Cisco Systems ASR 1000 Network Router User Manual


 
Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers
OL-15421-01
Chapter 7 H.248 Services—Signaling and Control
DBE Signaling Pinhole Support
DBE Signaling Pinhole Support allows the media gateway controller (MGC) to directly control policing
of signaling flows through the SBC interfaces on the DBE. Policing is applied per signaling flow,
via the H.248 association between the MGC and the DBE. The feature removes the need for a
separate firewall device to protect the MGC.
Without this feature, signaling packets are addressed to the SBE, and the DBE acts as a router,
forwarding the packets to the SBE. With this feature enabled, the DBE can police signaling packets using
the ETSI TS 102 333 Traffic Management (Tman) package. The DBE has application-level pinholes
created to allow those packets to be forwarded to the SBE. Normal IP forwarding is disabled on the SBC
interfaces of the DBE.
DBE Signaling Pinhole Support includes the following functionality:
• The DBE only forwards traffic that is received on a configured pinhole. The packet must be
  addressed to a VPN, address, or port on an SBC interface on the DBE.
• Signaling pinholes are configured in the same way as media pinholes over H.248. They can be
  differentiated from media pinholes by session descriptions as defined in the Session Description
  Protocol (SDP) in the local and remote descriptors. The “m=application” line indicates that the
  termination is a signaling pinhole.
• The data rate through a signaling pinhole can be unlimited.
• The MGC can specify the VPN, address, and port of the pinhole on the DBE when it is created. This
  must be selected from the address and port range available on the DBE, and must not already have
  been allocated for another use. This function is intended to be used for signaling pinholes, but it can
  be used for any pinhole. The address and port range available must be separately configured on both
  the MGC and the DBE.
• Each endpoint must have a signaling pinhole associated with it in order for it to communicate with
  the SIP server.
• Signaling pinholes are forwarded in the same way as media pinholes; that is, packets are forwarded
  after the policing bandwidth usage is checked and the IP header is rewritten. The only exception is
  that signaling pinholes do not time out if the flow of signaling packets stops.
• Signaling pinholes can be used for traffic other than SIP, such as non-RTP media streams of
  any kind. However, you need to specify a bandwidth limit using the Traffic Management (Tman)
  package if you want policing.
DBE Restrictions
The following are DBE restrictions for DBE Signaling Pinhole Support:
• The endpoint still needs to be sending its signaling to a local address owned by the DBE configured
  as a media address.
• If a signaling port range is not configured, then by default the range is the same as that for media
  ports (16384 to 32767). For this reason, it is recommended that a signaling port range is explicitly
  configured. The configured range must not clash with the address and port used by the media
  gateway for its connection to the MGC. You need to ensure this configuration is entered consistently.
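
The following Python sketch is an added example, not part of the Cisco guide and not Cisco code. It classifies a termination as a signaling or media pinhole from the m= line of its SDP and checks a requested address and port against the rules and restrictions listed above. The function names, the sample SDP, and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_MEDIA_PORTS = range(16384, 32768)   # 16384 to 32767, the default stated in the guide

@dataclass(frozen=True)
class Pinhole:
    kind: str       # "signaling" when the SDP says m=application, otherwise "media"
    address: str
    port: int

def parse_descriptor(sdp: str) -> Pinhole:
    """Read the c= and m= lines of the SDP carried in an H.248 descriptor."""
    address = media = port = None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("c="):
            address = line.split()[-1]            # c=IN IP4 <address>
        elif line.startswith("m="):
            fields = line[2:].split()             # m=<media> <port> <proto> <fmt>
            media, port = fields[0], int(fields[1])
    if address is None or media is None:
        raise ValueError("descriptor needs both a c= and an m= line")
    return Pinhole("signaling" if media == "application" else "media", address, port)

def check_pinhole(p, dbe_addresses, signaling_ports, allocated, h248_endpoint):
    """Return the reasons a requested pinhole conflicts with the rules above.

    All parameters are hypothetical inputs for this example: the DBE's media
    addresses, the configured signaling range (None if unset), the set of
    (address, port) pairs in use, and the H.248 control (address, port).
    """
    problems = []
    if signaling_ports is None:                   # unset: the media default applies
        signaling_ports = DEFAULT_MEDIA_PORTS
        problems.append("no explicit signaling port range; sharing the media range")
    if p.address not in dbe_addresses:
        problems.append("address is not a media address owned by the DBE")
    if p.kind == "signaling" and p.port not in signaling_ports:
        problems.append("port is outside the signaling port range")
    if (p.address, p.port) in allocated:
        problems.append("address and port already allocated")
    if h248_endpoint[0] in dbe_addresses and h248_endpoint[1] in signaling_ports:
        problems.append("signaling range clashes with the gateway's MGC connection")
    return problems

# Constructed sample descriptor (documentation address range, not from the guide).
SAMPLE_SDP = """v=0
c=IN IP4 192.0.2.10
m=application 5060 udp 0
"""
```

An empty list from check_pinhole means the request is consistent with every rule the example encodes.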