When CUCM servers and IP Phones need to connect to the Internet, Cisco Unified Border
Element can be used as an application proxy. When used in this way, Cisco Unified
Border Element splits off-net calls into two separate call legs: one inside the CUCM
cluster and one outside the cluster in the PSTN. Cisco Unified Border Element also
features signaling interworking from SIP to SIP, SIP to H.323, H.323 to SIP, and
H.323 to H.323.
NOTE: Cisco Unified Border Element (CUBE) used to be called Cisco Multiservice
IP-to-IP Gateway.
The Cisco Unified Border Element can function in two modes:
• Flow-around: In this mode, only signaling is intercepted by Cisco Unified Border
Element. Media exchange occurs directly between endpoints (and flows around Cisco
Unified Border Element). Only signaling devices (CUCM) are hidden from the outside.
• Flow-through: In this mode, signaling and media streams are both intercepted by
Cisco Unified Border Element (flowing through Cisco Unified Border Element). Both
CUCM and IP Phones are hidden from the outside.
In flow-through mode, only Cisco Unified Border Element needs to have a public IP address,
so NAT and security issues for internal devices (CUCM servers and IP Phones) are solved.
Because Cisco Unified Border Element is exposed to the outside, it should be hardened
against attacks.
Cisco Unified Border Element in Flow-Through Mode
In Figure 2-18, CUCM has a private IP address of 10.1.1.1, and the Cisco IP Phone has
a private IP address of 10.2.1.5 with a subnet mask of 255.0.0.0. A Cisco Unified Border
Element connects the CUCM cluster to the outside world—in this case, to an Internet
telephony service provider (ITSP). The Cisco Unified Border Element is configured in
flow-through mode and uses an internal private IP address of 10.3.1.1 and an external public
IP address of A.
Figure 2-18 Cisco Unified Border Element in Flow-Through Mode
When CUCM wants to signal calls to the ITSP, it does not send the packets to the IP address
of the ITSP (IP address B). Instead, it sends them to the internal IP address of the Cisco
Unified Border Element (10.3.1.1) via a SIP trunk configuration. Cisco Unified Border
Element then establishes a second call leg to the ITSP using its public IP address A as the
source and IP address B (ITSP) as the destination. As soon as the call is set up, the Cisco
Unified Border Element terminates RTP toward the ITSP using its public IP address and
sends the received RTP packets to the internal IP Phone using its internal IP address.
This solution allows CUCM and IP Phones to communicate only with the internal, private
IP address of the Cisco Unified Border Element. The only IP address visible to the ITSP
or anyone sniffing traffic on the outside is the public IP address of Cisco Unified Border
Element.
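To check that claim on a deployment, the following added example (not part of the original text, and not Cisco code) scans a SIP message captured on the outside interface and reports any header or SDP line that still carries an internal address. The function name and the sample messages are assumptions; 203.0.113.10 and 198.51.100.20 are constructed stand-ins for public address A and ITSP address B.

```python
import ipaddress
import re

# RFC 1918 ranges; the internal devices in the example above all sit in 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def leaked_internal_addresses(sip_message):
    """Return sorted (field, address) pairs where an internal IPv4 address appears."""
    leaks = set()
    for line in sip_message.splitlines():
        # SIP headers look like "Name: value"; SDP lines look like "x=value".
        m = re.match(r"([A-Za-z-]+):|([a-z])=", line)
        field = (m.group(1) or m.group(2) + "=") if m else "start-line"
        for text in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # dotted number that is not a valid address
            if any(addr in net for net in INTERNAL_NETS):
                leaks.add((field, text))
    return sorted(leaks)

# Constructed INVITEs as they would appear on the outside interface.
# Signaling is proxied in both; only the SDP connection (c=) line differs.
HEAD = ("INVITE sip:15550100@198.51.100.20 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776\r\n"
        "Contact: <sip:15550123@203.0.113.10:5060>\r\n"
        "Content-Type: application/sdp\r\n\r\n"
        "v=0\r\no=CUBE 2890 1 IN IP4 203.0.113.10\r\ns=SIP Call\r\n")
TAIL = "t=0 0\r\nm=audio 16384 RTP/AVP 0\r\n"
FLOW_AROUND = HEAD + "c=IN IP4 10.2.1.5\r\n" + TAIL      # media bypasses the border element
FLOW_THROUGH = HEAD + "c=IN IP4 203.0.113.10\r\n" + TAIL  # media terminated on the border element

if __name__ == "__main__":
    print("flow-around :", leaked_internal_addresses(FLOW_AROUND))
    print("flow-through:", leaked_internal_addresses(FLOW_THROUGH))
```

Run against real captures from the outside interface, an empty result is the expected outcome for flow-through mode; any hit names the field that still exposes an internal device.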