Implementing SBC Multi-VRF

Transcription

1 10 CHAPTER The Session Border Controller (SBC) provides support for multi-vrf (VPN routing and forwarding) on customer edge (CE) devices. This feature provides the capability of suppressing provider edge (PE) checks to prevent loops when the PE is performing a mutual redistribution of packets. Note VRF is only supported in DBE media address and SBE AAA/H248 control address; DBE H248 control address does not support VRF. Note For ACE SBC Release and later releases, this feature is supported in both the unified model and the distributed model. For a complete description of commands used in this chapter, refer to Chapter 39, Cisco Session Border Controller Commands. To locate documentation for other commands that appear in this chapter, use the command reference master index, or search online. Feature History for Release Modification ACE SBC Release Added support for VRF-Aware DNS Query. ACE SBC Release Added support for SBC unified model. The following sections were added: Configuring Multi-VRF Associating an H.323 Adjacency with a VRF Associating a SIP Adjacency with a VRF ACE SBC Release This feature was introduced on the Cisco 7600 series router. Contents This module contains the following sections: Prerequisites Implementing Multi-VRF, page 10-2 Information About Implementing Multi-VRF, page 10-2 Implementing Multi-VRF, page

2 Prerequisites Implementing Multi-VRF Chapter 10 Configuration Examples for Implementing Multi-VRF, page Prerequisites Implementing Multi-VRF The following prerequisites are required to implement SBC multi-vrf: On the Application Control Engine Module (ACE), you must be an Admin user to enter SBC commands. For more information, see the Application Control Engine Module Administration Guide at: on/administration/guide/admgd.html Before implementing multi-vrf, the SBC must already be created. See the procedures described in Chapter 2, ACE Configuration Prerequisites for the SBC. Information About Implementing Multi-VRF The SBC support for multi-vrf on customer edge (CE) devices (that is, customer premises routers) feature provides the capability of suppressing PE checks that are needed to prevent loops when the PE is performing a mutual redistribution of packets. Multi-VRF allows for the use of only one router to accomplish the tasks that multiple routers usually perform. It runs on a network without the requirement of MPLS and BGP installed. When VRF is used on a router that is not a PE, the checks can be turned off to allow for correct population of the VRF routing table with routes to IP prefixes. Multi-VRF is also important because virtual private network (VPN) functionality is not completely supported on low-end systems. Multi-VRF provides logical separation of routing instances (and by the implication address space) within one router. The following summarizes the features of multi-vrf: Allows a single physical router to be split into multiple virtual routers, where each router contains its own set of interfaces, routing table, and forwarding table. SBC supports multiple (overlapping and independent) routing tables (addressing) per customer. Virtual routing contexts are used to separate routing domains within a single router. Multi-VRF can be used where multiple routers are required but only one is available. One physical interface can belong to multiple virtual routers through the usage of subinterfaces (Frame Relay, ATM, VLANs). BGP and MPLS are not used. No connectivity is provided between VRFs (would require using BGP for internal exporting and importing between VRFs). When a call is placed between two endpoints in the same VPN site, SBC can route the media directly between them, to reduce network utilization. Multi-VRF on SBC provides optimization where both endpoints are on the same VPN, by turning media bypass on. For ACE SBC Release , by default, all adjacencies on the same VPN have media bypass turned on. Media bypass can be turned off by using the media-bypass-forbid command (this command is implemented for CAC policies only). 10-2

3 Chapter 10 Implementing Multi-VRF Note The VRF name under the adjacency must match the context name. VRF-Aware DNS Query This feature allows the SBC to query DNS per VRF. Before ACE SBC Release 3.0.1, all DNS queries were performed within the Admin context; this feature allows DNS queries to be performed on a per-context basis. Implementing Multi-VRF Implementing SBC multi-vrf is described in the following sections: Configuring Multi-VRF, page 10-3 Associating a SIP Adjacency with a VRF, page Configuring DBE with VRF Distributed Model Only, page Configuring Multi-VRF SUMMARY STEPS This task configures the router with the SBC running in multi-vrf mode in unified deployment mode. Note the relationship between the interface and SBC s service virtual interface (SVI), adjacency, and data border element (DBE) media-address as required. 1. configure 2. context vrf 3. allocate-interface 4. exit 5. ft peer 6. heartbeat interval 7. heartbeat count 8. ft-interface vlan 9. exit 10. ft group 11. peer 12. priority 13. peer priority 14. associate-context 15. inservice 16. ft group 10-3

