Table Of Contents

DBE Signaling Pinhole Support

Contents

Restrictions for DBE Signaling Pinhole Support

Information About DBE Signaling Pinhole Support

H.248 Profile Changes

How to Display the DBE Signaling Pinhole Statistics

Displaying the Statistics About Signaling Flows Collected on the DBE

Displaying the Statistics About Signaling Flows Collected on the DBE: Example

Displaying Summary Information on Signaling Pinholes

Displaying Summary Information on Signaling Pinholes: Example

Additional References

Related Documents

Standards

MIBs

Technical Assistance

DBE Signaling Pinhole Support

---

The DBE signaling pinhole feature allows the media gateway controller (MGC) to directly control policing of the signaling flows through the SBC interfaces on the data border element (DBE). The policing is carried out at a per signaling flow level via the H.248 association between the MGC and DBE. This new feature eliminates the need to have a separate firewall device to protect the MGC.

Without this feature, signaling packets are addressed to the signaling border element (SBE), and the DBE acts as a router, forwarding the packets to the SBE. When the DBE signaling pinhole support is enabled, the DBE can police signaling packets, using Traffic Management (Tman). The DBE has application-level pinholes created to have those packets forwarded to the SBE. Normal IP forwarding is disabled on the SBC interfaces of the DBE.

Feature History for DBE Signaling Pinhole Support

Release	Modification
Release 3.5.0	This command was first introduced on the Cisco CRS-1.
Release 3.6.0	No modification.

Contents

This module contains the following sections:

•Restrictions for DBE Signaling Pinhole Support

•Information About DBE Signaling Pinhole Support

•How to Display the DBE Signaling Pinhole Statistics

•Additional References

Restrictions for DBE Signaling Pinhole Support

•Where signaling pinholes are enabled, the forwarded IP packets must be addressed to an address/port belonging to the DBE. The DBE matches the packet to a pinhole, using the VPN/address/port the packet was received on. Therefore, each pinhole must have a unique VPN/address/port on the DBE.

•The DBE only rewrites information within the IP/UDP or IP/TCP headers. It does not update any other parts of the forwarded packets.

•The Media Packet Forwarder (MPF) may only police traffic received on an SBC interface. If there are other interfaces on the device, then the traffic received on them is forwarded as normal.

•The MPF does not generate media-down indications for the signaling pinholes. Therefore, they cannot time out, and can only be closed by the MGC.

•There is no way to configure a "catch-all" pinhole to allow signaling traffic that is dropped if it did not match any configured pinhole.

•Configured port-ranges affect all types of ports (UDP and TCP). It is not possible to specify different ranges for different types of ports.

•The MGC can only specify the local address and port when initially allocating the termination. It cannot modify the termination's local address and port after it has been created (and its corresponding local addresses and ports that have been selected for it).

•If a signaling port range is not configured, then the default range is the same as that for media ports (1-65535). For this reason it is recommended that a signaling port range is explicitly configured. The configured range must not clash with the address/port used by the MG for its connection to the MGC. It is up to the user to ensure this configuration is entered consistently.

•Signaling packets tend to be larger than media packets and consequently have a higher risk of IP fragmentation. If fragmentation does occur, only the initial fragment carries the TCP/UDP header with the port numbers used by MPF to classify a packet to a flow. MPF is unable to handle IP fragments. MPF will drop all fragments including the first one.

Information About DBE Signaling Pinhole Support

The DBE signaling pinhole support includes the following functions:

•The DBE only forwards traffic that is received on a configured pinhole. The packet must be addressed to a VPN/address/port on an SBC interface on the DBE.

•Signaling pinholes are configured in the same way as media pinholes over H.248. They can be differentiated from media pinholes by session descriptions as defined in the session description protocol (SDP) in the local and remote descriptors. The "m=application" line indicates that the termination is a signaling pinhole.

•The data rate through a signaling pinhole is unlimited.

•H.248 RTP statistics are not reported for signaling pinholes since they do not carry RTP traffic.

H.248 Profile Changes

In order to enable the new feature, the DBE now supports the following packages with the profile version three:

•IP NAT traversal (ipnapt)

•Optional traffic management (Tman) package

How to Display the DBE Signaling Pinhole Statistics

This section describes the changes in the show commands that display the information about the DBE signaling pinhole.

