Overview
The SIP Binding feature enables you to configure a source IP address for signaling packets and media packets.
When you configure SIP on a router, the SIP listening ports are open on all of its interfaces by default. This leaves the router exposed to attackers who can commit toll fraud through the gateway if the router has a public IP address and a public switched telephone network (PSTN) connection. To remove that exposure, bind SIP to an interface and its IP address so that the SIP ports are open only on that interface. In addition, protect any public or untrusted interface with a firewall or an Access Control List (ACL) so that unwanted traffic cannot traverse the router.
Note: All Cisco Unified Border Element (CUBE) Enterprise deployments must have signaling and media bind statements specified at the dial-peer or voice class tenant level. For voice class tenants, you must apply the tenant to any dial-peer used for CUBE call flows that does not have its own bind statements.
Feature Information
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Feature Name | Releases | Feature Information |
|---|---|---|
| Support of Live Binding at dial-peers | Cisco IOS XE Amsterdam 17.3.1 | This feature allows you to change or add a binding on a dial-peer that has no active calls while other dial-peers with the same binding do have active calls. The following command was introduced or modified: voice-class sip bind all. |
Benefits of SIP Binding
- SIP signaling and media paths can advertise the same source IP address on the gateway for certain applications, even if the paths used different addresses to reach the source. This removes the ambiguity for firewalls that, before binding was used, may have acted on packets according to their source address.
- Firewalls filter messages based on variables such as the message source, the target address, and the available ports. Normally a firewall opens only certain address and port combinations to the outside world, and those addresses can change dynamically. Because VoIP requires more than one address and port combination, the bind command adds flexibility by assigning the gateway to a specific interface (and therefore its associated address) for the signaling or media application.
- You can define a specific interface for both signaling and media traffic. The benefits of this administrator control are:
  - Administrators know which traffic runs on specific networks, which makes debugging easier.
  - Administrators know the capacity of the network and the target traffic, which makes engineering and planning easier.
  - Traffic is controlled, which allows Quality of Service (QoS) to be monitored.
Source Address
The order of preference for retrieving the SIP signaling and media source address for inbound and outbound calls is as follows:
1. Bind configuration at the dial peer level
2. Bind configuration at the tenant level
3. Bind configuration at the global level
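The following IOS XE configuration is an added example and is not taken from this Cisco document. It shows a binding at each of the three levels listed above, so the precedence rule can be seen on one box, together with the ACL on the untrusted interface that the Overview recommends. The interface names, IP addresses (from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24), tenant and dial-peer numbers, and the RTP port range in the ACL are all constructed placeholders and must be replaced with the values in use on your platform.

```cisco
! Added example, not from the Cisco document. Interface names, addresses,
! tenant and dial-peer numbers and the RTP range are constructed placeholders.
!
! Global level (lowest precedence): default source for SIP signaling and media.
voice service voip
 sip
  bind control source-interface GigabitEthernet0/0/1
  bind media source-interface GigabitEthernet0/0/1
!
! Tenant level (overrides global): trunk-facing tenant bound to the outside interface.
voice class tenant 100
  bind control source-interface GigabitEthernet0/0/0
  bind media source-interface GigabitEthernet0/0/0
!
! Dial-peer level (highest precedence): wins over both the tenant and the global binding.
dial-peer voice 200 voip
 description Outbound to ITSP trunk
 destination-pattern 9T
 session protocol sipv2
 session target ipv4:203.0.113.10
 voice-class sip tenant 100
 voice-class sip bind all source-interface GigabitEthernet0/0/0
 codec g711ulaw
 dtmf-relay rtp-nte
 no vad
!
! Only the provider (constructed address 203.0.113.10) may reach the SIP and RTP
! ports on the bound outside address; everything else is dropped and logged.
ip access-list extended SIP-TRUNK-IN
 permit udp host 203.0.113.10 host 198.51.100.2 eq 5060
 permit tcp host 203.0.113.10 host 198.51.100.2 eq 5061
 permit udp host 203.0.113.10 host 198.51.100.2 range 16384 32767
 deny   ip any any log
!
interface GigabitEthernet0/0/0
 description Untrusted, ITSP facing
 ip address 198.51.100.2 255.255.255.252
 ip access-group SIP-TRUNK-IN in
!
interface GigabitEthernet0/0/1
 description Trusted, inside toward the call agent
 ip address 10.10.10.1 255.255.255.0
!
! Confirm which addresses SIP is actually bound to after the change:
!  show sip-ua status
```

With this configuration, calls through dial-peer 200 source signaling and media from GigabitEthernet0/0/0 because of the dial-peer binding; a dial-peer that references tenant 100 but carries no bind of its own falls back to the tenant's binding, and a dial-peer with neither falls back to the global binding on GigabitEthernet0/0/1. Because a bind on a dial-peer with active calls is rejected, as the tables that follow describe, apply the dial-peer and tenant bind statements while the affected dial-peers are idle.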
The bind command performs different functions depending on the state of the interface. The table below describes the state of the system when the bind command is applied at the global or dial peer level.
| Interface State | Result Using Bind Command |
|---|---|
| Shut down, with or without active calls | TCP, TLS, and User Datagram Protocol (UDP) socket listeners are initially closed. (Socket listeners receive datagrams that are addressed to the socket.) Then the sockets are opened to listen on any IP address. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| No shut down, no active calls | TCP, TLS, and UDP socket listeners are initially closed. (Socket listeners receive datagrams that are addressed to the socket.) Then the sockets are opened and bound to the IP address set by the bind command. The sockets accept packets destined for the bound address only. The dial peer bind socket listeners of the interface are reopened and the configuration becomes active for all subsequent SIP messages. |
| No shut down, active calls | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened to listen on any IP address. The dial peer bind socket listeners of the interface are reopened and the configuration becomes active for all subsequent SIP messages. |
| Bound-interface IP address is removed | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened to listen on any address, because the IP address has been removed. This happens even when SIP was never bound to an IP address. A message stating that the IP address has been deleted from the SIP bound interface is printed. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| The physical cable is pulled on the bound port, or the interface layer is down | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened and bound to listen on any address. When the pulled cable is replaced, the result is as documented for interfaces that are not shut down. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| A bind interface is shut down, its IP address is changed, or the physical cable is pulled while SIP calls are active | The call becomes a one-way call with media flowing in only one direction: from the gateway where the change or shutdown took place to the gateway where no change occurred. Thus the gateway with the status change no longer receives media. The call is then disconnected, but the disconnect message is not understood by the gateway with the status change, which still assumes the call is active. If the bind interface is shut down, the dial peer bind socket listeners of the interface are closed. If the IP address of the interface is changed, the socket listeners representing the bind command are opened with the available IP address of the interface and the configuration becomes active for all subsequent SIP messages. |
Note: If there are active calls, the bind command does not take effect, whether it is issued for the first time or another bind command is already in effect. A message reminds you that there are active calls and that the change cannot take effect.
The bind command that is applied at the dial peer level can be modified only in the following situations:
Voice Media Stream Processing
If multiple bind commands are issued in sequence (that is, one bind command is configured and then another bind command is configured), the commands interact in a defined way. The table below describes the expected command behavior.
| Interface State | bind Command | Result Using bind Command |
|---|---|---|
| Without active calls | bind all | Generates bind control and bind media commands that override the existing bind control and bind media commands. |
| Without active calls | bind control | Overrides the existing bind control command. |
| Without active calls | bind media | Overrides the existing bind media command. |
| With active calls | bind all or bind control or bind media | Global configuration: blocks the command, and the following error message appears: |
| With active calls | bind all or bind control or bind media | Dial-peer configuration: you cannot apply a bind or no bind command to a dial-peer that is processing active calls. Blocks the command, and the following error message appears: |
Consider the following scenarios for attaching a tenant to a dial-peer that is processing active calls:
- You can attach a tenant to the dial-peer when the dial-peer has a bind command (bind control or bind all) enabled.
- You cannot attach a tenant to the dial-peer when the dial-peer has no bind command or only a bind media command enabled and the tenant has a bind control or bind all command enabled.
Consider the following scenarios for changing the bind configuration on a tenant when the tenant is attached to a dial-peer that is processing active calls:
- You can change the bind configuration on the tenant when the associated dial-peer has a bind command (bind control or bind all) enabled, because the dial-peer bind configuration takes precedence over the tenant bind configuration.
- You cannot change the bind configuration on the tenant when the associated dial-peer has no bind command or only a bind media command enabled and the tenant has a bind control or bind all command enabled.
The bind all and bind control commands perform different functions based on the state of the interface.
Note: The bind all command applies to the global and dial peer levels. The table below applies to bind media only if the media interface is the same as the bind control interface. If the two interfaces are different, media behavior is independent of the interface state.
| Interface State | Result Using bind all or bind control Commands |
|---|---|
| Shut down, with or without active calls | TCP, TLS, and UDP socket listeners are initially closed. (Socket listeners receive datagrams that are addressed to the socket.) Then the sockets are opened to listen on any IP address. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| Not shut down, without active calls | TCP, TLS, and UDP socket listeners are initially closed. (Socket listeners receive datagrams addressed to the socket.) Then the sockets are opened and bound to the IP address set by the bind command. The sockets accept packets that are destined for the bound address only. The dial peer bind socket listeners of the interface are reopened and the configuration becomes active for all subsequent SIP messages. |
| Not shut down, with active calls | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened to listen on any IP address. The dial peer bind socket listeners of the interface are reopened and the configuration becomes active for all subsequent SIP messages. |
| Bound interface's IP address is removed | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened to listen on any address because the IP address is removed. A message is printed that states the IP address has been deleted from the bound SIP interface. If the outgoing gateway has the bind command enabled and has an active call, the call becomes a one-way call with media flowing from the outgoing gateway to the terminating gateway. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| The physical cable is pulled on the bound port, or the interface layer goes down | TCP, TLS, and UDP socket listeners are initially closed. Then the sockets are opened and bound to listen on any address. When the pulled cable is replaced, the result is as documented for interfaces that are not shut down. The dial peer bind socket listeners of the interface are closed and the configuration becomes inactive for all subsequent SIP messages. |
| A bind interface is shut down, its IP address is changed, or the physical cable is pulled while SIP calls are active | The call becomes a one-way call with media flowing in only one direction: from the gateway where the change or shutdown took place to the gateway where no change occurred. Thus the gateway with the status change no longer receives media. The call is then disconnected, but the disconnect message is not understood by the gateway with the status change, which still assumes the call is active. If the bind interface is shut down, the dial peer bind socket listeners of the interface are closed. If the IP address of the interface is changed, the socket listeners representing the bind command are opened with the available IP address of the interface and the configuration becomes active for all subsequent SIP messages. |