Media Address Pools

You can configure Cisco Unified Border Element (SP Edition) with a single media address or a range of media addresses. In addition you can define one or more permissible port ranges for the configured addresses. This feature allows the administrator to configure or restrict the data border element (DBE) address by address pool with or without port range, and define class of service (CoS) affinity for each port range.


Note For Cisco IOS XE Release 2.4, this feature is supported in both the unified and distributed models.


Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).

For a complete description of the commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at:

http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html

For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.

Feature History for Media Address Pools

 

Release
Modification

Cisco IOS XE Release 2.1

This feature was introduced on the Cisco IOS XR.

Cisco IOS XE Release 2.4

Added support for SBC unified model.

Cisco IOS XE Release 3.2S

Added support for media address pool selection using port range tags.

Contents

This chapter contains the following sections:

Prerequisites—Implementing Media Address Pools

The following prerequisites are required to implement media address pools:

  • Before implementing media address pools, you must create a static route.

Note Creating a static route will fail if the remote peer is on the same VLAN as the interface VLAN of the media address.


  • Before implementing media address pools, Cisco Unified Border Element (SP Edition) must already be configured.

Restrictions for Configuring Media Address Pools

The restrictions for configuring media address pools are:

  • The ending address must be numerically higher than the starting address.
  • The minimum port must be numerically lower than the maximum port.
  • Port ranges may not overlap.
  • Address ranges may not overlap.
  • Address ranges and single addresses may not overlap.
  • Where a range of addresses are defined in a single command, they will share any port ranges assigned. If there is a requirement to have different port ranges for different media addresses, then the addresses must be configured separately.
  • Media addresses and port ranges may only be deleted before the DBE is activated. After DBE activation, the DBE must be deactivated in order to delete addresses and port ranges.
  • After you configure media addresses and pools of addresses, you cannot delete them unless you delete the DBE.
  • The port range tag is supported by only the signaling border element (SBE), and not the DBE.
  • The media address and the signaling address should not be identical. If the media address and the signaling address are identical, and the Cisco ASR 1000 Series Router selects an ephemeral port to send out signaling packets, the port may overlap with the port range of the media address. As a result, the signaling packets do not get punted up to the RP, and get dropped by the media packet filter. This may result in events such as incomplete TCP handshakes during the second leg of a call through the SBC.
  • The media address of the SBC must be unique, which means that:

It is not used by any features on the Cisco ASR 1000 Series Router other than sending and receiving call media.

It is not used by SBC call signaling.

Media Address Pools

If you do not specify a port range, all possible VoIP port numbers are valid. The full VoIP port range extends from 16384 to 32767 inclusive.

You can define a CoS affinity for each port range. The set of CoS is consistent with those used for Quality of Service (QoS) packet marking, and consists of voice and video. If you do not define an associated CoS affinity, then the affinity is for all call types.

You can modify the extent of the existing port ranges or the class of service (CoS) affinities of the existing port ranges, or delete an existing port range. Note that the configuration changes do not apply to the existing calls, but to the calls being set up after the configuration is committed.

From Cisco IOS Release 3.2S, support for selecting the media address pools using the port range tags has been added. A port range tag is a user-configured string that can be applied to a call in the Call Admission Control (CAC) policy in the SBC. A user can match the normal subset of call attributes when configuring a policy that applies a port range tag to a call, as with all the CAC policy fields. Similarly, tags can be added during the port range configurations on media addresses or media address pools.

When a call arrives at the SBC, it is passed to CAC as part of call setup. If a configured CAC policy matches the call, the policy assigns the port range tag to the call, after which the value is passed to the media component.

When selecting a local media address and port for a call, the SBC selects a port from a port range that can meet the following characteristics, which are applied in the order specified:

1. The media address range is in the requested VPN.

2. The media address range has an IP realm that matches the request for the media stream, if a media stream has been requested.

3. The port-range either has the same CoS configured as requested for the media stream, or has the "Any" CoS configured.

4. If the media stream has a port range tag specified, the port-range must have an identical port range tag configured. However, if the media stream does not have a port range tag specified, the port-range must have the default zero-length port range tag configured on it.

Configuring Media Address Pools

This section contains the steps for configuring media address pools.

SUMMARY STEPS

1. configure terminal

2. sbc service-name

3. media-address { ipv4 | ipv6 } { addr } [ nat-mode twice-nat | vrf vrf-name | managed-by { dbe | mgc }]
or
media-address pool { ipv4 | ipv6 } { start-addr } { end-addr } [ nat-mode twice-nat | vrf vrf-name | managed-by { dbe | mgc }]

4. port-range min-port max-port [ any | voice | video | signaling | fax | tag tag-string ]

5. end

6. show sbc service-name sbe addresses

DETAILED STEPS

 

Command or Action
Purpose

Step 1

configure terminal

 

Router# configure terminal

Enables the global configuration mode.

