number identifies the H 248 controller for the DBE remote address ipv4 A B C D Example Router config sbc dbe vdbe h248 remote address ipv4 210 229 108 252 Configures the IPv4 remote address of the H 248 controller for the SBE In the example 210 229 108 252 is configured as the remote SBE IP address remote port port num Example Router config sbc dbe vdbe h248 remote port 2947 Configures the port number of the H 248 controller that is used to connect to the SBE transport udp tcp interim auth header Example Router config sbc dbe vdbe h248 transport udp interim auth head
156. transport than SNMP and consolidates the information on the MGC for simpler management The MGC is also referred to as a signaling border element SBE In order for the SBE to be informed about status changes on a physical interface on the DBE you can use the sbe interface id command to map that physical interface to the physical interface id contained in the termination ID Thus the SBE is able to associate status changes on the physical interface with a pinhole The command inserts the termination ID in the ServiceChange H 248 message Therefore when the physical interface changes status the MG is able to report a service change with that particular termination ID to the SBE oL 15421 01 Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers jg Chapter7 H 248 Services Signaling and Control W sServiceChange Notification for Interface Status Change Note For more details on the sbc interface id command see the Cisco IOS Integrated Session Border Controller Command Reference The ServiceChange H 248 notification is generated by any of the following events Link up and link down For link up MG Service Restoration event The ServiceChangeMethod is Restart and the ServiceChangeReason is 900 Service Restored For link down MG Service Cancellation event The ServiceChangeMethod is Forced and the ServiceChangeReason is 905 Term taken
157. ult sequence 40 permit ipv6 any any sequence 50 DBE Restrictions The following is a restriction of DBE support for IPv6 inter subscriber blocking Because the configuration of inter subscriber blocking in the IPv6 environment relies on Cisco IOS QoS to mark the DSCP value in the ingress feature process the original DSCP value of the packets arriving at the DBE router will not be preserved IPv6 Support IPv6 support includes the following functionality The DBE supports IPv6 pinholes for both media endpoints and signaling endpoints See the IPv6 Pinholes section on page 9 6 amp Note Pinhole is an informal term for a pair of terminations in the same stream and same context Media flows do not support Network Address and Port Translation NAPT they must be No NAPT As aresult you cannot configure any media addresses under IPv6 Media flows may consist of voice or video Signaling flows support Single NAPT You are able to configure signaling addresses under IPv6 The DBE examines all IPv6 packets that arrive from the network and determines which ones belong to authorized SBC media streams The DBE normally uses the destination and possibly the source IP address and port for packet classification The DBE identifies packets belonging to an authorized media stream as SBC packets and applies the appropriate traffic policing rules to the packets The counter showing number of packets received is modified
158. video phone mon monitor others lt subscriber class gt gn public ur priority url emergency lt Reservedl gt digit 0 15 lt physical interface id gt digit 0 1023 lt Reserved2 gt digit 0 4095 lt sub interface id gt digit 0 4095 lt termination attribute gt de d c ac access bb backbone mon monitor lt channel gt digit 0 4294967295 Displaying the Nine Tier Termination Name Hierarchy This section describes the show command for the nine tier termination name hierarchy The media flow stats show command is extended to include the full termination ID in the response show sbc sbc name dbe media flow stats summary detail vrf vrf name ipv4 A B C D ipv6 ipv6 address port port number Syntax Description show sbc sbc name dbe media flow stats Lists the statistics about one or more media flows summary detail vrf vrf name ipv4 collected on the DBE A B C D ipv6 ipv6 address port port number sbc name The SBC service name e Optional A B C D Only display media Example flows to or from this IPv4 media address RP 0 0 CPU0 router show services sbc my i Optional ipv6 address Only display sbc dbe media flow stats vrf vpn3 ipv4 10 1 1 1 port 24000 media flows to or from the specified IPv6 media IP address Optional port number Only display media flows to or from this port
159. wing are restrictions of DBE support for IPv6 pinholes DBE does not support IPv6 for control communications with the SBE H 248 communication with the controlling SBE is over IPv4 only DBE does not support IPv6 addresses that are not global unicast addresses DBE does not support IPv6 addresses that do not use the default zone DBE does not use the IPv6 Flow Label to classify packets It continues to use the transport protocol type UDP TCP and local and remote ports as with IPv4 Outgoing packets originating from the DBE such as DTMF packets have a Flow Label of 0 DBE does not support forwarding between IPv4 and IPv6 endpoints In particular 6 to 4 addresses prefixed with 2002 16 are treated as global unicast native IPv6 addresses Intra Site Automatic Tunnel Addressing Protocol ISATAP link local addresses are not supported Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers n OL 15421 01 Chapter9 Topology Hiding No NAPT Pinholes Ml Related Commands The ipv6 address session border controller command sets or creates the IPv6 address prefix on an SBC interface The media address ipv6 command adds an IPv6 address to the set of addresses that can be used by the DBE as a local media address The media address pool ipv6 command creates a pool of sequential IPv6 media addresses that can be used by the DBE as local media add
160. y MG When both the tman sdr and tman mbs properties are present and the tm pol property is ON the DBE polices traffic based on the sdr and mbs Tman parameters However the absence of both tman sdr and tman mbs properties is permissible In this case the DBE polices traffic based on the Session Description Protocol SDP amp Note If either the tman sdr or tman mbs property is present then the other property must be present that is both the tman sdr and tman mbs properties must be present In this case the DBE polices traffic based on the sdr and mbs parameters When the tman pol property is set to OFF no policing is applied to traffic entering the media gateway Ifthe tman pol property is Absent policing is done based on the SDP for the stream for a media flow No policing is done for a signaling flow amp Note Absent means that the property has not been defined If no tman properties tman pol tman sdr and tman mbs have been defined then the behavior for a media flow is to calculate the required bandwidth from the Session Description Protocol SDP in the local descriptor For a signaling flow the behavior is to perform no policing The tman properties tman pol tman sdr and tman mbs are defined using Add and Modify requests and they are returned on subsequent responses to Audit requests The tman properties have the following caveat The DBE issues error 421 indicating Unknown action or
Download Pdf Manuals
Related Search