Cisco IOS XR Session Border Controller Configuration Guide Release 3.6
DBE Signaling Pinhole Support

The DBE signaling pinhole feature allows the media gateway controller (MGC) to directly control policing of the signaling flows through the SBC interfaces on the data border element (DBE). The policing is carried out at a per signaling flow level via the H.248 association between the MGC and DBE. This new feature eliminates the need to have a separate firewall device to protect the MGC.

Without this feature, signaling packets are addressed to the signaling border element (SBE), and the DBE acts as a router, forwarding the packets to the SBE. When DBE signaling pinhole support is enabled, the DBE can police signaling packets using Traffic Management (Tman). Application-level pinholes are created on the DBE so that those packets are forwarded to the SBE. Normal IP forwarding is disabled on the SBC interfaces of the DBE.

Feature History for DBE Signaling Pinhole Support

| Release | Modification |
|---|---|
| Release 3.5.0 | This command was first introduced on the Cisco CRS-1. |
| Release 3.6.0 | No modification. |


Contents

This module contains the following sections:

Restrictions for DBE Signaling Pinhole Support

Information About DBE Signaling Pinhole Support

How to Display the DBE Signaling Pinhole Statistics

Additional References

Restrictions for DBE Signaling Pinhole Support

Where signaling pinholes are enabled, the forwarded IP packets must be addressed to an address/port belonging to the DBE. The DBE matches the packet to a pinhole, using the VPN/address/port the packet was received on. Therefore, each pinhole must have a unique VPN/address/port on the DBE.

The DBE only rewrites information within the IP/UDP or IP/TCP headers. It does not update any other parts of the forwarded packets.

The Media Packet Forwarder (MPF) may only police traffic received on an SBC interface. If there are other interfaces on the device, then the traffic received on them is forwarded as normal.

The MPF does not generate media-down indications for the signaling pinholes. Therefore, they cannot time out, and can only be closed by the MGC.

There is no way to configure a "catch-all" pinhole that allows signaling traffic which would otherwise be dropped because it does not match any configured pinhole.

Configured port-ranges affect all types of ports (UDP and TCP). It is not possible to specify different ranges for different types of ports.

The MGC can only specify the local address and port when initially allocating the termination. It cannot modify the termination's local address and port after the termination has been created and its local address and port have been selected.

If a signaling port range is not configured, then the default range is the same as that for media ports (1-65535). For this reason it is recommended that a signaling port range is explicitly configured. The configured range must not clash with the address/port used by the MG for its connection to the MGC. It is up to the user to ensure this configuration is entered consistently.

Signaling packets tend to be larger than media packets and consequently have a higher risk of IP fragmentation. If fragmentation does occur, only the initial fragment carries the TCP/UDP header with the port numbers that the MPF uses to classify a packet to a flow. The MPF is unable to handle IP fragments and drops all fragments, including the first one.

Information About DBE Signaling Pinhole Support

The DBE signaling pinhole support includes the following functions:

The DBE only forwards traffic that is received on a configured pinhole. The packet must be addressed to a VPN/address/port on an SBC interface on the DBE.

Signaling pinholes are configured in the same way as media pinholes over H.248. They can be differentiated from media pinholes by session descriptions as defined in the session description protocol (SDP) in the local and remote descriptors. The "m=application" line indicates that the termination is a signaling pinhole.

The data rate through a signaling pinhole is unlimited.

H.248 RTP statistics are not reported for signaling pinholes since they do not carry RTP traffic.

H.248 Profile Changes

In order to enable the new feature, the DBE now supports the following packages with the profile version three:

IP NAT traversal (ipnapt)

Optional traffic management (Tman) package

How to Display the DBE Signaling Pinhole Statistics

This section describes the changes in the show commands that display the information about the DBE signaling pinhole.

Displaying the Statistics About Signaling Flows Collected on the DBE

The possible classes of service which can be applied to the DBE media-address port-range command are extended to include an additional class of service, the signaling class. If a local address/port is not specified by the MGC for a signaling pinhole, then the DBE selects an address/port from a port range identified by the signaling class of service. If the MGC does provide an address/port, then it must fall within a port range identified by the signaling class of service.

A new command, dbe signaling-flow-stats, is added to the show command:

Syntax:

  show services sbc service-name dbe signaling-flow-stats [vrf vrf-name [ipv4 A.B.C.D [port port-number]]]

Example:

  RP/0/0/CPU0:router# show services sbc mySbc dbe signaling-flow-stats vrf vpn3 ipv4 10.1.1.1 port 24000

Description:

Lists the statistics about one or more signaling flows collected on the DBE. The example below shows the reported fields.

  service-name: The SBC service name

  (Optional) vrf-name: Only display media flows to/from this VPN

  (Optional) A.B.C.D: Only display media flows to/from this IPv4 media address

  (Optional) port-number: Only display media flows to/from this port


Displaying the Statistics About Signaling Flows Collected on the DBE: Example

SBC Service "mySbc"
  signalingFlow 1
      FlowPairState Open
      PinholeAge  15340 ms
      PinholeBandwidth 1500
      Side A
        VpnId vpn3
        LocalAddress 10.1.1.1
        LocalPort 24000
        RemoteAddress 192.168.1.1
        RemotePort 32420
        PacketsRcvd 300
        OctetsRcvd 6000
        PacketsSent 100
        OctetsSent 2000
        PacketsDiscarded 0
        OctetsDiscarded 0
      Side B
        VpnId <none>
        LocalAddress 10.1.1.2
        LocalPort 24002
        RemoteAddress 172.192.2.3
        RemotePort 24002
        PacketsRcvd 100
        OctetsRcvd 2000
        PacketsSent 300
        OctetsSent 6000
        PacketsDiscarded 0
        OctetsDiscarded 0
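
The following Python is an added example, not Cisco code: it parses signaling-flow-stats output in the layout shown above and audits each pinhole against the restrictions on this page (local port inside the signaling port range, no clash with the address/port the MG uses for its MGC connection) and against non-zero discard counters. The port range, the MG control endpoint and the altered sample values are assumptions made for the example.

```python
# Constructed sample in the layout of the page's example output, trimmed to
# the fields used here; the discard count and the Side B port are made up.
SAMPLE = """\
SBC Service "mySbc"
  signalingFlow 1
      FlowPairState Open
      Side A
        VpnId vpn3
        LocalAddress 10.1.1.1
        LocalPort 24000
        PacketsDiscarded 12
      Side B
        VpnId <none>
        LocalAddress 10.1.1.2
        LocalPort 5060
        PacketsDiscarded 0
"""

def parse_flows(text):
    """Return {flow_id: {"FlowPairState": str, "A": {...}, "B": {...}}}."""
    flows, flow, target = {}, None, None
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] == "SBC":
            continue
        if words[0] == "signalingFlow":
            flow = target = flows.setdefault(int(words[1]), {})
        elif words[0] == "Side" and flow is not None:
            target = flow.setdefault(words[1], {})
        elif target is not None:
            target[words[0]] = int(words[1]) if words[1].isdigit() else words[1]
    return flows

def audit(flows, sig_range, mg_control):
    """sig_range=(low, high) and mg_control=(address, port) are assumed site values."""
    out = []
    for fid, flow in sorted(flows.items()):
        for side in ("A", "B"):
            s = flow.get(side, {})
            addr, port = s.get("LocalAddress"), s.get("LocalPort", 0)
            tag = f"flow {fid} side {side} {addr}:{port}"
            if not sig_range[0] <= port <= sig_range[1]:
                out.append(f"{tag}: outside signaling port range")
            if (addr, port) == mg_control:
                out.append(f"{tag}: clashes with MG control address/port")
            if s.get("PacketsDiscarded", 0) > 0:
                out.append(f"{tag}: {s['PacketsDiscarded']} packets discarded")
    return out

print("\n".join(audit(parse_flows(SAMPLE), (24000, 24999), ("10.1.1.1", 2944))))
```

The parser keeps every field it sees, so the full output shown above (including PinholeAge, octet counters and remote addresses) parses the same way.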

Displaying Summary Information on Signaling Pinholes

The media-stats command is now extended to include summary information on signaling pinholes.

Syntax:

  show services sbc service-name dbe media-stats

Example:

  RP/0/0/CPU0:router# show services sbc mySbc dbe media-stats

Description:

Lists general DBE statistics. These statistics do not include contributions from active calls.

  service-name: The SBC service name


Displaying Summary Information on Signaling Pinholes: Example

In the example below, Active Media Flows counts the flows for which media has been observed within the media-timeout period, as well as flows for calls that have failed over within the last media-timeout period and for which the SBC has not yet observed whether media is flowing.

The Unclassified Pkts statistic includes all packets received on the SVI interface that are not matched to a valid media flow. This includes media packets not matched to a flow, signaling packets not matched to a flow, and any other traffic.

SBC Service "mySbc"
  Available Bandwidth    = 40 Mbps
  Available Flows        = 1000
  Available Packet Rate  = 500 (packets/second)
  Active Media Flows     = 56          
  Peak Media Flows       = 156
  Total Media Flows      = 78
  Active Signaling Flows = 108          
  Peak Signaling Flows   = 186
  Total Signaling Flows  = 244
  Unclassified Pkts      = 100
  RTP Packets Received   = 1009
  RTP Octets Received    = 20000
  RTP Packets Sent       = 1009
  RTP Octets Sent        = 20000
  RTP Packets Discarded  = 0
  RTP Octets Discarded   = 0
  No Media Count         = 0
  Route Error Count      = 0

Additional References

The following sections provide references related to DBE Signaling Pinhole Support.

Related Documents

| Related Topic | Document Title |
|---|---|
| Cisco IOS XR master command reference | Cisco IOS XR Master Commands List |
| Cisco IOS XR SBC interface configuration commands | Cisco IOS XR Session Border Controller Command Reference |
| Initial system bootup and configuration information for a router using the Cisco IOS XR Software | Cisco IOS XR Getting Started Guide |
| Cisco IOS XR command modes | Cisco IOS XR Command Mode Reference |


Standards

No new or modified standards are supported by this feature, and support from existing standards has not been modified by this feature.


MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport