Professional Documents
Culture Documents
SIP Request
Request
Description
INVITE
Indicates that a client is being invited to participate
in a call session
ACK
Confirms that the client has received a final response t
o an INVITE request
BYE
Terminates a call and can be sent by either the
caller o the callee
CANCEL
Cancels any pending request
OPTIONS
Queries the capabilities of servers
REGISTER
Registers the address listed in the To header field with
a SIP server. To and From header fields contain the same AOR.
SIP Responses
--------------------------------------------------------------------Type
|
|
Non-Final
|
1xx Provisional
180 Ringing
Examples
100 Trying
|
|
5xx Server Failure
nal Error
|
6xx Global Failure
trolling the opening and closing of media gates for bearer control.
Signaling Services:
SIP B2BUA/IMS P-CSCF/IMS I-BCF
H.323 Gatekeeper and Gateway
SIP-H.323 Inter-working Module
MGCP/NCS b2b virtual gateway and call agent
H.248 b2b virtual media gateway controller and gateway
NAT Relay: The NAT Relay functions provide application-layer gateway (AL
G) services for non-multimedia protocols including TFTP, HTTP, and DNS.
Routing Policy and Accounting: Routing all traffic to a well-known proxy
or routing all trafiic from network A to Network B. Local routing policies work
in conjuntion with DNS and ENYM to determine next-hop routing behavior.
Call admission and routing decisions are based on a wide range of polici
es enabling advanced routing and traffic management capabilities.
Accounting and QoS Reporting: Provides RADIUS CDRs that include accounti
ng information and provides per-session QoS metrics.
show features - Licensed feautures by typing
show version - OS image version by tiping
show version boot - Boot-loader version by typing
ACLI Modes
User mode
Super mode
Configuration mode - bootparam
-
media-manager
security
system
session-router
ntp-sync
prompt-enabled enabled
Up to five simultaneous Telnet/SSH session are supported. Configuration mode can
be entered within only one session at any given time. (Multiple configuration s
ession for training purposes)
Bootparam:
* Boot-related parameters. When changed, a rebbot is required.
* If stored in a NVRAM, no explicit saving is required.
System:
* Elements of a global nature: system parameters, physical interfaces, n
etwork interfaces, and so on.
Media-manager:
* Media-related elements: media-manager, realm-config, steering-pools, a
nd so on.
Session-router:
* Signaling-related elements, sip-config, sip-interface, session-agent,
and so on.
Security:
* Security-related elements: certificates, IP-Sec, and so on.
NTP-SYNC:
* NTP servers configuration
Configuration Element:
Is a logical grouping of parameters with values assigned to them.
Can be multi-or-single-instance, parent element or subelement (nested) o
r both
General
At any given time there are two configuration loaded in the SBCs RAM: The
"Running" configuration that determines how the SBC provides its services and t
he "Editing" configuration which is initially identical to the running configura
tion an can be changed at any time without affecting the service.
If changes where made in the editing config an have been saved in the da
taDoc.gz file (Last Saved Configuration). Now the two configs in the RAM are dif
ferent, but kept in non-volatile files. When the SBC is rebooted the editing con
figuration RAM area will be loaded from the dataDoc.gz and the running config RA
M area will be loaded from the dataDoc_nn.gz (Last Running Configuration) file.
Lets assume that the last save config is now made to be the runn-config.
The runn-config RAM area will now be overwritten with data from dataDoc-gz file.
Upon the next reboot both editing and running configuration RAM areas will be l
oaded from the dataDoc.gz file.
When an element is created (or modified) and the key you specified is alredy in
use, "error 409" is displayed when done is issued.
Flash File System
display-current-cfg-version - to see configVer.dat
display-running-cfg-version - to see runVer.dat
Backup operations on the SBC save backup copies of configurations, which are rel
atively xmall XML files.
