Configuring SIP Bind Features
This chapter describes the SIP Gateway Support for the bind Command feature. With the addition of the bind command, you can configure the source IP address of signaling packets or both signaling and media packets.
Feature History for SIP Gateway Support for the bind Command
| Release | Modification |
|---|---|
| 12.2(2)XB | This feature was introduced. |
| 12.2(2)XB2 | This feature was implemented on an additional platform. |
| 12.2(8)T | This feature was implemented on additional platforms. |
| 12.2(11)T | This feature was implemented on additional platforms. |
| 12.3(4)T | Under the name SIP Gateway Support Enhancements to the bind Command, the feature was expanded to provide the flexibility to specify different source interfaces for signaling and media, and allow network administrators a finer granularity of control on the network interfaces used for voice traffic. |
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for SIP Bind Features
• Information About SIP Bind Features
• How to Configure SIP Bind Features
• Configuration Example for SIP Bind Features
• Additional References
Restrictions for SIP Bind Features
• Although the bind all command is an accepted configuration, it does not appear in show running-config command output. Because the bind all command is equivalent to issuing the commands bind source and bind media, those are the commands that appear in the show running-config command output.
Information About SIP Bind Features
Note
When you configure SIP on a router, the ports on all its interfaces are open by default. This makes the router vulnerable to malicious attackers who can execute toll fraud across the gateway if the router has a public IP address and a public switched telephone network (PSTN) connection. To eliminate the threat, you should bind an interface to an IP address so that only those ports are open to the outside world. In addition, you should protect any public or untrusted interface by configuring a firewall or an access control list (ACL) to prevent unwanted traffic from traversing the router.
Feature benefits include the following:
• SIP signaling and media paths can advertise the same source IP address on the gateway for certain applications, even if the paths used different addresses to reach the source. This eliminates confusion for firewall applications that, before the use of binding, may have taken action on several different source address packets.
• Firewalls filter messages based on variables such as the message source, the target address, and available ports. Normally a firewall opens only certain address or port combinations to the outside world, and those addresses can change dynamically. Because VoIP technology requires the use of more than one address or port combination, the bind command adds flexibility by assigning a gateway to a specific interface (and therefore the associated address) for the signaling or media application.
• You can obtain a predefined and separate interface for both signaling and media traffic. Once a bind command is in effect, the interface it limits is bound solely to that purpose. Administrators can therefore dictate the use of one network to transport the signaling and another network to transport the media. The benefits of administrator control are:
– Administrators know the traffic that runs on specific networks, thereby making debugging easier.
– Administrators know the capacity of the network and the target traffic, thereby making engineering and planning easier.
– Traffic is controlled, thereby allowing QoS to be monitored.
• The bind media command relaxes the constraints imposed by the bind control and bind all commands, which cannot be set during an active call. The bind media command works with active calls.
To configure SIP Gateway Support for the bind Command, you should understand the following concepts:
• Source Address
• Voice Media Stream Processing
Source Address
In early releases of Cisco IOS software with SIP functionality, the source address of a packet going out of the gateway was never deterministic. That is, the session protocols and VoIP layers always depended on the IP layer to give the best local address. The best local address was then used as the source address (the address showing where the SIP request came from) for signaling and media packets. Using this nondeterministic address occasionally caused confusion for firewall applications, because a firewall could not be configured with an exact address and would take action on several different source address packets.
However, the bind command allows you to configure the source IP address of signaling and media packets to a specific interface's IP address. Thus, the address that goes out on the packet is bound to the IP address of the interface specified with the bind command. Packets that are not destined to the bound address are discarded.
When you do not want to specify a bind address or if the interface is down, the IP layer still provides the best local address.
The bind command performs different functions based on the state of the interface (see Table 40).
Table 40 State of the Interface for Bind Command
| Interface State | Result Using Bind Command |
|---|---|
| Shutdown, with or without active calls | Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) socket listeners are initially closed. (Socket listeners receive datagrams addressed to the socket.) Then the sockets are opened to listen to any IP address. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. |
| No Shutdown, No Active Calls | TCP and UDP socket listeners are initially closed. (Socket listeners receive datagrams addressed to the socket.) Then the sockets are opened and bound to the IP address set by the bind command. The sockets accept packets destined for the bound address only. |
| No Shutdown, Active Calls | TCP and UDP socket listeners are initially closed. Then the sockets are opened to listen to any IP address. |
| Bound-interface IP address is removed | TCP and UDP socket listeners are initially closed. Then the sockets are opened to listen to any address, because the IP address has been removed. This happens even when SIP was never bound to an IP address. A message stating that the IP address has been deleted from SIP bound interface is printed. If the outgoing gateway has bind enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. |
| The physical cable is pulled on the bound port, or the Interface layer goes down | TCP and UDP socket listeners are initially closed. Then the sockets are opened and bound to listen to any address. When the pulled cable is replaced, the result is as documented for no shutdown interfaces. |
| A bind interface is shutdown, or its IP address is changed, or the physical cable is pulled while SIP calls are active | The call becomes a one-way call with media flowing in only one direction. It flows from the gateway where the change or shutdown took place, to the gateway where no change occurred. Thus, the gateway with the status change no longer receives media. The call is then disconnected, but the disconnected message is not understood by the gateway with the status change, and the call is still assumed to be active. |

Note If there are active calls, the bind command does not take effect if it is issued for the first time or while another bind command is in effect. A message reminds you that there are active calls and that the change cannot take effect.
Voice Media Stream Processing
The SIP Gateway Support Enhancements to the bind Command feature extends the current capabilities of the bind command by supporting a deterministic network interface for the voice media stream. Before the voice media stream addition, the bind command supported a deterministic network interface for control (signaling) traffic or all traffic. With the SIP Gateway Support Enhancements to the bind Command feature, a finer granularity of control is achieved on the network interfaces used for voice traffic.
If multiple bind commands are issued in sequence—that is, if one bind command is configured and then another bind command is configured—a set interaction happens between the commands. Table 41 describes the expected command behavior.
Table 41 Interaction Between Previously Set and New bind Commands
| Interface State | bind Command | Result Using bind Command |
|---|---|---|
| Without active calls | bind all | New bind control and bind media commands are generated to override any existing bind control and bind media commands. |
| Without active calls | bind control | Overrides any existing bind control command. |
| Without active calls | bind media | Overrides any existing bind media command. |
| With active calls | bind all or bind control | The command is blocked, and the following messages are displayed: "00:16:39: There are active calls" and "00:16:39: configure_sip_bind_command: The bind command change will not take effect" |
| With active calls | bind media | Succeeds and overrides any existing bind media command. |
The bind all and bind control commands perform different functions based on the state of the interface. Table 42 describes the actions performed based on the interface state.
Note
Table 42 applies to bind media only if the media interface is the same as the bind control interface. If the two interfaces are different, media behavior is independent of the interface state.
Table 42 bind all and bind control Functions, Based on Interface State
| Interface State | Result Using bind all or bind control Commands |
|---|---|
| Shutdown, with or without active calls | TCP and User Datagram Protocol (UDP) socket listeners are initially closed. (Socket listeners receive datagrams addressed to the socket.) Then the sockets are opened to listen to any IP address. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. |
| Not shutdown, without active calls | TCP and UDP socket listeners are initially closed. (Socket listeners receive datagrams addressed to the socket.) Then the sockets are opened and bound to the IP address set by the bind command. The sockets accept packets destined for the bound address only. |
| Not shutdown, with active calls | TCP and UDP socket listeners are initially closed. Then the sockets are opened to listen to any IP address. |
| Bound interface's IP address is removed. | TCP and UDP socket listeners are initially closed. Then the sockets are opened to listen to any address because the IP address has been removed. A message is printed that states the IP address has been deleted from the bound SIP interface. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. |
| The physical cable is pulled on the bound port, or the interface layer goes down. | TCP and UDP socket listeners are initially closed. Then the sockets are opened and bound to listen to any address. When the pulled cable is replaced, the result is as documented for interfaces that are not shutdown. |
| A bind interface is shut down, or its IP address is changed, or the physical cable is pulled while SIP calls are active. | The call becomes a one-way call with media flowing in only one direction. The media flows from the gateway where the change or shutdown took place to the gateway where no change occurred. Thus, the gateway with the status change no longer receives media. The call is then disconnected, but the disconnected message is not understood by the gateway with the status change, and the call is still assumed to be active. |
How to Configure SIP Bind Features
This section contains the following procedures:
• Setting the IP Address of an Interface to Be Bound
• Configuring the bind Command
• Monitoring the bind Command (optional)
• Troubleshooting Tips
Note
• Before you perform a procedure, familiarize yourself with the following information:
– "Restrictions for SIP Bind Features" section
• For help with a procedure, see the monitoring and troubleshooting sections listed above.
Setting the IP Address of an Interface to Be Bound
To set the IP address of an interface to be bound, perform the following steps.
Note
• You must perform this procedure before you can use the bind command.
• The bind media command applies to specific interfaces.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface
4. ip address
5. exit
DETAILED STEPS
Step 1
enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
interface type/number
Example:
Router(config)# interface fastethernet0
Purpose: Configures an interface type. The argument is as follows:
• type/number—Type of interface to be configured and the port, connector, or interface card number.
To find the specific definition of this command for your router, see the Cisco IOS Voice, Video, and Fax Command Reference, Release 12.3T.
Step 4
ip address ip-address mask [secondary]
Example:
Router(config-if)# ip address 192.168.200.33 255.255.255.0
Purpose: Configures a primary or secondary IP address for an interface. Keyword and argument are as follows:
• ip-address mask—IP address and mask for the associated IP subnet.
• secondary—Makes the configured address a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
To find the correct definition of this command for your router, see the Cisco IOS Voice, Video, and Fax Command Reference, Release 12.3T.
Step 5
exit
Example:
Router(config-if)# exit
Purpose: Exits the current mode.
Configuring the bind Command
To configure the bind command, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. voice service voip
4. sip
5. bind
6. exit
DETAILED STEPS
Step 1
enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
voice service voip
Example:
Router(config)# voice service voip
Purpose: Enters voice-service VoIP configuration mode.
Step 4
sip
Example:
Router(conf-voi-serv)# sip
Purpose: Enters SIP configuration mode.
Step 5
bind {control | media | all} source-interface interface-id
Example:
Router(conf-serv-sip)# bind control source-interface FastEthernet0
Purpose: Sets a source interface for signaling and media packets. Keywords and arguments are as follows:
• control—Binds signaling packets.
• media—Binds media packets.
• all—Binds signaling and media packets.
• source-interface interface-id—Type of interface and its ID:
– Async—Async interface
– BVI—Bridge-group virtual interface
– CTunnel—CTunnel interface
– Dialer—Dialer interface
– Ethernet—IEEE 802.3
– FastEthernet—Fast Ethernet IEEE 802.3
– Lex—Lex interface
– Loopback—Loopback interface
– Multilink—Multilink-group interface
– Null—Null interface
– Serial—Serial interface (Frame Relay)
– Tunnel—Tunnel interface
– Vif—PGM multicast host interface
– Virtual-Template—Virtual template interface
– Virtual-TokenRing—Virtual token ring
Step 6
exit
Example:
Router(conf-serv-sip)# exit
Purpose: Exits the current mode.
Monitoring the bind Command
To monitor the bind command, perform the following steps.
SUMMARY STEPS
1. show ip sockets
2. show sip-ua status
DETAILED STEPS
Step 1
show ip sockets
Use this command to display IP socket information and indicate whether the bind address of the receiving gateway is set.
The following sample output indicates that the bind address of the receiving gateway is set.
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 --any-- 2517 0 0 9 0
17 --listen-- 172.18.192.204 1698 0 0 1 0
17 0.0.0.0 0 172.18.192.204 67 0 0 489 0
17 0.0.0.0 0 172.18.192.204 5060 0 0 A1 0
Step 2
show sip-ua status
Use this command to display SIP user-agent status and indicate whether bind is enabled.
The following sample output indicates that signaling is disabled and media on 172.18.192.204 is enabled.
Router# show sip-ua status
SIP User Agent for UDP : ENABLED
SIP User Agent for TCP : ENABLED
SIP User Agent bind status(signaling): Disabled
SIP User Agent bind status(media): ENABLED 172.18.192.204
SIP DNS SRV version: 2 (rfc 2782)
Redirection (3xx) message handling: ENABLED
SDP application configuration:
Version line (v=) required
Session name line (s=) required
Timespec line (t=) required
Media supported: audio image
Network types supported: IN
Address types supported: IP4
Transport types supported: RTP/AVP udptl
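The two monitoring commands can be checked together. The following Python audit is an added example, not part of the original Cisco documentation: it reads captured output of show sip-ua status and show ip sockets and reports when bind is not enabled or when UDP port 5060 is listening on --any--, the state to which Tables 40 and 42 say the sockets return when the bound interface is shut down or loses its address. The function names and sample text are constructed for illustration, and the parser assumes the column layout of the sample output above.

```python
import re

SIP_PORT = 5060  # SIP signaling port, as in the page's sample output
UDP = 17         # IP protocol number shown in the Proto column
BIND_RE = re.compile(r"bind status\((signaling|media)\):\s*(\w+)(?:\s+(\S+))?", re.I)

def parse_bind_status(sip_ua_status):
    """Map 'signaling'/'media' to the bound address, or None when bind is not enabled."""
    status = {"signaling": None, "media": None}
    for line in sip_ua_status.splitlines():
        m = BIND_RE.search(line)
        if m and m.group(2).upper() == "ENABLED":
            status[m.group(1).lower()] = m.group(3)
    return status

def parse_sockets(show_ip_sockets):
    """Return (proto, local_addr, local_port) for each data row of 'show ip sockets'."""
    rows = []
    for line in show_ip_sockets.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].isdigit():
            continue  # header, prompt or blank line
        # Assumption from the page's sample: a '--listen--' remote has no port
        # column, so the local address/port pair sits one field to the left.
        addr, port = f[2:4] if f[1] == "--listen--" else f[3:5]
        if port.isdigit():
            rows.append((int(f[0]), addr, int(port)))
    return rows

def audit_sip_bind(sip_ua_status, show_ip_sockets):
    """Return findings; empty means both binds are enabled and UDP 5060 is on the bound address."""
    findings = []
    bind = parse_bind_status(sip_ua_status)
    for kind, addr in bind.items():
        if addr is None:
            findings.append(f"bind status({kind}) is not ENABLED")
    listeners = [a for proto, a, p in parse_sockets(show_ip_sockets)
                 if proto == UDP and p == SIP_PORT]
    if not listeners:
        findings.append(f"no UDP listener on port {SIP_PORT}")
    for addr in listeners:
        if addr == "--any--":
            findings.append(f"UDP {SIP_PORT} listens on --any--, not a bound address")
        elif bind["signaling"] and addr != bind["signaling"]:
            findings.append(f"UDP {SIP_PORT} bound to {addr}, expected {bind['signaling']}")
    return findings

# Constructed sample output, modeled on the formats shown on this page.
STATUS_BOUND = ("SIP User Agent bind status(signaling): ENABLED 172.18.192.204\n"
                "SIP User Agent bind status(media): ENABLED 172.18.192.204\n")
SOCKETS_BOUND = ("17 --listen-- 172.18.192.204 1698 0 0 1 0\n"
                 "17 0.0.0.0 0 172.18.192.204 5060 0 0 A1 0\n")
STATUS_UNBOUND = ("SIP User Agent bind status(signaling): Disabled\n"
                  "SIP User Agent bind status(media): ENABLED 172.18.192.204\n")
SOCKETS_UNBOUND = "17 0.0.0.0 0 --any-- 5060 0 0 A1 0\n"

if __name__ == "__main__":
    print("bound:", audit_sip_bind(STATUS_BOUND, SOCKETS_BOUND))
    print("unbound:", audit_sip_bind(STATUS_UNBOUND, SOCKETS_UNBOUND))
```

Running the audit on a schedule, or after any interface change on the gateway, catches the case where the listener has reopened on any address while the configuration still contains the bind command.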
Troubleshooting Tips
Note
For general troubleshooting tips and a list of important debug commands, see the "General Troubleshooting Tips" section on page 18.
Configuration Example for SIP Bind Features
Note
IP addresses and hostnames in examples are fictitious.
This sample output shows that bind is enabled on router 172.18.192.204:
Router# show running-config
Building configuration...
Current configuration : 2791 bytes
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
ip ftp source-interface Ethernet0
bind control source-interface FastEthernet0
ip address 172.18.192.204 255.255.255.0
ip rsvp bandwidth 75000 100
no supervisory disconnect lcfo
destination-pattern 5550111
destination-pattern 5550133
session target ipv4:172.18.200.33
Additional References
General SIP References
• "SIP Feature Roadmap" on page 1—Describes how to access Cisco Feature Navigator; also lists and describes, by Cisco IOS release, SIP features for that release.
• "Overview of SIP" on page 1—Describes underlying SIP technology; also lists related documents, standards, MIBs, RFCs, and how to obtain technical assistance.
References Mentioned in This Chapter
• Cisco IOS Voice, Video, and Fax Command Reference, Release 12.3T at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122tcr/122tvr/index.htm
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.