General Description of an SBC (Session Border Controller)
Using an SBC (Session Border Controller) lets enterprises extend SIP-based applications beyond the enterprise network boundary, e.g. when users of Lotus Sametime Unified Telephony are not all within the same IP network.
Users within each network may not have public IP addresses, and/or NAT (Network Address Translation) devices may be deployed within the networks. In these cases SBCs are used to allow SIP signaling to pass between the user devices and Lotus Sametime Unified Telephony. The SBC also provides network topology hiding.
An SBC is basically a SIP-aware firewall that also serves as a SIP proxy or B2BUA (Back-to-Back User Agent). The Acme Packet Net-Net 2600 and Net-Net 3800 SBCs behave as a B2BUA, while the Branch and Comdasys SBCs behave as a proxy. The SBC is given a publicly accessible URL and IP address, and SIP phones on the internet use this as the address of their SIP registrar and proxy. The SBC also has a second IP address, on a separate LAN connection, in the corporate LAN. Its function is to analyze, modify, and relay messaging between the phone and the Lotus Sametime Unified Telephony system. Only well-formed SIP and media (RTP, Real-Time Transport Protocol) packets are permitted through the firewall function.
Remote Access
Subscribers want to use their phones regardless of location. The Acme Packet SBC enables secure access to Lotus Sametime Unified Telephony regardless of public/private network or endpoint type.
SIP Trunking
Enterprise network operators realize significant operational cost savings by transitioning from TDM to IP (SIP) trunking. The Acme Packet SBC enables enterprises to securely connect their IP telephony solutions to carrier SIP trunking services or between enterprise branch offices.
Security
Enterprises want their IP telephony network protected against attacks and compromises. The Acme Packet SBC can be deployed to provide secure access at all points of interconnect.
Policy Enforcement
Allows enterprises to define, enforce, and audit fine-grained policies on real-time services such as VoIP, video, IM, presence, communications-enabled applications and other real-time services.
Security
o Cryptographic authentication
o Intrusion prevention
Routing
o MoS-based routing
o Presence-based routing
Monitoring
o Control
o QoS control
Interoperability
Remote Users
UDP connections on the core side between the SBC (Session Border Controller) and Lotus Sametime Unified Telephony:
On the core side of the SBC a single IP address is used, but unique ports are assigned for each user.
TCP/TLS connections on the core side between the SBC and Lotus Sametime Unified Telephony:
On the core side of the SBC a single IP address is used, but unique ports are assigned for each user. Only a single layer 3 connection is used, but the unique port numbers are sent in the 2nd Via header field and in the Contact header field to Lotus Sametime Unified Telephony.
Branch Office
UDP/TCP/TLS connections on the core side between the SBC and Lotus Sametime Unified Telephony:
On the core side of the SBC a single IP address is used per branch, but unique ports are assigned for each user. Only a single layer 3 connection is used, but the unique port numbers are sent in the 2nd Via header field and in the Contact header field to Lotus Sametime Unified Telephony.
When Lotus Sametime Unified Telephony wishes to route a call to a remote user:
1. Lotus Sametime Unified Telephony sends a SIP INVITE to the topmost Via header address previously received in the SIP REGISTER request from the SBC, i.e. the SBC core-side interface.
2. The SBC associates the Contact address in the SIP INVITE, received at an IP address/port on the core side, with a specific remote user's public IP address/port. For this step the SBC uses the registration binding information.
3. The SBC forwards the SIP INVITE from its access side to the remote user's device.
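The per-user core-side port binding described under Remote Users and Branch Office, and the three INVITE routing steps above, as an added Python model. This is illustration written for these notes, not Acme Packet code: the SBC core-side address 192.168.90.75 is borrowed from the lab configuration later in the notes, the port pool 7000-7999, the domain lsut.example.com, the endpoint addresses and both SIP messages are constructed, and registration expiry, authentication and media handling are left out so that only the binding logic is shown.

```python
"""Toy model of the registration binding an SBC keeps for remote users.
One core-side IP is shared; each registered user gets a unique core-side port
that is sent in the Contact header (and in the second Via) towards Lotus
Sametime Unified Telephony. An INVITE arriving for that port is mapped back to
the endpoint's public address learned on the access side."""
import re

SBC_CORE_IP = "192.168.90.75"        # core-side address from the lab config in these notes
SBC_CORE_SIP_PORT = 5060
CORE_USER_PORTS = range(7000, 8000)  # per-user core-side port pool (assumption)


def parse_sip(msg: str):
    """Return (method, request_uri, headers); headers is an ordered list of
    (name, value) so repeated headers such as Via keep their order."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, request_uri, headers


def first_header(headers, name):
    return next(v for n, v in headers if n.lower() == name.lower())


def uri_parts(value: str):
    """(user, host, port) of the first SIP URI in a header value or Request-URI."""
    m = re.search(r"sip:(?:([^@>;\s]+)@)?([\w.\-]+)(?::(\d+))?", value)
    if not m:
        raise ValueError(f"no SIP URI in {value!r}")
    return m.group(1), m.group(2), int(m.group(3) or 5060)


class RegistrationCache:
    def __init__(self):
        self._by_aor = {}        # address-of-record -> (public_ip, public_port, core_port)
        self._by_core_port = {}  # core_port -> address-of-record
        self._free_ports = iter(CORE_USER_PORTS)

    def register_from_access(self, register: str, src_ip: str, src_port: int) -> str:
        """REGISTER received on the access side from (src_ip, src_port), the
        endpoint's address after NAT. Returns the REGISTER sent on the core side."""
        method, request_uri, headers = parse_sip(register)
        if method != "REGISTER":
            raise ValueError("expected REGISTER")
        user, domain, _ = uri_parts(first_header(headers, "To"))
        aor = f"sip:{user}@{domain}"
        # A refresh keeps the port already allocated to this user.
        core_port = self._by_aor[aor][2] if aor in self._by_aor else next(self._free_ports)
        self._by_aor[aor] = (src_ip, src_port, core_port)
        self._by_core_port[core_port] = aor
        # Core-side message: the SBC's own Via on top, the unique port in the
        # second Via and in the Contact. The phone's Via and its private/public
        # addresses are dropped (topology hiding).
        out = [f"REGISTER {request_uri} SIP/2.0",
               f"Via: SIP/2.0/UDP {SBC_CORE_IP}:{SBC_CORE_SIP_PORT};branch=z9hG4bK-sbc-{core_port}a",
               f"Via: SIP/2.0/UDP {SBC_CORE_IP}:{core_port};branch=z9hG4bK-sbc-{core_port}b"]
        for name, value in headers:
            if name.lower() == "via":
                continue
            if name.lower() == "contact":
                value = f"<sip:{user}@{SBC_CORE_IP}:{core_port}>"
            out.append(f"{name}: {value}")
        return "\r\n".join(out) + "\r\n\r\n"

    def route_invite_from_core(self, invite: str):
        """INVITE from Lotus Sametime Unified Telephony to the core side.
        Returns (dest_ip, dest_port, invite_for_access_side), or None when the
        Request-URI does not match a registration binding."""
        method, request_uri, headers = parse_sip(invite)
        if method != "INVITE":
            raise ValueError("expected INVITE")
        user, host, port = uri_parts(request_uri)
        aor = self._by_core_port.get(port)
        if host != SBC_CORE_IP or aor is None or not aor.startswith(f"sip:{user}@"):
            return None  # nothing registered behind that port, or a different user
        public_ip, public_port, _ = self._by_aor[aor]
        out = [f"INVITE sip:{user}@{public_ip}:{public_port} SIP/2.0"]
        out += [f"{n}: {v}" for n, v in headers]  # a real B2BUA rewrites Via/Contact here too
        return public_ip, public_port, "\r\n".join(out) + "\r\n\r\n"


# Constructed messages (not captured traffic). The phone sits behind NAT at
# private 10.0.0.5; the SBC sees it from 203.0.113.10:40001.
PHONE_REGISTER = ("REGISTER sip:lsut.example.com SIP/2.0\r\n"
                  "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-phone1\r\n"
                  "From: <sip:alice@lsut.example.com>;tag=a1\r\n"
                  "To: <sip:alice@lsut.example.com>\r\n"
                  "Call-ID: reg-alice-1\r\nCSeq: 1 REGISTER\r\n"
                  "Contact: <sip:alice@10.0.0.5:5060>\r\nExpires: 3600\r\n"
                  "Content-Length: 0\r\n\r\n")
CORE_INVITE = ("INVITE sip:alice@192.168.90.75:7000 SIP/2.0\r\n"
               "Via: SIP/2.0/UDP 192.168.90.1:5060;branch=z9hG4bK-lsut1\r\n"
               "From: <sip:bob@lsut.example.com>;tag=b1\r\n"
               "To: <sip:alice@lsut.example.com>\r\n"
               "Call-ID: call-1\r\nCSeq: 1 INVITE\r\n"
               "Contact: <sip:bob@192.168.90.1:5060>\r\nContent-Length: 0\r\n\r\n")


def demo():
    cache = RegistrationCache()
    core_register = cache.register_from_access(PHONE_REGISTER, "203.0.113.10", 40001)
    return core_register, cache.route_invite_from_core(CORE_INVITE)


if __name__ == "__main__":
    reg, routed = demo()
    print(reg)
    print("INVITE goes to", routed[:2])
```

The point to take from the model is the second half: the SBC only forwards an INVITE to the internet when the core-side port in the Request-URI matches a live binding, so an INVITE for an unknown port gets no route rather than being relayed on to some guessed address.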
Lotus Sametime Unified Telephony cluster nodes are co-located in one data center (or geo-separated but in the same sub-net):
If a High Availability SBC cluster is deployed, then failure of one SBC is transparent to the branch users.
If a non-redundant SBC is used, then failure of the SBC results in loss of service until the SBC is repaired.
Lotus Sametime Unified Telephony cluster nodes are geo-separated in different data centers with different sub-nets:
A data center outage requires the users to register with the SBC in the other data center before they can originate or receive new calls. In this scenario the phones must be configured with the IP addresses of the SBCs in both data centers and must register with the secondary SBC when connectivity to the primary SBC is lost.
I put what I thought the relationships are on the ACME. This is what I think it is.
I had a lab ACME that I was working on that already had some configuration on it. It's a working config, and I wanted to practice adding some config into it. I added two realm-configs, two steering-pools, two sip-interfaces and a local-policy.
TestACME# config t
TestACME(configure)# media-manager
TestACME(media-manager)# realm-config
TestACME(realm-config)# identifier Outside
TestACME(realm-config)# network-interfaces m10:0
TestACME(realm-config)# out-manipulationid NAT_IP
TestACME(realm-config)# account disabled
TestACME(realm-config)# exit
Save Changes [y/n]?: y
TestACME(media-manager)# realm-config
TestACME(realm-config)# identifier Inside
TestACME(realm-config)# network-interfaces m00:0
TestACME(realm-config)# out-manipulationid NAT_IP
TestACME(realm-config)# exit
Save Changes [y/n]?: y
TestACME(media-manager)# steering-pool
TestACME(steering-pool)# ip-address 192.168.9.91
TestACME(steering-pool)# start-port 7000
TestACME(steering-pool)# end-port 7999
TestACME(steering-pool)# realm-id Outside
TestACME(steering-pool)# exit
Save Changes [y/n]?: y
steering-pool
        ip-address                     192.168.9.91
        start-port                     7000
        end-port                       7999
        realm-id                       Outside
        network-interface
        last-modified-by               admin@10.1.1.1
        last-modified-date             2013-11-18 14:35:22
TestACME(media-manager)# steering-pool
TestACME(steering-pool)# ip-address 192.168.90.75
TestACME(steering-pool)# start-port 7000
TestACME(steering-pool)# end-port 7999
TestACME(steering-pool)# realm-id Inside
TestACME(steering-pool)# exit
Save Changes [y/n]?: y
steering-pool
        ip-address                     192.168.90.75
        start-port                     7000
        end-port                       7999
        realm-id                       Inside
        network-interface
        last-modified-by               admin@10.1.1.1
        last-modified-date             2013-11-18 14:36:37
TestACME(media-manager)# exit
TestACME(configure)# session-router
TestACME(session-router)# sip-interface
TestACME(sip-interface)# realm-id Outside
TestACME(sip-interface)# sip-port
TestACME(sip-port)# address 192.168.9.91
TestACME(sip-port)# port 5060
TestACME(sip-port)# transport-protocol udp
TestACME(sip-port)# allow-anonymous all
TestACME(sip-port)# exit
Save Changes [y/n]?: y
sip-port
        address                        192.168.9.91
        port                           5060
        transport-protocol             UDP
        tls-profile
        allow-anonymous                all
        ims-aka-profile
TestACME(sip-interface)# trans-expire 14
TestACME(sip-interface)# out-manipulationid NAT_IP
TestACME(sip-interface)# rfc2833-mode preferred
TestACME(sip-interface)# add-sdp-invite invite
TestACME(sip-interface)# add-sdp-profiles G729 PCMU telephone-event
TestACME(sip-interface)# exit
Save Changes [y/n]?: y
TestACME(session-router)# sip-interface
TestACME(sip-interface)# realm-id Inside
TestACME(sip-interface)# sip-port
TestACME(sip-port)# address 192.168.90.75
TestACME(sip-port)# port 5060
TestACME(sip-port)# transport-protocol udp
TestACME(sip-port)# allow-anonymous all
TestACME(sip-port)# exit
Save Changes [y/n]?: y
sip-port
        address                        192.168.90.75
        port                           5060
        transport-protocol             UDP
        tls-profile
        allow-anonymous                all
        ims-aka-profile
TestACME(sip-interface)# trans-expire 14
TestACME(sip-interface)# out-manipulationid NAT_IP
TestACME(sip-interface)# rfc2833-mode preferred
TestACME(sip-interface)# exit
policy-attribute
        realm                          Outside
        action                         replace-uri
        terminate-recursion            disabled
        carrier
        start-time                     0000
        end-time                       2400
        days-of-week                   U-S
        cost                           0
        app-protocol
        state                          enabled
        methods
        media-profiles
        lookup                         single
        next-key
        eloc-str-lkup                  disabled
        eloc-str-match
TestACME(session-router)# exit
TestACME(configure)# exit
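The sip-port settings in this transcript leave allow-anonymous all on the Outside (access-side) port and run plain UDP with no tls-profile, so anything on the internet that can reach 192.168.9.91:5060 gets its SIP processed, in cleartext. The following added Python example (written for these notes, not Acme Packet code) parses a running-config style dump in the indented element/attribute layout the ACLI prints above and flags those two conditions on access realms. The dumps it reads are constructed here from the values in the transcript; the tls-profile name access-tls is hypothetical and would have to exist as a tls-profile object on the SBC; which realms count as access-side is passed in by the caller.

```python
"""Audit a 'show running-config' style dump for access-side sip-ports that
accept SIP from any source over an unprotected transport."""
from dataclasses import dataclass, field


@dataclass
class Element:
    name: str
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def parse_running_config(text: str) -> list:
    """Parse the indented layout: a line followed by a more deeply indented line
    opens a container element; every other line is 'attribute value', where the
    value may be empty (a blank tls-profile, for instance)."""
    lines = [l for l in text.splitlines() if l.strip()]
    indents = [len(l) - len(l.lstrip()) for l in lines]
    roots, stack = [], []  # stack holds (indent, Element) of open containers
    for i, line in enumerate(lines):
        indent = indents[i]
        while stack and stack[-1][0] >= indent:
            stack.pop()
        opens_container = i + 1 < len(lines) and indents[i + 1] > indent
        parts = line.split(None, 1)
        if opens_container:
            el = Element(parts[0])
            (stack[-1][1].children if stack else roots).append(el)
            stack.append((indent, el))
        elif stack:
            stack[-1][1].attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        else:
            raise ValueError(f"attribute outside any element: {line!r}")
    return roots


def audit_access_sip_ports(roots: list, access_realms: set) -> list:
    """Return (location, problem) pairs for sip-ports on access-side realms."""
    findings = []
    for iface in (r for r in roots if r.name == "sip-interface"):
        realm = iface.attrs.get("realm-id", "")
        if realm not in access_realms:
            continue  # core-side interfaces are out of scope for this check
        for port in (c for c in iface.children if c.name == "sip-port"):
            where = f"{realm} {port.attrs.get('address', '?')}:{port.attrs.get('port', '?')}"
            if port.attrs.get("allow-anonymous", "").lower() == "all":
                findings.append((where, "allow-anonymous all: requests from any source "
                                        "are processed; use 'registered' for remote users"))
            if (port.attrs.get("transport-protocol", "").upper() != "TLS"
                    or not port.attrs.get("tls-profile")):
                findings.append((where, "signalling is not protected: set "
                                        "transport-protocol TLS with a tls-profile"))
    return findings


# Constructed dump mirroring the two sip-interfaces configured in the transcript.
LAB_CONFIG = """\
sip-interface
        state                          enabled
        realm-id                       Outside
        sip-port
                address                        192.168.9.91
                port                           5060
                transport-protocol             UDP
                tls-profile
                allow-anonymous                all
        trans-expire                   14
        out-manipulationid             NAT_IP
sip-interface
        state                          enabled
        realm-id                       Inside
        sip-port
                address                        192.168.90.75
                port                           5060
                transport-protocol             UDP
                tls-profile
                allow-anonymous                all
        trans-expire                   14
"""

# Constructed hardened access side: TLS with a hypothetical tls-profile named
# access-tls, and non-REGISTER requests only from registered endpoints.
HARDENED_CONFIG = """\
sip-interface
        state                          enabled
        realm-id                       Outside
        sip-port
                address                        192.168.9.91
                port                           5061
                transport-protocol             TLS
                tls-profile                    access-tls
                allow-anonymous                registered
        trans-expire                   14
        out-manipulationid             NAT_IP
"""

ACCESS_REALMS = {"Outside"}


def audit_lab() -> list:
    return audit_access_sip_ports(parse_running_config(LAB_CONFIG), ACCESS_REALMS)


def audit_hardened() -> list:
    return audit_access_sip_ports(parse_running_config(HARDENED_CONFIG), ACCESS_REALMS)


if __name__ == "__main__":
    for where, problem in audit_lab():
        print(f"{where}: {problem}")
```

Running it reports two findings for the Outside port and none for the hardened version. allow-anonymous registered still lets phones send REGISTER (they have to, to become registered) but stops unregistered sources from pushing INVITEs or OPTIONS through the SBC; trunk peers that never register are better covered by agents-only with a session-agent entry per peer.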
ACME Packet: How To Change The System Clock/Time On A 4250 ACME Packet Net-Net Device
ACME01# show clock
05:25:13 UTC THU OCT 22 2013
ACME01#
ACME01# systime-set
Date YYYY MM DD: 2013 10 24
Time HH MM: 08 04
WARNING: Changing the time can have an adverse effect on session processing
Do you want to continue [y/n]?: y
Setting time to: THU OCT 24 08:04:00 2013
ACME01# save-config
ACME Packet 4250 Net-Net: How do you take a capture from an ACME 4250 Net-Net device?
To turn logging on, do the following:
ACME4250# notify sipd debug
ACME4250#
enabled SIP Debugging
ACME4250# notify sipd siplog
ACME4250#
To turn logging off, do the following:
ACME4250# notify sipd nodebug
ACME4250#
disabled SIP Debugging
ACME4250# notify sipd nosiplog
ACME4250#
Now you have to get the logs. You will need to FTP into the ACME box and get the logs, like this. Note that FTP carries the login and the log contents in the clear, and sipmsg.log holds the full SIP messages, so do this over the management network only and treat the files as sensitive:
C:\Users\shane>ftp 10.1.1.1
Connected to 10.1.1.1.
220 ACME4250 FTP server (VxWorks 6.4) ready.
User (10.1.1.1:(none)): shane
331 Password required for user.
Password: password
230 User user logged in.
ftp> cd /ramdrv/logs
250 CWD command successful.
ftp> asc
200 Type set to A.
ftp> get sipmsg.log
200 PORT command successful.
150 Opening ASCII mode data connection for '/ramdrv/logs/sipmsg.log' (131546 bytes).
226 Transfer complete.
ftp: 135087 bytes received in 0.23Seconds 577.29Kbytes/sec.
ftp> get log.sipd
200 PORT command successful.
150 Opening ASCII mode data connection for '/ramdrv/logs/log.sipd' (625802 bytes).
226 Transfer complete.
ftp: 634808 bytes received in 0.39Seconds 1627.71Kbytes/sec.
ftp> bye
221 Goodbye.
no expiration
installed at 09:55:30 OCT 29 2013
Total session capacity: 4000
ACMESYSTEM(license)#