backup-config
backup-config
backup-config
backup-config
<filename>
<filename>
<filename>
<filename>
M00
Media
0
0
enabled
enabled
FULL
100
50
disabled
admin@127.0.0.1
2015-10-08 15:50:27
M00
0
Conexion to SoftPhone
192.168.10.1
255.255.255.0
192.168.10.254
disabled
0
retry-count
retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
signaling-mtu
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by
last-modified-date
0
1
0
11
0
192.168.10.1
192.168.10.1
admin@127.0.0.1
2015-10-08 15:57:26
|
|
|
|
|
|
|
|
|
Policy-Based
Single SIP-NAT
|
Realm bridging
|
Network (SSNHAN)
|
|
|
|
(PBRB)
|
|---------------
Open-Access
Single SIP-NAT
Internet (OAI)
Homed in Trusted
|
|
SIP-NA
T Bridge
Network (SSNHTN)
(
SNB)
PBRB: Simplest, most versatile, but not always capable of addressing all issues
HMRRB: Most cmmonly used in peering deployments
SSNHTN: Used in many access deployments if HMRs do not work optimally
SSNHAN and SNB: Archaic, no longer in common use
Realm Bridging Models for H.323
Peering/Trunking - B2BGK - B2BGW
Access/Remote Worker - Registration-Caching - Registration-Proxy
Creating a Realm Configuration Element
realm-config
identifier
description
addr-prefix
network-interfaces
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
core
0.0.0.0
M10:0
disabled
enabled
enabled
enabled
disabled
msm-release
max-bandwidth
fallback-bandwidth
max-priority-bandwidth
max-latency
max-jitter
max-packet-loss
observ-window-size
disabled
0
0
0
0
0
0
0
The SBC configuration is very flexible: A realm can use a dedicated netw
ork-interface or share a network interface with other realms.
SIP Interfaces
The sip-config element:
Must be created in order for the SBC to handle SIP, is a global,
single instance.
The SIPD is the B2BUA application responsable for most of the SBCs signaling beha
vioral features.
The SIP-Interface (The EDGE proxy function) is the SIP protocol stack and makes
the SBC look like a SIP proxy.
Receives and transmits SIP signaling messages, provides a service pipe to the SI
P daemon (sipd).
Define SIP signaling IP addresses, ports, transport protocols, and various SIP p
rocessing policies.
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
multi-home-addrs
ims-aka-profile
enabled
peer1
192.168.10.1
5060
UDP
all
rather from SDP body. When enabled, the SBC will "lock down" a flow upon receipt
the first RTP packet at an allocated media port.
The steering-pool:
Is the SBCs media interface (for a given realm)
Receives and transmits RTP packets
Defines a media IP address and pool (range) of ports from which port(s)
are dynamically allocated for every established session.
Provides call admission control (CAC) by setting a limit of session goin
g into and out of a realm
Steering pools define sets of ports that are used for steering media flows from
one realm to another through the SBC, through the SDP body, will indicate to the
device to send media there.
In the rewritten SDP body, the SBC replace:
The original IP address with the steering pools IP address.
The original port with a port allocated from the pool.
Steering Pool Configuration
A steering-pool must be assigned to every realm in which media is handle
d by the SBC.
--------------------------------------------------------------------------------------------------A steering pool can only be assigned to ONE realm. But a realm can have more tha
n one steering pool.
--------------------------------------------------------------------------------------------------Steering Pool-Based Call Admission Control
The steering pool size limits the maximum number of current calls (incom
ing+outgoing) in a realm.
A call can "consume" two or four UDP ports.
steering-pool
ip-address
start-port
end-port
realm-id
network-interface
last-modified-by
last-modified-date
192.168.10.1
20000
29999
peer1
admin@127.0.0.1
2015-10-11 00:25:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Routing consists of:
Identifying a SIP requests ingress realm,
Applying relevant rules, and
Determining the egress realm and the destination in it where the re-orig
inated SIP request will be sent
It is based on information in the SIP message, NOT on L3 information.
SIPD
Local-Policy
SIP-NAT
Routing
YES
NO
YES
Stati
c and limited
Translation
NO
Very Flexible
YES
For request-URI
YES
For any Header
Session Agent
Is an external signaling entity that the SBC interacts with
Is known by the SBC through a corresponding configuration element
Is viewed by the SBC as as more "privileged" device
Benefits of a SA:
The SBC can apply constraints on signaling traffic to/from that device.
The SBC can apply various translations and header manipulations to signa
ling messages to/from that device
The SBC can reject incoming signaling messages from other (non-SA) devic
es
Its name can be user as a next-hop in LP
It can be agruped with other SA in order to form a single logical entity
(Think about redundancy and load-balancing)
Session Agent Groups (SAG)
is a single local element that refers to a group of functionally equival
ent session agents.
Individual constraints might differ for session agents in the gr
oup.
Commonly used for load balancing, a session agent group can functions as
a (single logical) next-hop
That way, traffic sent to this next hop can be load-balanced and
never sent to a group member that is down
The load-balancing scheme can be set to:
Hunt (First SA listed in the group that is responsive)
Round-robin
Least-loaded
Propdist
Lowsusrate
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Header Manipulation Rules (HMRs)
Is an extremely powerful tool by which ANYTHING, in ANY header, can be m
anipulated.
HMRs are based on the "sip-manipulation" configuration element, also ref
erred to as a "rule set"
A rule set contains "header rules"; a header rule may contain "elements
rules"
- A header rule "works" on an entire header
- An element rule "works" on items within a specific header.
