520-0005-06 - BCP - SIP Access Configuration

SIP Access Configuration on the 3000/4000 Series Net-Net Session Directors

Revision History

Version      Author                 Description of Changes                  Date
520-0005-03  P Timmons & M Archer   Refreshed for C6.0                      09/26/08
520-0005-04  M Archer               Corrected reference config IP errors    11/11/08
520-0005-05  P Timmons & M Archer   Overload controls + S-C6.2.0 refresh    04/05/11
520-0005-06  H Modi                 Corrected Appendix C config             10/17/11

Status of this Memo


Acme Packet Best Current Practices are working documents of the Professional Services
department of Acme Packet, Inc. Note that other groups may also distribute working documents
as Best Current Practices.

Best Current Practices are working documents valid until explicitly obsoleted, and may be
updated, replaced or obsoleted by other documents at any time. It is recommended to use Best
Current Practices as reference material as well as to cite them in other works in progress.

Copyright Notice
Copyright © Acme Packet, Inc. (2011). All Rights Reserved.

Abstract
The use of the RFC 2119 keywords is an attempt to assign the correct requirement levels
("MUST", "SHOULD", "MAY", etc.).

This document defines a series of SIP access configuration recommendations to be used when
deploying a new Session Director. When at conflict with Customer requirements or desires, the
Customer’s preference SHOULD take precedence.

Best Current Practice SIP Access Configuration October 2011

Table of Contents
1. Introduction.............................................................................................................................. 3
2. Intended Audience ................................................................................................................... 5
3. Terminology............................................................................................................................. 5
4. Background .............................................................................................................................. 5
5. Design Goals............................................................................................................................ 6
6. Notes on the reference configurations ..................................................................................... 7
7. Registration caching modes ..................................................................................................... 8
8. Policy Based Realm Bridging .................................................................................................. 8
9. Single NAT, homed in the access network .............................................................................. 8
10. SIP NAT Bridge...................................................................................................................... 9
11. Single NAT, homed in trusted network ................................................................................ 10
12. Endpoint Management Controls ........................................................................................... 11
12.1. Access Network Smoothing (max-register-refresh) .........................................................11
12.2. Core network smoothing (max-register-forward).............................................................12
12.3. Cache Resiliency (register-grace-timer) ...........................................................................12
12.4. Overload protections.........................................................................................................13
SIP Registration Overload Protection (SROP) ..................................................................... 13
Cache preservation................................................................................................................ 14
13. Normative References........................................................................................................... 15
14. Informative References ......................................................................................................... 15
15. Authors’ Address .................................................................................................................. 15
16. Disclaimer ............................................................................................................................. 16
17. Full Copyright Statement ...................................................................................................... 16
Appendix A. Reference Configuration: Policy-Based Realm Bridging ................................... 17
Appendix B. Reference Configuration: Single NAT, homed in access network ..................... 28
Appendix C. Reference Configuration: SIP NAT Bridge ........................................................ 39
Appendix D. Reference Configuration: Single NAT, homed in trusted network..................... 52

520-0005-06 Acme Packet Confidential Page 2



1. Introduction
Access is a term used to describe the technology deployed to allow devices in an “untrusted”
network access to services provided by network elements residing in a Service Provider’s
“trusted” network.

From the Session Border Controller (SBC) perspective, SIP access configurations are designed
to grant remote terminals (IADs, softclients and VoIP phones) secure, controlled access to
Service Provider network elements such as softswitches, proxies, media gateways, application
servers, etc.

The major functional areas for consideration in the design of SIP Access configurations are:

Registration. The majority of SIP User Agents (UAs) in an access network are required to
perform a SIP registration sequence in order to present authentication credentials to a registrar.
This registration sequence creates a binding such that calls destined to terminate on the end
terminal can be located by transport address (IP address:port).

SIP Hosted NAT Traversal (HNT). A technique that a carrier-hosted border element such as
the Acme Packet Session Director (SD) employs to provide persistent reachability for SIP User
Agents (UAs) located in private Local Area Networks behind NAT/firewall devices.

In this role, managing endpoint behavior at the edge of a service provider network is a
challenging task. The edge SBC needs to have persistent, frequent communication with each UA
by asking that device to send SIP REGISTER methods with a high frequency. The
softswitch/registrar that the SBC is protecting, however, doesn’t need to be (and almost always
cannot be) burdened by receiving registration messages with the same frequency; the registrar
has a lot of work to do with every REGISTER it receives – database lookups involving disk
access, MD5 digest computations, etc., which are “expensive” operations, in computing terms.
The SBC is inserted into the network to manage these many thousands (or tens of thousands) of
messages on the access network, and honing it down to a small trickle of registration events on
the core network.

This challenge is compounded by a phenomenon not unlike a harmonic convergence: a tendency
of endpoints to cluster their registration events together so that they become nearly
simultaneous. This happens for a number of reasons, but is most commonly precipitated by
some kind of failure and subsequent recovery; the classic example is the “city power outage”
scenario, but even smaller-scale events can have as dramatic an impact. When endpoints become
clustered together, it becomes increasingly difficult for the SBC to manage the disparate
networks’ requirements (frequent signaling vs. infrequent signaling).

Topology Hiding. The mechanism by which a carrier-hosted border element removes sensitive
topology information (e.g., IP addresses) belonging to core devices, so that this data is never
transmitted to the untrusted network.


The SD also operates as a P-CSCF in IMS architectures. Although the specific features typically
found on a P-CSCF are beyond the scope of this document, the configuration archetypes
described here, especially Policy Based Realm Bridging, represent sound skeletal
configurations upon which specific IMS features can be enabled.

This document will describe the methodology and theory behind various configuration designs
the SD can use for supporting access deployments. Additionally, this document will describe the
methodology and strategy for designing comprehensive endpoint management controls into
Session Directors performing SIP access functions, to assist in honing the mass of signaling
events into a predictable, normalized flow of traffic into the core signaling infrastructure.
Because of the potential service impact that can be incurred by ignoring endpoint management
controls, the implementation of the configuration techniques described in this document is
STRONGLY RECOMMENDED.

This document was tested against SD software version S-C6.2.0 although the theory applies to
earlier releases.

Four configuration archetypes are discussed here. A “golden configuration” template is provided
for each of the four archetypes, in appendices A, B, C and D.


2. Intended Audience
This document is intended for use by Acme Packet Systems Engineers, third party Systems
Integrators, and end users of the Session Director. It assumes that the reader is familiar with
basic operations of the Session Director, and has attended the following training courses (or has
equivalent experience):

- CAB-C-CLI: Net-Net 3000/4000 Configuration Basics

It also presumes that the reader is familiar with standard configuration models and archetypes;
for more information please review the Best Current Practice series of documentation.

3. Terminology
Forward (registration forward): when the SD passes a REGISTER it has received on to the
softswitch/registrar.

Refresh (registration refresh): when the SD replies to a REGISTER directly, without sending it
on to the softswitch/registrar, as a means of maintaining persistent communication for NAT
traversal purposes.

4. Background
A registration cache entry is written for each UA whose registration signaling traverses the SD.
With registration caching enabled (1), a successful registration results in a cache entry that is
valid for the period determined by the Expires header or the Contact expires parameter. Upon
expiry of this period (plus a configurable grace timer), or on the timeout of an unsuccessful
registration sequence, the cache entry is removed. The SD employs an application-layer access
control feature of the sip-interface to reject SIP INVITEs from UAs that are not represented by a
valid registration cache entry.

To avoid loss of service, a UA must send a new REGISTER request within the Expires period.
Should this request arrive at the SD within the first half of the Expires period, the SD responds
locally to the UA (a refresh registration). Should the request arrive after this half-life timer,
the SD routes it to the core registrar.

SIP HNT relies on frequent, persistent messaging to ensure that the binding on the intermediary
NAT device is not torn down due to inactivity. There are two popular techniques employed by
SBC manufacturers today:

- The “push” technique: this is where the SBC sends application-layer keepalive messages
(such as OPTIONS pings) to UAs at regular intervals. That is, the SBC is “pushing”
messages down to the UA.

(1) Disabling registration caching is a valid option, particularly in deployments with SDs in “series”,
i.e. one at the enterprise edge and one at the service provider edge.


- The “pull” technique: the SBC requests that the UA send REGISTER messages at very
short intervals (typically between 30 and 120 seconds). The SBC is “pulling” messages
out of the UA by asking it to send SIP messages often enough to keep the
binding persistent on the intermediary NAT device.

While both techniques are generally successful, preference has been given to the second as it is
considered more resilient. For example, assume a UA has a default registration refresh interval
of 3600 seconds (one hour). At boot, the UA sends a REGISTER to the SBC, creating a pinhole
in the intermediary NAT device. The SBC forwards the REGISTER to the SIP registrar and
forwards the registrar’s response to the Layer 3 IP address and port of the intermediary device.
When employing the “push” method, a failure or reboot of the intermediary will cause service
outage for that user for as long as one hour, as the UA will be unaware of the discontinuity of
service. When employing the “pull” method, a failure of the intermediary will self-heal upon the
next registration message sent by the client.

A list of recommended reading is given in the Informative References (Section 14) of this
document. The remainder of this document discusses the implemented design of the Session Director.

Topology hiding is achieved on the SD in two distinct manners. Firstly, rather than merely
forwarding signaling messages between untrusted and trusted networks as a true proxy would do,
the SD’s B2BUA creates new headers such as Contact and Via containing its own configured IP
addresses, thereby performing a measure of topology hiding by default. Secondly, in order to
rewrite a number of other headers that the B2BUA engine is not obliged to create, other
techniques such as the sip-nat configuration object can be deployed. Although all the techniques
available to the SD for comprehensive topology hiding are beyond the scope of this document,
the function does fundamentally affect the configuration models and is therefore included.

5. Design Goals
By its nature, SIP Access, and in particular the HNT function, requires additional signaling
overhead. In addition, topology hiding incurs a measure of processing overhead.

Several models will be presented here, and each will include its general applicability – when to
use it, and when to avoid it. The intents of these designs are to:
- Minimize interoperability issues by standardizing field configurations
- Provide guidelines for new users to the Session Director
- Document when and why configuration elements should be changed from their default
values
- Facilitate transition of customers from Systems Engineering to Technical Support by
making configurations consistent (yielding predictable behavior)

Further, each design considers the following aspects (in order of priority):
- Flexibility: how resilient the configuration is, and how adaptable the configuration is (i.e.
when turning up new connected networks)
- Performance: minimizing the use of “heavy” configuration objects (i.e., the sip-nat), to
streamline the message flow through the system and reduce CPU usage. By limiting the
use of the sip-nat, the SD will regain processing power
- Scalability: minimizing redundant configuration objects and setting a templated
foundation to allow overlay configuration with minimal disruption
- Compatibility: working with other popular devices in carriers’ VoIP networks

6. Notes on the reference configurations


All of the configurations presented here have been entered, tested, and verified on an SD in the lab
at Acme Packet headquarters. The goal is not to demonstrate a full-featured configuration;
rather, each contains only the minimum number of configuration objects required to pass basic
SIP transactions.

In all cases, the design uses a single “untrusted” network, in the 192.168.11.0/24 subnet, and a
single “trusted” network using 192.168.12.0/24. The configurations have been designed such
that no 192.168.12.0/24 IP addresses are leaked into signaling messages sent to the untrusted
network.

The IP address to which UAs send their SIP signaling in all cases is 192.168.11.100. The IP
address from which the SD sends its messages to the core infrastructure is 192.168.12.100.
Depending on the configuration model, there may be more addresses used on either network; this
will be noted as applicable. The SIP registrar used for testing is located at 192.168.12.200.

The steering-pool ranges outlined in the reference configurations (Appendices A, B, C and D) are
provided merely to give an idea of start-port and end-port values. It is recommended that
steering-pools be allocated judiciously (depending upon your network configuration) to avoid
unnecessary memory allocation for unused steering-pool ports.

The wancom0 management address is 10.0.0.100. This is configured as the default-gateway in
system-config.

No Denial of Service (DoS) configuration has been applied, save the application-layer access
control features of the sip-interface. For more information on DoS configuration guidelines,
refer to [7]. Note that when using the application-layer access control feature “registered” (to
prevent inbound traffic from unregistered endpoints from traversing the SD), registration-caching
must be ENABLED on the appropriate sip-interface; otherwise, the SD will not find matching
cache entries for endpoints that are not behind NATs and will reject their call attempts.
(NATted endpoints are cached irrespective of the registration-caching setting.)

The system used for testing purposes was configured in a standalone environment (i.e., no
highly-available peer was used). For more information on configuring High Availability on the
Session Director, refer to [4].

Best Current Practices for object naming conventions have been followed whenever possible.
For more information on naming convention best practices, refer to [2].

7. Registration caching modes


When registration-cache is enabled (i.e., caching is requested for endpoints that are NOT behind
a NAT), the default reg-cache-mode will be 'append-from'. However, if contact-endpoint is also
added as a sip-config option, the default reg-cache-mode will be 'from'.

8. Policy Based Realm Bridging


The first and most preferable model is the policy-based bridged realm approach, using local-
policy statements to route traffic from realm to realm. This configuration does not use the sip-
nat object at all. This is the most efficient configuration for the SD as it eliminates the need for
the SD to parse each header, scrub it for sensitive data, and encode cookies for subsequent
decoding on the return path. As a side effect, the configuration is considerably simpler – making
it easier to implement and troubleshoot.

When you should use this model:

- The endpoints use domain-based Addresses of Record (AORs)
- The softswitch infrastructure can accommodate the domain-based AORs sent by the
endpoints

Note that even though there are no sip-nat objects, the SD will still act as a Back To Back User
Agent (B2BUA) and rewrite many aspects of the signaling messages: Contact-URI, Via, the
SDP’s connection information, etc. Thus there is no less topology hiding performed in this
design than if there were sip-nat configuration present.

The sample configuration is given in Appendix A.

9. Single NAT, homed in the access network


This is considered the “classic” HNT configuration, with the home-realm located on the access
network. This configuration is the best choice when a customer is offering a consumer VoIP
service using the Internet as transport, and Policy-Based Realm Bridging cannot be applied.

The sample configuration, given in Appendix B, illustrates the common technique of setting the
core realm’s addr-prefix to a well-defined range and leaving the access realm’s addr-prefix
open (0.0.0.0). A variation on this classic HNT configuration has the access realm’s addr-prefix
set to match the subnet of the network-interface upon which the access realm is built,
and the core realm’s addr-prefix set to 0.0.0.0. This is convenient for supporting carriers that
have their core proxies spread over several disparate subnets. It works because, at layer 5,
endpoints in the access realm use their Address of Record in all NATable headers (such as
From, To, etc.), which the sip-nat replaces with the SIP registrar’s address. All other addresses
in the signaling (i.e., those representing the endpoint itself, such as the sent-by address in the Via
header and the Contact-URI) are “fixed” due to the SD’s B2BUA nature. For more information
on the SD’s NAT behavior refer to [3].

Although using 0.0.0.0 as the addr-prefix for the access realm (and non-zero in the core realm) is
the most common deployment scenario, it is equally acceptable to use a non-zero prefix in the
access realm and 0.0.0.0 in the core realm.

Because this configuration requires the SIP home-realm to be on the access network (typically
the Internet), the cost of adding sip-nat objects to connect other protected realms becomes very
dear: extra IP addresses are gratuitously used merely for obfuscation.

This configuration is the least flexible, and least expandable, but will yield better overall
performance than any of the other models presented here with the exception of Policy-Based
Realm Bridging.

When you should use this archetype:

- Your customer purchased the SD strictly for HNT within a single untrusted network (e.g.,
the Internet)

The sample configuration is given in Appendix B.

10. SIP NAT Bridge


The SIP NAT bridge was originally designed as a way to collapse external realms into single IP
addresses for complete and thorough topology hiding. Historically, this uses a 127.0.0.0/8
network for the SIP home-realm, with each external realm collapsed to a loopback IP address
(which has the advantage of being free and plentiful). The SIP NAT bridge is perhaps the easiest
configuration to troubleshoot.

As the SIP NAT bridge is eminently usable in both peering and access environments, it is a
good choice for deployments that will include both applications within a single SD node.

This configuration is the most flexible, most expandable, and arguably the most intuitive (after
the policy-based realm bridging model). The cost, however is performance: twice NATting each
SIP message reduces the performance of the SD versus NATting each message only once.

A substantive change is included in the SIP NAT bridge configuration in this document: when
performing HNT using a SIP NAT bridge, the home-proxy-address MUST NOT be filled in on
the “core” sip-nat object. The reason is that upon receipt of an INVITE from a core device (e.g.,
proxy, registrar) the SD will first translate the INVITE’s Request-URI using the rules of the sip-
nat (reference [3]), substituting the sip-nat’s ext-address with the home-proxy-address. This will
not match the cached registration entry for the UA (which is user@SIPD, not
user@home-proxy-address), and subsequently the SD may return a 480 Temporarily Unavailable
error back to the UAC. This is seen most often when using non-standard configurations such as
SIP port mapping, global contacts, or non-standard registration caching modes. Regardless of
whether or not these options are employed, the removal of the home-proxy-address is now
considered to be the best practice.

Additionally, due to the (default) mechanism used to construct the index key used in our internal
registration cache, there exists a possibility of collision when UA devices change their IP
address. For this reason, it is STRONGLY RECOMMENDED that the sip-config option “reg-
cache-mode=append” is applied to any SIP NAT bridge configuration used for HNT.

When you should use this archetype:

- The core network does not fit within a single “neat” subnet
- Each untrusted network must be represented as a unique address within the carrier’s core
infrastructure
- The SD will be used for both access and peering applications

The sample configuration is given in Appendix C.

11. Single NAT, homed in trusted network


This configuration archetype combines most of the flexibility of the SIP NAT bridge with the
performance of the single sip-nat (classic) model. With the exception of slightly less
comprehensive NATting ability, this is a suitable replacement for the SIP NAT bridge (2).

The key features of this archetype are the multiple SIP targets (home-addresses) on the core side
(one per “HNT realm”) and the home-realm assigned to the core side of the SD. In this way, the
access realm(s) are NATted to the home-realm, and the access realms do not need to share a
network-interface. It also inherently supports HNT in multiple disparate access realms, which
may or may not share overlapping IP address space (OLIP).

The only caveat to this design is that all packets on the core side of the SD, destined for the
registrar, will be sourced from the same Layer 3 IP address and port. The AOR at Layer 5 will
be unique per ingress realm, however. Packets coming from the registrar may target the unique
home-address of each sip-nat directly.

When you should use this archetype:

- The endpoints do not use domain-based Addresses of Record (AORs) and NATting is
required at Layer 5
- You need to perform HNT within multiple access networks (either within the same
VLAN or not)
- Each untrusted network must (or can) be represented as a unique address within the
carrier’s core infrastructure

(2) The use of a single sip-nat object means that NATting is done using the public/private and exchange rules as
described in [3]. This NATs either to or from a single subnet.

The sample configuration is given in Appendix D.

12. Endpoint Management Controls


The following four controls, designed to assist in honing the mass of signaling events into a
predictable, normalized flow of traffic into the core signaling infrastructure, are STRONGLY
RECOMMENDED to be included in any and all of the configuration models detailed in sections
8 to 11 where endpoints in the Access network reside behind NAT devices.

12.1. Access Network Smoothing (max-register-refresh)


The Session Director actively replies to most REGISTERs it receives itself; assuming fairly
common values for the expiry time advertised by SIP registrars (e.g., 3600 seconds) and the SD’s
configured nat-interval (e.g., 60 seconds), the SD will locally reply to 29 REGISTERs it receives
for every one that it forwards. Said another way, the SD receives roughly thirty times as much
registration traffic on the access network as it passes on to the core network. It is
beneficial from a network engineering perspective to make every effort to present the
SD with a regular stream of traffic; since all endpoints across the entire NATted user population
are expected to refresh their registration with the SD every minute (in this example), an even
spread of traffic throughout the minute avoids congestion, queuing, etc. To assist in
smoothing the traffic presented to the SD’s SIP proxy, a global sip-config option “max-
register-refresh” was developed.

This option will incrementally extend the registration refresh period that the SD advertises back
to an endpoint. For example, assume that the configured max-register-refresh value is set to 10
(very low, but just for illustrative purposes) and that the nat-interval on the Internet-facing sip-
interface is set to 30. Every second, the SD tallies up the number of refresh 200 OKs it sends
back to NATted endpoints, and if the number exceeds the value configured in the max-register-
refresh, it will start to take action. In this example, the first 10 REGISTERs that the SD
refreshes within that second will be sent a 200 OK with expires=30. The 11th REGISTER to
arrive that second will be sent a 200 OK with expires=31; so will the 12th through 20th
REGISTERs. Should a 21st endpoint also send a REGISTER within that same second, the SD
will send back expires=32, etc. When the second is over, the SD resets its counter and starts
using expires=30 again. Thus the next time any extended endpoints "check in" with the SD,
there shouldn't be more than TEN of them in any given second. (It generally takes a few
registration cycles for this to really demonstrate any appreciable smoothing.)

The recommended value for this setting is the number of subscribers the platform was
engineered to support, divided by the nat-interval configured on the Internet-facing interface.
For example, with a platform engineered for 60,000 subscribers and a nat-interval of 60,
max-register-refresh should be set to 1,000 (options +max-register-refresh=1000).
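The smoothing rule just described, as an added simulation that is not part of this BCP or of the SD’s software. It keeps the per-second tally of locally answered REGISTERs and hands out expires=nat-interval to the first max-register-refresh endpoints in a second, nat-interval+1 to the next block of that size, and so on. The class and function names, the constructed 100-endpoint burst, and the assumption that every UA comes back exactly when its advertised Expires elapses (no jitter) are the example’s own; that missing jitter is why the burst flattens to ten per second after a single cycle here, where the text says it generally takes a few.

```python
from collections import Counter
from typing import Dict, List


class RefreshSmoother:
    """Per-second tally the SD keeps for REGISTERs it answers locally.

    Within one second, the first `max_refresh` NATted endpoints get
    expires=nat_interval; each further block of `max_refresh` endpoints in
    that same second is pushed out by one more second. The tally is keyed
    by absolute second, so it "resets" by itself when the second rolls over.
    (Assumed model of the behaviour described in the text, not SD code.)
    """

    def __init__(self, nat_interval: int, max_refresh: int) -> None:
        self.nat_interval = nat_interval
        self.max_refresh = max_refresh
        self._answered: Counter = Counter()   # second -> local 200 OKs sent

    def expires_for(self, now: int) -> int:
        """Expires value for the 200 OK of a refresh answered at second `now`."""
        already = self._answered[now]
        self._answered[now] += 1
        return self.nat_interval + already // self.max_refresh


def recommended_max_register_refresh(subscribers: int, nat_interval: int) -> int:
    """The BCP's sizing rule: engineered subscriber count / nat-interval."""
    return subscribers // nat_interval


def simulate_burst(endpoints: int, nat_interval: int, max_refresh: int,
                   cycles: int) -> List[int]:
    """Constructed scenario: `endpoints` NATted UAs all re-register in the
    same second (the post-outage burst). Returns the busiest second's
    refresh count after each registration cycle. Every UA is assumed to
    come back exactly when its advertised Expires elapses (no jitter)."""
    smoother = RefreshSmoother(nat_interval, max_refresh)
    next_due = [0] * endpoints                      # all check in at t=0
    peaks: List[int] = []
    for _ in range(cycles):
        by_second: Dict[int, List[int]] = {}
        for ep, due in enumerate(next_due):
            by_second.setdefault(due, []).append(ep)
        peaks.append(max(len(v) for v in by_second.values()))
        for second in sorted(by_second):            # answer in arrival order
            for ep in by_second[second]:
                next_due[ep] = second + smoother.expires_for(second)
    return peaks


if __name__ == "__main__":
    print(recommended_max_register_refresh(60_000, 60))          # 1000
    print(simulate_burst(100, nat_interval=30, max_refresh=10, cycles=3))
```

With max-register-refresh=10 and nat-interval=30, the 100 endpoints that arrive together are answered with expires 30, 31, ..., 39 in blocks of ten, so on the next cycle no second carries more than ten refreshes.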

12.2. Core network smoothing (max-register-forward)


This global sip-config option causes the SD to make an extra test before it forwards a
registration into the core. The SD forwards registrations into the core network once half of
the registrar’s advertised expires value has elapsed; e.g., if your registrar sends back expires=3600,
the SD refreshes locally between the UA and itself for 1800 seconds before it forwards
the next REGISTER it receives into the core. The max-register-forward option lets you put a “cap” on
the number of forwards the SD sends per second. Say you configure max-register-forward=5:
if in any given second the SD has already sent five registrations to the registrar, and another REGISTER
arrives that is eligible for forwarding, the SD decides whether or not it is “safe” to refresh that
endpoint locally instead. Because the SD’s default behavior is to forward once 50% of the
registrar’s expiry has elapsed, the SD has some flexibility in deciding whether to forward
this REGISTER instance or not. Assuming the registrar’s expires=3600 and the relevant nat-
interval=30, the SD answers sixty or so local refreshes before it forwards one to the core, and even
when it does there are still thirty minutes left before the registrar is due to time the binding out. So the
SD can safely refresh this one locally during times of higher-than-normal activity, and wait until
the UA’s next transmission before making the same test.

Note that the notion of "safeness" is very important: the SD will NEVER refresh a REGISTER
locally if it knows the registrar will time it out otherwise, so those are always forwarded.
Likewise, any new registrations from previously unknown endpoints are always forwarded,
obviously, and thus not counted against the max-register-forward tally.

The recommended value for this setting is wholly dependent on the registrar’s stated REGISTER
performance. For example, if the registrar’s performance boundaries mean that it cannot exceed
30 REGISTERs per second, then this setting should be max-register-forward=30.

Note that applying this setting will neither prevent the SD from forwarding registrations from
endpoints that would otherwise expire, nor prevent it from forwarding requests from new
endpoints not in its cache.

12.3. Cache Resiliency (register-grace-timer)

As the SD receives registration requests from endpoints, data about these endpoints is stored in
the SD’s registration cache. The SD maintains two timers for each cache entry: a remote expiry
and a local expiry. The remote expiry time is the one received in the 200 OK from the registrar.
The local expiry time is the value configured in the sip-interface that received the REGISTER
request (the nat-interval or the registration-interval, for NATted and non-NATted endpoints
respectively), to which the SD adds several seconds as a “grace timer” to account for
circumstances where an endpoint’s registration attempt is lost in transit. The registration cache
entry is removed once either the local timer expires without a refresh, or the remote timer fires
because the SD did not get a successful response from the registrar to a REGISTER it forwarded.

When the SD is caching many endpoints (particularly those behind NATs), the local expiry time
becomes very delicate. Imagine a scenario where 60,000 NATted endpoints are refreshing every
60 seconds, i.e. 1,000 refreshes per second: an interruption of even ten seconds can have a
tremendous impact on the number of endpoints in the cache.

520-0005-06 Acme Packet Confidential Page 12

The grace time that the SD adds to the expires value it sends to the endpoint is four seconds by
default. The recommended value for this grace time is 120 seconds (two minutes). Setting it to
120 seconds makes the SD more tolerant of access network failures, without placing an undue
burden on the SD by maintaining cache entries that have legitimately expired. The value of 120
represents a typical NAT binding’s time to live (TTL) for UDP packets; if the SD were to retain a
cache entry for longer than 120 seconds, the risk of the NAT releasing and reusing the port
increases. (We do not want the SD to send SIP messages to a port that has been released and
reassigned, as they could be delivered to another application behind the NAT.) This is
configured as a global sip-config option, register-grace-timer=120.

12.4. Overload protections

Because network failures will happen, the clustering of endpoint registration events into an
“avalanche” is an unfortunate eventuality. The Session Director offers several mechanisms for
mitigating the effects of these clusterings, to protect itself in addition to any network equipment
that it may be fronting. This section describes the options available to you, and how to apply
them most judiciously.

SIP Registration Overload Protection (SROP)

The Session Director has a comprehensive suite of denial-of-service and distributed
denial-of-service protections, collectively referred to as the Net-SAFE framework. One
significant part of this framework is the notion of assigning trust to endpoints dynamically.
Typically, when the SD participates in a successful transaction between UA and
softswitch/registrar, the SD interprets the softswitch’s acceptance of the UA’s transaction as an
indicator that the UA is trustworthy. It then “promotes” that user agent, guaranteeing it
bandwidth. (Devices that have guaranteed bandwidth do not compete for the limited amount of
leftover bandwidth reserved for “untrusted” endpoints.) It is important to realize that the
promotion event occurs upon receipt of the success response (200 OK) to the transaction. During
a registration avalanche, characterized by many tens of thousands of heretofore untrusted
endpoints attempting to gain service, the SD will generally receive many more “untrusted”
messages than it is configured to process, causing it to discard them. Because a registration
event almost universally consists of a REGISTER, a 401/407 challenge, a re-attempted REGISTER
with credentials, and a 200 OK, there are two opportunities for the REGISTER from the UA to be
discarded on entry. When any given UA is fighting for limited bandwidth and already has a very
small likelihood of its packet reaching the SIP process on the SD for forwarding, requiring that
to happen twice before it is promoted can lead to non-convergent avalanche outages, where the
network never calms.

The SROP function on the SD allows these networks to calm by causing a temporary promotion
event to occur upon receipt of a 401/407 from the core. This ensures that the subsequent
registration received from that UA has guaranteed bandwidth reserved, and will be handed up to
the SD’s SIP process for forwarding.

Configuring SROP is STRONGLY RECOMMENDED for all deployments on access networks
with registering endpoints. Please note that configuring SROP presupposes that your SD is
already configured for dynamic promotion and demotion of endpoints (a.k.a. Net-SAFE). For
Net-SAFE configuration best practices, refer to [7]. Assuming the necessary Net-SAFE
configuration is in place, SROP is enabled via the global sip-config option reg-overload-protect
(see footnote 3).

Cache preservation

During CPU overage, the SD rejects inbound messages in an attempt at self-preservation. The
rate at which rejections occur is proportional to the current CPU utilization percentage, and
rejection is limited to out-of-dialog messaging. Since REGISTER requests are always
out-of-dialog, they are the most susceptible to rejection. Additionally, for the reasons described
in section 12.3 above, an endpoint in the SD’s cache typically has an order of magnitude more
local refreshes than forwards to the core softswitch/registrar. It is only nominally more work for
the SD to send a 200 OK refresh than to generate and send a 503 rejection, and the effect is
arguably more palatable to the recipient: endpoint manufacturers have occasionally implemented
503-specific handling that causes the device to transmit its messages more frequently, and if the
503 is due to CPU congestion on the SD, that makes an already bad situation much, much worse.
The SD can therefore be configured to perform an additional test on each REGISTER it receives
before rejecting it outright due to CPU constraints. With this option configured, if the endpoint
is in the SD’s cache and is not eligible for an imminent forward event, the SD responds locally
with a 200 OK. If the endpoint is not in the SD’s cache, it remains a candidate for rejection.
(Rejection during CPU overage is not absolute, and becomes more aggressive as CPU utilization
climbs toward 100%.)

The configuration is applied as a global option in the sip-config, reject-register=refresh.
Configuring this option is STRONGLY RECOMMENDED for all deployments on access
networks with registering endpoints.

Footnote 3: Since software version 4.x.x it is not necessary to also configure sip-option cache-challenges.
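The decision rules of sections 12.2 through 12.4 (forward-or-refresh under the max-register-forward cap, the local and remote expiry timers with register-grace-timer, and the reject-register=refresh test under CPU overload), modelled as an added Python illustration. This is not Acme Packet code: the SD's actual algorithm is not published, so the rules follow the BCP text only, and the 50% forward point, the CPU threshold at which rejection starts, the order of the tests and the example.net AoRs are assumptions.

```python
"""Model of the registration-cache decisions in sections 12.2 to 12.4.  Added
illustration, not Acme Packet code: the SD's real algorithm is not published, so
the rules follow the BCP text; the 50% forward point, the CPU threshold and the
order of the tests are assumptions."""
import random
from dataclasses import dataclass, field

FORWARD = "forward"        # REGISTER goes to the core registrar
REFRESH = "refresh-local"  # SD answers 200 OK from its cache
REJECT = "reject-503"      # rejected for CPU self-preservation
OVERLOAD_THRESHOLD = 0.80  # assumed CPU level below which nothing is rejected


def overload_reject_probability(cpu_util: float) -> float:
    """Rejection pressure: zero below the assumed threshold, linear up to 1 at 100% CPU."""
    if cpu_util <= OVERLOAD_THRESHOLD:
        return 0.0
    return min(1.0, (cpu_util - OVERLOAD_THRESHOLD) / (1.0 - OVERLOAD_THRESHOLD))


@dataclass
class Entry:
    registrar_expires: int    # expires the registrar returned (e.g. 3600)
    remote_expires_at: float  # when the registrar times the binding out
    local_expires_at: float   # nat-interval + grace after the UA's last REGISTER
    last_forward_at: float    # when the SD last forwarded for this UA


@dataclass
class RegCache:
    max_register_forward: int        # sip-config option max-register-forward
    register_grace_timer: int = 120  # sip-config option register-grace-timer
    nat_interval: int = 30           # sip-interface nat-interval (NATted UAs)
    forward_fraction: float = 0.5    # forward once half the remote expiry elapsed
    entries: dict = field(default_factory=dict)
    forwards_by_second: dict = field(default_factory=dict)

    def _forward(self, aor, now, expires, counted):
        # Assumed: the registrar answers 200 OK with the same expires as before.
        local = now + self.nat_interval + self.register_grace_timer
        self.entries[aor] = Entry(expires, now + expires, local, now)
        if counted:  # new endpoints never count against the tally (12.2)
            sec = int(now)
            self.forwards_by_second[sec] = self.forwards_by_second.get(sec, 0) + 1
        return FORWARD

    def _refresh(self, aor, now):
        self.entries[aor].local_expires_at = now + self.nat_interval + self.register_grace_timer
        return REFRESH

    def register(self, aor, now, cpu_util=0.0, draw=None, registrar_expires=3600):
        """Decide what to do with a REGISTER from `aor` arriving at time `now`."""
        if draw is None:
            draw = random.random()
        e = self.entries.get(aor)
        if e is not None:
            # Would the registrar time the binding out before the UA's next refresh?
            must_forward = e.remote_expires_at - now <= self.nat_interval
            due = now - e.last_forward_at >= e.registrar_expires * self.forward_fraction
            if not (must_forward or due):
                # Cached, no forward imminent: 200 OK locally, even under CPU overload
                # (this is the reject-register=refresh behaviour of 12.4).
                return self._refresh(aor, now)
        if draw < overload_reject_probability(cpu_util):
            return REJECT  # unknown or forward-eligible endpoint under CPU overload
        if e is None:
            return self._forward(aor, now, registrar_expires, counted=False)
        cap_hit = self.forwards_by_second.get(int(now), 0) >= self.max_register_forward
        if must_forward or not cap_hit:
            return self._forward(aor, now, e.registrar_expires, counted=True)
        # Cap reached but the registrar has time to spare: safe to refresh locally.
        return self._refresh(aor, now)

    def expire(self, now):
        """Drop entries whose local timer lapsed or whose registrar binding timed out."""
        gone = [a for a, e in self.entries.items()
                if now >= e.local_expires_at or now >= e.remote_expires_at]
        for a in gone:
            del self.entries[a]
        return gone


def scenario_forward_cap():
    """Three cached UAs arrive in one second with max-register-forward=1."""
    c = RegCache(max_register_forward=1)
    c.register("sip:old@example.net", 0.0)    # registrar binding expires at 3600
    c.register("sip:b@example.net", 1770.0)   # binding expires at 5370
    c.register("sip:c@example.net", 1770.0)
    now = 3570.0
    return {"b": c.register("sip:b@example.net", now),      # due: takes the one forward
            "old": c.register("sip:old@example.net", now),  # registrar would time it out
            "c": c.register("sip:c@example.net", now)}      # due, cap hit, safe locally


def scenario_access_outage(grace, outage=60):
    """A NATted UA goes silent for `outage` seconds; what happens to its next REGISTER?"""
    c = RegCache(max_register_forward=30, register_grace_timer=grace)
    c.register("sip:ua@example.net", 0.0)
    back = c.nat_interval + outage
    c.expire(back)  # with the 4 s default the entry is gone; with 120 s it survives
    return c.register("sip:ua@example.net", float(back))
```

With the default 4-second grace the UA returning after a 60-second outage is treated as a new endpoint and forwarded to the core; with register-grace-timer=120 it is refreshed locally, which is the point of section 12.3.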

13. Normative References
[1] Khindari, A., “Theory of the Session-agent”, 520-0013-05, February 2010.
[2] Timmons, P., “Configuration Naming Conventions”, 520-0006-02, December 2009.
[3] Timmons, P., “Theory of the sip-nat”, 520-0009-01, January 2010.
[4] Timmons, P., “High Availability Configuration”, 520-0011-03, November 2009.

14. Informative References

[5] Jennings, C., “NAT Classification Test Results”, draft-jennings-behave-test-results-01,
July 2005.
[6] Huston, G., “Anatomy: A Look Inside Network Address Translators”, The Internet
Protocol Journal, Volume 7, Number 3, September 2004.
[7] Manor, P., “Basic DDoS Configuration for SIP Access Environments”, 520-0051-00,
January 2011.

15. Authors’ Address

Marc Archer & Patrick Timmons
Acme Packet, Inc.
100 Crosby Drive
Bedford, MA 017300

email: marcher@acmepacket.com, ptimmons@acmepacket.com

16. Disclaimer
The content in this document is for informational purposes only and is subject to change by
Acme Packet without notice. While reasonable efforts have been made in the preparation of this
publication to assure its accuracy, Acme Packet assumes no liability resulting from technical or
editorial errors or omissions, or for any damages resulting from the use of this information.
Unless specifically included in a written agreement with Acme Packet, Acme Packet has no
obligation to develop or deliver any future release or upgrade or any feature, enhancement or
function.

17. Full Copyright Statement

Copyright © Acme Packet (2011). All Rights Reserved. Acme Packet, Session-Aware
Networking, Net-Net and related marks are trademarks of Acme Packet. All other brand names
are trademarks or registered trademarks of their respective companies.

This document and translations of it may be copied and furnished to others, and derivative works
that comment on or otherwise explain it or assist in its implementation may be prepared, copied,
published and distributed, in whole or in part, given the restrictions identified in section 2 of this
document, provided that the above copyright notice, disclaimer, and this paragraph are included
on all such copies and derivative works. However, this document itself may not be modified in
any way, such as by removing the copyright notice or references to Acme Packet or other
referenced organizations.

The limited permissions granted above are perpetual and will not be revoked by Acme Packet or
its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and ACME
PACKET DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A. Reference Configuration: Policy-Based Realm Bridging

local-policy
from-address
*
to-address
*
source-realm
access
description access->core
activate-time N/A
deactivate-time N/A
state enabled
policy-priority none
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:11
policy-attribute
next-hop 192.168.12.200
realm core
action none
terminate-recursion disabled
carrier
start-time 0000
end-time 2400
days-of-week U-S
cost 0
app-protocol
state enabled
methods
media-profiles
lookup single
next-key
eloc-str-lkup disabled
eloc-str-match
media-manager
state enabled
latching enabled
flow-time-limit 86400
initial-guard-timer 300
subsq-guard-timer 300
tcp-flow-time-limit 86400
tcp-initial-guard-timer 300
tcp-subsq-guard-timer 300
tcp-number-of-ports-per-flow 2
hnt-rtcp disabled
algd-log-level NOTICE
mbcd-log-level NOTICE
options active-arp
red-flow-port 1985
red-mgcp-port 1986
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
media-policing enabled

max-signaling-bandwidth 10000000
max-untrusted-signaling 100
min-untrusted-signaling 30
app-signaling-bandwidth 0
tolerance-window 30
rtcp-rate-limit 0
trap-on-demote-to-deny disabled
min-media-allocation 32000
min-trusted-allocation 1000
deny-allocation 1000
anonymous-sdp disabled
arp-msg-bandwidth 32000
fragment-msg-bandwidth 0
rfc2833-timestamp disabled
default-2833-duration 100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event disabled
media-supervision-traps disabled
dnsalg-server-failover disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:37
network-interface
name M00
sub-port-id 0
description slot 0 port 0 access network
hostname
ip-address 192.168.11.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.11.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:21
network-interface
name M10
sub-port-id 0
description slot 1 port 0 core network
hostname

ip-address 192.168.12.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.12.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:57
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:10
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:19
realm-config
identifier access
description serving all access net endpoints
addr-prefix 0.0.0.0
network-interfaces

M00:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled

constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:09
realm-config
identifier core
description softswitch resides in this realm
addr-prefix 0.0.0.0
network-interfaces
M10:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled

trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:30
sip-config
state enabled
operation-mode dialog
dialog-transparency enabled
home-realm-id core
egress-realm-id
nat-mode None
registrar-domain *
registrar-host *
registrar-port 5060
register-service-route always
init-timer 500
max-timer 4000
trans-expire 32
invite-expire 180
inactive-dynamic-conn 32
enforcement-profile
pac-method
pac-interval 10
pac-strategy PropDist
pac-load-weight 1
pac-session-weight 1

pac-route-weight 1
pac-callid-lifetime 600
pac-user-lifetime 3600
red-sip-port 1988
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
add-reason-header disabled
sip-message-len 4096
enum-sag-match disabled
extra-method-stats disabled
registration-cache-limit 0
register-use-to-for-lp disabled
options max-register-forward=<See 12.2>
max-register-refresh=<See 12.1>
max-udp-length=0
reg-overload-protect
register-grace-timer=120
reject-register=refresh
refer-src-routing disabled
add-ucid-header disabled
proxy-sub-events
pass-gruu-contact disabled
sag-lookup-on-redirect disabled
set-disconnect-time-on-bye disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:59:00
sip-interface
state enabled
realm-id access
description Transport address access UAs signal to
sip-port
address 192.168.11.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous registered
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal always
nat-interval 30
tcp-nat-interval 90
registration-caching enabled
min-reg-expire 300
registration-interval 3600
route-to-registrar enabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600

nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:00:39
sip-interface
state enabled
realm-id core
description Transport address softswitch signals to
sip-port
address 192.168.12.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0

proxy-mode
redirect-action
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:15
steering-pool

ip-address 192.168.11.100
start-port 49152
end-port 65535
realm-id access
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:38
steering-pool
ip-address 192.168.12.100
start-port 49152
end-port 65535
realm-id core
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:56
system-config
hostname SD1.selab.com
description Policy Based Realm Bridging
location selab.com
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps disabled
enable-snmp-syslog-notify disabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level WARNING
system-log-level WARNING
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15
boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway 10.0.0.100
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing disabled
cli-more disabled

terminal-height 24
debug-timeout 0
trap-event-lifetime 0
cleanup-time-of-day 00:00
last-modified-by admin@console
last-modified-date 2011-03-16 23:10:50

Appendix B. Reference Configuration: Single NAT, homed in access network

local-policy
from-address
*
to-address
*
source-realm
access
description access->core
activate-time N/A
deactivate-time N/A
state enabled
policy-priority none
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:11
policy-attribute
next-hop 192.168.12.200
realm core
action none
terminate-recursion disabled
carrier
start-time 0000
end-time 2400
days-of-week U-S
cost 0
app-protocol
state enabled
methods
media-profiles
lookup single
next-key
eloc-str-lkup disabled
eloc-str-match
media-manager
state enabled
latching enabled
flow-time-limit 86400
initial-guard-timer 300
subsq-guard-timer 300
tcp-flow-time-limit 86400
tcp-initial-guard-timer 300
tcp-subsq-guard-timer 300
tcp-number-of-ports-per-flow 2
hnt-rtcp disabled
algd-log-level NOTICE
mbcd-log-level NOTICE
options active-arp
red-flow-port 1985
red-mgcp-port 1986
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
media-policing enabled
max-signaling-bandwidth 10000000

max-untrusted-signaling 100
min-untrusted-signaling 30
app-signaling-bandwidth 0
tolerance-window 30
rtcp-rate-limit 0
trap-on-demote-to-deny disabled
min-media-allocation 32000
min-trusted-allocation 1000
deny-allocation 1000
anonymous-sdp disabled
arp-msg-bandwidth 32000
fragment-msg-bandwidth 0
rfc2833-timestamp disabled
default-2833-duration 100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event disabled
media-supervision-traps disabled
dnsalg-server-failover disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:37
network-interface
name M00
sub-port-id 0
description slot 0 port 0 access network
hostname
ip-address 192.168.11.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.11.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:21
network-interface
name M10
sub-port-id 0
description slot 1 port 0 core network
hostname
ip-address 192.168.12.100

pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.12.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:57
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:10
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:19
realm-config
identifier access
description serving all access net endpoints
addr-prefix 0.0.0.0
network-interfaces
M00:0

mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name

call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:09
realm-config
identifier core
description softswitch resides in this realm
addr-prefix 0.0.0.0
network-interfaces
M10:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context

early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:30
sip-config
state enabled
operation-mode dialog
dialog-transparency enabled
home-realm-id access
egress-realm-id
nat-mode Public
registrar-domain *
registrar-host *
registrar-port 5060
register-service-route always
init-timer 500
max-timer 4000
trans-expire 32
invite-expire 180
inactive-dynamic-conn 32
enforcement-profile
pac-method
pac-interval 10
pac-strategy PropDist
pac-load-weight 1
pac-session-weight 1
pac-route-weight 1

pac-callid-lifetime 600
pac-user-lifetime 3600
red-sip-port 1988
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
add-reason-header disabled
sip-message-len 4096
enum-sag-match disabled
extra-method-stats disabled
registration-cache-limit 0
register-use-to-for-lp disabled
options max-register-forward=<See 12.2>
max-register-refresh=<See 12.1>
max-udp-length=0
reg-overload-protect
register-grace-timer=120
reject-register=refresh
refer-src-routing disabled
add-ucid-header disabled
proxy-sub-events
pass-gruu-contact disabled
sag-lookup-on-redirect disabled
set-disconnect-time-on-bye disabled
last-modified-by admin@console
last-modified-date 2011-03-16 23:27:42
sip-interface
state enabled
realm-id access
description Transport address access UAs signal to
sip-port
address 192.168.11.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous registered
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal always
nat-interval 30
tcp-nat-interval 90
registration-caching enabled
min-reg-expire 300
registration-interval 3600
route-to-registrar enabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10

nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:00:39
sip-interface
state enabled
realm-id core
description Transport address softswitch signals to
sip-port
address 192.168.12.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode

redirect-action
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:15
sip-nat
realm-id core

domain-suffix .core.com
ext-proxy-address 192.168.12.200
ext-proxy-port 5060
ext-address 192.168.12.100
home-address 192.168.11.101
home-proxy-address
home-proxy-port 0
route-home-proxy disabled
address-prefix *
tunnel-redirect disabled
use-url-parameter none
parameter-name
user-nat-tag -core-
host-nat-tag CORE
headers Call-ID Contact f From i Join m r Record-Route Refer-To Replaces Reply-To Route t To v Via
last-modified-by admin@console
last-modified-date 2011-03-16 23:26:48
steering-pool
ip-address 192.168.11.100
start-port 49152
end-port 65535
realm-id access
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:38
steering-pool
ip-address 192.168.12.100
start-port 49152
end-port 65535
realm-id core
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:56
system-config
hostname SD1.selab.com
description Single NAT homed in Access Realm
location selab.com
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps disabled
enable-snmp-syslog-notify disabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level WARNING
system-log-level WARNING
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15

boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway 10.0.0.100
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing disabled
cli-more disabled
terminal-height 24
debug-timeout 0
trap-event-lifetime 0
cleanup-time-of-day 00:00
last-modified-by admin@console
last-modified-date 2011-03-16 23:27:17
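
The appendices present the reference configuration as a flattened listing (element name on its own line, then one key/value pair per line). As an added example that is not part of this BCP or of the Session Director software, the following Python script parses that listing format and reports where an access-realm sip-interface deviates from the reference values shown above (allow-anonymous registered, nat-traversal always, registration-caching enabled, route-to-registrar enabled). The set of top-level element names, the handling of steering-pool's empty network-interface field, and the continuation-line heuristics for the options and network-interfaces lists are assumptions about the listing format; SAMPLE_DUMP is constructed for the example and deliberately deviates from the reference in two places.

```python
"""Audit an Acme Packet Net-Net SD configuration dump (added example).

Parses the flattened "element / key value" listing used in this BCP's
appendices and checks access-realm sip-interfaces against the reference
values those appendices use. SAMPLE_DUMP is constructed for this example.
"""

# Element names that open a new object in the dump (assumed set).
TOP_LEVEL = {"local-policy", "media-manager", "network-interface",
             "phy-interface", "realm-config", "sip-config", "sip-interface",
             "sip-nat", "steering-pool", "system-config"}
# A bare top-level name that is really an empty field of the enclosing
# object: steering-pool carries a "network-interface" field.
NESTED_SAME_NAME = {("steering-pool", "network-interface")}
# Reference values for the access-realm sip-interface (Appendices B, C, D).
ACCESS_REFERENCE = {"allow-anonymous": "registered",
                    "nat-traversal": "always",
                    "registration-caching": "enabled",
                    "route-to-registrar": "enabled"}

# Constructed sample in the appendix listing format (not a real device dump).
SAMPLE_DUMP = """\
realm-config
identifier access
network-interfaces
M00:0
access-control-trust-level none
sip-config
options max-register-forward=<See 12.2>
max-register-refresh=<See 12.1>
max-udp-length=0
sip-interface
realm-id access
sip-port
address 192.168.11.100
tls-profile
allow-anonymous all
nat-traversal always
registration-caching disabled
route-to-registrar enabled
sip-interface
realm-id core
allow-anonymous all
steering-pool
ip-address 192.168.11.100
realm-id access
network-interface
"""


def parse_dump(text):
    """Return [(element, {key: value}), ...] in document order."""
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        nested_field = (current is not None
                        and (current[0], key) in NESTED_SAME_NAME
                        and key not in current[1])
        if key in TOP_LEVEL and not value and not nested_field:
            current = (key, {})
            objects.append(current)
            last_key = None
            continue
        if current is None:
            continue  # text before the first element is ignored
        fields = current[1]
        # Continuation lines (assumed layout): an "options" list spills one
        # item per line; "network-interfaces" members such as M00:0 do too.
        if last_key == "options" and "=" in key:
            fields[last_key] = (fields[last_key] + " " + line).strip()
            continue
        if not value and last_key and ":" in key:
            fields[last_key] = (fields[last_key] + " " + key).strip()
            continue
        fields[key] = value
        last_key = key
    return objects


def audit_access_sip_interfaces(objects):
    """Report access-realm sip-interface settings that differ from the reference."""
    findings = []
    for element, fields in objects:
        if element != "sip-interface" or fields.get("realm-id") != "access":
            continue
        where = f"sip-interface {fields.get('address', '?')} (realm access)"
        for key, expected in ACCESS_REFERENCE.items():
            actual = fields.get(key, "<missing>")
            if actual != expected:
                findings.append(f"{where}: {key}={actual}, reference is {expected}")
    return findings
```

Run `audit_access_sip_interfaces(parse_dump(text))` on a captured listing to get one line per deviation; on SAMPLE_DUMP it reports the access interface's allow-anonymous all and registration-caching disabled, and says nothing about the core interface, whose allow-anonymous all matches the appendices. Only the parse of a real dump needs checking before trusting the result, since the element-name set and continuation rules above are assumptions.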

Appendix C. Reference Configuration: SIP NAT Bridge


media-manager
state enabled
latching enabled
flow-time-limit 86400
initial-guard-timer 300
subsq-guard-timer 300
tcp-flow-time-limit 86400
tcp-initial-guard-timer 300
tcp-subsq-guard-timer 300
tcp-number-of-ports-per-flow 2
hnt-rtcp disabled
algd-log-level NOTICE
mbcd-log-level NOTICE
options active-arp
red-flow-port 1985
red-mgcp-port 1986
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
media-policing enabled
max-signaling-bandwidth 10000000
max-untrusted-signaling 100
min-untrusted-signaling 30
app-signaling-bandwidth 0
tolerance-window 30
rtcp-rate-limit 0
trap-on-demote-to-deny disabled
min-media-allocation 32000
min-trusted-allocation 1000
deny-allocation 1000
anonymous-sdp disabled
arp-msg-bandwidth 32000
fragment-msg-bandwidth 0
rfc2833-timestamp disabled
default-2833-duration 100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event disabled
media-supervision-traps disabled
dnsalg-server-failover disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:37
network-interface
name M00
sub-port-id 0
description slot 0 port 0 access network
hostname
ip-address 192.168.11.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.11.1
sec-gateway
gw-heartbeat

state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:21
network-interface
name M10
sub-port-id 0
description slot 1 port 0 core network
hostname
ip-address 192.168.12.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.12.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:57
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac
admin-state enabled
auto-negotiation enabled

duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:10
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:19
realm-config
identifier access
description serving all access net endpoints
addr-prefix 0.0.0.0
network-interfaces
M00:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30

ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:09
realm-config
identifier core
description softswitch resides in this realm
addr-prefix 0.0.0.0
network-interfaces
M10:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0

max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled

last-modified-by admin@console
last-modified-date 2011-03-16 22:55:30
realm-config
identifier acme
description Internal home realm
addr-prefix 127.0.0.0/8
network-interfaces
lo0:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip

monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-17 16:53:18
sip-config
state enabled
operation-mode dialog
dialog-transparency enabled
home-realm-id acme
egress-realm-id
nat-mode Public
registrar-domain *
registrar-host *
registrar-port 5060
register-service-route always
init-timer 500
max-timer 4000
trans-expire 32
invite-expire 180
inactive-dynamic-conn 32
enforcement-profile
pac-method
pac-interval 10
pac-strategy PropDist
pac-load-weight 1
pac-session-weight 1
pac-route-weight 1
pac-callid-lifetime 600
pac-user-lifetime 3600
red-sip-port 1988
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
add-reason-header disabled
sip-message-len 4096
enum-sag-match disabled
extra-method-stats disabled
registration-cache-limit 0
register-use-to-for-lp disabled

options max-register-forward=<See 12.2>
max-register-refresh=<See 12.1>
max-udp-length=0
reg-overload-protect
register-grace-timer=120
reject-register=refresh
refer-src-routing disabled
add-ucid-header disabled
proxy-sub-events
pass-gruu-contact disabled
sag-lookup-on-redirect disabled
set-disconnect-time-on-bye disabled
last-modified-by admin@console
last-modified-date 2011-03-17 16:53:51
sip-interface
state enabled
realm-id access
description Transport address access UAs signal to
sip-port
address 192.168.11.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous registered
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal always
nat-interval 30
tcp-nat-interval 90
registration-caching enabled
min-reg-expire 300
registration-interval 3600
route-to-registrar enabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none

max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:00:39
sip-interface
state enabled
realm-id core
description Transport address softswitch signals to
sip-port
address 192.168.12.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain

trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:15
sip-interface
state enabled
realm-id acme
description Home realm internal interface
sip-port
address 127.255.255.254
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0

max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-17 16:54:21

sip-nat
realm-id access
domain-suffix .access.com
ext-proxy-address 1.1.1.1
ext-proxy-port 5060
ext-address 192.168.11.100
home-address 127.0.0.100
home-proxy-address 127.0.0.101
home-proxy-port 5060
route-home-proxy enabled
address-prefix *
tunnel-redirect disabled
use-url-parameter none
parameter-name
user-nat-tag -access-
host-nat-tag ACCESS
headers Call-ID Contact f From i Join m r Record-Route Refer-To Replaces Reply-To Route t To v Via
last-modified-by admin@console
last-modified-date 2011-03-17 16:55:53
sip-nat
realm-id core
domain-suffix .core.com
ext-proxy-address 192.168.12.200
ext-proxy-port 5060
ext-address 192.168.12.100
home-address 127.0.0.101
home-proxy-address
home-proxy-port 5060
route-home-proxy disabled
address-prefix *
tunnel-redirect disabled
use-url-parameter none
parameter-name
user-nat-tag -core-
host-nat-tag CORE
headers Call-ID Contact f From i Join m r Record-Route Refer-To Replaces Reply-To Route t To v Via
last-modified-by admin@console
last-modified-date 2011-03-17 16:57:18
steering-pool
ip-address 192.168.11.100
start-port 49152
end-port 65535
realm-id access
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:38
steering-pool
ip-address 192.168.12.100
start-port 49152
end-port 65535
realm-id core

network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:56
system-config
hostname SD1.selab.com
description SIP NAT Bridge
location selab.com
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps disabled
enable-snmp-syslog-notify disabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level WARNING
system-log-level WARNING
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15
boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway 10.0.0.100
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing disabled
cli-more disabled
terminal-height 24
debug-timeout 0
trap-event-lifetime 0
cleanup-time-of-day 00:00
last-modified-by admin@console
last-modified-date 2011-03-17 16:57:40

Appendix D. Reference Configuration: Single NAT, homed in trusted network

local-policy
from-address
*
to-address
*
source-realm
access
description access->core
activate-time N/A
deactivate-time N/A
state enabled
policy-priority none
last-modified-by admin@console
last-modified-date 2011-03-17 17:17:49
policy-attribute
next-hop 172.16.123.101
realm core
action none
terminate-recursion disabled
carrier
start-time 0000
end-time 2400
days-of-week U-S
cost 0
app-protocol
state enabled
methods
media-profiles
lookup single
next-key
eloc-str-lkup disabled
eloc-str-match
media-manager
state enabled
latching enabled
flow-time-limit 86400
initial-guard-timer 300
subsq-guard-timer 300
tcp-flow-time-limit 86400
tcp-initial-guard-timer 300
tcp-subsq-guard-timer 300
tcp-number-of-ports-per-flow 2
hnt-rtcp disabled
algd-log-level NOTICE
mbcd-log-level NOTICE
options active-arp
red-flow-port 1985
red-mgcp-port 1986
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
media-policing enabled

max-signaling-bandwidth 10000000
max-untrusted-signaling 100
min-untrusted-signaling 30
app-signaling-bandwidth 0
tolerance-window 30
rtcp-rate-limit 0
trap-on-demote-to-deny disabled
min-media-allocation 32000
min-trusted-allocation 1000
deny-allocation 1000
anonymous-sdp disabled
arp-msg-bandwidth 32000
fragment-msg-bandwidth 0
rfc2833-timestamp disabled
default-2833-duration 100
rfc2833-end-pkts-only-for-non-sig enabled
translate-non-rfc2833-event disabled
media-supervision-traps disabled
dnsalg-server-failover disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:52:37
network-interface
name M00
sub-port-id 0
description slot 0 port 0 access network
hostname
ip-address 192.168.11.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.11.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:21
network-interface
name M10
sub-port-id 0
description slot 1 port 0 core network
hostname

ip-address 192.168.12.100
pri-utility-addr
sec-utility-addr
netmask 255.255.255.0
gateway 192.168.12.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
ssh-address
last-modified-by admin@console
last-modified-date 2011-03-16 22:53:57
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:10
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed 100
overload-protection disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:54:19
realm-config
identifier access
description serving all access net endpoints
addr-prefix 0.0.0.0
network-interfaces

M00:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled

constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-16 22:55:09
realm-config
identifier core
description softswitch resides in this realm
addr-prefix 0.0.0.0
network-interfaces
M10:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
diam-e2-address-realm
symmetric-latching disabled
pai-strip disabled

trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
dyn-refer-term disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
sip-profile
sip-isup-profile
block-rtcp disabled
hide-egress-media-update disabled
last-modified-by admin@console
last-modified-date 2011-03-17 22:23:33
sip-config
state enabled
operation-mode dialog
dialog-transparency enabled
home-realm-id core
egress-realm-id
nat-mode Public
registrar-domain *
registrar-host *
registrar-port 5060
register-service-route always
init-timer 500
max-timer 4000
trans-expire 32
invite-expire 180
inactive-dynamic-conn 32
enforcement-profile
pac-method
pac-interval 10
pac-strategy PropDist
pac-load-weight 1
pac-session-weight 1

pac-route-weight 1
pac-callid-lifetime 600
pac-user-lifetime 3600
red-sip-port 1988
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
add-reason-header disabled
sip-message-len 4096
enum-sag-match disabled
extra-method-stats disabled
registration-cache-limit 0
register-use-to-for-lp disabled
options max-register-forward=<See 12.2>
max-register-refresh=<See 12.1>
max-udp-length=0
reg-overload-protect
register-grace-timer=120
reject-register=refresh
refer-src-routing disabled
add-ucid-header disabled
proxy-sub-events
pass-gruu-contact disabled
sag-lookup-on-redirect disabled
set-disconnect-time-on-bye disabled
last-modified-by admin@console
last-modified-date 2011-03-17 17:18:55
sip-interface
state enabled
realm-id access
description Transport address access UAs signal to
sip-port
address 192.168.11.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous registered
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0
proxy-mode
redirect-action
contact-mode none
nat-traversal always
nat-interval 30
tcp-nat-interval 90
registration-caching enabled
min-reg-expire 300
registration-interval 3600
route-to-registrar enabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600

nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:00:39
sip-interface
state enabled
realm-id core
description Transport address softswitch signals to
sip-port
address 192.168.12.100
port 5060
transport-protocol UDP
tls-profile
allow-anonymous all
ims-aka-profile
carriers
trans-expire 0
invite-expire 0
max-redirect-contacts 0

proxy-mode
redirect-action
contact-mode none
nat-traversal none
nat-interval 30
tcp-nat-interval 90
registration-caching disabled
min-reg-expire 300
registration-interval 3600
route-to-registrar disabled
secured-network disabled
teluri-scheme disabled
uri-fqdn-domain
trust-mode all
max-nat-interval 3600
nat-int-increment 10
nat-test-increment 30
sip-dynamic-hnt disabled
stop-recurse 401,407
port-map-start 0
port-map-end 0
in-manipulationid
out-manipulationid
manipulation-string
manipulation-pattern
sip-ims-feature disabled
operator-identifier
anonymous-priority none
max-incoming-conns 0
per-src-ip-max-incoming-conns 0
inactive-conn-timeout 0
untrusted-conn-timeout 0
network-id
ext-policy-server
default-location-string
charging-vector-mode pass
charging-function-address-mode pass
ccf-address
ecf-address
term-tgrp-mode none
implicit-service-route disabled
rfc2833-payload 101
rfc2833-mode transparent
constraint-name
response-map
local-response-map
ims-aka-feature disabled
enforcement-profile
route-unauthorized-calls
tcp-keepalive none
add-sdp-invite disabled
add-sdp-profiles
sip-profile
sip-isup-profile
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:15
sip-nat
realm-id access
domain-suffix .access.com
ext-proxy-address 1.1.1.1
ext-proxy-port 5060
ext-address 192.168.11.100
home-address 192.168.12.101
home-proxy-address 172.16.123.101
home-proxy-port 5060
route-home-proxy disabled
address-prefix *
tunnel-redirect disabled
use-url-parameter none
parameter-name
user-nat-tag -access-
host-nat-tag ACCESS
headers Call-ID Contact f From i Join m r Record-Route Refer-To Replaces Reply-To Route t To v Via
last-modified-by admin@console
last-modified-date 2011-03-17 21:30:31
steering-pool
ip-address 192.168.11.100
start-port 49152
end-port 65535
realm-id access
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:38
steering-pool
ip-address 192.168.12.100
start-port 49152
end-port 65535
realm-id core
network-interface
last-modified-by admin@console
last-modified-date 2011-03-16 23:01:56
system-config
hostname SD1.selab.com
description Single NAT homed in Trusted Network
location selab.com
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps disabled
enable-snmp-syslog-notify disabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level WARNING
system-log-level WARNING
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15
boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway 10.0.0.100
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing disabled
cli-more disabled
terminal-height 24
debug-timeout 0
trap-event-lifetime 0
cleanup-time-of-day 00:00
last-modified-by admin@console
last-modified-date 2011-03-17 17:20:56