4 Implementing Multi-VRF Chapter peer 18. priority 19. peer priority 20. associate-context 21. inservice 22. exit 23. exit 24. changeto 25. configure 26. interface vlan 27. ip address 28. alias 29. peer ip address 30. no shutdown DETAILED STEPS Step 1 configure Enter ACE module configuration mode. Step 2 Step 3 Step 4 host1/admin# configure host1/admin(config)# context host1/admin(config)# context my_vrf1 allocate-interface vlan host1/admin(config-context)# allocate-interface vlan 100 exit Creates a context. Note The vrf name under the adjacency must match the context name. The example creates a new context my_vrf1. Allocates VLAN 100 to context my_vrf1 to allow the context to receive the traffic classified for VLAN 100. Exit from config-context mode. Step 5 host1/admin(config)# exit ft peer host1/admin(config)# ft peer 1 host1/admin(config-ft-peer)# Configures an FT peer and accesses FT peer configuration mode. 10-4

5 Chapter 10 Implementing Multi-VRF Step 6 Step 7 Step 8 heartbeat interval frequency host1/admin(config-ft-peer)# heartbeat interval 100 heartbeat count number host1/admin(config-ft-peer)# heartbeat count 10 ft-interfac vlan vlan_id Configures the heartbeat interval for verification timing between active and standby FT peers. Configures the heartbeat count for verification timing between active and standby FT peers. Associates an existing FT VLAN with a peer. Step 9 host1/admin(config-ft-peer)# ft-interface vlan 99 exit Exit from config-ft-peer mode. Step 10 host1/admin(config)# exit ft group Configures ft group 1 with the default (Admin) context. Step 11 host1/admin(config)# ft group 1 host1/admin(config-ft-group)# peer Associates a peer ACE with an FT group. Step 12 host1/admin(config-ft-group)# peer 1 priority Configures the priority of the active group member. Step 13 Step 14 host1/admin(config-ft-group)# priority 150 peer priority host1/admin(config-ft-group)# peer priority 50 associate-context Configures the priority of an FT group on the remote standby member. Associates a context with an FT group. Step 15 host1/admin(config-ft-group)# associate-context my_vrf1 inservice Places an FT group in service. host1/admin(config-ft-group)# inservice 10-5

6 Implementing Multi-VRF Chapter 10 Step 16 ft group Configures another ft group with non-admin context. Step 17 host1/admin(config)# ft group 2 host1/admin(config-ft-group)# peer Associates a peer ACE with an FT group. Step 18 host1/admin(config-ft-group)# peer 1 priority Configures the priority of the active group member. Step 19 Step 20 host1/admin(config-ft-group)# priority 150 peer priority host1/admin(config-ft-group)# peer priority 50 associate-context Configures the priority of an FT group on the remote standby member. Associates a context with an FT group. Step 21 host1/admin(config-ft-group)# associate-context my_vrf1 inservice Places an FT group in service. Step 22 host1/admin(config-ft-group)# inservice exit Exit from config-ft-group mode. Step 23 host1/admin(config-ft-group)# exit exit Exit from config mode. Step 24 host1/admin(config)# exit changeto Moves from one context on the ACE to another context. Step 25 host1/admin# changeto my_vrf1 Router/vrf1# configure Enter configuration mode of context my_vrf1. host1/my_vrf1# configure host1/(config)# 10-6

