[Figure: terminals in the intranet, the NAT/firewall, and the core network]
Voice over IP (VoIP) users reside in different virtual private networks (VPNs), and their IP addresses may overlap.
The network address translation (NAT)/firewall does not support the application level gateway (ALG) function for VoIP signaling,
including Session Initiation Protocol (SIP), H.323, H.248, and Media Gateway Control Protocol (MGCP) signaling. An ordinary
NAT modifies only the address information at the IP layer of a packet. (See the characters in blue in the right figure.)
For SIP signaling, after the VoIP user registers, its private network address is recorded in the core network. (See the characters
in red in the right figure.) As a result, signaling fails during the call.
Regarding NAT/firewall channel keepalive: if the VoIP terminal does not trigger any service for a long time after it registers,
the NAT/firewall disables its channel. As a result, the VoIP terminal cannot function as the callee.
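The registration failure described above, as an added Python example (not part of the original slides or of the SE2600 software): it flags RFC 1918 addresses left inside a SIP message after an ordinary NAT translated only the IP header, then rewrites the Contact the way a signaling proxy in front of the core would. The message, all addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also matches
# documentation ranges such as 203.0.113.0/24, which would skew the check.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed REGISTER as seen after an ordinary NAT with no SIP ALG:
# the IP header was translated, the SIP headers were not.
SAMPLE_REGISTER = "\r\n".join([
    "REGISTER sip:ims.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK74bf9",
    "From: <sip:alice@ims.example.net>;tag=9fxced76sl",
    "To: <sip:alice@ims.example.net>",
    "Call-ID: 3848276298220188511",
    "CSeq: 1 REGISTER",
    "Contact: <sip:alice@192.168.1.2:5060>",
    "Content-Length: 0", "", ""])

HOSTPORT = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"
CONTACT = r"^(Contact:.*?sip:(?:[^@>\s]+@)?)" + HOSTPORT
PATTERNS = {
    "Contact": re.compile(CONTACT, re.M | re.I),
    "SDP c=": re.compile(r"^(c=IN IP4 )" + HOSTPORT, re.M),
}

def is_rfc1918(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)

def nat_findings(msg, src_ip):
    """Return (field, host) pairs the core could not route a request back to."""
    found = []
    for field, pattern in PATTERNS.items():
        for m in pattern.finditer(msg):
            host = m.group(2)
            if host != src_ip and is_rfc1918(host):
                found.append((field, host))
    return found

def proxy_register(msg, src_ip, src_port, sbc_ip, sbc_port=5060):
    """Rewrite Contact to the proxy address; return (message, binding)."""
    aor = re.search(r"^To:\s*<([^>]+)>", msg, re.M | re.I).group(1)
    rewritten = re.sub(CONTACT,
                       lambda m: f"{m.group(1)}{sbc_ip}:{sbc_port}",
                       msg, flags=re.M | re.I)
    # The proxy keeps the NAT's public address/port observed on the packet,
    # so later requests for this user can be sent through the NAT channel.
    return rewritten, {aor: (src_ip, src_port)}

if __name__ == "__main__":
    print(nat_findings(SAMPLE_REGISTER, "203.0.113.8"))
    print(proxy_register(SAMPLE_REGISTER, "203.0.113.8", 7003, "198.51.100.7")[1])
```

The binding is only usable while the NAT/firewall channel stays open, which is why the keepalive problem in the last paragraph matters.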
Upgrade the NAT/firewall at the egress of the enterprise network so that the NAT/firewall
supports the ALG function of VoIP signaling.
——Enterprises are unwilling to pay for it and the VoIP upgrade is performed in conjunction with
the firewall upgrade.
Upgrade the NAT/firewall at the egress of the enterprise network so that the NAT/firewall
supports the ALG function of next generation network (NGN) signaling.
——Enterprises are unwilling to pay for it.
The operator gives up the users in the VPN; instead, it provides services only for the users of
the public network.
——The operator is unwilling to give up the very important client (VIC).
It is required to deploy a device beside the core network to protect the core network from
different types of attacks:
Ordinary DoS attack and distributed denial of service (DDoS) attack
VoIP signaling attacks (The core network in the operator's VPN can still hardly defend
against these types of attacks.)
It is required that the SBC provide the topology hiding function to shield the real IP address
of one party from the other party in the communication, thus implementing security isolation.
[Figure: IMS architecture. Elements shown: AS, Charging, LIG, IWF, HSS, I/S-CSCF, I-BCF, LRF, BGCF, SGF, P-CSCF, MRFC, MGCF, PCRF, SPDF, other IP networks, PSTN/ISDN]
Access side session border controller (A-SBC): P-CSCF+SPDF+ Core Border Gateway Function (C-BGF)
Interconnect side session border controller (I-SBC): interworking function (IWF) + interconnection border control function (I-BCF) +
interconnection border gateway function (I-BGF)
HUAWEI TECHNOLOGIES CO., LTD. HUAWEI Confidential
Typical Networking of the SBC
[Figure: A-SBC (A-BGF + P-CSCF + SPDF) and I-SBC (I-BCF + I-BGF + IWF) around the IMS CN (S-CSCF), with the access network (IP, BRAS, third-party CP) and the peer network; SIP signaling and media paths are shown]
• The A-SBC includes the BGF, P-CSCF, and SPDF. The I-SBC includes the I-BCF, I-BGF, and IWF. These functions are physically integrated.
• The interface between the A-SBC/I-SBC and the core network is a SIP interface.
[Figure: BGF mode. Elements: P-CSCF, I/S-CSCF, I-BCF/IWF, SPDF, C-BGF, I-BGF, access network (IP, BRAS, third-party CP). Interfaces: COPS, Diameter, H.248. Paths: signaling, media. Note in figure: "Control NAT traversal through the COPS interface."]
If the A-BGF or I-BGF needs to be used in a session, the P-CSCF/SPDF or the I-BCF/SPDF sends a request carrying the media component
description for resource reservation, or the NAPT binding information, to the specified A-BGF/I-BGF. The A-BGF/I-BGF then performs
the corresponding operations according to the policy delivered by the P-CSCF/SPDF or I-BCF/SPDF.
This mode is usually called the BGF mode (signaling NAT + media proxy, MIDCOM). In this mode, the SE2600 provides the following
functions:
• Processes media under the control of the SPDF (RM9000) through the Ia interface.
• Signaling NAT: In addition to performing signaling NAT, the SBC keeps the NAT channel alive under the control of the P-CSCF through the
COPS interface (a private interface of Huawei). Because the SBC needs to perform IP-layer signaling NAT, IP route planning must force signaling
packets to pass through the SBC, which places requirements on the IP bearer network.
Note: Signaling NAT consists of signaling NAT of the SBC and the keepalive of the NAT channel attached to the SBC.
I-SBC
• Signaling proxy + media proxy + embedded I-BCF
It is a preferred scheme in Vodafone and will be one of the preferred schemes in the
IMS solution in 2010. The IWF is optional.
• Media proxy (I-BGF providing the Ia interface externally)—The SE2600 does not
support it but the SE2300 supports it.
[Figure: SE2600 hardware structure. Fans (redundancy); LPUs; SFU boards forming the switching matrix (4 SFUs, 3+1 backup, load sharing); SPUs]
The SE2600, adopting the distributed hardware structure, consists of the SRU, SPU, SFU,
and LPU. The SRU is responsible for configuration management; the LPU is responsible for
receiving and sending packets; the SFU is responsible for exchanging packets between the
LPU and the SPU; the SPU is responsible for processing SBC services, such as signaling
distribution, signaling proxy, and media proxy.
The SE2600 supports the DC power module in 1+1 hot backup mode and 9 fans. Thus, even
if one of the fans is faulty, the SE2600 can still work normally.
Function:
• Route management
• Data configuration
• Device management and maintenance
• Inter-board outband communication of the entire system
Interface:
• To M2000
• Console

Function:
• Signaling proxy
• Media proxy
• P-CSCF
• I-BCF
• C-BGF/I-BGF
• Security
• Quality of service (QoS)
• NAT traversal
Interface: does not provide the external interface.

Function:
The LPU provides the physical interfaces to
connect the external network or network
element (NE), such as the IP multimedia
subsystem (IMS) core network or the
terminal network. The physical interfaces
usually are connected to routers or Ethernet
switches.
The LPU obtains the routing table from the
SRU.
Interfaces
24GE electrical interface
24GE optical interface
1 x 10GE interface (Presently, this interface
is not used for the commercial purpose.)
NE40-E
The SE2600 is developed based on the NE40-E. This architecture has the
following advantages:
The SE2600 features large capacity, high performance, and high integration. An
SE2600, working in 1+1 hot backup mode, supports a maximum of 600 thousand
registered users, 2400 CAPs, and 60 thousand G.711 concurrent two-way media
streams.
The SE2600 can directly inherit the features of the versatile routing platform
(VRP), such as the dynamic routing protocol, port binding, and bidirectional
forwarding detection (BFD). This ensures the networking reliability.
The SE2600 adopts the multi-core CPU, thus meeting service requirements while
meeting performance requirements.
The SE2600 features the flexible software architecture and can work in different
application scenarios, such as the NGN, IMS, user access, international gateway
exchange, and protocol conversion.
[Figure: SBC signaling and media planes. Elements: P-CSCF, I/S-CSCF, I-BCF/IWF, SPDF, C-BGF, I-BGF, access network (IP, BRAS, 3rd-party CP). Interfaces: COPS, Diameter, H.248. Note in figure: "Keep signaling NAT entries alive through the private COPS interface."]
Signaling plane
• Signaling packets pass through the BGF and the BGF performs only IP layer NAT for signaling packets.
• The P-CSCF notifies the BGF to perform NAT traversal on the signaling plane through the private COPS interface.
Media plane
• The SPDF (RM9000) controls the BGF through the Ia interface to deal with media streams.
• NAT traversal on the media plane is performed by the BGF.
[Figure: signaling NAT traversal. INVITE and 200 OK between the terminal, NAT/FW, SBC and IMS core network, with the source IP, destination IP and SDP address/port shown at each hop]
[Figure: media NAT traversal. RTP between Terminal 1, NAT/FW, SBC and Terminal 2, with the source IP, source port, destination IP and destination port shown at each hop; RTP addressed to the unreachable private network address is dropped]
Signaling still needs to pass the SBC.
Media implements interworking bypassing the SBC.
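[Figure: layered attack defense. Application layer: overload protection / call admission control, anti-signaling flooding. IP layer: IPSec, TLS, IP layer firewall (static packet filtering, dynamic packet filtering). Media: media firewall pinhole]
Hierarchical attack defense provides security assurance for carrier-class services.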
[Figure: SE2600 attack defense. Labels: valid user, zombie, attack media packet, bandwidth embezzlement prevention (CAR), topology hiding, ACL/packet filtering, IP layer attack defense, CAC]
Topology hiding
The SE2600, deployed between the terminal and the Softswitch, can hide the
topology of the Softswitch in the core network from the terminal. Deployed
between Softswitches, the SE2600 can also hide the topology of each Softswitch
from the other.
[Figure: networking reliability. Labels: switching network, pool, Site 1 to Site n, Core1 to Core3, A-SBC, 3G SBC, GGSN, IP backbone network, xDSL, BRAS]
Interface binding
Interface binding refers to binding multiple physical interfaces into a logical interface.
When one interface is faulty, services can be switched to other interfaces immediately.
OSPF dynamic routing can improve link reliability. In the presence of multiple links, if
one link is faulty, OSPF can help reselect an available link through recalculation, thus
improving the networking reliability.
Usually OSPF convergence is complete within seconds, which cannot meet the
requirements of real-time services. Therefore, OSPF over BFD and static route over
BFD are introduced. When a link is faulty, rerouting can be completed in a short time.
Consequently, real-time services are not affected.
Supports session-based QoS and provides different QoS marks for different users.
Supports session-based CAR and bandwidth reservation to guarantee bandwidth for each
call.
Provides the packet loss rate, packet loss number, jitter, media type, and number of
forwarded RTP packets and bytes of the caller and the callee.
[Figure: SBC between Network A (GK/GW, H.323 signaling) and a SIP server (SIP signaling); signaling and media streams are shown]
Item Value
Number of registered users 600 K
CAPS/BHCA 2400 CAPS/ 8.6 M BHCA
The SE2600 can perform local management through command lines, Telnet,
and SSH. The NMS can perform alarm management over the SE2600:
Configuration
Upgrade and maintenance
NMS
Configuration: The configuration of the SE2600 is very simple: a total of 50 or
60 command lines need to be configured. Through the Console interface or Telnet,
you can easily manage the SE2600. For security, you can
use SSH-based Telnet to configure the SE2600.
Upgrade and maintenance: The SE2600 supports the version upgrade by FTP or
SFTP. In addition, the SE2600 supports the lossless upgrade in 1+1 hot backup
mode. That is, the backup board is upgraded, services are switched from the
master board to the backup board, and then the master board is upgraded. The
SE2600 also supports user-based debugging, which has detailed logs, alarms,
and the black box for routine maintenance and fault location.
NMS: The SE2600 can be connected with the NMS through SNMPv1/v2/v3 and
report alarms.
[Figure: SBC networking. Labels: 3G, GGSN, xDSL, BRAS, IMS core network, Router1, Router2, SBC (LPU, LPU, SPU, SPU), uplink, downlink, standby downlink]
The I-SBC delivers functional entities such as the I-BCF, I-BGF, and IWF. These
functional entities are physically co-located but logically separated.
The SE2600 is the transfer point for signaling protocols. All signaling packets between
the two networks pass through the SE2600 to implement functions such as CAC.
IWF
• The SE2600 supports interworking between the SIP network and the H.323 network.
• The SE2600 supports interworking between the NGN SIP network and the IMS SIP network.
TrGw
• The SE2600 supports the switching of signaling and media streams between different networks.
• One SE2600 can be partitioned into several A-SBCs to provide services for different subnets or
access networks.
• The multi-subnet functional entity of the SE2600 is implemented through the virtual NE technology.
The LPU has physical interfaces. The configurations of the interface addresses
on the SE2600 are the same as those on the SE2300.
The SPU is responsible for processing services. It provides logical interfaces
only.
The logical interfaces of the SPU consist of signaling interfaces and physical
interfaces.
The functional entity, in nature, is a logical SBC. Each functional entity consists
of one or more processing units.
One processing unit, in nature, is a multi-core CPU. One SPU has two
processing units.
Mapping groups on the SE2600 are the same as those on the SE2300.
Both upstream traffic and downstream traffic pass through the LPU. Therefore, the LPU is usually
assigned two IP addresses.
Interface IP addresses on the LPU can be assigned in either of the following modes:
Configuring the physical interface
When the device traffic is smaller than 2 Gbit/s or the interconnected device does not support
the trunk, the physical interface needs to be configured.
interface GigabitEthernet1/0/0
ip address 202.10.0.2 255.255.255.0
Each SPU has two processing units. For example, two processing units on SPU 3 are 3/0 and 3/1.
Each processing unit can be divided into 32 interfaces, such as 3/0/0, 3/0/1, and 3/0/31.
The interfaces used for transmitting signaling packets and media packets have separate names,
such as Signal-if 3/0/0 and Media-if 3/0/0.
Only one board needs to be configured between the two boards in master/slave mode. For
example, only the boards in slots 3, 5, and 7 need to be configured.
For example:
interface Signal-if3/0/0
ip address 202.10.0.20 255.255.255.255
interface Media-if3/0/0
The functional entity works in two modes: proxy and interworking gateway.
The functional entity contains at least one processing unit and can contain all processing units.
Each processing unit, however, cannot belong to two or more functional entities.
A dispatch processing unit needs to be specified in each functional entity.
Each processing unit belongs to a certain functional entity and accordingly the IP address of this
processing unit also belongs to this functional entity.
For example:
# Configure functional entity 2.
sbc function-entity 2
# Configure the operating mode as the I-SBC.
mode ip-intercom
# Configure 3/0 as the dispatch processing unit
include dispatch process-unit 3/0
# Add 3/1 and 5/0 together with 3/0 to functional entity 2. Thus, 3/0 can process services
in addition to dispatching services. When the system is at full load, the dispatch
processing unit is not supposed to process services.
include process-unit 3/1
include process-unit 5/0
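An added Python example (not from the original slides and not a Huawei tool) that checks a configuration against the rules listed above: every functional entity has at least one processing unit and a dispatch processing unit, and no processing unit belongs to two entities. It uses only the command forms shown in the example above; functional entity 3 in the sample is constructed to break the rules.

```python
import re
from collections import defaultdict

# Constructed configuration. Entity 2 follows the example on this page;
# entity 3 is hypothetical and violates two of the rules on purpose.
SAMPLE_CONFIG = """\
sbc function-entity 2
 mode ip-intercom
 include dispatch process-unit 3/0
 include process-unit 3/1
 include process-unit 5/0
sbc function-entity 3
 include process-unit 3/1
 include process-unit 7/0
"""

ENTITY = re.compile(r"^sbc function-entity (\d+)$")
INCLUDE = re.compile(r"^include (dispatch )?process-unit (\d+/\d+)$")

def parse_entities(text):
    """Return {entity_id: {"dispatch": [units], "units": [units]}}."""
    entities, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        m = ENTITY.match(line)
        if m:
            current = entities.setdefault(
                int(m.group(1)), {"dispatch": [], "units": []})
            continue
        m = INCLUDE.match(line)
        if m and current is not None:
            # The dispatch unit is also a member of the entity.
            current["units"].append(m.group(2))
            if m.group(1):
                current["dispatch"].append(m.group(2))
    return entities

def check_entities(entities):
    """Return a sorted list of rule violations."""
    problems, owners = [], defaultdict(set)
    for eid, ent in entities.items():
        if not ent["units"]:
            problems.append(f"entity {eid}: no processing unit")
        if not ent["dispatch"]:
            problems.append(f"entity {eid}: no dispatch processing unit")
        for unit in ent["units"]:
            owners[unit].add(eid)
    for unit, eids in owners.items():
        if len(eids) > 1:
            problems.append(f"unit {unit}: shared by entities {sorted(eids)}")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check_entities(parse_entities(SAMPLE_CONFIG)):
        print(problem)
```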
All services are interrupted probably because the SE2600 is faulty, the peripheral device is
faulty, or the link between the SE2600 and the peripheral device is faulty. Do as follows to check
the fault:
1. Log in to the SE2600 and then run display device to check the status of boards.
2. Run display ip interface brief to check whether the link state of the SE2600 interfaces is
normal.
3. Check whether the routes between the SE2600 and its neighboring devices are connected
normally. The specific method is to use the address on the specified Signal-if interface as
the source address to ping the neighboring router and core network device, such as the
I-CSCF and the SoftX3000. If the ping operation fails, it indicates that the route fails. In this
case, check whether the neighboring device works normally.
4. Run display cpu-usage slot board-number to check whether the CPU usage of the SPU
is too high.
5. Run display sbc defend signaling-flood state to check whether the SE2600 is under
attack.
6. If all the preceding check items are normal, contact Huawei technical engineers. The same
applies to the procedures for collecting information and resetting boards.
In proxy mode, user registration failures have several causes. The following are common scenarios and
solutions:
After services have run for a period of time, all newly initiated registration requests fail. In this case, rectify the fault by
referring to the handling method in All Service Interruption.
During the deployment, commissioning engineers find user registration failures. This is probably caused by incorrect
configurations. In this case, locate the fault according to error codes in the Deployment and Commissioning Guide.
Error codes define several typical configuration errors, which helps directly locate the incorrect configuration.
In the case of the registration failure of a single user or several users, use the signaling trace function. During the
signaling trace, contents of SIP packets are displayed. Perform the preliminary fault location according to
displayed packet contents to check whether the response packet sent by the Softswitch is the 200 OK packet. If
the fault cannot be located, provide trace information for Huawei R&D personnel. The specific operations in the
signaling trace are as follows:
1. In the hidden view, run sbc trace enable to enable the signaling trace function.
2. Run sbc trace id 0 srcip <IP address of the terminal> srcport <port number of the terminal> to configure the trace
target.
3. In the user view, run terminal debugging to enable the debugging function.
4. After a user initiates the registration request, relevant information is displayed.
5. In the user view, run undo terminal debugging to disable the terminal debugging.
6. In the hidden view, run undo sbc trace all to delete the trace target.
7. In the hidden view, run undo sbc trace enable to disable the signaling trace function.
Perform the preliminary fault location according to error codes. For the details
about how to use call error codes, see the Deployment and Commissioning
Guide.
If the fault cannot be located, contact Huawei R&D personnel. Information
collection here is the same as that in board resetting.
After the signaling connection is set up, run display sbc rtp-session count to
view the number of session tables and to check whether sessions are set up
correctly.
If the session of a single user is different, run display sbc sip ccb name *** in
the hidden view to view the call CCB and session table by user name.
Hardware platform | NE20 (in centralized mode) | NE40E (in distributed mode) |
Application mode | 1. NGN: acting as a proxy device and an interworking gateway; 2. IMS 6.0: acting as a proxy device and providing the standard Ia interface | 1. IMS: acting as both the A-SBC and I-SBC; 2. NGN: acting as a proxy device and an interworking gateway |
Number of registered users | 50 K | 600 K |
Number of concurrent calls | 7 K | 60 K |
CAPS | NGN: 150; IMS: 50 | 2,400 |
BHCA | NGN: 540 K; IMS: 180 K | 8610 K |
C-BGF/I-BGF | Support | Support | The SE2600 does not support the BGF with the distributed architecture and does not provide the Ia interface.
I-BCF | Not support | Support |