4.10. Interface Configuration

4.10.1. Physical and System Interfaces

System (network) interfaces can be configured either by manually editing the CentOS network configuration files located in /etc/sysconfig/network-scripts or by using the standard CentOS tools nmtui or nmcli if NetworkManager is in use.

Several interface types, such as simple system network interfaces (e.g. eth1), VLAN-tagged interfaces (e.g. eth1.100) or bonded interfaces (e.g. bond0), can be configured and used in the ABC SBC configuration.

4.10.1.1. IP Routing

If necessary, IP routing rules can be changed either manually in the configuration files located in the same directory as the interface configuration (/etc/sysconfig/network-scripts) or using the standard CentOS tools.

4.10.1.2. SBC nodes

If the ABC SBC is installed in HA (active-standby) or cluster mode, the main configuration node should know about all the SBC nodes. This is required specifically when the SBC interface settings differ between the nodes, e.g. when the nodes differ in the IP address or system interface name used for one interface of the same logical type.

Before proceeding to the VIP address and interface configuration, add records for all SBC nodes (including the node acting as the main configuration node) under the “System ‣ Nodes” screen of the main configuration GUI. For each SBC node, you have to enter its hostname and optionally its IP address (preferably the IMI interface IP). If you enter only the hostname, the record applies to the node with that hostname. If you enter both hostname and IP address, the record applies to the node that has the specified IP address on any of its network adapters (excluding the loopback interface), or to the node with the same hostname if no matching IP address is found. If the node is matched by IP address and its hostname differs from the specified hostname, the node hostname will be changed.

For the node hostnames, use the full (long) hostnames (including the domain name, if used).

4.10.1.3. Configuring Virtual IP (VIP) Address (OPTIONAL: in HA mode only)

When deployed in active/standby mode, both ABC SBC nodes share one or more Virtual IP addresses. Virtual IP addresses are assigned to the currently active node.

The Virtual IP is configured in the “HA ‣ Virtual IP” screen. The VIP address can then be assigned later to the SBC signaling and media interfaces. The VIP address configuration has to be done from the main configuration GUI.

For the VIP address, the administrator can optionally specify a system interface (e.g. eth1) that the Virtual IP address should be assigned to. A netmask (network prefix) and default gateway can also optionally be specified.

With the default system interface setting “Autodetect”, the system interface for the VIP is detected automatically based on the system routing table. This setting should be used in usual configurations, where the VIP address is from the same IP subnet as the basic non-VIP IP address on the interface where the VIP is going to be used. As the system interface name is auto-detected, it may differ between the nodes.

If the VIP address to be used is not from an IP subnet already used on the corresponding interface, or if the VIP is the only IP address used on the interface, the exact system interface name has to be assigned to the VIP. In this case, the system interface has to use the same name (e.g. eth1) on both HA nodes.

For the netmask, CIDR notation has to be used (example: 24 for 255.255.255.0 netmask in dot-decimal notation). If the netmask is left empty, the default netmask of 32 is used (single host IP).

The default gateway should be used ONLY when there is no basic non-VIP IP address on the interface and the Virtual IP address is the only one where a default gateway can be used. If more than one Virtual IP address is used, the gateway should be set for only one of them. If a default gateway for the Virtual IP is used, it is set on the active node and moved together with the Virtual IP when a switchover occurs. In normal cases the gateway field should be left empty.
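The VIP rules above (interface autodetection, default netmask, gateway use) can be checked before the values are entered in the GUI. The following Python check is an added example, not part of the ABC SBC product; the entry fields (vip, netmask, gateway, system_interface, base_addrs) and the sample addresses are constructed for illustration.

```python
import ipaddress

def plan_vip(vip, base_addrs, netmask=""):
    """Derive the VIP settings the rules above call for.
    base_addrs: non-VIP addresses already on the target interface, in CIDR form."""
    addr = ipaddress.ip_address(vip)
    prefix = int(netmask) if netmask else 32  # empty netmask defaults to 32
    if not 0 <= prefix <= addr.max_prefixlen:
        raise ValueError(f"{vip}: netmask must be a CIDR prefix length")
    same_subnet = any(addr in ipaddress.ip_interface(b).network for b in base_addrs)
    return {
        "prefix": prefix,
        # Autodetect relies on the routing table, so it needs a base address in the VIP's subnet.
        "system_interface": "Autodetect" if same_subnet else "explicit",
        # A gateway belongs on the VIP only when the interface has no non-VIP address.
        "gateway_allowed": not base_addrs,
    }

def lint_vips(entries):
    """Return findings for a list of VIP entries (hypothetical dict layout)."""
    findings = []
    if sum(1 for e in entries if e["gateway"]) > 1:
        findings.append("default gateway set on more than one VIP")
    for e in entries:
        plan = plan_vip(e["vip"], e["base_addrs"], e["netmask"])
        if plan["system_interface"] == "explicit" and e["system_interface"] == "Autodetect":
            findings.append(f"{e['vip']}: name the system interface explicitly")
        if e["gateway"] and not plan["gateway_allowed"]:
            findings.append(f"{e['vip']}: leave the gateway empty")
    return findings

# Constructed sample entries (documentation address ranges).
SAMPLE_VIPS = [
    {"vip": "192.0.2.50", "netmask": "24", "gateway": "",
     "system_interface": "Autodetect", "base_addrs": ["192.0.2.10/24"]},
    {"vip": "203.0.113.7", "netmask": "", "gateway": "203.0.113.1",
     "system_interface": "Autodetect", "base_addrs": ["198.51.100.4/24"]},
]

if __name__ == "__main__":
    for finding in lint_vips(SAMPLE_VIPS):
        print(finding)
```

A dot-decimal netmask such as 255.255.255.0 is rejected with a ValueError, matching the requirement to use CIDR notation.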

Figure 1: Assign a VIP to a system interface

4.10.2. SBC Interfaces

For signaling and management the ABC SBC uses five types of interfaces:

  • XMI - External Management Interface - this interface is used for the GUI, SNMP, XMLRPC, SSH and other administrative services that should be accessible from outside of the ABC SBC host. Only one XMI can be configured. This interface must not be configured to be on a VIP.
  • IMI - Internal Management Interface - the IMI is used for inter-node communication (in HA pair or cluster mode) and for configuration transfer from the configuration master to the ABC SBC node(s). Only one IMI can be configured. A separate system interface using an IP subnet that is not routed or accessible from outside should be used for the IMI, unless there is an external firewall in front of the ABC SBC.
  • SI - Signaling Interface - SI is used for SIP signaling. Multiple SI can be configured.
  • MI - Media Interface - MI is used for media (RTP, UDPTL, ...) processing and relay. Multiple MI can be configured.
  • WS - Websocket Signaling - WS is used for SIP signaling over Websockets. This is useful only if the ABC SBC is configured to act as an RTC gateway as described in Section SIP-WebRTC Gateway.

Signaling and media interfaces can be configured in different combinations. All SI/MI can share the same system interface, can be configured on a “per Call Agent” basis where each Realm has its signaling and media interface, or can share one assigned IP address with different ports per SBC interface.

It is also possible to create separate signaling and media interfaces on the same system interface for different purposes. For example, one for a PSTN gateway and one for receiving calls from residential users. In this case, a different signaling port and media port range shall be used. A typical ABC SBC configuration is to have one separate XMI, one separate IMI and one shared signaling and media IP address for each Realm.

When doing the initial ABC SBC configuration, add the XMI and IMI interfaces. The XMI interface always has to be defined, to allow access to the ABC SBC GUI. The IMI interface always has to be defined if HA or cluster mode is used (otherwise the needed firewall rules would not be set).

Then add the interfaces for the SBC application: signaling (SI) and media (MI), and optionally websocket signaling (WS).

In HA or cluster mode, if the interfaces differ between the nodes (they use a different IP address or system interface name), you have to create several separate entries using the same SBC interface name. Create a separate entry for each SBC node, select the node hostname in the SBC node field, and use the same SBC interface name for all the entries that belong to one logical SBC interface.

If the SBC interface settings do not differ between nodes, you can create just one entry for each interface and leave the SBC node field blank.

Note: each SBC node will use all interface records with the SBC node field set to that node, plus all interface records with the SBC node field empty.

If an SBC interface is going to use a VIP address (shared IP), the VIP address should be added before adding the interface.

SBC Interfaces are configured in the “System ‣ Interfaces” screen and the following parameters have to be defined:

  • SBC node. This listbox option limits the interface to a specific node which has been pre-configured under “System ‣ Nodes” or auto-learned (see “Monitoring ‣ Nodes Status”). If the option is left blank, the interface is applied to any node. If there is an interface that applies both to any node and to a specific node, the specific interface prevails.
  • Interface name: A unique identifier of the interface - [a-z, A-Z, 0-9]. If the configuration of an interface shall differ between nodes, define multiple interfaces with different node references and the same interface name.
  • Interface type: Signaling, Media, WebSocket Signaling, External management, Internal management.
  • Interface description: description (alias) for the interface that is used in the GUI configuration.
  • System interface: system physical/logical interface (eth1, eth1.123 - VLAN tagged, bond1 - bonded interface)
  • IP address autoconfig: if enabled, the first IP address from the corresponding system interface will be taken automatically. Disabled by default.
  • IP address: you can use the normal IP address of the interface, or a VIP if a Virtual IP address was configured.
  • Public IP autoconfig: if enabled, the public IP address (see next field) will be autodetected. Current options of autodetection include Amazon EC2 cluster method. Disabled by default.
  • Public IP address: this parameter is optional. It allows configuring an IP address that will be used instead of the real or virtual IP address in SIP signaling (in case of a signaling interface) or in the media description (SDP; in case of a media interface). This is very useful to support near-end NATs, e.g. Amazon EC2. Please refer to Sec. Physical, System and SBC Interfaces for more details on the topic.
  • Port(s): The port number(s) on which the ABC SBC listens for incoming packets. On an MI interface, specify a valid RTP port range. Usual values are 16384-64000. Configuring too narrow a port range may limit the number of parallel calls processed. On an SI interface, specify the SIP port number, 5060 by default. If TLS is turned on (“Config ‣ Global Config ‣ SSL ‣ Enable TLS”), a TLS listener is started on the subsequent port number, 5061 in the default case.
  • Interface options: special options for the interface. Currently supported options are: “force_via_address” for the signaling interface type and “wspath_xxx” for the websocket interface type. The “wspath_xxx” option, where “xxx” can be set as needed, sets up a redirect from path “/xxx” on HTTPS port 443 to the websocket port on localhost (it has to be used only on an interface using the system interface “lo”).
  • TOS field. The TOS field value set on outbound media packets sent using this interface. This is an eight-bit value as specified in RFC781, not to be confused with related DSCP codes. The best current practice is to use 184.
  • Greylist: If enabled, incoming traffic to this interface will be subject to greylist filtering. See Section Automatic Proactive Blocking: Greylisting for more details.
  • Verify client certificate. If enabled, incoming TLS connections are checked for a client certificate and declined if it is absent or invalid.

Figure 2: SBC Interface configuration
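How a node selects its interface records, together with the XMI and IMI constraints stated in this section, expressed as a Python check. This is an added example, not part of the ABC SBC product; the record layout (node, name, type, ip) and the sample hostnames and addresses are constructed for illustration.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9]+")  # interface name uses [a-z, A-Z, 0-9]

def effective(records, node):
    """Records a node uses: its own entries plus blank-node entries;
    a node-specific entry prevails over a blank one of the same name."""
    chosen = {}
    for rec in records:
        if rec["node"] not in ("", node):
            continue
        current = chosen.get(rec["name"])
        if current is None or (rec["node"] and not current["node"]):
            chosen[rec["name"]] = rec
    return chosen

def lint(records, node, vips=(), ha=False):
    """Return findings for one node against the rules stated in this section."""
    eff = effective(records, node)
    by_type = {}
    for rec in eff.values():
        by_type.setdefault(rec["type"], []).append(rec)
    findings = []
    for name in eff:
        if not NAME_RE.fullmatch(name):
            findings.append(f"{name}: name must use only a-z, A-Z, 0-9")
    xmi, imi = by_type.get("XMI", []), by_type.get("IMI", [])
    if len(xmi) != 1:
        findings.append(f"expected exactly one XMI, found {len(xmi)}")
    if any(r["ip"] in vips for r in xmi):
        findings.append("XMI must not be configured on a VIP")
    if len(imi) > 1:
        findings.append(f"only one IMI allowed, found {len(imi)}")
    if ha and not imi:
        findings.append("HA/cluster mode requires an IMI")
    return findings

# Constructed sample records; hostnames and addresses are illustrative only.
SAMPLE = [
    {"node": "", "name": "xmi", "type": "XMI", "ip": "192.0.2.50"},
    {"node": "", "name": "sig1", "type": "SI", "ip": "192.0.2.50"},
    {"node": "sbc2.example.net", "name": "sig1", "type": "SI", "ip": "198.51.100.6"},
]
VIP_ADDRS = {"192.0.2.50"}

if __name__ == "__main__":
    print(lint(SAMPLE, "sbc1.example.net", VIP_ADDRS, ha=True))
```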

Important: When the SBC interfaces are configured, a warning message with a link to activate the new SBC configuration is shown in the GUI. No SBC interface changes are applied until the “activate” link is used. When the configuration changes are applied, all services using the network configuration are restarted (e.g. SIP and RTP processes, SNMP daemon etc.). Note that this may cause service disruption.

If the XMI management interface is accessible via the public Internet, we recommend blocking IP addresses after repeated failed SSH or GUI login attempts, which can be done by enabling the options “Blacklist IP addr for repeated ssh login failures” and “Blacklist IP addr for repeated gui login failures” under the Config / Global Config / Firewall tab.

Important: In active/standby deployments, the administrator has to configure the same interfaces for both nodes. Be careful to use the same SBC interface name for the same signaling interfaces on both nodes! This is important for successful call restoration on the standby node.