7 Chapter 10 Implementing Multi-VRF Step 26 Step 27 interface vlan host1/vrf1(config)# interface vlan 100 ip address Creates a VLAN interface. The example creates an SVI using VLAN 100.The VLAN was assigned to this context from the Admin context in Step 3. Assigns an IP address to a VLAN interface. Step 28 Step 29 Step 30 host1/vrf1(config-if)# ip address alias host1/vrf1(config-if)# alias peer ip address host1/vrf1(config-if)# peer ip address no shutdown Configures an IP address that floats between active and standby modules for a VLAN interface. Configures the IP address of a standby module for the VLAN interface. Enables an interface for use. host1/my_vrf1(config-if)# no shutdown Configuring a VRF-Aware DNS Query This task configures a DNS query for a VRF. SUMMARY STEPS 1. configure 2. context vrf 3. allocate-interface vlan 4. exit 5. sbc sbc-name 6. sbe 7. sip dns 8. cache-lifetime cache-limit exit 11. adjacency sip adjacency-name 12. vrf vrf_name 10-7

8 Implementing Multi-VRF Chapter exit 14. exit 15. exit 16. exit 17. changeto context_name 18. configure 19. ip domain-lookup 20. ip domain-name 21. ip name-server DETAILED STEPS Step 1 configure Enter ACE module configuration mode. Step 2 Step 3 Step 4 host1/admin# configure context host1/admin(config)# context my_vrf1 allocate-interface vlan host1/admin(config-context)# allocate-interface vlan 100 exit Creates a context. Note The vrf name under the adjacency must match the context name. The example creates a new context my_vrf1. Allocates VLAN 100 to context my_vrf1 to allow the context to receive the traffic classified for VLAN 100. Exits the current mode. Step 5 Step 6 Step 7 host1/admin(config)# exit sbc sbc-name host1/admin(config)# sbc mysbc sbe host1/admin(config-sbc)# sbe sip dns Creates the SBC service on the SBC and enters into SBC configuration mode. Creates the SBE service on an SBC and enters into the SBC-SBE configuration mode. Enters the SIP DNS configuration mode. host1/admin(config-sbc-sbe)# sip dns 10-8

9 Chapter 10 Implementing Multi-VRF Step 8 cache-lifetime host1/admin(config-sbe-dns)# cache-lifetime 444 Step 9 cache-limit Step 10 host1/admin(config-sbe-dns)# cache-limit 14 exit Configures the lifetime of any DNS entries in the DNS cache. Configures the maximum number of entries that are permitted in the DNS cache. Exits the current mode. Step 11 host1/admin(config-sbe-dns)# exit adjacency sip adjacency-name Configures an adjacency for an SBC service. Step 12 host1/admin(config-sbc-sbe)# vrf vpn3 vrf vrf_name Configures a SIP adjacency tied to a specific VPN. Step 13 host1/admin(config-sbc-sbe-adj-sip)# vrf vpn3 exit Exits the current mode. Step 14 host1/admin(config-sbc-sbe-adj-sip)# exit exit Exits the current mode. Step 15 host1/admin(config-sbc-sbe-adj)# exit exit Exits the current mode. Step 16 host1/admin(config-sbe)# exit exit Exits the current mode. Step 17 host1/admin(config)# exit changeto context_name Moves from one context on the ACE to another context. Step 18 host1/admin# changeto vrf120 configure Enters ACE module configuration mode. host1/admin# configure 10-9