When properly applied, a rule-set acts on SIP messages that go through:
A session agent, or
A realm, or
A sip-interface
A rule-set can be applied so it affects either inbound or outbound traffic, oir
both.
An element rule functions on a specific item that can be:
A parameter - Example: ;tag=b5hsskk
A non-parameter Example: +6182928
------------------------------------------------------Parameters in a header have the form ;<name>=<value>:
Referenced by "name"
Other items have various forms
Easily referenced by predefined "types"
--------------------------------------------------------"
Applying Rule Sets
For an existing rule-set to function, it must be "applied" to:
- A session-agent and/or
- A realm and/or
- A sip-interface
Doing so also determines whether the rule-set will act upon incoming or outgoing
SIP traffic
----------------------------------------------------------------SIP manipulations may be applied incoming (BEFORE REALM BRIDGING HAS OCURRED) or
outgoing (AFTER REALM BRIDGING HAS OCCURRED)
----------------------------------------------------------------The header manipulation rules (HMR) mechanism is a key feature for interopeabili
ty.
With HMR, any header and any element in a header can be added, replaced, or remo
ved.
Actions can be unconditional or taken on conditions that can be very simple to v
ery complex.
Rule sets can be tested by SBC commands before being applied.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peering PBRB Model
Is preerred because it:
Provides the best performance
Is the simplest to configure
Possible issues:
Topology hinding is not guaranteed for all headers fields
The limitation of this model is that the topology is not completely hidden, simp
ly because LP is a routing element and does not affect the SIP message "From:" a
nd "To:" header fields. Those fields and more non-routing header-fields will go
througth the SBC unchanged.
steering pools -- realm-id, address, ports
sip-interfaces -- realm-id, address:port, transport protocol
realms
-- id, net-int
networl-interfaces -- MXX:Y, address
physical-interfaces -- MXX
system-config, sip-config, media-manager
Peering HMRRB Model
The Header Manipulation Rules Realm Bridging (HMRRB) model is the best i
n most deployments because it:
Provides the best topology hidding
Allows any additional header manipulation
Possible issues:
The need to configure and test HMRs.
SIP Peering Access Control
SIP peering access control is archived by configuring the combination odf addres
s-prefix and allow-anonymous
realm-config
identifier
description
addr-prefix
network-interfaces
peer1
192.168.10.0/24
M00:0
mm-in-realm
mm-in-network
mm-same-ip
mm-in-system
bw-cac-non-mm
msm-release
disabled
enabled
enabled
enabled
disabled
disabled
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
enabled
peer1
192.168.10.1
5060
UDP
realm-prefix
The SBC looks at the IP address in the "Via:" header field and checks wheter it
matches the add-prefix pattern, The allow anonymous parameter, which can be set
differently in each SIP port of a given SIP interface, acts like an "access mode
" control.
For more flexibility, more than one prefix can be set in a realm. This is done u
sing the add-additional-prefix and remove-additional-prefix ACLI commands.
Allow-anonymous
all
agents-only
Realm-prefix
add-prefix
Ignored
non-zero)
matches the add-prefix in the
realm-config
Configuration
local-policy
from-address
to-address
source-realm
description
activate-time
deactivate-time
state
policy-priority
next-hop
realm
action
terminate-recursion
app-protocol
methods
lookup
next-key
last-modified-by
*
*
core
enabled
none
192.168.10.254
peer1
none
disabled
single
admin@127.0.0.1
be
last-modified-date
local-policy
from-address
to-address
source-realm
description
activate-time
deactivate-time
state
policy-priority
next-hop
realm
action
terminate-recursion
app-protocol
methods
lookup
next-key
last-modified-by
last-modified-date
sip-manipulation
name
description
split-headers
join-headers
header-rule
name
header-name
action
comparison-type
msg-type
methods
match-value
new-value
element-rule
name
parameter-name
type
action
match-val-type
comparison-type
match-value
new-value
header-rule
name
header-name
action
comparison-type
msg-type
methods
match-value
new-value
element-rule
name
parameter-name
type
action
match-val-type
2015-10-11 14:30:18
*
*
peer1
enabled
none
172.16.0.100
core
none
disabled
single
admin@127.0.0.1
2015-10-11 14:29:39
NAT_IP
To_hr
To
manipulate
case-sensitive
request
INVITE
To_er
uri-host
replace
ip
case-sensitive
$REMOTE_IP
From_hr
From
manipulate
case-sensitive
request
INVITE
From_er
uri-host
replace
ip
comparison-type
match-value
new-value
last-modified-by
last-modified-date
session-agent
hostname
ip-address
port
state
app-protocol
app-type
transport-method
realm-id
sip-interface
state
realm-id
description
sip-port
address
port
transport-protocol
tls-profile
allow-anonymous
multi-home-addrs
ims-aka-profile
case-sensitive
$LOCAL_IP
admin@127.0.0.1
2015-10-11 15:16:09
phone-ivan
192.168.10.254
5060
enabled
SIP
UDP
peer1
enabled
peer1
192.168.10.1
5060
UDP
agents-only
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Access-Backbone Configuration Models
Policy-Based Realm Bridging (PBRB) - preferred
Single SIP-NAT Homed in Trusted Network (SSNHTN) - provides additional topology
hiding
Single SIP-NAT Homed in Access Network (SSNHAN) - very rarely used
SIP-NAT Bridge (SNB) - no longer being deployed
Access realm: A population of endpoints and proxies; some endpoints or proxies a
re behind a NAT device (for example, a firewall)
Backbone realm: Proxies, registrars, SIP application servers, and gateways.