Step 2

sbc service-name

 

Router(config)# sbc MySBC

Creates the SBC service on the Cisco Unified Border Element (SP Edition) and enters the SBC configuration mode.

Use the service-name argument to define the name of the SBC.

Step 3

media-address { ipv4 | ipv6 } { addr } [ nat-mode twice-nat | vrf vrf-name | managed-by { dbe | mgc }]

 

Router(config-sbc)# media-address ipv4 10.10.10.1

Adds an IPv4 or IPv6 address to the set of addresses that can be used by the DBE as a local media address.

  • addr —Local IPv4 or IPv6 address on an SBC interface that can be used for media arriving on the DBE.
  • nat-mode twice-nat —(Optional) Allows local addresses to be reserved for Twice-NAT pinholes.
  • vrf vrf-name —(Optional) Specifies that the IP address is associated with a specific VPN routing and forwarding (VRF) instance. If the VRF is not specified, the address is assumed to be an address on the global VPN.
  • managed-by —(Optional) Specifies whether the DBE or the MGC is allowed to select these addresses as local addresses for flows.
  • dbe —(Optional) Specifies that only the DBE is allowed to select these addresses as local addresses for flows.
  • mgc —(Optional) Specifies that only the media gateway controller (MGC) is allowed to select these addresses as local addresses for flows.

 

or

 

media-address pool { ipv4 | ipv6 } { start-addr } { end-addr } [ nat-mode twice-nat | vrf vrf-name | managed-by { dbe | mgc }]

 

Router(config-sbc)# media-address pool ipv4 10.10.10.1 10.10.10.20

Creates a pool of sequential IPv4 and IPv6 media addresses that can be used by the SBC as local media addresses, and enters the SBC media address pool configuration mode.

  • start-addr —Starting IPv4 and IPv6 media address in a range of addresses.
  • end-addr —Ending IPv4 and IPv6 media address in a range of addresses. The ending address must be numerically greater than the starting address.
  • nat-mode twice-nat —(Optional) Allows local addresses to be reserved for Twice-NAT pinholes.
  • vrf vrf-name —(Optional) Specifies that the IP addresses are associated with a specific VRF instance. If the VRF instance is not specified, the address is assumed to be an address on the global VPN.
  • managed-by —(Optional) Specifies whether the DBE or the MGC is allowed to select these addresses as local addresses for flows.
  • dbe —(Optional) Specifies that only the DBE is allowed to select these addresses as local addresses for flows.
  • mgc —(Optional) Specifies that only the MGC is allowed to select these addresses as local addresses for flows.

Step 4

port-range min-port max-port [ any | voice | video | signaling | fax | tag tag-string ]

 

Router(config-sbc-media-address-pool)# port-range 16384 30000 video

Creates a pool of sequential IPv4 media addresses that can be used by the SBC as local media addresses, and enters the SBC media address pool configuration mode.

In the SBC media address pool configuration mode, the CoS for the port range is video.

Step 5

end

 

Router(config-sbc)# end

Returns to the Privileged EXEC mode.

Step 6

show sbc sbe addresses

 

Router# show sbc dmsbc-node9 sbe addresses

Lists the addresses configured on the SBEs.


Note There is a known issue for the media-address command. If a secondary IP address under an interface SBC is configured as a media-address, when you use the no form of the media-address command to remove that media-address, the corresponding secondary IP address under that interface SBC will be removed as well. Furthermore, if that secondary IP address is configured under some interface SBC both on Active and Standby (in B2B redundancy), removing that media-address will also remove that secondary IP address on Standby. For behaviors about IPv6 address under interface SBC are the same as that of secondary IPv4 address under interface SBC.


Configuring the Port Range Tag for the CAC Policy

This section contains the steps to configure the port range tag for applying to a call in the CAC policy in the SBC.


Note The caller and callee commands have been used in this procedure. In some scenarios, the branch command can be used as an alternative to the caller and callee command pair. The branch command has been introduced in Release 3.5.0. See the “Configuring Directed Nonlimiting CAC Policies” section for information about this command.