10 Implementing Multi-VRF Chapter 10 Step 19 Step 20 ip domain-lookup host1/admin(config)# ip domain-lookup ip domain-name Enables the ACE module to perform a domain lookup (host-to-address translation) with a DNS server. Configures a default domain name. Step 21 host1/admin(config)# ip domain-name cisco.com ip name-server host1/admin(config)# ip name-server Configures a DNS name server on the ACE module. You can configure a maximum of three DNS name servers. Associating an H.323 Adjacency with a VRF This task associates an H.323 adjacency with a VPN. SUMMARY STEPS 1. adjacency h323 adjacency-name 2. vrf vrf_name 3. signaling-address ipv4 local_signaling_ip_address 4. signaling-port port_num 5. remote-address ipv4 remote_ip_address/prefix 6. signaling-peer [gk] peer_address 7. signaling-peer-port port_num 8. account account_name 9. media-bypass (Optional command) 10. media-bypass-forbid 11. attach DETAILED STEPS Step 1 adjacency h323 adjacency-name host1/admin(config-sbc-sbe)# adjacency h323 h323my_vrf1 host1/admin(config-sbc-sbe-adj-h323)# Enters the mode of an SBE H.323 adjacency. Use the adjacency-name argument to define the name of the service

11 Chapter 10 Implementing Multi-VRF Step 2 Step 3 vrf vrf_name host1/admin(config-sbc-sbe-adj-h323)# vrf my_vrf1 signaling-address ipv4 local_signaling_ip_address Ties an H.323 adjacency to a specific VPN. Note The vrf name under the adjacency must match the context name. Specifies the local IPv4 signaling address of the H.323 adjacency. Step 4 host1/admin(config-sbc-sbe-adj-h323)# signaling-address ipv signaling-port port_num Specifies the local signaling port of the H.323 adjacency. Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 host1/admin(config-sbc-sbe-adj-h323)# signaling-port 1720 remote-address ipv4 ipv4_ip_address/prefix host1/admin(config-sbc-sbe-adj-h323)# remote-address ipv signaling-peer [gk] peer_address host1/admin(config-sbc-sbe-adj-h323)# signaling-peer gk signaling-peer-port port_num host1/admin(config-sbc-sbe-adj-h323)# signaling-peer-port 1720 account account_name host1/admin(config-sbc-sbe-adj-h323)# account h323-vrf1 media-bypass host1/admin(config-sbc-sbe-adj-h323)# media-bypass media-bypass-forbid host1/admin(config-sbc-sbe-adj-h323)# media-bypass-forbid Restricts the set of remote signaling peers contacted over the adjacency to those with the given IP address prefix. Specifies the remote signaling peer for the H.323 adjacency to use. Specifies the remote signaling-peer port for the H.323 adjacency to use. Defines the H.323 adjacency as belonging to an account on an SBE. (Optional) Configure the adjacency to allow media traffic to bypass the DBE. This command is optional and will only work on one adjacency. Configures the H.323 adjacency to forbid media traffic to bypass the DBE. If this is not configured, media traffic for calls originating and terminating on this adjacency flows directly between the endpoints and does not pass through the DBE, as long as both adjacencies are on the same VPN

12 Implementing Multi-VRF Chapter 10 Step 11 attach Attaches the adjacency. host1/admin(config-sbc-sbe-adj-h323)# attach Associating a SIP Adjacency with a VRF This task associates a SIP adjacency with a VPN. SUMMARY STEPS 1. adjacency sip adjacency-name 2. vrf vrf_name 3. signaling-address ipv4 local_signaling_ip_address 4. signaling-port port_num 5. remote-address ipv4 local_signaling_ip_address/prefix 6. local-id host name 7. signaling-peer [gk] peer_address 8. signaling-peer-port port_num 9. account account-name 10. media-bypass (optional) 11. media-bypass-forbid 12. attach DETAILED STEPS Step 1 Step 2 adjacency sip adjacency-name host1/admin(config-sbc-sbe)# adjacency sip sip_vrf1 host1/admin(config-sbc-sbe-adj-sip)# vrf vrf_name host1/admin(config-sbc-sbe-adj-sip)# vrf my_vrf1 Enters the mode of an SBE SIP adjacency. Use the adjacency-name argument to define the name of the service. Ties an H.323 adjacency to a specific VPN. Note The vrf name under the adjacency must match the context name