The Access-backbone model is asymmetrical, in cntrast to the Peering model, whic
h is symmetrical. A key differentiator of an Access-Backbone model is that REGIS
TER messages do cross the SBC.
Access to Backbone - Local Policy or SIP-NAT
Backbone to Access - Registration Caching
Registration Caching: Purpose
The SBC maintains a cache with an entry for each endpoints so that it ca
n:
a. keep endpoint information
Phone number
IP address and port within the access realm
Whether or not it is behind a NAT device
If yes, the NATed IP address and port
b. Route requests from backbone realm to access realm
informati
the "rout
for routi
LP mechan
Keeps all endpoints related IPa addresses and ports in the registration c
ache, including a flag indicating "behind NAT"
Manipulates registration expiration time in order to make an endpoint re
-register freuently, thus keeping the NAT device open for incoming calls.
The SBC may uses "Adaptative HNT" to optimize for that.
Media Laching (Media Addresses and ports issues)
Two big issues:
1. The initiators SDP body indicates to the other device to send
its media to a destination that is unreachble
2. Any media packet sent to the initiator will be rejected as un
solicited packet (no media port is open in the firewall)
The SBC must wait until the first RTP packet is sent
Only then will the IP:port the media comes from be known and lat
ched by the SBC.
Is a mechanism by which the SBC will "lock down" a flow upon receipt of
the first RTP pacjet at an allocated media port.
Is always enabled when an endpoint is determined to be behind a NAT devi
ce.
Symmetric Latching
Is defined as "symmetric" when:
The endpoint is determined to be behind a NAT device
Media to the endpoint is sent by the SBC to the same IP:Port whe
re it comes from (regardless of the IP:Port in the SDP body)
Access PBRB Model
The policy-based realm bridging (PBRB) model is preferred because it:
Provides the best performance
It the simplest to configure
Possible issues:
Topology hiding is not always guaranted
endpoints should use domain-name-based AORs.
It is common for the devices in the backbone to be configured as session agents.
These devices are typically services providers registrars, proxies, switches, g
ateways, messaging systems, and son on.
Some registrars will reject registration requests if the "To:" field does not in
clude the backbone domain.
Access SSNHTN Model
It uses:
PBRB:
LP for access to backbone routing
Registration-caching backbone to access routing
And in addition:
SIP-NAT mechanismo for good topology hinding
The SIP-NAT environment involves:
One home realm
The SBC is said to reside in this realm
Any number of external realms thah can be
Pairs of peering realms
Access realms
Backbone realms
A SIP-NAT configuration element per each external realm that provides static rou
ting and topology hiding.
In Access-backbone, the backbone realm is normally considered to be a "trusted n
etwork" (SP Network). Id the backbone realm in an Access-Backbone deployment is
assigned as a home realm, then we have an HTN (Homed in Trusted Network) model.
We can have several access realms (all externals)
If the home realm is an access realm, , then we have an HAN (Home in access netw
ork). Here we are limited to one access realm, but we can have more than one bac
kbone realm.
If traffic is exchanged between peering external realms, it must cross the home
realm. This path will be subject to two sip-nat translations (one for each exter
nal realm) and is called SNB (SIP NAT Bridging)
If traffic is exchanged only between an external realm and the home realm, the p
ath is only subject to one sip-translation ans is called SSN (Single SIP-NAT)
SIP-NAT logical model
The SIP-NAT element contains the IP addresses translations and the list of heade
r subject to them
External-proxy-address (EPA)
External-address (EA)
Home-address (HA)
Home-proxy-address (HPA)
session-router -> sip-nat
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Border Element Redundancy Protocol (BERP), interfaces wancom1 and wancom2 to che
ckpoint health, state, media flow, and signaling information.
The HA cluster functioning is closely related to the alarm subsystem.