Displaying the Statistics About Signaling Flows Collected on the DBE

The possible classes of service which can be applied to the DBE media-address port-range command are extended to include an additional class of service, the signaling class. If a local address/port is not specified by the MGC for a signaling pinhole, then the DBE selects an address/port from a port range identified by the signaling class of service. If the MGC does provide an address/port, then it must fall within a port range identified by the signaling class of service.

A new command, dbe signaling-flow-stats is added to the show command:

show services sbc service-name dbe signaling-flow-stats [vrf vrf-name [ipv4 A.B.C.D [port port-number]]]

Syntax	Description
show services sbc service-name dbe signaling-flow-stats [vrf vrf-name [ipv4 A.B.C.D [port port-number]]] Example: RP/0/0/CPU0:router# show services sbc my sbc dbe signaling-flow-stats vrf vpn3 ipv4 10.1.1.1 port 24000	Lists the statistics about one or more signaling flows collected on the DBE. The example below shows the reported fields. •service-name—The SBC service name •(Optional) vrf-name—Only display media flows to/from this VPN •(Optional) A.B.C.D—Only display media flows to/from this IPv4 media address •(Optional) port-number—Only display media flows to/from this port

Displaying the Statistics About Signaling Flows Collected on the DBE: Example

SBC Service "mySbc"

  signalingFlow 1

      FlowPairState Open

      PinholeAge  15340 ms

      PinholeBandwidth 1500

      Side A

        VpnId vpn3

        LocalAddress 10.1.1.1

        LocalPort 24000

        RemoteAddress 192.168.1.1

        RemotePort 32420

        PacketsRcvd 300

        OctetsRcvd 6000

        PacketsSent 100

        OctetsSent 2000

        PacketsDiscarded 0

        OctetsDiscarded 0

      Side B

        VpnId <none>

        LocalAddress 10.1.1.2

        LocalPort 24002

        RemoteAddress 172.192.2.3

        RemotePort 24002

        PacketsRcvd 100

        OctetsRcvd 2000

        PacketsSent 300

        OctetsSent 6000

        PacketsDiscarded 0

        OctetsDiscarded 0

Displaying Summary Information on Signaling Pinholes

The media-stats command is now extended to include summary information on signaling pinholes.

show services sbc service-name dbe media-stats

Syntax	Description
show services sbc service-name dbe media-stats Example: RP/0/0/CPU0:router# show services sbc my sbc dbe media-stats	Lists general DBE statistics. These statistics do not include contributions from active calls. •service-name—The SBC service name

Displaying Summary Information on Signaling Pinholes: Example

In the example below, the Active Media Flows counts the number of flows for which media has been observed within the media-timeout period, or when the call has failed over within the last media-timeout period, and the SBC has not yet observed whether media is flowing or not.

The Unclassified Pkts statistic includes all packets received on the SVI interface that are not matched to a valid media flow. This includes media packets not matched to a flow, signaling packets not matched to a flow, and any other traffic.

SBC Service "mySbc"

  Available Bandwidth    = 40 Mbps

  Available Flows        = 1000

  Available Packet Rate  = 500 (packets/second)

  Active Media Flows     = 56          

  Peak Media Flows       = 156

  Total Media Flows      = 78

  Active Signaling Flows = 108          

  Peak Signaling Flows   = 186

  Total Signaling Flows  = 244

  Unclassified Pkts      = 100

  RTP Packets Received   = 1009

  RTP Octets Received    = 20000

  RTP Packets Sent       = 1009

  RTP Octets Sent        = 20000

  RTP Packets Discarded  = 0

  RTP Octets Discarded   = 0

  No Media Count         = 0

  Route Error Count      = 0

Additional References

The following sections provide references related to DBE Signaling Pinhole Support.

Related Documents

Related Topic	Document Title
Cisco IOS XR master command reference	Cisco IOS XR Master Commands List
Cisco IOS XR SBC interface configuration commands	Cisco IOS XR Session Border Controller Command Reference
Initial system bootup and configuration information for a router using the Cisco IOS XR Software	Cisco IOS XR Getting Started Guide
Cisco IOS XR command modes	Cisco IOS XR Command Mode Reference

Standards

Standards	Title
No new or modified standards are supported by this feature, and support from existing standards has not been modified by this feature.	—

MIBs

MIBs	MIBs Link
—	To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Technical Assistance

Description	Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/techsupport