13 Chapter 10 Implementing Multi-VRF Step 3 Step 4 signaling-address ipv4 ipv4_ip_address host1/admin(config-sbc-sbe-adj-sip)# signaling-address ipv signaling-port port_num Specifies the local IPv4 signaling address of the SIP adjacency. Specifies the local signaling port of the SIP adjacency. Step 5 Step 6 host1/admin(config-sbc-sbe-adj-sip)# signaling-port 5060 remote-address ipv4 remote_ip_address/prefix host1/admin(config-sbc-sbe-adj-sip)# remote-address ipv local-id host address Restricts the set of remote signaling peers contacted over the adjacency to those with the given IP address prefix. Configures the local identity name on a SIP adjacency. Step 7 Step 8 Step 9 Step 10 Step 11 host1/admin(config-sbc-sbe-adj-sip)# local-id host signaling-peer [gk] peer_address host1/admin(config-sbc-sbe-adj-sip)# signaling-peer signaling-peer-port port_num host1/admin(config-sbc-sbe-adj-sip)# signaling-peer-port 5060 account account_name host1/admin(config-sbc-sbe-adj-sip)# account sip-vrf1 media-bypass host1/admin(config-sbc-sbe-adj-sip)# media-bypass media-bypass-forbid host1/admin(config-sbc-sbe-adj-sip)# media-bypass-forbid Specifies the remote signaling peer for the SIP adjacency to use. Specifies the remote signaling-peer port for the SIP adjacency to use. Defines the SIP adjacency as belonging to an account on an SBE. (Optional) Configures the adjacency to allow media traffic to bypass the DBE. This command is optional and only works on one adjacency. Configures the SIP adjacency to forbid media traffic to bypass the DBE. If this is not configured, media traffic for calls originating and terminating on this adjacency flows directly between the endpoints and does not pass through the DBE, as long as both adjacencies are on the same VPN

14 Implementing Multi-VRF Chapter 10 Step 12 attach Attaches the adjacency. host1/admin(config-sbc-sbe-adj-sip)# attach Configuring DBE with VRF Distributed Model Only This task configures DBE with VRF in the distributed model. SUMMARY STEPS 1. configure 2. sbc sbc-name 3. dbe 4. vdbe global 5. unexpected-source-alerting 6. local-port abcd 7. control-address h248 ipv4 A.B.C.D 8. controller h248 controller-index 9. remote-address ipv4 remote-address 10. remote-port [port-num] 11. transport [udp tcp] 12. attach-controllers 13. media-address pool ipv4 A.B.C.D E.F.G.H vrf vrfname 14. media-timeout timeout 15. overload-time-threshold time 16. deact-mode 17. activate 10-14

15 Chapter 10 Implementing Multi-VRF DETAILED STEPS Step 1 configure Accesses the configuration mode. Step 2 Step 3 Step 4 host1/admin# configure sbc sbc-name host1/admin(config)# sbc mysbc dbe host1/admin(config-sbc)# dbe vdbe [global] Creates the SBC service on the SBC and enters into SBC configuration mode. Creates the DBE service on an SBC and enter into the SBC-DBE configuration mode. Enters into vdbe configuration submode. host1/admin(config-sbc-dbe)# vdbe Note In the initial release only one vdbe (the global vdbe) is supported. The vdbe name is not required. If specified, it must be global. Step 5 Step 6 unexpected-source-alerting host1/admin(config-sbc-dbe-vdbe-global)# unexpected-source-alerting local-port {abcd} Sets alerting for unexpected source addresses. The no form of this command removes alerting for any unexpected source addresses that are received. Configures a DBE to use a specific local port. Step 7 Step 8 Step 9 host1/admin(config-sbc-dbe)# local-port 5090 control-address h248 ipv4 A.B.C.D host1/admin(config-sbc-dbe)# control-address h248 ipv controller h248 controller-index host1/admin(config-sbc-dbe)# controller h248 1 remote-address ipv4 remote-address Configures a DBE to use a specific IPv4 H.248 control address. Identifies the H.248 controller for the DBE and enters into Controller H.248 configuration mode. Configures the IPv4 remote address of the H.248 controller. host1/admin(config-sbc-dbe-vdbe-h248)# remote-address ipv