SUMMARY STEPS

1. configure terminal

2. sbc service-name

3. sbe

4. cac-policy-set policy-set-id

5. cac-table table-name

6. table-type {policy-set | limit { list of limit tables}}

7. entry entry-id

8. cac-scope { list of scope options }

9. caller port-range-tag { adj-name | none | string tag-string }

10. callee port-range-tag { adj-name | none | string tag-string }

11. action [ next-table goto-table-name | cac-complete ]

12. exit

13. exit

14. complete

15. exit

16. cac-policy-set global policy-set-id

17. end

18. show sbc sbc-name sbe cac-policy-set id table name entry id

DETAILED STEPS

 

Command or Action
Purpose

Step 1

configure terminal

 

Router# configure terminal

Enables global configuration mode.

Step 2

sbc service-name

 

Router(config)# sbc mysbc

Enters the SBC service mode.

  • Use the service-name argument to define the name of the service.

Step 3

sbe

 

Router(config-sbc)# sbe

Enters the SBE entity mode within an SBC service.

Step 4

cac-policy-set policy-set-id

 

Router(config-sbc-sbe)# cac-policy-set 1

Enters the CAC policy set configuration mode within an SBE entity, creating a new policy set, if necessary.

  • policy-set-id —The call policy set number that can range from 1 to 2147483647.

Step 5

cac-table table-name

 

Router(config-sbc-sbe-cacpolicy)# cac-table StandardListByAccount

Enters the CAC table mode for configuration of an admission control table (creating one if necessary) within the context of an SBE policy set.

Step 6

table-type {policy-set | limit {list of limit tables}}

 

Router(config-sbc-sbe-cacpolicy-cactable)# table-type policy-set

Configures the table type of a CAC table within the context of an SBE policy set.

When the policy-set keyword is specified, use the cac-scope command to configure the scope in each entry at which limits are applied in a CAC Policy Set table.

Note In Policy Set tables, the event, call, or message is applied to all the entries.

Step 7

entry entry-id

 

Router(config-sbc-sbe-cacpolicy-
cactable)# entry 1

Enters the CAC table entry mode to create or modify an entry in an admission control table.

Step 8

cac-scope {list of scope options}

 

Router(config-sbc-sbe-cacpolicy-cactable-entry)# cac-scope category

 

Configures the scope within each entry at which limits are applied in a policy set table.

  • list of scope options —Specifies one of the following strings used to match events:

account —Events that are from the same account.

adjacency —Events that are from the same adjacency.

adj-group —Events that are from members of the same adjacency group.

call —Scope limits are per single call.

category —Events that have same category.

dst-account —Events that are sent to the same account.

dst-adj-group —Events that are sent to the same adjacency group.

dst-adjacency —Events that are sent to the same adjacency.

dst-number —Events that have same destination.

global —Scope limits are global

src-account —Events that are from the same account.

src-adj-group —Events that are from the same adjacency group.

src-adjacency —Events that are from the same adjacency.

src-number —Events that have the same source number.

sub-category —The limits specified in this scope apply to all events sent to or received from members of the same subscriber category.

sub-category-pfx —The limits specified in this scope apply to all events sent to or received from members of the same subscriber category prefix.

subscriber —The limits specified in this scope apply to all events sent to or received from individual subscribers (a device that is registered with a Registrar server)

Step 9

caller port-range-tag { adj-name | none | string tag-string }

 

Router(config-sbc-sbe-cacpolicy-cactable-entry)# caller port-range-tag adj-name

Configures the port range tag for a caller. This tag is used when selecting the media address and port.

  • adj-name —Uses the source adjacency name as a port range tag.
  • none —Prompts the SBC to not use a port range tag for calls matching the CAC entry, and removes previously found strings, if any.
  • string tag-string —Specifies the explicit port range tag string.

Step 10

callee port-range-tag { adj-name | none | string tag-string }

 

Router(config-sbc-sbe-cacpolicy-cactable-entry)# callee port-range-tag string GenericCorePortRange

Configures the port range tag for a callee. This tag is used when selecting the media address and port.

  • adj-name —Uses the destination adjacency name as a port range tag.
  • none —Prompts the SBC to not use a port range tag for calls matching the CAC entry, and removes previously found strings, if any.
  • string tag-string —Specifies the explicit port range tag string.

Step 11

action [ next-table goto-table-name | cac-complete]

 

Router(config-sbc-sbe-cacpolicy-cactable-entry)# action cac-complete

Configures the action to perform after this entry in an admission control table. Possible actions are:

  • Identify the next CAC table to process using the next-table keyword and the goto-table-name argument.
  • Stop processing for this scope using the cac-complete keyword.

Step 12

exit

 

Router(config-sbc-sbe-cacpolicy-cactable-entry)# exit

Exits the entry mode, and enters the CAC table mode.

Step 13

exit

 

Router(config-sbc-sbe-cacpolicy-cactable)# exit

Exits the CAC table mode, and enters the CAC policy mode.