16 Configuration Examples for Implementing Multi-VRF Chapter 10 Step 10 Step 11 Step 12 remote-port [port-num] host1/admin(config-sbc-dbe-h248)# remote-port 2094 transport udp host1/admin(config-sbc-dbe-h248)# transport udp attach-controllers Defines the port to connect to on the SBE for an H.248 controller. Configures a DBE to use User Datagram Protocol (UDP) for H.248 control signaling. Configure a DBE to attach to an H.248 controller. Step 13 Step 14 Step 15 Step 16 Step 17 host1/admin(config-sbc-dbe)# attach-controllers media-address pool ipv4 A.B.C.D E.F.G.H vrf vrfname host1/admin(config-sbc-dbe)# media-address pool ipv vrf my_vrf1 media-timeout timeout host1/admin(config-sbc-dbe)# media-timeout 10 overload-time-threshold time host1/admin(config-sbc-dbe)# overload-time-threshold 400 deact-mode normal host1/admin(config-sbc-dbe)# deactivation-mode normal activate Create a pool of sequential IPv4 media addresses for an IPv4 address associated with a specific VRF instance. Note The vrf name under the adjacency must match the context name. Sets the maximum time a DBE waits after receiving the last media packet on a call and before cleaning up the call resources. Configures the threshold for media gateway (MG) overload control detection. Specifies that the DBE of an SBC signals a service change and terminates all calls upon deactivation of the DBE service. Initiates the SBC service. host1/admin(config-sbc-dbe)# activate Configuration Examples for Implementing Multi-VRF This section provides the following configuration examples: Configuring Multi-VRF: Example, page Associating an H.323 Adjacency with a VRF: Example, page Associating a SIP Adjacency with a VRF: Example, page

17 Chapter 10 Configuration Examples for Implementing Multi-VRF Configuring DBE with VRF (Distributed Model Only): Example, page Configuring Multi-VRF: Example This sample configuration shows how the Service Virtual Interface (SVI) and adjacencies are added to associate a VPN to them. 1. Configure the line card interface associated with vrf my_vrf1 on Supervisor. vrf definition my_vrf1 rd 55:1111! address-family ipv4 exit-address-family! 2. Configure the line card interface associated with vrf my_vrf1 on supervisor. interface GigabitEthernet1/3 description ''Connected to CAT Fa 0/13 vlan919'' vrf forwarding my_vrf1 ip address interface Vlan 99 vrf forwarding my_vrf1 ip address ! 3. Configure the context on ACE card and assign the VLAN. context my_vrf1 allocate-interface vlan Configure the FT group. Note You must configure the FT group 1 with the default (Admin) context (in this instance, my_vrf1). ft group 1 peer 1 priority 127 peer priority 126 associate-context my_vrf1 inservice 5. Configure the interface on my_vrf1 context for which you need to use change to CLI for changing the context. ACE-101-UUT1-1/Admin# changeto my_vrf1 ACE-101-UUT1-1/my_vrf1# interface vlan 99 ip address alias peer ip address no shutdown ip route ip route Configure the DBE

18 Configuration Examples for Implementing Multi-VRF Chapter 10 dbe media-address pool ipv vrf my_vrf1 activate DNS Query Configuration: Example This sample configuration configures a DNS query. context vrf110 allocate-interface vlan 110 context vrf120 allocate-interface vlan 120 sbc mysbc sbe sip dns cache-lifetime 6000 cache-limit adjacency sip sip1 vrf vrf adjacency sip sip2 vrf vrf host1/admin# changeto vrf110 ip domain-lookup ip domain-name test.com ip name-server host1/admin# changeto vrf120 ip domain-lookup ip domain-name test1.com ip name-server Associating an H.323 Adjacency with a VRF: Example This sample configuration creates an H.323 adjacency associated with a VPN. adjacency h323 h323my_vrf1 vrf my_vrf1 signaling-address ipv signaling-port 1720 remote-address ipv signaling-peer signaling-peer-port 1720 account h323-my_vrf1 attach Associating a SIP Adjacency with a VRF: Example This example configuration creates a SIP adjacency associated with a VPN. Note that there is an ft group configured for each context

19 Chapter 10 Configuration Examples for Implementing Multi-VRF ft interface vlan 99 ip address peer ip address no shutdown ft peer 1 heartbeat interval 100 heartbeat count 10 ft-interface vlan 99 ft group 1 peer 1 priority 127 peer priority 126 associate-context Admin inservice ip route ip route context vlan100 description vlan100 allocate-interface vlan 100 ft group 2 peer 1 priority 127 peer priority 126 associate-context vlan100 inservice username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/ role Admin domain default-domain sbc mysbc sbe adjacency sip vrf vlan100 inherit profile preset-core preferred-transport udp redirect-mode pass-through authentication nonce timeout 300 signaling-address ipv signaling-port 5061 remote-address ipv signaling-peer signaling-peer-port 5060 dbe-location-id 0 account sip-core attach adjacency sip vrf vlan100 inherit profile preset-access preferred-transport udp redirect-mode pass-through authentication nonce timeout 300 signaling-address ipv signaling-port 5060 remote-address ipv signaling-peer signaling-peer-port 5060 dbe-location-id 0 account sip-core attach 10-19

20 Configuration Examples for Implementing Multi-VRF Chapter 10 adjacency sip vrf vlan100 nat force-on inherit profile preset-core preferred-transport udp redirect-mode pass-through authentication nonce timeout 300 signaling-address ipv signaling-port 5063 remote-address ipv signaling-peer signaling-peer-port 5063 dbe-location-id 0 account sip-core reg-min-expiry 3000 attach sip inherit profile preset-standard-non-ims retry-limit 3 call-policy-set 1 first-call-routing-table invite-table first-reg-routing-table start-table rtg-src-adjacency-table invite-table entry 1 action complete dst-adjacency match-adjacency entry 2 action complete dst-adjacency match-adjacency rtg-src-adjacency-table start-table entry 1 action complete dst-adjacency match-adjacency entry 2 action complete dst-adjacency match-adjacency complete active-call-policy-set 1 network-id 2 sip max-connections 2 sip timer tcp-idle-timeout tls-idle-timeout udp-response-linger-period udp-first-retransmit-interval 500 udp-max-retransmit-interval 4000 invite-timeout 180 blacklist global redirect-limit 2 deact-mode normal activate 10-20

21 Chapter 10 Configuration Examples for Implementing Multi-VRF dbe media-address ipv vrf vlan100 port-range any location-id 0 media-timeout 30 deact-mode normal activate newace4/admin# changeto vlan100 newace4/vlan100# sh run Generating configuration... interface vlan 100 ip address alias peer ip address no shutdown ip route Configuring DBE with VRF (Distributed Model Only): Example In this example, a context called my_vrf1 is created and a VLAN is allocated for my_vrf1. context my_vrf1 allocate-interface vlan 97 A fault-tolerant group is created and associated with the context my_vrf1. ft group 2 peer 1 priority 127 peer priority 126 associate-context my_vrf1 inservice An SBC is configured with a media address associated to the my_vrf1 context. sbc j dbe vdbe global unexpected-source-alerting local-port 2985 control-address h248 ipv controller h248 1 remote-address ipv remote-port 2985 transport udp attach-controllers media-address ipv vrf my_vrf1 media-address pool ipv media-timeout

22 Configuration Examples for Implementing Multi-VRF Chapter 10 overload-time-threshold 100 deact-mode normal activate (in the newly created context my_vrf1) An VLAN interface is created interface vlan 97 ip address alias peer ip address no shutdown ip route ip route The VLAN interface is associated with my_vrf1 on the supervisor engine: interface Vlan 97 vrf forwarding my_vrf1 ip address