Step 14

complete

 

Router(config-sbc-sbe-cacpolicy)# complete

Completes the CAC policy set after you commit the entire set.

Step 15

exit

 

Router(config-sbc-sbe-cacpolicy)# exit

Exits the CAC policy mode, and enters the SBE configuration mode.

Step 16

cac-policy-set global policy-set-id

 

Router(config-sbc-sbe)# cac-policy-set global 23

Activates the global CAC policy set. The CAC policy set must be in a complete state before it can be assigned as the default policy.

  • policy-set-id —The call policy set number, ranging from 1 to 2147483647. The policy set must be in a complete state before it can be assigned as the default policy.

Step 17

end

 

Router(config-sbc-sbe-cacpolicy-cactable)# end

Exits the CAC table mode, and enters the privileged EXEC mode.

Step 18

show sbc sbc-name sbe cac-policy-set id table name entry id

 

Router# show sbc MySBC sbe cac-policy-set 1 table StandardListByAccount entry 1

Lists detailed information, such as caller and callee port range tags, pertaining to a given entry in a CAC policy table.

Configuring Media Address Pools: Example

This section provides sample configurations for media address pools. The following example shows the creation of a static route for the media pool address.

At the Route Processor (RP):

Router(config)# ip route 87.87.29.8 255.255.255.248 87.87.29.100
!

 

The following example creates a pool of IPv4 media addresses that can be used by the DBE as local media addresses:

Router(config)# sbc test dbe
Router(config-sbc-dbe)# media-address pool ipv4 87.87.29.8 87.87.29.15
 

The following sample script adds a single address (10.10.10.1), and two ranges of addresses (10.10.11.1 through 10.10.11.10 and 10.10.11.21 through 10.10.11.30) to the media address pool.

Two port ranges are configured on the single address. The first port range is for voice traffic, and runs from port 16384 to 20000 inclusively. The second one is for video traffic, and runs from port 20001 to 65535 inclusively.

The first range of addresses also has two similar port ranges configured that apply to all ten addresses within the range. The second range of addresses has a single port range defined, and no service class associated with it.

Router(config)# sbc test dbe
Router(config-sbc-dbe)# media-address ipv4 10.10.10.1
Router(config-sbc-dbe-media-address pool)# port-range 16384 20000 voice
Router(config-sbc-dbe-media-address pool)# exit
 
Router(config-sbc-dbe)# media-address ipv4 10.10.10.1
Router(config-sbc-dbe-media-address pool)# port-range 20001 65535 video
Router(config-sbc-dbe-media-address pool)# exit
 
Router(config-sbc-dbe)# media-address pool ipv4 10.10.11.1 10.10.11.10
Router(config-sbc-dbe-media-address pool)# port-range 16384 30000 voice
Router(config-sbc-dbe-media-address pool)# exit
 
Router(config-sbc-dbe)# media-address pool ipv4 10.10.11.1 10.10.11.10
Router(config-sbc-dbe-media-address pool)# port-range 30001 40000 video
Router(config-sbc-dbe-media-address pool)# exit
 
Router(config-sbc-dbe)# media-address pool ipv4 10.10.11.21 10.10.11.30
Router(config-sbc-dbe-media-address pool)# port-range 20000 40000 any
 

The following example shows how to add an IPv4 address to the set of addresses that can be used by the SBE as a local media address, and how to configure a port range tag:

sbc MySBC
media-address ipv4 10.33.33.1
port-range 2000 4000 voice tag GoldCustomerA
port-range 4001 6000 video tag HighBwCustomer
port-range 10000 12005 tag Adjacency_IMS_Core
 
no port-range 10000 12005 tag

 

The following example shows how to create a pool of IPv6 media addresses that can be used by the SBE as local media addresses, and how to configure a port range tag:

sbc MySBC
media-address pool ipv6 CAFE:1234:1234:1234::0001 CAFE:1234:1234:1234::0012
port-range 2000 4000 voice tag LowBW@CustomerA
port-range 4001 6000 signaling
port-range 10000 12005 fax tag FaxGWAdjacency23

 

Configuring a Port Range Tag for the CAC Policy: Example

This section provides a sample configuration of a port range tag for applying to a call in a CAC policy set in the SBC:

sbc MySBC
sbe
cac-policy-set 1
cac-table Table1
table-type policy-set instigate
.
.
.
entry 1
cac-scope global
caller port-range-tag adj-name
callee port-range-tag adj-name
action next-table Table2
.
.
.
cac-table Table2
table-type limit account
entry 1
match-value GoldAccount
caller port-range-tag string LargeBWPorts
callee port-range-tag none